Solved

Connect two PIX firewalls

Posted on 2006-06-17
9
281 Views
Last Modified: 2013-11-16
I have two networks in the same building.
Network one is on a ip 10.64.1.0 and network two is on 10.247.1.0
I have a PIX 515 on the 10.64 net and a PIX 520 on the 10.247 net.
I am trying to connect to a exchange server at 10.247.121.1.5 from
the 10.64.1.0 network.  I have attempted to bridge the network via
server 2003.  The exchange server is also 2003.  I can ping inside
on the 10.64.1.0 net to the 10.64.1.23 ip of the bridge.  Outside
the city, I have several sites throughout the state, which cannot ping.
My current plan is to attempt to connect the two pix's together
(they are in the same server room) with a second interface in each
via a cross over cable.

Can anyone provide me with what my config should look like?
The pix's are running 4x software.
0
Comment
Question by:Heath Calhoun
  • 4
  • 4
9 Comments
 
LVL 32

Expert Comment

by:rsivanandan
ID: 16928467
4x ? I would first suggest you to upgrade it to 6.3(5) because your configuration is going to involve a lot of nat exclusions and stuff like that. The most stable version is 6.3(5).

Cheers,
Rajesh
0
 
LVL 11

Expert Comment

by:prueconsulting
ID: 16929736
And how are the Pix's configured in the way of

Outside Interface / Inside etc.. Can you provide a small context diagram
0
 

Author Comment

by:Heath Calhoun
ID: 16931007
No smartnet, so unfortunately we can't upgrade.
The last time I tried to upgrade to 5x, after leaving, we had to return to downgrade back to ver 4.  5x stopped the firewall from working.
Also, I have a bunch of conduits setup to work.  Unless they have changed, I don't like the fact that the firewall stops checking for matches
after it finds the first match in a access list.
0
Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

 

Author Comment

by:Heath Calhoun
ID: 16931035
Maybe this helps.
Pix 10.64 resides on a state dps network going through a dps firwall to get to the outside.
Pix 10.247 resides on the state its network to get out.
Both pix's are in the same computer room.

The 10.247.121.x pix route:
outside 0.0.0.0 0.0.0.0 10.247.126.1 1 OTHEr static
inside 10.247.121.0 255.255.255.0 1 CONNECT static
outside 10.247.0 255.255.255.248 10.247.126.2 1 CONNECT static

The 10.64.163.x pix
outside 0.0.0.0 0.0.0.0 10.64.164.1 1 OTHER static
inside 10.64.163.0 255.255.255.0 10.64.163.1 1 CONNECT static
outside 10.64.164.0 255.255.255.0 10.64.164.2 1 CONNECT static

Both firwalls connect ultimately to the state network and then to the internet.
The 10.64 pix goes through the dps network as well to get through their firewall
to the its network.  The 10.247 pix goes to the its network.
Both firewalls are in the same computer room and need to be tied together with
network cards via a crossover cable.

its network to its firewall, internet
dps network, to dps firewall
router, pix 10.64, switch.

its network to itsfirwall, internet
router, pix 10.247. switch
0
 
LVL 11

Expert Comment

by:prueconsulting
ID: 16944775
Build a DMZ network in each on the same subnet .

Ie Pix 1 - 10.10.10.1
Pix 2 - 10.10.10.2

Point the Route on PIX 2 to put 10.247.121.0 through 10.10.10.1
PIX 1 - route 10.64.163.0 via 10.10.10.2

and then build approriate Acls to allow the traffic required.



0
 

Author Comment

by:Heath Calhoun
ID: 16948075
That would keep traffic seperate.
Will I need a static command and then a route?
Can you give me a config?  I've never built a dmz or route on a pix before.
Thanks.
0
 
LVL 11

Accepted Solution

by:
prueconsulting earned 125 total points
ID: 16948274
The DMZ is just build using one of the other interfaces installed on the PIX.
You shouldnt require a static at all .
ie

interface ethernet2 100full                                                    
nameif ethernet2 DMZ security50
ip address DMZ 10.10.10.1 255.255.255.0

   
example route commands are as follows

route DMZ 10.247.121.0 255.255.255.0 10.10.10.2 1
route DMZ 10.64.163.0 255.255.255.0 10.10.10.1 1
0
 

Author Comment

by:Heath Calhoun
ID: 16980867
Thanks prueconsulting.  That is basically what we did, except we used static.
0
 
LVL 11

Expert Comment

by:prueconsulting
ID: 16982706
Glad to be of assistance
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Turn off SIP ALG - Cisco ASA 5505 1 75
access vs trunk with voice vlan 2 44
Point to point connection slow in one direction only 15 49
NAT Public IP through a VPN 17 42
The DROP (Spamhaus Don't Route Or Peer List) is a small list of IP address ranges that have been stolen or hijacked from their rightful owners. The DROP list is not a DNS based list.  It is designed to be downloaded as a file, with primary intention…
This past year has been one of great growth and performance for OnPage. We have added many features and integrations to the product, making 2016 an awesome year. We see these steps forward as the basis for future growth.
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

803 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question