• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 290
  • Last Modified:

Connect two PIX firewalls

I have two networks in the same building.
Network one is on a ip 10.64.1.0 and network two is on 10.247.1.0
I have a PIX 515 on the 10.64 net and a PIX 520 on the 10.247 net.
I am trying to connect to a exchange server at 10.247.121.1.5 from
the 10.64.1.0 network.  I have attempted to bridge the network via
server 2003.  The exchange server is also 2003.  I can ping inside
on the 10.64.1.0 net to the 10.64.1.23 ip of the bridge.  Outside
the city, I have several sites throughout the state, which cannot ping.
My current plan is to attempt to connect the two pix's together
(they are in the same server room) with a second interface in each
via a cross over cable.

Can anyone provide me with what my config should look like?
The pix's are running 4x software.
0
Heath Calhoun
Asked:
Heath Calhoun
  • 4
  • 4
1 Solution
 
rsivanandanCommented:
4x ? I would first suggest you to upgrade it to 6.3(5) because your configuration is going to involve a lot of nat exclusions and stuff like that. The most stable version is 6.3(5).

Cheers,
Rajesh
0
 
prueconsultingCommented:
And how are the Pix's configured in the way of

Outside Interface / Inside etc.. Can you provide a small context diagram
0
 
Heath CalhounAuthor Commented:
No smartnet, so unfortunately we can't upgrade.
The last time I tried to upgrade to 5x, after leaving, we had to return to downgrade back to ver 4.  5x stopped the firewall from working.
Also, I have a bunch of conduits setup to work.  Unless they have changed, I don't like the fact that the firewall stops checking for matches
after it finds the first match in a access list.
0
Rewarding opportunities for women in IT

Across the nation, technology jobs are vacant because there aren’t enough qualified professionals to fill them. With a degree from WGU, you can get the credentials it takes to become an in-demand IT professional. Plus, WGU’s IT programs include industry certifications.

 
Heath CalhounAuthor Commented:
Maybe this helps.
Pix 10.64 resides on a state dps network going through a dps firwall to get to the outside.
Pix 10.247 resides on the state its network to get out.
Both pix's are in the same computer room.

The 10.247.121.x pix route:
outside 0.0.0.0 0.0.0.0 10.247.126.1 1 OTHEr static
inside 10.247.121.0 255.255.255.0 1 CONNECT static
outside 10.247.0 255.255.255.248 10.247.126.2 1 CONNECT static

The 10.64.163.x pix
outside 0.0.0.0 0.0.0.0 10.64.164.1 1 OTHER static
inside 10.64.163.0 255.255.255.0 10.64.163.1 1 CONNECT static
outside 10.64.164.0 255.255.255.0 10.64.164.2 1 CONNECT static

Both firwalls connect ultimately to the state network and then to the internet.
The 10.64 pix goes through the dps network as well to get through their firewall
to the its network.  The 10.247 pix goes to the its network.
Both firewalls are in the same computer room and need to be tied together with
network cards via a crossover cable.

its network to its firewall, internet
dps network, to dps firewall
router, pix 10.64, switch.

its network to itsfirwall, internet
router, pix 10.247. switch
0
 
prueconsultingCommented:
Build a DMZ network in each on the same subnet .

Ie Pix 1 - 10.10.10.1
Pix 2 - 10.10.10.2

Point the Route on PIX 2 to put 10.247.121.0 through 10.10.10.1
PIX 1 - route 10.64.163.0 via 10.10.10.2

and then build approriate Acls to allow the traffic required.



0
 
Heath CalhounAuthor Commented:
That would keep traffic seperate.
Will I need a static command and then a route?
Can you give me a config?  I've never built a dmz or route on a pix before.
Thanks.
0
 
prueconsultingCommented:
The DMZ is just build using one of the other interfaces installed on the PIX.
You shouldnt require a static at all .
ie

interface ethernet2 100full                                                    
nameif ethernet2 DMZ security50
ip address DMZ 10.10.10.1 255.255.255.0

   
example route commands are as follows

route DMZ 10.247.121.0 255.255.255.0 10.10.10.2 1
route DMZ 10.64.163.0 255.255.255.0 10.10.10.1 1
0
 
Heath CalhounAuthor Commented:
Thanks prueconsulting.  That is basically what we did, except we used static.
0
 
prueconsultingCommented:
Glad to be of assistance
0

Featured Post

Identify and Prevent Potential Cyber-threats

Become the white hat who helps safeguard our interconnected world. Transform your career future by earning your MS in Cybersecurity. WGU’s MSCSIA degree program was designed in collaboration with national intelligence organizations and IT industry leaders.

  • 4
  • 4
Tackle projects and never again get stuck behind a technical roadblock.
Join Now