Routing traffic between 2 interfaces on PIX 515 E.

Hello
I have a PIX 515 E with 3 interfaces: outside, inside, DMZ.
The outside interface has a public IP address and is connected to a DSL router.
The inside interface is what all of my clients and servers have configured as their default gateway. The address space is 192.168.10.0/24.
The DMZ interface is not being used at the moment.
I have a private DSL line coming from another company that we do business with. The address space is 172.16.1.0/24. Is there any way I can connect this private DSL router to the DMZ interface and have computers on the other side of the DSL line connect to a few of my servers on the inside? I would like the DSL clients (172.16.1.0/24) to have access to a couple of my servers (192.168.10.21 and .22, for example).

Please let me know what I need to do.
1 Solution
 
Cyclops3590Commented:
Having clients on the DMZ access clients on the inside is easy.
The biggest problem you have is having some sort of router in place on the DMZ as the gateway, stating that Internet traffic goes to the new DSL line whereas the 192.168.10.0/24 traffic goes to the 515.

Add these lines to your PIX:
static (inside,dmz) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
static (dmz,inside) 172.16.1.0 172.16.1.0 netmask 255.255.255.0

then
clear xlate

That will allow the translations to happen between the two interfaces; however, you still need to add an ACL to the DMZ interface to allow the actual traffic to pass.
0
 
eggster34Author Commented:
Oh. The DSL line does not have Internet on it. It terminates on the remote end on another Cisco router with a local IP address.
The DSL line on the DMZ interface will only be used for connectivity between site A (this site) and site B (the remote end where the DSL terminates).
In other words, the DMZ will only be for traffic between 192.168.10.x and 172.16.10.x hosts and nothing else. All Internet activity is over the Internet DSL, which is connected to the outside interface of the PIX.

Based on this new information, are your suggestions above still valid?
0
 
Cyclops3590Commented:
Umm, probably not. Do you mean your setup is like this?

  Site A                                                     Site B
  LAN <---> PIX 515 <---> DSL <---> Internet <---> DSL <---> Router <---> LAN
  192.168.10.x                                                172.16.10.x

If that is what you are trying to do, then what you want is a site-to-site VPN. I know how to do it with PIX/ASA devices on 6.x and 7.x, but I've never done it on a router, so I can't help you there. Let me know. Also, what does the NATing on the site B side? I can give you the config for site A for the PIX, though.
0
 
eggster34Author Commented:
That's a great suggestion, but they don't want a site-to-site VPN.
I know it's very stupid, but they only want a private DSL line between 2 sites. There's no Internet in between.

It's like this.
DMZ interface:
Site A LAN <--> PIX 515 <--> Router / DSL Modem <--> Private DSL <--> Router / DSL Modem <--> Another Firewall <--> LAN
Outside interface:
Site A LAN <--> PIX 515 <--> DSL Modem <--> Internet DSL <--> Internet

I just want to have traffic between the inside network of 192.168.10.0 and the DMZ network of 172.16.10.0, where members of each network can reach each other as if the PIX were actually a router, routing packets back and forth between its inside and DMZ interfaces.
0
 
rsivanandanCommented:
static (inside,dmz) 192.168.10.21 192.168.10.21 netmask 255.255.255.255
static (inside,dmz) 192.168.10.22 192.168.10.22 netmask 255.255.255.255


access-list DMZ_IN permit tcp 172.16.1.0 255.255.255.0 host 192.168.10.21 eq <service>
access-list DMZ_IN permit tcp 172.16.1.0 255.255.255.0 host 192.168.10.22 eq <service>

access-group DMZ_IN in interface dmz

route dmz 172.16.1.0 255.255.255.0 <OtherEndOf the DSL>

These configurations will allow the 172.16.1.x network to access the .21 and .22 hosts on your internal network. Now can you put the respective IP addresses in the diagram you made above and post it? The rest of the routing should be taken care of by the 2 DSL routers.

Hope that helps.

Cheers,
Rajesh
0
 
eggster34Author Commented:
I will try this on Tuesday and let you know how it goes. Many thanks indeed.
0
 
eggster34Author Commented:
I couldn't wait until Tuesday. Let's think about my network as this:

PIX 515: inside interface: 192.168.10.1, DMZ interface: 172.16.10.1, outside interface: 212.26.4.x.

Inside hosts see the PIX as their default gateway and the PIX does NAT for inside clients to reach the Internet.

Let's say I have a single laptop connected to the DMZ interface where the laptop has the IP 172.16.10.2.
I have 2 hosts that I'd like to reach on the inside network, 192.168.10.21 and .22.

How can I establish full access from the laptop to these internal hosts, and from these internal hosts to the laptop?
If you could tell me step by step, I'm sure I can figure out the rest.

many thanks again.
0
 
rsivanandanCommented:
static (inside,dmz) 192.168.10.21 192.168.10.21 netmask 255.255.255.255
static (inside,dmz) 192.168.10.22 192.168.10.22 netmask 255.255.255.255


access-list DMZ_IN permit tcp host 172.16.10.2 host 192.168.10.21 eq <service>
access-list DMZ_IN permit tcp host 172.16.10.2 host 192.168.10.22 eq <service>

access-group DMZ_IN in interface dmz

Try the above.

Cheers,
Rajesh
0
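The two answers above give the pieces (identity statics, an inbound ACL, a route out the DMZ) separately and for two slightly different pictures of the network. The following PIX 6.x configuration is an added example, not posted by anyone in the thread, that puts them together for both cases at once: the partner LAN behind the private DSL router and the test laptop plugged straight into the DMZ segment. It assumes the DMZ segment is 172.16.10.0/24 with the PIX at 172.16.10.1, that the private DSL router sits on that segment at 172.16.10.254 (an assumed address), that the partner LAN behind it is 172.16.1.0/24, and that the inside is 192.168.10.1/24. The service ports (3389, 1433, 22) are placeholders for whatever the servers actually offer. The lines starting with "!" are comments for the reader; drop them when pasting into the PIX.

```cisco
! Added example (PIX 6.x syntax), not from the thread.
! Assumed addressing: inside 192.168.10.1/24, dmz 172.16.10.1/24,
! private DSL router on the DMZ at 172.16.10.254, partner LAN 172.16.1.0/24.
! The nameif/ip address lines restate the interface setup the question describes.
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address inside 192.168.10.1 255.255.255.0
ip address dmz 172.16.10.1 255.255.255.0

! The partner LAN is reached through the DSL router on the DMZ segment.
! The remote side must have the matching return route for 192.168.10.0/24
! pointing at 172.16.10.1, or replies never come back.
route dmz 172.16.1.0 255.255.255.0 172.16.10.254 1

! Identity statics for only the two servers that may be reached from the DMZ.
! A connection initiated on the lower-security dmz interface needs a translation
! to land on; these give .21 and .22 one under their real addresses. No other
! inside host is exposed, whatever the ACL below says.
static (inside,dmz) 192.168.10.21 192.168.10.21 netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.10.22 192.168.10.22 netmask 255.255.255.255 0 0

! Inbound ACL on the DMZ. "eq <port>" requires a transport protocol (tcp or udp);
! "permit ip ... eq <port>" is rejected by the parser. A single host is written
! with the "host" keyword, not with a /24 mask. Ports are illustrative.
access-list DMZ_IN permit tcp 172.16.1.0 255.255.255.0 host 192.168.10.21 eq 3389
access-list DMZ_IN permit tcp 172.16.1.0 255.255.255.0 host 192.168.10.22 eq 1433
access-list DMZ_IN permit tcp host 172.16.10.2 host 192.168.10.21 eq 22
access-list DMZ_IN permit tcp host 172.16.10.2 host 192.168.10.22 eq 22
! PIX 6.x does not track ICMP statefully, so echo requests from the DMZ side
! have to be permitted explicitly if ping is wanted for troubleshooting.
access-list DMZ_IN permit icmp 172.16.1.0 255.255.255.0 host 192.168.10.21 echo
access-list DMZ_IN permit icmp 172.16.1.0 255.255.255.0 host 192.168.10.22 echo
access-list DMZ_IN permit icmp host 172.16.10.2 host 192.168.10.21 echo
access-list DMZ_IN permit icmp host 172.16.10.2 host 192.168.10.22 echo
! Anything else arriving on the DMZ hits the implicit deny at the end of the list.
access-group DMZ_IN in interface dmz

! Rebuild the translation table so the new statics are used immediately.
clear xlate
```

Connections from .21 and .22 toward the laptop or the partner LAN need nothing more: the statics already give those two hosts a translation on the DMZ, and traffic from a higher-security interface to a lower one is permitted unless an ACL is bound to the inside. Other inside hosts have no translation toward the DMZ and will be dropped with a "no translation group found" syslog; if they ever need to talk to the partner, add a NAT exemption such as `nat (inside) 0 access-list <acl>` for 192.168.10.0/24 to 172.16.1.0/24 rather than widening the statics. Because 6.x ICMP is not stateful, pings started from the inside also need the corresponding echo-reply permitted in DMZ_IN. The existing `nat (inside) 1` / `global (outside)` pair that serves the Internet DSL is untouched. After applying, `show xlate` should list the two identity translations, `show access-list DMZ_IN` should show hit counts climbing as the partner connects, and `show route` should show 172.16.1.0/24 via the DMZ. Keep the ACL host- and port-specific: the private DSL line to the partner terminates on a lower-security interface precisely because that network is not under your control.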
 
eggster34Author Commented:
thanks. I'll let you know on Tuesday and I'm sure it will work.
0
