Solved

Routing traffic between 2 interfaces on PIX 515 E.

Posted on 2006-07-19
Last Modified: 2013-11-16
Hello
I have a PIX 515 E with 3 interfaces: outside, inside, DMZ.
The outside interface has a public IP address and is connected to a DSL router.
The inside interface is what all of my clients and servers have configured as the default gateway. The address space is 192.168.10.0/24.
The DMZ interface is not being used at the moment.
I have a private DSL line coming from another company that we do business with. The address space is 172.16.1.0/24. Is there any way I can connect this private DSL router to the DMZ interface and have computers on the other side of the DSL line connect to a few of my servers on the inside? I would like the DSL clients (172.16.1.0/24) to have access to a couple of my servers (192.168.10.21 and .22, for example).

Please let me know what I need to do.
Question by:eggster34
9 Comments
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 17140257
Having clients on the DMZ access clients on the inside is easy.
The biggest problem you have is having some sort of router in place on the DMZ as the gateway, stating that internet traffic goes to the new DSL line whereas the 192.168.10.0/24 traffic goes to the 515.

Add these lines to your PIX:
static (inside,dmz) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
static (dmz,inside) 172.16.1.0 172.16.1.0 netmask 255.255.255.0

then
clear xlate

That will allow the translations to happen between the two interfaces; however, you still need to add an ACL to the DMZ interface to allow the actual traffic to pass.
 

Author Comment

by:eggster34
ID: 17140903
Oh, the DSL line does not have internet on it. It terminates on the remote end on another Cisco router with a local IP address.
The DSL line on the DMZ interface will only be used for connectivity between site A (this site) and site B (the remote end where the DSL terminates).
In other words, the DMZ will only be for traffic between 192.168.10.x and 172.16.10.x hosts and nothing else. All internet activity is over the internet DSL, which is connected to the outside interface of the PIX.

Based on this new information, are your suggestions above still valid?
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 17140977
Umm, probably not. Do you mean your setup is like this?

  Site A                                                              Site B
  LAN        <---> PIX 515 <---> DSL <---> Internet <---> DSL <---> Router <---> LAN
192.168.10.x                                                      172.16.10.x

If that is what you are trying to do, then what you want is a site-to-site VPN. I know how to do it with PIX/ASA devices on 6.X and 7.X, but I've never done it on a router, so I can't help you there. Let me know. Also, what does the NATing on the Site B side? I can give you the config for Site A for the PIX though.
 

Author Comment

by:eggster34
ID: 17143087
That's a great suggestion, but they don't want a site-to-site VPN.
I know it's very stupid, but they only want a private DSL line between 2 sites. There's no internet in between.

It's like this.
DMZ interface:
Site A LAN <--> PIX 515 <--> Router / DSL Modem <--> Private DSL <--> Router / DSL Modem <--> Another Firewall <--> LAN
Outside interface:
Site A LAN <--> PIX 515 <--> DSL Modem <--> Internet DSL <--> Internet

I just want to have traffic between the inside network of 192.168.10.0 and the DMZ network of 172.16.10.0, where members of each network can reach each other as if the PIX were actually a router, routing packets back and forth between its inside and DMZ interfaces.
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17143620
static (inside,dmz) 192.168.10.21 192.168.10.21 netmask 255.255.255.255
static (inside,dmz) 192.168.10.22 192.168.10.22 netmask 255.255.255.255

access-list DMZ_IN permit tcp 172.16.1.0 255.255.255.0 host 192.168.10.21 eq <service>
access-list DMZ_IN permit tcp 172.16.1.0 255.255.255.0 host 192.168.10.22 eq <service>

route dmz 172.16.1.0 255.255.255.0 <OtherEndOfTheDSL>

These configurations will allow the 172.16.1.x network to access the .21 and .22 hosts on your internal network. Now can you put the respective IP addresses in the diagram you made above and post it? The rest of the routing should be taken care of by the 2 DSL routers.

Hope that helps.

Cheers,
Rajesh
 

Author Comment

by:eggster34
ID: 17146276
I will try this on Tuesday and let you know how it goes. Many thanks indeed.
 

Author Comment

by:eggster34
ID: 17146792
I couldn't wait until Tuesday. Let's think about my network as this:

PIX 515: inside interface: 192.168.10.1, DMZ interface: 172.16.10.1, outside interface: 212.26.4.x.

Inside hosts see the PIX as their default gateway, and the PIX does NAT for inside clients to reach the internet.

Let's say I have a single laptop connected to the DMZ interface, where the laptop has the IP 172.16.10.2.
I have 2 hosts that I'd like to reach on the inside network, 192.168.10.21 and 10.22.

How can I establish full access from the laptop to these internal hosts, and from these internal hosts to the laptop?
If you could tell me step by step, I'm sure I can figure out the rest.

many thanks again.
 
LVL 32

Accepted Solution

by:
rsivanandan earned 500 total points
ID: 17147820
static (inside,dmz) 192.168.10.21 192.168.10.21 netmask 255.255.255.255
static (inside,dmz) 192.168.10.22 192.168.10.22 netmask 255.255.255.255

access-list DMZ_IN permit tcp host 172.16.10.2 host 192.168.10.21 eq <service>
access-list DMZ_IN permit tcp host 172.16.10.2 host 192.168.10.22 eq <service>

access-group DMZ_IN in interface dmz

Try the above.

Cheers,
Rajesh
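A small Python model of how the PIX evaluates a DMZ_IN list like the one above, added here as an illustration and not part of the thread or of any Cisco tool. It parses the accepted answer's two entries (with a constructed port 3389 standing in for the <service> placeholder), applies first-match evaluation with the implicit deny at the end, rejects "eq" on a non-tcp/udp entry as the PIX parser does, and shows that writing "172.16.10.2 255.255.255.0" instead of "host 172.16.10.2" opens the whole /24 to the inside hosts rather than the single laptop.

```python
import ipaddress
from typing import List, Optional, Tuple

# One access-control entry: protocol, source net, destination net, optional dest port.
Ace = Tuple[str, ipaddress.IPv4Network, ipaddress.IPv4Network, Optional[int]]

def parse_ace(line: str) -> Ace:
    """Parse one 'access-list NAME permit PROTO SRC DST [eq PORT]' line (PIX 6.x style).

    Addresses are 'host A.B.C.D', 'any', or 'A.B.C.D MASK' (classic subnet mask).
    Raises ValueError for 'eq' on a non-tcp/udp entry, which the PIX itself rejects.
    """
    tok = line.split()
    if len(tok) < 6 or tok[0] != "access-list" or tok[2] != "permit":
        raise ValueError(f"unsupported ACE: {line}")
    proto, pos = tok[3], 4

    def addr() -> ipaddress.IPv4Network:
        nonlocal pos
        if tok[pos] == "host":
            net, pos = ipaddress.ip_network(f"{tok[pos + 1]}/32"), pos + 2
        elif tok[pos] == "any":
            net, pos = ipaddress.ip_network("0.0.0.0/0"), pos + 1
        else:
            # 'A.B.C.D MASK': host bits are masked off, so 172.16.10.2 255.255.255.0
            # means the whole 172.16.10.0/24, not the single laptop.
            net, pos = ipaddress.ip_network(f"{tok[pos]}/{tok[pos + 1]}", strict=False), pos + 2
        return net

    src, dst = addr(), addr()
    port = None
    if pos < len(tok) and tok[pos] == "eq":
        if proto not in ("tcp", "udp"):
            raise ValueError(f"'eq' is only valid with tcp/udp, not '{proto}': {line}")
        port = int(tok[pos + 1])
    return proto, src, dst, port

def permits(acl: List[Ace], proto: str, src: str, dst: str, dport: Optional[int] = None) -> bool:
    """First-match evaluation; anything not matched hits the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p, sn, dn, port in acl:
        proto_ok = p == "ip" or p == proto
        if proto_ok and s in sn and d in dn and (port is None or port == dport):
            return True
    return False

# Constructed DMZ_IN list modelled on the accepted answer; port 3389 is a stand-in
# for the thread's <service> placeholder, and both entries are scoped to the laptop.
DMZ_IN = [parse_ace(l) for l in (
    "access-list DMZ_IN permit tcp host 172.16.10.2 host 192.168.10.21 eq 3389",
    "access-list DMZ_IN permit tcp host 172.16.10.2 host 192.168.10.22 eq 3389",
)]
```

Return traffic from .21/.22 back to the laptop rides on the stateful connection the PIX builds for the permitted flow, so it needs no entry here; inside-initiated flows toward the DMZ are governed by the higher security level of the inside interface plus the static entries, not by DMZ_IN.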
 

Author Comment

by:eggster34
ID: 17150554
thanks. I'll let you know on Tuesday and I'm sure it will work.
Question has a verified solution.