Solved

Routing traffic between 2 interfaces on PIX 515 E.

Posted on 2006-07-19
889 Views
Last Modified: 2013-11-16
Hello
I have a PIX 515E with 3 interfaces: outside, inside, DMZ.
The outside interface has a public IP address and is connected to a DSL router.
The inside interface is what all of my clients and servers have configured as their default gateway. The address space is 192.168.10.0/24.
The DMZ interface is not being used at the moment.
I have a private DSL line coming from another company that we do business with. The address space is 172.16.1.0/24. Is there any way I can connect this private DSL router to the DMZ interface and have computers on the other side of the DSL line connect to a few of my servers on the inside? I would like the DSL clients (172.16.1.0/24) to have access to a couple of my servers (192.168.10.21 and .22, for example).

Please let me know what I need to do.
Question by: eggster34
9 Comments
 
LVL 25

Expert Comment

by: Cyclops3590
ID: 17140257
Having clients on the DMZ access clients on the inside is easy.
The biggest problem you have is having some sort of router in place on the DMZ as the gateway, stating that internet traffic goes to the new DSL line whereas the 192.168.10.0/24 traffic goes to the 515.

Add these lines to your pix
static (inside,dmz) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
static (dmz,inside) 172.16.1.0 172.16.1.0 netmask 255.255.255.0

then
clear xlate

That will allow the translations to happen between the two interfaces; however, you still need to add an ACL to the DMZ interface to allow the actual traffic to pass.
 

Author Comment

by: eggster34
ID: 17140903
Oh, the DSL line does not have internet on it. It terminates on the remote end on another Cisco router with a local IP address.
The DSL line on the DMZ interface will only be used for connectivity between site A (this site) and site B (the remote end where the DSL terminates).
In other words, the DMZ will only be for traffic between 192.168.10.x and 172.16.10.x hosts and nothing else. All internet activity is over the internet DSL, which is connected to the outside interface of the PIX.

Based on this new information, are your suggestions above still valid?
 
LVL 25

Expert Comment

by: Cyclops3590
ID: 17140977
Umm, probably not. Do you mean your setup is like this?

  Site A                                                          Site B
  LAN     <---> PIX 515 <---> DSL <----> Internet <---> DSL <---> Router <---> LAN
192.168.10.x                                                    172.16.10.x

If that is what you are trying to do, then what you want is a site-to-site VPN. I know how to do it with PIX/ASA devices on 6.x and 7.x, but I've never done it on a router, so I can't help you there. Let me know. Also, what does the NATing on the Site B side? I can give you the config for Site A for the PIX, though.
 

Author Comment

by: eggster34
ID: 17143087
That's a great suggestion, but they don't want a site-to-site VPN.
I know it's very stupid, but they only want a private DSL line between the 2 sites. There's no internet in between.

It's like this:
DMZ interface:
Site A LAN <--> PIX 515 <--> Router / DSL Modem <--> Private DSL <--> Router / DSL Modem <--> Another Firewall <--> LAN
Outside interface:
Site A LAN <--> PIX 515 <--> DSL Modem <--> Internet DSL <--> Internet

I just want to have traffic between the inside network of 192.168.10.0 and the DMZ network of 172.16.10.0 where members of each network can reach each other as if the PIX is actually a router, routing packets back and forth between its inside and DMZ interfaces.

 
LVL 32

Expert Comment

by: rsivanandan
ID: 17143620
static (inside,dmz) 192.168.10.21 192.168.10.21 netmask 255.255.255.255
static (inside,dmz) 192.168.10.22 192.168.10.22 netmask 255.255.255.255

: the eq port operator needs a transport protocol (tcp or udp), not ip
access-list DMZ_IN permit tcp 172.16.1.0 255.255.255.0 host 192.168.10.21 eq <service>
access-list DMZ_IN permit tcp 172.16.1.0 255.255.255.0 host 192.168.10.22 eq <service>
: the ACL does nothing until it is bound to the dmz interface
access-group DMZ_IN in interface dmz

route dmz 172.16.1.0 255.255.255.0 <OtherEndOf the DSL>

These configurations will allow the 172.16.1.x network to access the .21 and .22 hosts on your internal network. Now, can you put the respective IP addresses in the diagram you made above and post it? The rest of the routing should be taken care of by the 2 DSL routers.

Hope that helps.

Cheers,
Rajesh
 

Author Comment

by: eggster34
ID: 17146276
I will try this on Tuesday and let you know how it goes. Many thanks indeed.
 

Author Comment

by: eggster34
ID: 17146792
I couldn't wait until Tuesday. Let's think about my network as this:

PIX 515: inside interface: 192.168.10.1, DMZ interface: 172.16.10.1, outside interface: 212.26.4.x.

Inside hosts see the PIX as their default gateway, and the PIX does NAT for inside clients to reach the internet.

Let's say I have a single laptop connected to the DMZ interface, where the laptop has the IP 172.16.10.2.
I have 2 hosts that I'd like to reach on the inside network, 192.168.10.21 and .22.

How can I establish full access from the laptop to these internal hosts, and from these internal hosts to the laptop?
If you could tell me step by step, I'm sure I can figure out the rest.

many thanks again.
 
LVL 32

Accepted Solution

by: rsivanandan (earned 500 total points)
ID: 17147820
static (inside,dmz) 192.168.10.21 192.168.10.21 netmask 255.255.255.255
static (inside,dmz) 192.168.10.22 192.168.10.22 netmask 255.255.255.255

: single laptop, so a host entry; eq needs tcp or udp, not ip
access-list DMZ_IN permit tcp host 172.16.10.2 host 192.168.10.21 eq <service>
access-list DMZ_IN permit tcp host 172.16.10.2 host 192.168.10.22 eq <service>

: interface names are case-sensitive and must match the static statements
access-group DMZ_IN in interface dmz

Try the above.

Cheers,
Rajesh
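The accepted solution above, and rsivanandan's earlier post for the partner-LAN case, assembled into one complete PIX 6.3 configuration for the scenario in the question (partner LAN 172.16.1.0/24 behind a private DSL router on the DMZ segment, two published servers on the inside). This is an added example, not configuration posted in the thread. The DMZ security level, the DSL router address 172.16.10.254, the ICMP echo lines and the service ports 445 and 3389 are assumptions made here; the thread leaves the service as a placeholder, and you should substitute the real ports.

```cisco
: Added example (not from the thread): inside <-> dmz reachability on a PIX 515E
: running 6.3. Lines beginning with ":" are PIX comments.
: Assumed, not from the thread: dmz security level 50, partner DSL router at
: 172.16.10.254, published services TCP 445 on .21 and TCP 3389 on .22.

: Interface setup as described in the question (shown for completeness).
nameif ethernet2 dmz security50
ip address inside 192.168.10.1 255.255.255.0
ip address dmz 172.16.10.1 255.255.255.0

: Identity statics: the two servers keep their real addresses when seen from
: the dmz. No other inside host has a translation toward the dmz, so nothing
: else on 192.168.10.0/24 is reachable from the partner side.
static (inside,dmz) 192.168.10.21 192.168.10.21 netmask 255.255.255.255
static (inside,dmz) 192.168.10.22 192.168.10.22 netmask 255.255.255.255

: The partner LAN sits behind the private DSL router on the dmz segment.
: For the single-laptop test (172.16.10.2 directly on the dmz) no route is needed.
route dmz 172.16.1.0 255.255.255.0 172.16.10.254 1

: Interface ACL for dmz -> inside. Port operators need tcp or udp, never ip.
: Only the required services, only from the partner range; the implicit deny
: at the end drops everything else the partner sends toward us.
access-list DMZ_IN permit tcp 172.16.1.0 255.255.255.0 host 192.168.10.21 eq 445
access-list DMZ_IN permit tcp 172.16.1.0 255.255.255.0 host 192.168.10.22 eq 3389
: Assumed: allow ping to the two servers so the partner can test reachability.
access-list DMZ_IN permit icmp 172.16.1.0 255.255.255.0 host 192.168.10.21 echo
access-list DMZ_IN permit icmp 172.16.1.0 255.255.255.0 host 192.168.10.22 echo
access-group DMZ_IN in interface dmz

: Rebuild the translation table so the new statics apply to existing flows.
clear xlate
```

Check it with `show xlate` (the two identity entries should appear as soon as a dmz host hits them), `show access-list DMZ_IN` (hit counts per line tell you which rule matched), and `show conn` while a partner host connects. Two caveats a practitioner would want: inside to dmz is permitted by default because inside has the higher security level, so inside hosts can initiate connections toward the partner LAN unless an ACL on the inside interface says otherwise; and `clear xlate` drops every active translation, including the outside NAT entries for internet users, so run it in a quiet window.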
 

Author Comment

by: eggster34
ID: 17150554
Thanks. I'll let you know on Tuesday, and I'm sure it will work.

Question has a verified solution.