Solved

Routing traffic between 2 interfaces on PIX 515 E.

Posted on 2006-07-19
Last Modified: 2013-11-16
Hello
I have a PIX 515 E with 3 interfaces. outside , inside , DMZ.
the outside interface has a public ip address and is connected to a dsl router.
the inside interface is where all of my clients and servers are, and they have it configured as their default gateway. The address space is 192.168.10.0 / 24
the DMZ interface is not being used at the moment.
I have a private DSL line coming from another company that we do business with. The address space is 172.16.1.0 / 24. Is there any way I can connect this private DSL router to the DMZ interface and have computers on the other side of the DSL line connect to a few of my servers on the inside? I would like the DSL clients (172.16.1.0 / 24) to have access to a couple of my servers (192.168.10.21 and .22 for example.)

Please let me know what I need to do.
Question by:eggster34
LVL 25

Expert Comment

by:Cyclops3590
ID: 17140257
having clients on the dmz access clients on the inside is easy
the biggest problem you have is having some sort of router in place on the dmz as the gateway stating that internet traffic goes to the new DSL line whereas the 192.168.10.0/24 traffic goes to the 515

Add these lines to your pix
static (inside,dmz) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
static (dmz,inside) 172.16.1.0 172.16.1.0 netmask 255.255.255.0

then
clear xlate

That will allow the translations to happen between the two interfaces, however you still need to add an acl to the dmz interface to allow the actual traffic to pass
 

Author Comment

by:eggster34
ID: 17140903
oh. the dsl line does not have internet on it. it terminates on the remote end on another cisco router with a local ip address.
the dsl line on the dmz interface will only be used for connectivity between site A (this site) and site B (the remote end where the DSL terminates.)
in other words the dmz will only be for traffic between 192.168.10.x and 172.16.10.x hosts and nothing else. All internet activity is over the internet DSL which is connected to the outside interface of the pix.

based on this new information, are your suggestions above still valid?
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 17140977
umm, probably not. Do you mean your setup is like this?

  Site A                                                        Site B
  LAN  <---> PIX 515 <---> DSL <---> Internet <---> DSL <---> Router <---> LAN
192.168.10.x                                                   172.16.10.x

If that is what you are trying to do, then what you want is a site to site VPN. I know how to do it with PIX/ASA devices on 6.X and 7.X, but I've never done it on a router so can't help you there. Let me know. Also, what does the NATing on the Site B side? I can give you the config for Site A for the pix though.
 

Author Comment

by:eggster34
ID: 17143087
that's a great suggestion but they don't want a site to site vpn.
I know it's very stupid but they only want a private DSL line between 2 sites. There's no internet in between.

it's like this.
DMZ interface:
Site A LAN <--> PIX 515 <--> Router / DSL Modem <--> Private DSL <--> Router / DSL Modem <--> Another Firewall <--> LAN
Outside interface:
Site A LAN <--> PIX 515 <--> DSL Modem <--> Internet DSL <--> Internet

I just want to have traffic between the inside network of 192.168.10.0 and the DMZ network of 172.16.10.0 where members of each network can reach each other as if the PIX is actually a router, routing packets back and forth between its inside and DMZ interfaces.
LVL 32

Expert Comment

by:rsivanandan
ID: 17143620
static (inside,dmz) 192.168.10.21 192.168.10.21 netmask 255.255.255.255
static (inside,dmz) 192.168.10.22 192.168.10.22 netmask 255.255.255.255


access-list DMZ_IN permit tcp 172.16.1.0 255.255.255.0 host 192.168.10.21 eq <service>
access-list DMZ_IN permit tcp 172.16.1.0 255.255.255.0 host 192.168.10.22 eq <service>

route dmz 172.16.1.0 255.255.255.0 <OtherEndOf the DSL>

These configurations will allow the 172.16.1.x network to access the .21 and .22 hosts on your internal network. Now can you put the respective ip addresses in the diagram you made above and post it? The rest of the routing should be taken care of by the 2 DSL routers.

Hope that helps.

Cheers,
Rajesh
 

Author Comment

by:eggster34
ID: 17146276
I will try this on Tuesday and let you know how it goes. Many thanks indeed.
 

Author Comment

by:eggster34
ID: 17146792
I couldn't wait until Tuesday. Let's think about my network as this:

PIX 515: inside interface: 192.168.10.1 dmz interface 172.16.10.1 outside interface: 212.26.4.x.

inside hosts see the pix as their default gateway and the pix does NAT for inside clients to reach the internet.

let's say I have a single laptop connected to the dmz interface where the laptop has the ip: 172.16.10.2
I have 2 hosts that I'd like to reach on the inside network, 192.168.10.21 and 10.22

How can I establish full access from the laptop to these internal hosts, and from these internal hosts to the laptop?
If you could tell me step by step, I'm sure I can figure out the rest.

many thanks again.
 
LVL 32

Accepted Solution

by:
rsivanandan earned 500 total points
ID: 17147820
static (inside,dmz) 192.168.10.21 192.168.10.21 netmask 255.255.255.255
static (inside,dmz) 192.168.10.22 192.168.10.22 netmask 255.255.255.255


access-list DMZ_IN permit tcp host 172.16.10.2 host 192.168.10.21 eq <service>
access-list DMZ_IN permit tcp host 172.16.10.2 host 192.168.10.22 eq <service>

access-group DMZ_IN in interface dmz

Try the above.

Cheers,
Rajesh
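The two answers from rsivanandan above give the pieces (identity statics, a DMZ ACL, a route) for the laptop-on-dmz case and for the real remote LAN. Below is an added, complete PIX 6.3-style configuration for the whole scenario; it is example configuration written for this page, not code from the thread or from Cisco. It assumes the inside network is 192.168.10.0/24 behind 192.168.10.1, the dmz interface is ethernet2 named "dmz" at 172.16.10.1, the remote LAN is 172.16.1.0/24 (as in the original question) and is reached through a DSL router on the dmz segment at the placeholder address <DSL_ROUTER_DMZ_IP>; the security level and the service ports 445 and 1433 are assumed example values.

```cisco
! Added example configuration, not from the thread or from Cisco.
! Assumptions: dmz = ethernet2 at 172.16.10.1, remote LAN 172.16.1.0/24
! behind a DSL router on the dmz segment (<DSL_ROUTER_DMZ_IP> is a
! placeholder), inside hosts 192.168.10.21/.22 offer TCP 445 and 1433.

! dmz sits below inside (security100), so dmz -> inside needs both a
! translation for the destination and an explicit ACL.
nameif ethernet2 dmz security50
ip address dmz 172.16.10.1 255.255.255.0

! Identity static: inside addresses appear unchanged on the dmz.
! It also covers the inside -> dmz direction, so inside hosts do not
! fall through to the Internet NAT when they talk to 172.16.x.x.
static (inside,dmz) 192.168.10.0 192.168.10.0 netmask 255.255.255.0 0 0

! Route to the remote site through the DSL router on the dmz segment.
route dmz 172.16.1.0 255.255.255.0 <DSL_ROUTER_DMZ_IP> 1

! Least privilege: only the remote LAN, only the two hosts, only the
! needed ports. "eq <port>" is valid with tcp/udp, not with "ip".
! "log" sends each hit to syslog at the default level.
access-list DMZ_IN permit tcp 172.16.1.0 255.255.255.0 host 192.168.10.21 eq 445 log
access-list DMZ_IN permit tcp 172.16.1.0 255.255.255.0 host 192.168.10.22 eq 1433 log
! The implicit deny would drop everything else silently; an explicit
! logged deny makes rejected attempts visible for troubleshooting.
access-list DMZ_IN deny ip any any log
access-group DMZ_IN in interface dmz

! Flush existing translation slots so the new static takes effect.
clear xlate
```

Two points worth checking after applying something like this: the ACL as written permits no ICMP, so a ping test from the remote site will fail even though the TCP services work (add a specific permit icmp line if echo is wanted), and the network-wide static exposes every inside address to the dmz, so the ACL is the only thing limiting the remote site to .21 and .22; keep it host- and port-specific rather than permitting ip to the whole /24.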
 

Author Comment

by:eggster34
ID: 17150554
thanks. I'll let you know on Tuesday and I'm sure it will work.