topic Re: pix with two different network in Network Security

pix with two different network

khandakartuhin — Fri, 21 Feb 2020 08:21:33 GMT

i am new in pix, i need to know is it possiable to configure PIX with complitely two different network IP.

exp. i have two internet connection have IP 100.100.100.10 and 200.200.200.20

my local network user IP network is 172.16.1.0. Pls give me a clue.

Re: pix with two different network

mehrdad — Tue, 30 Aug 2005 14:13:07 GMT

you can't define secondary address to an interface

Re: pix with two different network

mehrdad — Tue, 30 Aug 2005 15:02:47 GMT

You should connect each provider to specify zone then use them, unfortunately there isn't any load balance at the PIX so you should balance your inside internet usage traffic through NAT, it means NAT half of your network through provider1 and rest of network by provider2

for example :

nameif ethernet0 outside security0

nameif ethernet2 outside2 security5

nameif ethernet1 inside security100

ip address outside 100.100.100.10 255.255.255.0

ip address outside2 200.200.200.20 255.255.255.0

ip address inside 172.16.1.1 255.255.255.0

nat (inside) 1 172.16.1.0 255.255.255.128

nat (inside) 2 172.16.1.128 255.255.255.128

global (outside) 1 interface

global (outside2) 1 interface

Regards,

Mehrdad

Re: pix with two different network

pwicks — Tue, 30 Aug 2005 16:15:08 GMT

When you say you have two Internet connections, do you mean:

1. You have two separate network connections with one IP address each or;

2. You have one network connection with two IP addresses?

Each situation has a different solution.

Solution 1: If you have two separate network connections with one IP address each, you most likey have a Pix 515 or above. Just assign each interface its own IP:

ip address outside 100.100.100.10 255.255.255.0

ip address inside 172.16.1.1 255.255.255.0

ip address dmz 200.200.200.20 255.255.255.0

Solution 2: If you have one network connection with two IP addresses, you set the first address to the outside interface and create a static translation for the second address:

ip address outside 100.100.100.10 255.255.255.0

ip address inside 172.16.1.1 255.255.255.0

static (inside,outside) 200.200.200.20 172.16.1.20 netmask 255.255.255.0 0 0

Please let me know if this information helps.

Re: pix with two different network

khandakartuhin — Sun, 04 Sep 2005 03:20:01 GMT

Thanks,

is there any problem broadcust, multicust or igmp problem from one outside network to other outside network? i dont want any packet come and go from one outside to other outside.

Re: pix with two different network

mehrdad — Sun, 04 Sep 2005 08:07:29 GMT

first of all, i had miss type at last reply please correct it : global (outside2) 2 interface

in fact there isn't any facilities to implement source routing at pix software except version 7.x that i'm not sure, in order to specify the route that a packet should take through the network (for two default gateways from two ISPs) so if you have perimeter router at your network that is connected to ISPs we can implement your situation as below :

LAN---PIX---Router--{two connections ISP1 ISP2}

PIX :

nameif ethernet0 outside security0

nameif ethernet1 inside security100

ip address outside 192.168.100.1 255.255.255.252

ip address inside 172.16.1.1 255.255.255.0

nat (inside) 1 172.16.1.0 255.255.255.128

nat (inside) 2 172.16.1.128 255.255.255.128

global (outside) 1 100.100.100.10 netmask 255.255.255.255

global (outside2) 2 200.200.200.20 netmask 255.255.255.255

route outside 0.0.0.0 0.0.0.0 192.168.100.2

Router :

interface FastEthernet0/0

description connected to PIX

ip address 192.168.100.2 255.255.255.252

ip policy route-map providers

access-list 130 permit ip host 100.100.100.10 any

access-list 131 permit ip host 200.200.200.20 any

route-map providers permit 130

match ip address 130

set ip next-hop ISP1

route-map providers permit 131

match ip address 131

set ip next-hop ISP2

ip router 100.100.100.10 255.255.255.255 192.168.100.1

ip router 200.200.200.20 255.255.255.255 192.168.100.1

In this scenario half of your network go through one ISP (send/receive from same ISP) and rest of the network from another ISP.

hope this help

Regards,

Mehrdad Arshad Rad

Re: pix with two different network

khandakartuhin — Mon, 05 Sep 2005 11:46:44 GMT

Thanks to all for ur soluation,

actually i am not clear of my quistion, sorry for that.

what i really want,

two different internet configured in one pix firewall. (four eth port)

all local user have no access to internet. i don't need any DMZ.

only three static entry is mail, www and proxy.

users only access to this three server.

"Both internet must not communicate or send any packet to each other"

So, Possiable?

Re: pix with two different network

blyap20 — Wed, 07 Sep 2005 04:32:25 GMT

Sorry, Just curious.. Is there a posibility if we connected to two ISPs, an auto failover can be done if you have configured a static load balance?

Re: pix with two different network

khandakartuhin — Wed, 07 Sep 2005 10:45:11 GMT

Thanks to all for ur soluation,

actually i am not clear of my quistion, sorry for that.

what i really want,

two different internet configured in one pix firewall. (four eth port)

all local user have no access to internet. i don't need any DMZ.

only three static entry is mail, www and proxy.

users only access to this three server.

"Both internet must not communicate or send any packet to each other"

So, Possiable?

And Do anybody know how to start a new conversation....?

Re: pix with two different network

khandakartuhin — Wed, 07 Sep 2005 11:08:39 GMT

Thanks to all for ur soluation,

actually i am not clear of my quistion, sorry for that.

what i really want,

two different internet configured in one pix firewall. (four eth port)

all local user have no access to internet. i don't need any DMZ.

only three static entry is mail, www and proxy.

users only access to this three server.

"Both internet must not communicate or send any packet to each other"

So, Possiable with VLAN?

And Do anybody know how to start a new conversation....?