topic Re: Problem using 2 outside interfaces in Network Security

Problem using 2 outside interfaces

davistw — Mon, 11 Mar 2019 12:58:36 GMT

I am trying to do is setup a pix with 2 outside interfaces (See Drawing 1). Below is the configuation.

--------------------

Building configuration...

: Saved

PIX Version 6.3(5)

interface ethernet0 auto

interface ethernet0 vlan16 logical

interface ethernet1 auto

interface ethernet1 vlan3 logical

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif vlan3 inside_pc_vlan3 security99

nameif vlan16 outside_pc_vlan16 security1

/SNIP/

access-list 101 permit ip any any

access-list inside_pc_vlan3_access_in permit ip 192.168.6.0 255.255.254.0 192.168.5.0 255.255.255.0

access-list inside_pc_vlan3_access_in permit ip 192.168.6.0 255.255.254.0 any

/SNIP/

ip address outside 192.168.136.2 255.255.255.0

ip address inside 192.168.5.254 255.255.255.0

ip address inside_pc_vlan3 192.168.7.254 255.255.254.0

ip address outside_pc_vlan16 192.168.26.2 255.255.254.0

/SNIP/

global (outside) 1 192.168.136.20-192.168.136.245

global (outside) 1 interface

global (outside_pc_vlan16) 16 192.168.26.20-192.168.27.245

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

nat (inside_pc_vlan3) 16 0.0.0.0 0.0.0.0 0 0

/SNIP/

static (inside,inside_pc_vlan3) 192.168.5.0 192.168.5.0 netmask 255.255.255.0 0 0

access-group 101 in interface outside

access-group inside_pc_vlan3_access_in in interface inside_pc_vlan3

route outside 0.0.0.0 0.0.0.0 192.168.136.1 1

/SNIP/

---------------------

When I try to connect from a PC on inside_pc_vlan3 to an external machine I get the following error:

%PIX-3-305006: portmap translation creation failed for tcp src inside_pc_vlan3:192.168.6.1/2802 dst outside:192.168.133.207/80

However, when I move inside_pc_vlan3's nat to the outside interface via

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

Everthing works except it is using the wrong interface and wrong nat pool...

I think the error is in the routing because fromt the error it appears that the failure is on the "outside" interface but I don't know how to fix it.

Recommendations?

Re: Problem using 2 outside interfaces

Farrukh Haroon — Thu, 12 Jun 2008 19:42:03 GMT

This is the expected behavior, you are trying to reach "192.168.133.207", which is not directly connected (in your routing table). So the PIX assumes this has to go out the default route (going towards the "outside" interface). The nat statement for the inside_pc_vlan3 zone is:

nat (inside_pc_vlan3) 16 0.0.0.0 0.0.0.0 0 0

The PIX is looking for a corresponding global statement i.e.

global (outside) 16 XYZ

Since that is not there, it is complaining.

Also in your diagram you mentioned inside_pc_vlan3's IP on the PIX is "192.168.5.254" yet in the config it is "192.168.7.254" and lastly the traffic you are initiating is "192.168.6.0/24" so what is the real subnet my friend? .5 .6 or .7? 🙂 .5 it cannot be because that is the subnet for inside.

Regards

Farrukh

Re: Problem using 2 outside interfaces

davistw — Thu, 12 Jun 2008 19:57:01 GMT

Thanks for the reply...

Sorry I munged the drawing. The config is right. The interface address for vlan3 is 7.254 not 5.254...

I have a global that matches 16

global (outside_pc_vlan16) 16 192.168.26.20-192.168.27.245

Why would I have to define one for the outside interface?

What I want to do is NAT from inside_pc_vlan3 to outside_pc_vlan16.

Re: Problem using 2 outside interfaces

Farrukh Haroon — Thu, 12 Jun 2008 20:02:42 GMT

Because the route lookup is done *first* and then NAT kicks in.

Source = 192.168.6.0

Destination Lookup = 192.168.133.0/ 24 is reachable via where? "Outside"

Since the default gateway is pointing towards there.

So its looking for a global (outside) and NOT global (outside_pc_Vlan16)

Hope this helps

Regards

Farrukh

Re: Problem using 2 outside interfaces

davistw — Thu, 12 Jun 2008 20:02:56 GMT

Here is an updated drawing with the correct addresses...

Re: Problem using 2 outside interfaces

davistw — Thu, 12 Jun 2008 21:23:23 GMT

Ahh, that makes sense....

How do I fix it? What I need is a way to make the default route for the inside_pc_vlan3 interface to point to outside_vlan16 instead of outside. Is this doable?

Re: Problem using 2 outside interfaces

Farrukh Haroon — Fri, 13 Jun 2008 10:17:05 GMT

You cannot have two default routes on the Cisco firewall for two different interfaces. Or if you are looking to go out to specific subnets/destinations, you could add specific routes for those destinations pointing towards the second outside interface, like

route 192.168.133.0 255.255.255.0 outside_pc_vlan16

Why don't you use a common outside subnet for both inside subnets?

Regards

Farrukh

Re: Problem using 2 outside interfaces

davistw — Mon, 16 Jun 2008 12:57:10 GMT

Thanks that is what I thought. I am trying to roll from a legacy structure to a new subnet without a hard cutover.. I guess I will have to go to a single subnet infactruture....

Thanks again.

Re: Problem using 2 outside interfaces

Farrukh Haroon — Mon, 16 Jun 2008 13:54:52 GMT

No problems at all, glad I could help.

Regards

Farrukh

Re: Problem using 2 outside interfaces

davistw — Tue, 17 Jun 2008 20:10:17 GMT

Just thinking, would this implementation be a possibility if I upgraded to 7.X? Couldnt I setup 2 virtual firewalls and have each route accordingly?

Re: Problem using 2 outside interfaces

Farrukh Haroon — Wed, 18 Jun 2008 01:38:42 GMT

Yes you can. I was thinking of suggesting this, but you even want communication between the two insides....that will make the setup a little complex.

Regards

Farrukh

Re: Problem using 2 outside interfaces

davistw — Wed, 25 Jun 2008 12:00:20 GMT

Cool, I am going to do some research in this direction. Thanks...

Re: Problem using 2 outside interfaces

a.alekseev — Wed, 25 Jun 2008 15:46:30 GMT

with contexts you will lose all VPN functionality

Re: Problem using 2 outside interfaces

Farrukh Haroon — Wed, 25 Jun 2008 15:56:49 GMT

Yes that is true. Also there will be no more dynamic routing, QOS etc.

Regards

Farrukh

Re: Problem using 2 outside interfaces

davistw — Wed, 25 Jun 2008 18:53:22 GMT

That is ok I am not nor will I be using vpn or dynamic routing...

Re: Problem using 2 outside interfaces

davistw — Wed, 25 Jun 2008 19:02:50 GMT

Thanks...