Add Second WAN link to PIX 515UR

bfpnetworking
Level 1

Hi all...I have a PIX 515 with 6 interfaces.

My goal is NOT to have redundant ISPs.  My initial goal is to provide a 2nd public IP address that can receive email in the event that my primary WAN link goes down.

So far, this is what I have.

interface ethernet5 auto
nameif ethernet5 outside2 security0
ip address outside2 64.xx.xx.xx 255.255.255.248
no failover ip address outside2
access-group 31 in interface outside2


access-list 31 permit tcp any host 64.xx.xx.xx eq smtp
static (inside,outside2) tcp 64.xx.xx.xx smtp 172.X.x.x smtp netmask 255.255.255.255 0 0

The static statement should NAT my 2nd public IP to my internal mail gateway. I have the 2nd ISP cable attached to the PIX and the PIX can ping the IP 64.x.x.x and its gateway... But telnetting using port 25 to the public IP address does not work.

Any ideas?

1 Reply

Jon Marshall
Hall of Fame

As far as I know unfortunately this won't work. The problem is that external traffic coming from the internet would indeed go to the mail server. But when the mail server sends its traffic back to the ASA, the ASA looks up the route and sees a default route to the primary ISP going out of the outside interface. It then looks for a static NAT command for the mail server, but it would be looking for a static (inside,outside) ... command because the route points out of the outside interface.

But you actually want to go via the outside2 interface. But you have no route pointing out of that interface. And you can't simply add another default-route. Unless you know the mail servers that would connect to your mail server so you could add host specific routes to your firewall going via the outside2 interface it won't be achievable.

You really need PBR because in effect you are trying to route the mail server traffic from your mail server based on source IP and unfortunately the ASA firewalls do not support PBR.

Jon
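To illustrate the return-path problem Jon describes, here is an added Python model (not code from the thread or from Cisco) of the two lookups the firewall makes for a packet the mail server sends back out: a longest-prefix route lookup picks the egress interface, and only then is a static entry for that exact (ingress,egress) interface pair consulted. With only a default route via outside, the (inside,outside2) static is never matched; adding a host route for the remote mail server via outside2 (the workaround mentioned in the reply) makes it match. All addresses are constructed placeholders.

```python
import ipaddress

# Constructed sample state modelled on the post (placeholder addresses).
MAIL_SERVER = "172.16.1.10"      # internal mail gateway (stands in for 172.X.x.x)
PUBLIC_OUTSIDE2 = "64.0.0.2"     # second public IP (stands in for 64.xx.xx.xx)
REMOTE_MTA = "198.51.100.25"     # a sending mail server on the internet

# Routing table as (prefix, egress interface): only a default route to the
# primary ISP, exactly the situation the reply describes.
ROUTES = [("0.0.0.0/0", "outside")]

# Static NAT entries keyed by (ingress, egress) interface pair, mirroring
# the PIX 'static (inside,outside2) ...' syntax from the question.
STATICS = {
    ("inside", "outside2"): {MAIL_SERVER: PUBLIC_OUTSIDE2},
}


def lookup_route(dst, routes):
    """Longest-prefix match; returns the egress interface name (or None)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def translate_reply(src, dst, routes, statics):
    """Model the firewall's decision for a packet leaving the inside interface.

    Returns (egress_interface, translated_source) where translated_source is
    None when no static exists for the (inside, egress) pair.
    """
    egress = lookup_route(dst, routes)
    entry = statics.get(("inside", egress), {})
    return egress, entry.get(src)


if __name__ == "__main__":
    # Default route only: reply goes out 'outside', static for outside2 is not used.
    print(translate_reply(MAIL_SERVER, REMOTE_MTA, ROUTES, STATICS))
    # Host-specific route for the remote MTA via outside2: static now matches.
    fixed = ROUTES + [(REMOTE_MTA + "/32", "outside2")]
    print(translate_reply(MAIL_SERVER, REMOTE_MTA, fixed, STATICS))
```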
