Configuring Pix behind a Pix

smbtest12
Level 1

Hi

We have one Pix sitting as f/w for our servers. I now want to configure another Pix, whose outside interface is on the same subnet as the inside interface of the first Pix. The second Pix will be in front of our LAN, so you can consider the servers to be in a DMZ. The outside Pix is working fine, so I don't really want to touch that too much.

I have set up the second Pix pretty much the same as the first; however, I cannot seem to ping between DMZ and LAN. With the same setup on the first Pix, I can ping between the internet and DMZ.

The only difference is that the outside Pix has NATting, and I want to avoid it on the inside one, although if it is needed, then that is fine.

Internet --- Pix1 ---- Servers --- Pix2 ---- LAN

Any ideas of where I should look first?

Thank you in advance.

Regards

Ali

19 Replies

Ali

Okay, I see where I went wrong. I forgot that what we are calling the DMZ is not actually another interface on the inside Pix but still the outside interface. So when I asked you to add that other NAT statement, that would indeed have created confusion. Apologies for that.

The reason I suspect that just adding my statement didn't work is because the outside Pix does not know how to route back to 192.168.5.0/24. So you could either

1) remove your existing nat & global statements and add the following

static (inside,outside) 192.168.5.0 192.168.5.0 netmask 255.255.255.0

and make sure that the outside pix has a route back to the 192.168.5.0/24 network via the outside interface of the inside pix

OR

we could try policy NAT, i.e.

access-list inside_to_dmz permit ip 192.168.5.0 255.255.255.0 192.168.105.0 255.255.255.0

** static (inside,outside) 192.168.5.0 access-list inside_to_dmz

** Note - I don't have a Pix/ASA to test on. The above syntax is not quite right - it could be

static (inside,outside) 192.168.5.0 255.255.255.0 access-list inside_to_dmz

or it might be some other combination. Apologies for being vague, but I haven't configured this in a while and I've forgotten the exact syntax.

Jon

Jon

Thanks, I tried both methods but wasn't successful with either. I am attaching the Pix config for Pix1. (19x.yyy.zzz is a public IP range)

Which interface does the static route from Pix1 to 192.168.5.0/24 come from, is it inside or outside? It is a little confusing, because in this case the traffic from Pix1 travels on the inside of the f/w to Pix2 through the outside interface of Pix2, but doesn't necessarily go through the inside interface of Pix1. Am I right in thinking this is so?

So I tried both methods and wasn't successful; however, Packet Tracer seems to show that there is communication between both 192.168.5.0/24 and 192.168.105.0/24. I have tried different ports and different protocols.

Thanks for your help

Ali

The key parts of the config are -

1) Your NATting

global (outside) 1 interface

global (outside) 3 19x.yyy.zzz.9 netmask 255.255.255.255

global (inside) 1 interface

static NATting here between inside and outside for all hosts, 1-2-1

Apart from the fact that you have global statements with no corresponding nat statements, there is no NATting for the 192.168.5.0/24 IP addresses. The easiest way to fix this is

nat (inside) 4 192.168.5.0 255.255.255.0

global (outside) 4 interface

HOWEVER - because I can't make much sense of your NAT config on this firewall, you need to be very careful. I can't guarantee it won't break anything. What you do need to do is ensure that 192.168.5.x addresses are translated to public IP(s).

Is there a chance some of the NAT config is missing?

Also, the 1-2-1 NATs: are these all for 192.168.105.x servers?

2) Routing -

route outside 192.168.5.0 255.255.255.0 192.168.105.9 2

This route should read -

route inside 192.168.5.0 255.255.255.0 192.168.105.9 2

Jon
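A small checker for the problems Jon describes in this reply (global pools with no matching nat id, an inside subnet with no translation at all, and which interface the LAN route points out of), as an added example that is not from the thread or from Cisco. The sample config is constructed from the Pix1 lines quoted above, with a placeholder 1-2-1 static standing in for the attached config.

```python
import ipaddress
import re

# PIX-style nat / global / static / route lines, as quoted in the thread
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+)")
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)")
ROUTE_RE = re.compile(r"^route (\S+) (\S+) (\S+) (\S+)")

# Constructed sample from the Pix1 lines in the post; the 1-2-1 static is a placeholder.
SAMPLE_CONFIG = """\
global (outside) 1 interface
global (outside) 3 19x.yyy.zzz.9 netmask 255.255.255.255
global (inside) 1 interface
static (inside,outside) 19x.yyy.zzz.10 192.168.105.10 netmask 255.255.255.255
route outside 192.168.5.0 255.255.255.0 192.168.105.9 2
"""

def parse(config):
    """Collect nat, global, static and route lines; ignore everything else."""
    nats, globs, statics, routes = [], [], [], {}
    for line in config.splitlines():
        line = line.strip()
        if (m := NAT_RE.match(line)) and m.group(3) != "access-list":
            ifc, nid, net, mask = m.groups()
            nats.append((ifc, int(nid), ipaddress.ip_network(f"{net}/{mask}", strict=False)))
        elif m := GLOBAL_RE.match(line):
            globs.append((m.group(1), int(m.group(2))))
        elif m := STATIC_RE.match(line):
            _, _, _, real, mask = m.groups()  # real (inside-side) address of the static
            statics.append(ipaddress.ip_network(f"{real}/{mask}", strict=False))
        elif m := ROUTE_RE.match(line):
            ifc, net, mask, _ = m.groups()
            routes[ipaddress.ip_network(f"{net}/{mask}", strict=False)] = ifc
    return nats, globs, statics, routes

def orphan_globals(config):
    """global pools whose nat id is never referenced by any nat statement."""
    nats, globs, _, _ = parse(config)
    nat_ids = {nid for _, nid, _ in nats}
    return sorted((ifc, gid) for ifc, gid in globs if gid not in nat_ids)

def is_translated(config, subnet):
    """True if every host of subnet is covered by a dynamic nat or a static."""
    nats, _, statics, _ = parse(config)
    want = ipaddress.ip_network(subnet)
    return any(want.subnet_of(n) for _, _, n in nats) or any(want.subnet_of(s) for s in statics)

def route_interface(config, subnet):
    """Interface the route to subnet points out of, or None if there is no such route."""
    return parse(config)[3].get(ipaddress.ip_network(subnet))
```

Appending Jon's `nat (inside) 4 192.168.5.0 255.255.255.0` / `global (outside) 4 interface` pair and the corrected `route inside ...` line to the sample makes `is_translated` return True and `route_interface` return `inside`, while the three original global pools remain orphans.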

Hi Jon

Sorry it's been a few days; I had taken time off. Just to let you know that I managed to get it working, thanks to your help throughout.

Essentially what I did was to use the points you gave me in your replies and create double NATting, so the same way I got the servers in the DMZ talking to the outside, I got the LAN hosts talking to the outside, albeit using static IPs, double NATting them all the way to the internet.

I would just like to say that I am really glad I bumped into you on this forum, as you have really helped me out. I am by no means an expert and your help has really been appreciated.

Many thanks

Regards

Ali

Ali

Glad you got it working and glad to have been of help.

Jon
