05-01-2003 12:07 PM - edited 02-20-2020 10:43 PM
hello,
we have one PIX 535 6.2(2), one DMZ, one ISP and one internal network.
And we have a new requirement: to create a new DMZ and to permit access to this DMZ through a new ISP that will be attached to the "other" external interface of the PIX. So, the final diagram will look like this:
outside interface 1 --> ISP1
outside interface 2 --> ISP2
inside interface --> inside network
dmz interface 1 --> DMZ network 1
dmz interface 2 --> DMZ network 2
We have had problems making this configuration work.
The PIX can't ping past the directly attached interface of the ISP2 router.
We haven't tried to "static" any server in this new DMZ because we can't even make ICMP packets pass the router of the second ISP.
We attached a temporary firewall (a Microsoft ISA server) between this new DMZ and this new ISP and it worked well, so any problem in the ISP2 router is ruled out... but this solution is temporary and we would like to use the PIX for this.
This is the configuration:
: Saved
:
PIX Version 6.2(2)
nameif gb-ethernet0 outside security0
nameif gb-ethernet1 inside security100
nameif gb-ethernet2 Failover_fw security55
nameif ethernet0 dmz1 security50
nameif ethernet1 dmz2 security30
nameif ethernet2 outside2 security25
names
object-group network SERVERS(noaptos)
network-object host 216.15.255.131
object-group network COMPAS
network-object host 11.254.13.59
object-group network SECODAM
network-object host 200.34.175.249
object-group service APS-SECODAM tcp-udp
port-object eq 80
port-object eq 433
port-object eq 9001
port-object eq 9002
access-list IN deny udp any any eq netbios-ns
access-list IN permit ip any 71.10.23.0 255.255.255.0
access-list IN permit tcp any object-group SECODAM object-group APS-SECODAM
access-list IN permit ip object-group COMPAS any
access-list IN deny ip any object-group XXXSERVERS
access-list IN deny tcp any any eq 1863
access-list IN permit ip host 11.254.14.42 192.168.100.0 255.255.255.0
access-list IN permit tcp any any eq 9090
access-list IN permit tcp any any range 8000 8100
access-list IN permit tcp host 11.254.12.234 any eq smtp
access-list IN deny tcp any any eq smtp
access-list IN permit tcp any any eq 3389
access-list no_nat permit ip any 192.168.100.0 255.255.255.0
access-list OUT permit tcp any host 200.XX.XX.4 eq www
access-list OUT permit tcp any host 200.XX.XX.4 eq https
access-list OUT permit tcp any host 200.XX.XX.6 eq www
access-list OUT permit tcp any host 200.XX.XX.7 eq www
access-list OUT permit tcp any host 200.XX.XX.8 eq www
access-list OUT permit tcp any host 200.XX.XX.9 eq smtp
access-list OUT permit tcp any host 200.XX.XX.10 eq 8080
access-list OUT permit tcp any host 200.XX.XX.10 eq www
access-list OUT permit tcp any host 200.XX.XX.11 eq www
access-list OUT permit tcp any host 200.XX.XX.12 eq www
access-list OUT permit tcp any host 200.XX.XX.12 eq 5100
access-list OUT permit tcp any host 200.XX.XX.20 eq domain
access-list OUT permit udp any host 200.XX.XX.20 eq domain
access-list OUT permit icmp any any
access-list DMZ permit tcp any host 11.254.12.21 eq domain
access-list DMZ permit udp any host 11.254.12.21 eq domain
access-list DMZ permit ip any host 11.254.12.36
access-list DMZ permit tcp host 71.10.23.10 11.0.0.0 255.0.0.0 eq 1525
access-list DMZ permit tcp host 71.10.23.34 host 11.254.12.234 eq smtp
access-list OUT2 permit icmp any any
interface gb-ethernet0 1000auto
interface gb-ethernet1 1000auto
interface gb-ethernet2 1000auto
interface ethernet0 100full
interface ethernet1 auto
interface ethernet2 auto
mtu outside 1500
mtu inside 1500
mtu Failover_fw 1500
mtu dmz 1500
mtu secodam_inside 1500
mtu secodam_outside 1500
ip address outside 200.XX.XX.15 255.255.255.0
ip address inside 11.254.12.67 255.255.255.0
ip address Failover_fw 72.10.24.30 255.255.255.0
ip address dmz 71.10.23.99 255.255.255.0
ip address dmz2 11.254.14.241 255.255.255.0
ip address outside2 207.YY.YY.1 255.255.255.0
ip local pool pptp-pool 192.168.100.1-192.168.100.5
arp timeout 14400
global (outside) 1 200.XX.XX.21-200.XX.XX.27
global (outside2) 2 207.YY.YY.2
nat (inside) 0 access-list no_nat
nat (inside) 2 11.254.14.20 255.255.255.255 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
alias (dmz) 71.10.23.34 200.34.143.10 255.255.255.255
static (dmz,outside) 200.XX.XX.6 71.10.23.11 netmask 255.255.255.255 0 0
static (dmz,outside) 200.XX.XX.7 71.10.23.25 netmask 255.255.255.255 0 0
static (dmz,outside) 200.XX.XX.8 71.10.23.13 netmask 255.255.255.255 0 0
static (dmz,outside) 200.XX.XX.12 71.10.23.35 netmask 255.255.255.255 0 0
access-group OUT in interface outside
access-group IN in interface inside
access-group DMZ in interface dmz
access-group OUT2 in interface outside2
route outside 0.0.0.0 0.0.0.0 200.34.143.254 1
route inside 10.0.0.0 255.0.0.0 11.254.12.254 1
route inside 11.0.0.0 255.0.0.0 11.254.12.254 1
: end
Any clues? Is this configuration even possible?
Thank you in advance!
05-01-2003 03:15 PM
Hi -
Ahh, if only it were that easy... The problem is the 'route outside 0.0.0.0 0.0.0.0'. Your PIX's default gateway is set to ISP A. If you could add a second default route on the PIX, you could set it to ISP B. Unfortunately, you can't do that.
What you might try is setting the route to the network that needs to get to your DMZ... For example, if Company B (at 7.7.7.7) is trying to get to your new DMZ, add a route like this: route outside2 7.7.7.0/24 207.YY.YY.2 (or whatever ISP B's router is)...
This might just do the trick...
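An added example, not code from the thread: a small Python model of the PIX route table posted above, plus the 7.7.7.0/24 route via outside2 that the reply suggests. It shows that traffic only leaves outside2 when a more specific route exists, and that a second 0.0.0.0/0 entry is refused. The 7.7.7.7 address and next-hop labels are taken from the posts (207.YY.YY.2 is the poster's redaction, kept as an opaque label); the duplicate-prefix check is an assumption standing in for the PIX single-default-route rule.

```python
import ipaddress


def add_route(table, dest, iface, next_hop):
    """Append a route; refuse a second entry for a prefix already in the table.
    This models the PIX 6.x behaviour of allowing only one default route."""
    net = ipaddress.ip_network(dest, strict=True)
    if any(existing == net for existing, _, _ in table):
        raise ValueError(f"route for {net} already exists")
    table.append((net, iface, next_hop))
    return table


def lookup(table, dst):
    """Longest-prefix match: the most specific route wins, default route last."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, iface, next_hop in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, next_hop)
    return None if best is None else (best[1], best[2])


def build_table(with_specific_route=True):
    """Routes from the posted config, optionally with the reply's suggestion."""
    table = []
    add_route(table, "0.0.0.0/0", "outside", "200.34.143.254")    # default -> ISP1
    add_route(table, "10.0.0.0/8", "inside", "11.254.12.254")
    add_route(table, "11.0.0.0/8", "inside", "11.254.12.254")
    if with_specific_route:
        # Suggested static route: only 7.7.7.0/24 is sent towards ISP2.
        add_route(table, "7.7.7.0/24", "outside2", "207.YY.YY.2")
    return table


def second_default_rejected():
    """True if adding a second 0.0.0.0/0 route (via outside2) is refused."""
    try:
        add_route(build_table(), "0.0.0.0/0", "outside2", "207.YY.YY.2")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for dst in ("7.7.7.7", "8.8.8.8", "11.254.14.20"):
        print(dst, "->", lookup(build_table(), dst))
    print("second default route rejected:", second_default_rejected())
```

Without the /24 route, 7.7.7.7 is matched by the default route and leaves via outside, which is why nothing beyond the ISP2 router answers.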
05-01-2003 05:03 PM
As posted by the previous specialist, you cannot have 2 default gateways. This is for sure. Don't invest any more time trying this; it can't work. You should search for another solution. As suggested by the previous answer, you can manually configure static routes to reach some networks through the outside2 interface. If that's not a feasible solution, you must try the last alternative: send all traffic through outside1 up to a single router, or dual routers with HSRP, which can manage both ISP connections.
Hope this helps
Ben
05-01-2003 05:26 PM
PIX 6.3 supports OSPF with equal-cost load balancing; if you can make your ISP run OSPF to inject a default route to your PIX, you may be able to have two default routes in the PIX.
Or try sending all destination traffic with odd network numbers to one ISP and even network numbers to the other ISP. Something like
route outside 0.0.1.0 0.0.1.0 x.x.x.x
route outside 0.0.0.0 0.0.1.0 x.x.x.x
I am not sure whether it will work or not as I haven't tried it. Just my suggestion.