one pix - two ISP

mauro.elias
Level 1

Hello,

We have one PIX 535 running 6.2(2), one DMZ, one ISP and one internal network.

We have a new requirement: to create a new DMZ and to permit access to this DMZ through a new ISP that will be attached to an "other" external interface of the PIX. So the final diagram will look like this:

outside interface 1 --> ISP1

outside interface 2 --> ISP2

inside interface --> inside network

dmz interface 1 -- > DMZ network 1

dmz interface 2 -- > DMZ network 2

We have had problems making this configuration work.

The PIX can't ping past the directly attached interface of the ISP2 router.

We haven't tried to "static" any server in this new DMZ because we can't even make ICMP packets pass the router of the second ISP.

We attached a temporary firewall (a Microsoft ISA server) between this new DMZ and this new ISP and it worked well, so any problem in the ISP2 router is ruled out... but this solution is temporary and we would like to use the PIX for this.

This is the configuration:

: Saved
:
PIX Version 6.2(2)
nameif gb-ethernet0 outside security0
nameif gb-ethernet1 inside security100
nameif gb-ethernet2 Failover_fw security55
nameif ethernet0 dmz1 security50
nameif ethernet1 dmz2 security30
nameif ethernet2 outside2 security25
names
object-group network SERVERS(noaptos)
network-object host 216.15.255.131
object-group network COMPAS
network-object host 11.254.13.59
object-group network SECODAM
network-object host 200.34.175.249
object-group service APS-SECODAM tcp-udp
port-object eq 80
port-object eq 433
port-object eq 9001
port-object eq 9002
access-list IN deny udp any any eq netbios-ns
access-list IN permit ip any 71.10.23.0 255.255.255.0
access-list IN permit tcp any object-group SECODAM object-group APS-SECODAM
access-list IN permit ip object-group COMPAS any
access-list IN deny ip any object-group XXXSERVERS
access-list IN deny tcp any any eq 1863
access-list IN permit ip host 11.254.14.42 192.168.100.0 255.255.255.0
access-list IN permit tcp any any eq 9090
access-list IN permit tcp any any range 8000 8100
access-list IN permit tcp host 11.254.12.234 any eq smtp
access-list IN deny tcp any any eq smtp
access-list IN permit tcp any any eq 3389
access-list no_nat permit ip any 192.168.100.0 255.255.255.0
access-list OUT permit tcp any host 200.XX.XX.4 eq www
access-list OUT permit tcp any host 200.XX.XX.4 eq https
access-list OUT permit tcp any host 200.XX.XX.6 eq www
access-list OUT permit tcp any host 200.XX.XX.7 eq www
access-list OUT permit tcp any host 200.XX.XX.8 eq www
access-list OUT permit tcp any host 200.XX.XX.9 eq smtp
access-list OUT permit tcp any host 200.XX.XX.10 eq 8080
access-list OUT permit tcp any host 200.XX.XX.10 eq www
access-list OUT permit tcp any host 200.XX.XX.11 eq www
access-list OUT permit tcp any host 200.XX.XX.12 eq www
access-list OUT permit tcp any host 200.XX.XX.12 eq 5100
access-list OUT permit tcp any host 200.XX.XX.20 eq domain
access-list OUT permit udp any host 200.XX.XX.20 eq domain
access-list OUT permit icmp any any
access-list DMZ permit tcp any host 11.254.12.21 eq domain
access-list DMZ permit udp any host 11.254.12.21 eq domain
access-list DMZ permit ip any host 11.254.12.36
access-list DMZ permit tcp host 71.10.23.10 11.0.0.0 255.0.0.0 eq 1525
access-list DMZ permit tcp host 71.10.23.34 host 11.254.12.234 eq smtp
access-list OUT2 permit icmp any any
interface gb-ethernet0 1000auto
interface gb-ethernet1 1000auto
interface gb-ethernet2 1000auto
interface ethernet0 100full
interface ethernet1 auto
interface ethernet2 auto
mtu outside 1500
mtu inside 1500
mtu Failover_fw 1500
mtu dmz 1500
mtu secodam_inside 1500
mtu secodam_outside 1500
ip address outside 200.XX.XX.15 255.255.255.0
ip address inside 11.254.12.67 255.255.255.0
ip address Failover_fw 72.10.24.30 255.255.255.0
ip address dmz 71.10.23.99 255.255.255.0
ip address dmz2 11.254.14.241 255.255.255.0
ip address outside2 207.YY.YY.1 255.255.255.0
ip local pool pptp-pool 192.168.100.1-192.168.100.5
arp timeout 14400
global (outside) 1 200.XX.XX.21-200.XX.XX.27
global (outside2) 2 207.YY.YY.2
nat (inside) 0 access-list no_nat
nat (inside) 2 11.254.14.20 255.255.255.255 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
alias (dmz) 71.10.23.34 200.34.143.10 255.255.255.255
static (dmz,outside) 200.XX.XX.6 71.10.23.11 netmask 255.255.255.255 0 0
static (dmz,outside) 200.XX.XX.7 71.10.23.25 netmask 255.255.255.255 0 0
static (dmz,outside) 200.XX.XX.8 71.10.23.13 netmask 255.255.255.255 0 0
static (dmz,outside) 200.XX.XX.12 71.10.23.35 netmask 255.255.255.255 0 0
access-group OUT in interface outside
access-group IN in interface inside
access-group DMZ in interface dmz
access-group OUT2 in interface outside2
route outside 0.0.0.0 0.0.0.0 200.34.143.254 1
route inside 10.0.0.0 255.0.0.0 11.254.12.254 1
route inside 11.0.0.0 255.0.0.0 11.254.12.254 1
: end

Any clues? Is this configuration even possible?

Thank you in advance!

3 Replies

robhorniachek
Level 1

Hi -

Ahh, if only it were that easy... The problem is the 'route outside 0.0.0.0 0.0.0.0'. Your PIX's default gateway is set to ISP A. If you could add a second default route on the PIX, you could set it to ISP B. Unfortunately, you can't do that.

What you might try is setting a route to the network that needs to get to your DMZ... For example, if Company B (at 7.7.7.7) is trying to get to your new DMZ, add a route like this: route outside2 7.7.7.0/24 207.YY.YY.2 (or whatever ISP B's router is)...

This might just do the trick...

bdube
Level 2

As posted by the previous specialist, you cannot have 2 default gateways. This is for sure. Don't invest any more time trying this; it can't work. You should search for another solution. As suggested in the previous answer, you can manually configure static routes to reach some networks through the outside2 interface. If that's not a feasible solution, you must try the last alternative: send all traffic through outside1 up to a single router, or a pair with HSRP, which can manage both ISP connections.

Hope this helps

Ben
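To illustrate the point both replies above make, here is a small Python model of a PIX-style static routing table. It is an added example written for this page, not code from the thread or from Cisco. It reuses the three 'route' lines from the posted config and the 7.7.7.7 peer from the first reply; 198.51.100.254 is a constructed stand-in for the ISP2 router address. With only the single default route, an echo request arriving on outside2 gets its reply routed out via ISP1 (asymmetric path), which is consistent with the PIX not being able to ping past the ISP2 router; a specific /24 route for the remote network pins that reply back to outside2. The model also enforces the "one default route" restriction the replies describe, so the attempt to add a second default is rejected.

```python
"""Toy model of a PIX-style static routing table (added example, not from the thread).

Longest-prefix match decides the egress interface for each destination.
Addresses: the 'route' lines are copied from the posted config; 198.51.100.254
is a constructed stand-in for the ISP2 router; 7.7.7.7 is the remote peer used
in the first reply above.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Route:
    iface: str
    prefix: ipaddress.IPv4Network
    gateway: ipaddress.IPv4Address
    metric: int = 1


@dataclass
class RoutingTable:
    routes: List[Route] = field(default_factory=list)

    def add(self, iface: str, network: str, netmask: str, gateway: str, metric: int = 1) -> None:
        """Mirror of 'route <iface> <network> <netmask> <gateway> [metric]'.

        Models the restriction described in the replies: one destination prefix
        cannot point out two different interfaces, so a second default route
        via outside2 is refused.
        """
        prefix = ipaddress.IPv4Network(f"{network}/{netmask}", strict=False)
        for r in self.routes:
            if r.prefix == prefix and r.iface != iface:
                raise ValueError(f"{prefix} already routed via {r.iface}; cannot also route via {iface}")
        self.routes.append(Route(iface, prefix, ipaddress.IPv4Address(gateway), metric))

    def lookup(self, dst: str) -> Optional[Route]:
        """Longest-prefix match; the lowest metric wins a tie on prefix length."""
        d = ipaddress.IPv4Address(dst)
        candidates = [r for r in self.routes if d in r.prefix]
        if not candidates:
            return None
        return max(candidates, key=lambda r: (r.prefix.prefixlen, -r.metric))


def posted_table() -> RoutingTable:
    """The three 'route' lines from the posted config: ISP1 is the only default."""
    t = RoutingTable()
    t.add("outside", "0.0.0.0", "0.0.0.0", "200.34.143.254")
    t.add("inside", "10.0.0.0", "255.0.0.0", "11.254.12.254")
    t.add("inside", "11.0.0.0", "255.0.0.0", "11.254.12.254")
    return t


def table_with_specific_route() -> RoutingTable:
    """Posted table plus the fix from the replies: pin the remote /24 to outside2.

    198.51.100.254 is a constructed stand-in for the ISP2 router.
    """
    t = posted_table()
    t.add("outside2", "7.7.7.0", "255.255.255.0", "198.51.100.254")
    return t


def reply_interface(table: RoutingTable, peer: str) -> Optional[str]:
    """Interface the PIX would use to send a reply (e.g. an echo-reply) to 'peer'."""
    r = table.lookup(peer)
    return r.iface if r else None


def path_is_symmetric(table: RoutingTable, ingress_iface: str, peer: str) -> bool:
    """True when the reply leaves by the same interface the request arrived on."""
    return reply_interface(table, peer) == ingress_iface


def second_default_rejected() -> bool:
    """Try the 'route outside2 0.0.0.0 0.0.0.0 ...' the replies say is not possible."""
    t = posted_table()
    try:
        t.add("outside2", "0.0.0.0", "0.0.0.0", "198.51.100.254")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    peer = "7.7.7.7"
    base, fixed = posted_table(), table_with_specific_route()
    print("posted config : reply to", peer, "leaves via", reply_interface(base, peer),
          "| symmetric:", path_is_symmetric(base, "outside2", peer))
    print("with /24 route: reply to", peer, "leaves via", reply_interface(fixed, peer),
          "| symmetric:", path_is_symmetric(fixed, "outside2", peer))
    print("second default route rejected:", second_default_rejected())
```

The model only covers static routes, so it shows why per-network routes toward outside2 work and why a second catch-all does not; it says nothing about the OSPF equal-cost option raised in the next reply.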

vr2zjw
Level 1

PIX 6.3 supports OSPF with equal-cost load balancing; if you can get your ISPs running OSPF to inject a default route into your PIX, you may be able to have two default routes in the PIX.

Or try sending all traffic destined to odd network numbers to one ISP and even network numbers to the other ISP. Something like:

route outside 0.0.1.0 0.0.1.0 x.x.x.x

route outside 0.0.0.0 0.0.1.0 x.x.x.x

I am not sure whether it will work or not, as I haven't tried it. Just my suggestion.