return path asa

suthomas1
Level 6

Can some experts help me clear up my confusion on the diagram below?

  Internet ISP-1 -- ASA -- router -- ASA -- PIX(DMZ) ----ISP-2

There is a need to get one of the DMZ web servers (currently reachable/used via ISP-2) to be used via ISP-1 only. But it may cause the proverbial problem: when the return traffic from this server goes to the actual internet source, it may use ISP-2, which is not wanted.

My need is to have this server's traffic go only via ISP-1. I will do static NAT on the ASA for this web server, but since the source will still be seen as a public IP on the devices, it is a bit confusing and I'm trying to find a fix.

Please help with possible ways of doing this.

Thanks in advance.

1 Accepted Solution


8 Replies

Hi,

The problem that I see is that if the default gateway for that server is the PIX, and if the PIX has a default gateway to ISP-2, then all traffic will be sent out using that connection. In other words, traffic intended to the internet will always be sent out via ISP-2 by the PIX.

The PIX won't support PBR (Policy Based Routing) to allow this particular server to be sent out via ISP-1.

Please clarify/confirm your topology, so we can perhaps recommend a solution.

Federico.

Yes exactly, that is the concern here.

This server is in the PIX's DMZ. I want all internet user requests for this server to enter through ASA-1 via ISP-1, reach all the way to this server in the DMZ, and follow the same path back when returning.

Internet ISP-1 -- ASA-1 -- router-- (WAN link)--router-- ASA-2 -- PIX(DMZ) ----ISP-2

Let me know if the query is not clearly put by me.

Ok, the question is...

Where's the default gateway of the devices?

For example, the default gateway of the PIX is ISP-2 correct?

If so, is the default gateway of ASA-2 the PIX, or does it go out via ISP-1?

If ASA2 goes out ISP-1, one option is to connect the DMZ server to a DMZ on the ASA and allow it to get out via ISP-2 as you intend.

Federico.

Hi Thomas,

Can you provide some details from your side so we can help you better?

1. You are using an ASA on one side and a PIX on the other. Can you use either of them (all ASA or all PIX)?

2. You have connected ISP-2 to the PIX DMZ, but in general practice the internet is connected to the outside interface of the security device, which has security level 0. Why have you connected it like this?

-- Jigar

Thanks Federico,

Internet ISP-1 -- ASA-1 -- router-- (WAN link)--router-- ASA-2 -- PIX(DMZ) ----ISP-2

Yes, the gateway for the PIX is ISP-2 and the gateway for ASA-2 is the PIX, so currently ASA-2's default path can only go out via ISP-2.

Apologies, it seems my post isn't clear and is causing confusion. I will elaborate more with a few IPs.

Server A (192.168.100.10) is located in the DMZ of the PIX.

The ASA-1 segment is 192.168.200.xx.

I want traffic for server A (192.168.100.10) to enter via ISP-1, reach the DMZ on the PIX and return to the original public source via ISP-1.

Below are some steps I'll be putting in for partial achievement of this:

1. Re-registering server A in DNS with the public IPs corresponding to ISP-1.

2. Static NAT on ASA-1 for 192.168.100.10, and a route to allow it towards the DMZ.

3. A route on the PIX to reach the 192.168.200.xx addresses on ASA-1.

I am looking to get requests for Server A to enter through ISP-1 and ASA-1, and the response from server A for the same public flow to go back out via ISP-1.

Hope this gives more clarity.

Thank you.

Jigar,

The DMZ connection was only a diagram view; the PIX outside goes to the internet.

Hi,

Internet ISP-1 -- ASA-1 -- router-- (WAN link)--router-- ASA-2 --  PIX(DMZ) ----ISP-2

Theoretically, it is possible to achieve the above by NATing the users to the inside IP address of ASA-1 (192.168.200.xx). So you will basically need config like below on ASA-1 (the access-list needs a destination, and the nat and global IDs must match for the pair to work):

  access-list TEST permit ip any any
  nat (outside) 2 access-list TEST outside
  global (inside) 2 interface

So if you configure the routing as you mentioned (appropriate routing on the PIX to reach 192.168.200.xx), the return packets should be forwarded to ASA-1. You can replace the "interface" keyword with a free IP in the 192.168.200.xx segment as well.

One problem we might run into here is that all the internet users coming into ASA-1 to access the SERVER are going to be PATed to an internal IP. It is possible that we might exhaust the PAT IP address if there are going to be a lot of clients connecting to the server, in which case you will need a lot of IP addresses allocated for PAT.

Let me know if this is clear enough or if there are any questions.

Thanks and Regards,

Prapanch

Hi,

Thanks, but are the lines below for getting users coming from the public internet NATed to the inside?

  access-list TEST permit ip any host 192.168.200.20
  nat (outside) 2 access-list TEST outside
  global (inside) 2 192.168.200.20

I was thinking of putting a static statement for NATing the public requests to this server on ASA-1. Isn't that correct?

I appear to have not understood your good suggestion properly. It would help if you detailed it a bit; I'm a bit confused.

thanks.

Hi,

Yes, the NAT commands I mentioned are to NAT the clients trying to access the server coming in on ISP-1. But the way the NAT should be configured is as below.

It is still needed to translate the server to a public IP on ISP-1. Assuming your server is translated to ISP-1 on ASA-1 to the public IP a.b.c.d, the static would be:

  static (inside,outside) a.b.c.d 192.168.100.10

The NAT commands needed to NAT the clients trying to access the server using the public IP a.b.c.d would be as below (the nat and global IDs must match):

  access-list test permit ip any host a.b.c.d
  nat (outside) 2 access-list test outside
  global (inside) 2 192.168.200.20

(Based on your post above I am assuming the free IP address the clients are going to be NATed to is 192.168.200.20.)

When this happens, the packets that reach your server will be sourced from 192.168.200.20. So if your routing is set up appropriately on the PIX, the replies from the server should be sent back to ASA-1, which should then take care of the NATing before sending the reply back out to the clients.

Hope this clears out the doubts you had.

Cheers,

Prapanch
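The round trip this thread argues about, as an added Python model that is not part of the thread and not Cisco's code. It builds the chain ISP-1 -- ASA-1 -- router -- router -- ASA-2 -- PIX(DMZ) -- ISP-2 with static routing tables, including the PIX default route to ISP-2 and the route for 192.168.200.0/24 back towards ASA-2 that suthomas1 plans to add. The client address 203.0.113.5, the public address 198.51.100.10 standing in for a.b.c.d, and the hop names ROUTER-1/ROUTER-2 are constructed; PatTable is a stand-in for the nat (outside) / global (inside) pair on ASA-1. Run without outside NAT, the server's reply follows its default gateway to the PIX and leaves via ISP-2 (Federico's point); with outside NAT, the reply is addressed to 192.168.200.20, the PIX's specific route wins over its default, and the reply reaches ASA-1 to be un-NATed and sent out via ISP-1 (the accepted answer). PatTable raising when its ports run out models the PAT exhaustion caveat.

```python
"""Toy model of the thread's topology: which ISP does the server's reply leave through?"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed for the illustration, except the two private addresses the thread names.
CLIENT = "203.0.113.5"             # an internet client arriving via ISP-1 (constructed)
SERVER_PUBLIC = "198.51.100.10"    # stands in for the thread's a.b.c.d on ISP-1 (constructed)
SERVER_PRIVATE = "192.168.100.10"  # server A in the PIX DMZ (from the thread)
NAT_POOL = ["192.168.200.20"]      # free IP on ASA-1's inside segment (from the thread)


@dataclass
class Node:
    """A hop with a static routing table of (prefix, next hop name); longest match wins."""
    routes: List[Tuple[str, str]]

    def next_hop(self, dst: str) -> Optional[str]:
        addr = ipaddress.ip_address(dst)
        best = None
        for prefix, hop in self.routes:
            net = ipaddress.ip_network(prefix)
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, hop)
        return best[1] if best else None


# ISP-1 -- ASA-1 -- ROUTER-1 -- (WAN) -- ROUTER-2 -- ASA-2 -- PIX(DMZ) -- ISP-2
TOPOLOGY: Dict[str, Node] = {
    "ASA-1":    Node([("0.0.0.0/0", "ISP-1"), ("192.168.0.0/16", "ROUTER-1")]),
    "ROUTER-1": Node([("192.168.200.0/24", "ASA-1"), ("192.168.100.0/24", "ROUTER-2")]),
    "ROUTER-2": Node([("192.168.200.0/24", "ROUTER-1"), ("192.168.100.0/24", "ASA-2")]),
    "ASA-2":    Node([("0.0.0.0/0", "PIX"), ("192.168.200.0/24", "ROUTER-2")]),
    # PIX: default to ISP-2, plus the route back to ASA-1's segment the asker plans to add.
    "PIX":      Node([("0.0.0.0/0", "ISP-2"), ("192.168.100.0/24", "SERVER"),
                      ("192.168.200.0/24", "ASA-2")]),
    "SERVER":   Node([("0.0.0.0/0", "PIX")]),   # server A's only route: the PIX
}
EXITS = {"ISP-1", "ISP-2"}


def trace(start: str, dst: str, stop_at: set) -> List[str]:
    """Follow a packet for dst hop by hop from start until a node in stop_at is reached."""
    path, node = [start], start
    while node not in stop_at:
        node = TOPOLOGY[node].next_hop(dst)
        if node is None:
            raise ValueError(f"{path[-1]} has no route to {dst}")
        path.append(node)
        if len(path) > 16:
            raise RuntimeError(f"routing loop: {path}")
    return path


class PatTable:
    """Stand-in for 'nat (outside) ... outside' + 'global (inside)' on ASA-1: every client
    is rewritten to an address from the pool and told apart by port, so ports are the limit."""

    def __init__(self, pool: List[str], ports=range(1024, 65536)):
        self.free = [(ip, p) for ip in pool for p in ports]
        self.xlate: Dict[Tuple[str, int], Tuple[str, int]] = {}

    def translate(self, client: str, port: int) -> Tuple[str, int]:
        if not self.free:
            raise RuntimeError("PAT pool exhausted: allocate more global IPs")
        mapped = self.free.pop(0)
        self.xlate[mapped] = (client, port)
        return mapped

    def untranslate(self, mapped: Tuple[str, int]) -> Tuple[str, int]:
        return self.xlate[mapped]


def round_trip(client: str, client_port: int,
               outside_nat: Optional[PatTable]) -> Tuple[List[str], str]:
    """Request to a.b.c.d arriving on ASA-1, then the server's reply: (reply path, exit ISP)."""
    # static (inside,outside) a.b.c.d 192.168.100.10: destination is un-NATed on the way in.
    src, dst = (client, client_port), SERVER_PRIVATE
    if outside_nat is not None:
        src = outside_nat.translate(client, client_port)  # client now looks like 192.168.200.20:port
    assert trace("ASA-1", dst, {"SERVER"})[-1] == "SERVER"
    # The server answers whatever source it saw, via its default gateway (the PIX).
    reply_path = trace("SERVER", src[0], EXITS | {"ASA-1"})
    if reply_path[-1] == "ASA-1":
        # Reply came back to ASA-1: undo the translation and route to the real client.
        real_client, _ = outside_nat.untranslate(src)
        reply_path += trace("ASA-1", real_client, EXITS)[1:]
    return reply_path, reply_path[-1]


if __name__ == "__main__":
    path, exit_isp = round_trip(CLIENT, 40000, None)
    print("static NAT only :", " -> ".join(path), "| leaves via", exit_isp)
    path, exit_isp = round_trip(CLIENT, 40000, PatTable(NAT_POOL))
    print("with outside NAT:", " -> ".join(path), "| leaves via", exit_isp)
```

The model deliberately gives the server no route other than its default gateway, which is what makes the destination address of the reply (the real client versus 192.168.200.20) the only thing that decides the exit ISP.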
