
Two PIXs end to end

badih_abifadel
Level 1

Hello

I have two PIXs (PIXA and PIXB) attached end to end, each with 6 Ethernet interfaces.

on PIX A

ethernet (outside) connected to the internet on PIX A security level 0. ip add: 192.168.1.1

ethernet 4 (pixzone) on PIX A connected to PIX B security level 60 ip add: 192.168.4.1

on PIX B

ethernet 4 (pixzone) on PIX B connected to PIX A security level 60 ip add: 192.168.4.2

ethernet (inside) connected to secure LAN security level 100 on PIX B. ip add 192.168.100.1

I have connected to PIX B a server ip add: 192.168.100.100

I need to access this server from the Internet. Can you please advise?

Regards


l.mourits
Level 5

Ok, let's see if we can help you out.

(By the way, I don't see why you're using two PIXs, but I guess you use one of the other interfaces on PIX A for hosting or something.)

You didn't provide the global outside address which you wanted to use, so, I will put in where you should fill in this gap.

I will assume you want the server to be reachable from the Internet using HTTP (TCP port 80). If more protocols are needed, you can simply add the appropriate access-list statements to the same outside-in access-list.

PIX A

static (pixzone, outside) 192.168.100.100 netmask 255.255.255.255

route pixzone 192.168.100.0 255.255.255.0 192.168.4.2

route outside 0.0.0.0 0.0.0.0

access-list outside-in permit tcp any host eq 80

access-group outside-in in interface outside

PIX B

static (inside, pixzone) 192.168.100.100 192.168.100.100 netmask 255.255.255.255

*remember that the address is already translated as it arrives at PIX B*

route pixzone 0.0.0.0 0.0.0.0

access-list pixzone-in permit tcp any host 192.168.100.100 eq 80

access-group pixzone-in in interface pixzone

Of course this is not all, but the rest will depend on other things needed, like dynamic routing, ip verify (to prevent spoofing), how the rest of your design is, et cetera, but I hope this helps.

Regards,

Leo
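
Added example, not part of either post and not Cisco tooling: a Python check that cross-references access-list names against access-group bindings in pasted PIX commands, and lists which host and port each bound ACL permits from any source. The sample config is constructed for the example, and the regexes cover only the command forms used in this thread.

```python
import re

# Constructed sample in the style of the PIX B commands in this thread: the
# ACL is named "pixzone-in" while the access-group line binds "pixzone".
SAMPLE_PIX_B = """\
static (inside, pixzone) 192.168.100.100 192.168.100.100 netmask 255.255.255.255
access-list pixzone-in permit tcp any host 192.168.100.100 eq 80
access-group pixzone in interface pixzone
"""

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(permit|deny)\s+(.*)$")
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+in\s+interface\s+(\S+)$")
EXPOSED_RE = re.compile(r"^(\S+)\s+any\s+host\s+(\S+)(?:\s+eq\s+(\S+))?$")


def audit(config: str) -> dict:
    """Cross-check ACL definitions against access-group bindings."""
    acls, bindings = {}, {}
    for raw in config.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
        elif m := GROUP_RE.match(line):
            bindings[m.group(2)] = m.group(1)  # interface -> ACL name

    report = {
        # access-group points at a name that no access-list line defines
        "undefined": sorted((i, a) for i, a in bindings.items() if a not in acls),
        # access-list exists but is not applied to any interface
        "unbound": sorted(set(acls) - set(bindings.values())),
        # (interface, protocol, host, port) permitted from any source
        "exposed": [],
    }
    for iface, name in bindings.items():
        for action, rest in acls.get(name, []):
            m = EXPOSED_RE.match(rest)
            if action == "permit" and m:
                report["exposed"].append((iface, m.group(1), m.group(2), m.group(3)))
    return report


if __name__ == "__main__":
    for key, value in audit(SAMPLE_PIX_B).items():
        print(key, value)
```

Running it against each PIX's pasted commands before applying them catches a mistyped ACL name and gives a short inventory of what is being published.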
