01-10-2003 08:47 AM - edited 03-09-2019 01:38 AM
OK, I think it's how I have the network set up, but I am not sure how to get around this problem.
We have two machines:
192.168.0.5 and .61
192.168.0.61 is the proxy and can get out to the internet.
We want all web traffic to go through this for reporting purposes.
The proxy has a router setting as 192.168.0.213, which is the PIX.
The web server, 192.168.0.5 (also our Exchange server), has a router setting as 192.168.0.1, so the WAN users can access it but can't get to the internet unless it uses the proxy.
I did the debug and I can see the inbound (outside -> 207.1.1.45 -> 192.168.0.5), but I don't see the outbound traffic.
If I ping the proxy's outside address it works.
Why isn't this setup working? If the original request looks like it came from the PIX, which is on the same subnet, shouldn't it return the reply to the PIX, and the PIX knows what to do with it?
Please put me straight :)
Thanks
Jenn
01-10-2003 11:32 AM
Jenn,
1) Does the PIX have an access-list to permit 192.168.0.5 to go to the internet?
2) The PIX doesn't act as a router. A packet cannot be redirected out the same interface it came in on. The packet will simply be dropped by the PIX.
Hope this helps
Michael
01-10-2003 12:19 PM
Yes, but I found out the problem is on the web server: since there isn't a route for internet traffic, it drops it. I asked about adding a route but they (the powers that be) may not want to do that.
I have 6 interfaces installed on this PIX system. I have two NICs in my web server. Can I configure one of the interfaces to work in this situation?
01-10-2003 12:59 PM
I don't understand why your LAN/WAN manager may not want to make a route to your PIX. What's their point? This is an efficient solution.
I'd prefer to add a route rather than fool with a second IP address on a server.
Installing 2 NICs (1 inside and 1 in the DMZ) is not a best practice in security. Why can't you install your web server in a DMZ? This is the place where it belongs. Use a switch to plug your server into your PIX. If you don't have one, I'm not sure, but you may have to use a cross-over cable.
But to answer your question, yes it can be done.
Michael
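The two replies above make two separate points: the web server's reply to an Internet client has no route that leads to the PIX, and the PIX will not turn a packet around onto the interface it arrived on. The following is an added illustration for this thread, not Cisco or PIX code: a small longest-prefix-match routing simulation using the addresses from the posts (192.168.0.5, 192.168.0.1, 192.168.0.213, 207.1.1.45). The WAN users' range 10.0.0.0/8, the PIX's own route to that range via 192.168.0.1, and the three candidate server routing tables are constructed assumptions. It traces the server's reply hop by hop under the current table, under the proposed fix (default route via the PIX, WAN route kept), and under a naive "everything via the PIX" table that trips the same-interface rule for WAN replies.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed model for this thread (not Cisco code). Addresses from the posts:
# 192.168.0.5 web/Exchange server, 192.168.0.1 internal WAN router,
# 192.168.0.213 PIX inside interface, 207.1.1.45 Internet client from the debug.
# 10.0.0.0/8 as the WAN users' range is an assumption.

INTERNET = "internet"   # sentinel: packet left the PIX outside interface


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    via: Optional[str]          # next-hop IP, INTERNET, or None = directly connected


def route(prefix, via=None):
    return Route(ipaddress.ip_network(prefix), via)


@dataclass
class Node:
    name: str
    routes: list
    is_pix: bool = False
    inside: Optional[ipaddress.IPv4Network] = None   # PIX inside interface subnet

    def lookup(self, dst):
        """Longest-prefix match over this node's table; None if nothing matches."""
        ip = ipaddress.ip_address(dst)
        best = None
        for r in self.routes:
            if ip in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
                best = r
        return best


def trace(nodes, src, dst):
    """Follow a packet from src toward dst, hop by hop. Returns (outcome, path)."""
    path = [src]
    cur = nodes[src]
    for _ in range(8):                 # bounded so a routing loop cannot run forever
        r = cur.lookup(dst)
        if r is None:
            return (f"dropped: {cur.name} has no route to {dst}", path)
        if r.via is None:              # directly connected: delivered on this segment
            path.append(dst)
            return ("delivered", path)
        if r.via == INTERNET:
            path.append(INTERNET)
            return ("delivered", path)
        # Rule from the reply above: the PIX will not send a packet back out the
        # interface it arrived on. In this model every packet reaching the PIX
        # came in on the inside interface, so a next hop on the inside subnet is dropped.
        if cur.is_pix and ipaddress.ip_address(r.via) in cur.inside:
            return (f"dropped: PIX will not redirect {dst} back onto the inside interface", path)
        if r.via not in nodes:
            return (f"dropped: next hop {r.via} unknown", path)
        path.append(r.via)
        cur = nodes[r.via]
    return ("dropped: hop limit exceeded", path)


def build(web_server_routes):
    """Assemble the three devices; only the web server's table varies."""
    wan_router = Node("192.168.0.1", [route("192.168.0.0/24"), route("10.0.0.0/8")])
    pix = Node("192.168.0.213",
               [route("192.168.0.0/24"),
                route("10.0.0.0/8", "192.168.0.1"),     # assumption: PIX knows the WAN is behind .1
                route("0.0.0.0/0", INTERNET)],
               is_pix=True, inside=ipaddress.ip_network("192.168.0.0/24"))
    web = Node("192.168.0.5", web_server_routes)
    return {n.name: n for n in (wan_router, pix, web)}


# Table as the poster describes it: only a path toward the WAN router, no Internet route.
CURRENT = [route("192.168.0.0/24"), route("10.0.0.0/8", "192.168.0.1")]
# Proposed fix: keep the WAN route and add a default route via the PIX.
FIXED = CURRENT + [route("0.0.0.0/0", "192.168.0.213")]
# Naive "fix": point everything at the PIX; WAN replies then hairpin on the PIX.
PIX_ONLY = [route("192.168.0.0/24"), route("0.0.0.0/0", "192.168.0.213")]


def reply_outcome(table, dst):
    return trace(build(table), "192.168.0.5", dst)[0]


if __name__ == "__main__":
    for label, table in [("current", CURRENT), ("fixed", FIXED), ("pix-only", PIX_ONLY)]:
        for dst in ("207.1.1.45", "10.20.30.40"):
            print(f"{label:9} reply to {dst:12} -> {reply_outcome(table, dst)}")
```

The point the simulation makes is that the fix is a default route via the PIX on top of the existing WAN route, not instead of it: longest-prefix matching keeps WAN replies going to 192.168.0.1 and sends only Internet replies to 192.168.0.213, so neither path asks the PIX to turn a packet around on its inside interface.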