08-08-2003 05:55 AM - edited 03-09-2019 04:21 AM
I am forced to try and configure a PIX 525 ver 6.3 (7 interfaces) to have two "outside" interfaces. We have configured using the standard "outside" interface to handle all traffic (source is internet) inbound to the "outside" interface on the firewall.
We still need another interface to handle inbound traffic from an internal network environment that, as of this time, looks far too vast to define using static translations. Has anybody been presented with this setup before? Would you use ranges or groups to handle the very large number of networks involved? Many class B's and many class C ranges? To my horror it looks like 400 to 500 entries... I just can't do that... Will nat 0 and routing solve this issue?
08-08-2003 06:15 AM
Hi Gary,
You have got a task on your hands, eh? Well, here's a starting point for you.
Lots of examples and TAC notes:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/index.html
08-10-2003 11:51 PM
Hi,
How about changing the security level for the interface named outside to, let's say, 99 and setting the security level for the other "outside" interface also to 99? Put statics for every inside network/host which you want to be reachable from the "outside" interfaces and put nat 0 commands on both "outside" interfaces if you want them to be able to reach each other.
It is just a thought.
Kind Regards,
Leo
08-11-2003 04:02 AM
Having 2 ints with the same security level is an unsupported configuration. Whether it works or not, Cisco TAC can tell you to get lost, regardless of your problem.
08-11-2003 05:32 AM
Well, this is what was tested this morning. From the PDM you cannot make two interfaces security level 0. Tried to make the "outside" and the "other outside" security level 0. The PDM gives an error message: "only outside interface can have security level 0."
Well, if you go to the CLI and issue the commands to set each interface to "security level 0" you do not receive any error messages. When you get the policy using the PDM it reads it. When you push a policy with a change in it the policy is installed.
In testing the throughput from a real "inside interface" to each "outside interface", traffic flows to each respective "outside interface" according to the policy that is installed.
08-14-2003 02:50 AM
Security level 0 is indeed reserved for the interface named outside, but you can configure two interfaces with the same security level (this is supported, even with TAC).
Default behaviour with two interfaces with the same security level is that no traffic from one to another is allowed. Setting the right translation commands and ACLs will make this possible though.
So, in your case, you could do something like:
nameif ethernet0 outside1 security1
nameif ethernet1 inside security100
nameif ethernet2 outside2 security1
This is supported via CLI as well as via PDM and you will be fine.
Kind Regards,
Leo
08-14-2003 09:35 AM
What we ended up doing is having the outside int security 0 and the second outside security 1. I set up a nat 0 ACL for traffic on the second int and all works well now. The TAC gave this config their stamp of approval.
Thanks for all the recommendations and help.
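The arrangement the thread settles on (Internet-facing outside at security 0, a second outside at security 1, and a nat 0 ACL so the internal networks behind that second interface need no per-host statics), written out as an added PIX 6.3 configuration example that is not from any post in the thread; interface names, addresses and the summarized network range are constructed placeholders.

```cisco
! Added example, not from the thread. Addresses and ranges are constructed placeholders.
! Interface roles: outside = Internet (security 0), outside2 = the large internal
! network environment (security 1), inside = protected LAN (security 100).
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 outside2 security1
ip address outside 203.0.113.2 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
ip address outside2 192.168.255.1 255.255.255.252

! Summarize the many class B / class C ranges behind outside2 into as few
! supernets as the addressing allows (placeholder: 172.16.0.0/12) so the ACL
! and route table stay short instead of growing to 400-500 entries.
access-list NONAT permit ip 10.1.1.0 255.255.255.0 172.16.0.0 255.240.0.0

! NAT exemption: inside <-> outside2 traffic keeps its real addresses, so no
! static translation is needed per internal host or network.
nat (inside) 0 access-list NONAT
! Everything else leaving inside is PATed to the Internet-facing interface.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

! outside2 (security 1) is lower than inside (100), so sessions initiated from
! the internal environment still need an inbound ACL on outside2. "permit ip"
! mirrors the thread; in practice narrow this to the ports actually required.
access-list OUTSIDE2_IN permit ip 172.16.0.0 255.240.0.0 10.1.1.0 255.255.255.0
access-group OUTSIDE2_IN in interface outside2

! Routing: default to the Internet via outside, the summarized internal ranges via outside2.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route outside2 172.16.0.0 255.240.0.0 192.168.255.2 1
```

Because outside2 sits at security 1, anything arriving there is treated as untrusted by default, which is the property that makes the shared "outside" role safe; the inbound ACL is the only thing that opens it.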