two "public" interfaces

garyprice
Level 1

I am forced to try and configure a PIX 525 ver 6.3 (7 interfaces) to have two "outside" interfaces. We have configured using the standard "outside" interface to handle all traffic (source is internet) inbound to the "outside" interface on the firewall.

We still need another interface to handle inbound traffic from an internal network environment that, as of this time, looks far too vast to define using static translations. Has anybody been presented with this setup before? Would you use ranges or groups to handle the very large number of networks involved? Many class B's and many class C ranges? To my horror it looks like 400 to 500 entries... I just can't do that... Will nat 0 and routing solve this issue?

6 Replies

jmia
Level 7

Hi Gary,

You have got a task on your hands, eh? Well, here's a starting point for you.

Lots of examples and TAC notes:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/index.html

l.mourits
Level 5

Hi,

How about changing the security level for the interface named outside to, let's say, 99 and setting the security level for the other "outside" interface also to 99? Put statics for every inside network/host which you want to be reachable from the "outside" interfaces and put nat 0 commands on both "outside" interfaces if you want them to be able to reach each other.

It is just a thought.

Kind Regards,

Leo

Having 2 interfaces with the same security level is an unsupported configuration - whether it works or not, Cisco TAC can tell you to get lost, regardless of your problem.

Well, this is what was tested this morning. From the PDM you cannot make two interfaces security level 0. Tried to make the "outside" and the "other outside" security level 0. The PDM gives an error message: "only outside interface can have security level 0."

Well, if you go to the CLI and issue the commands to set each interface to "security level 0" you do not receive any error messages. When you get the policy using the PDM it reads it. When you push a policy with a change in it, the policy is installed.

In testing the throughput from a real "inside interface" to each "outside interface", traffic flows to each respective "outside interface" according to the policy that is installed.

Security level 0 is indeed reserved for the interface named outside, but you can configure two interfaces with the same security level (this is supported, even with TAC).

Default behaviour with two interfaces with the same security level is that no traffic from one to another is allowed. Setting the right translation commands and ACLs will make this possible though.

So, in your case, you could do something like:

nameif ethernet0 outside1 security1

nameif ethernet1 inside security100

nameif ethernet2 outside2 security1

This is supported via CLI as well as via PDM and you will be fine.

Kind Regards,

Leo

What we ended up doing is having the outside interface at security 0 and the second outside at security 1. I set up a nat 0 ACL for traffic on the second interface and all works well now. The TAC gave this config their stamp of approval.

Thanks for all the recommendations and help.
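As an added example (not from this thread, nor a Cisco-supplied configuration), here is a PIX 6.3 fragment that implements the approach the thread settled on: the internet-facing interface at security 0, a second "outside" interface at security 1 for the large partner network, NAT exemption via a nat 0 access-list so the partner ranges need no per-host statics, and an inbound ACL on the second interface restricting what those ranges may reach. Interface names, addresses, the partner ranges (172.16.0.0/12 as a stand-in for the many class B/C networks) and the inside server are constructed assumptions.

```cisco
! --- Interfaces: only "outside" may be security0; the partner-facing
! --- interface gets its own (low) level so it is distinct from both.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 partner security1

! --- Constructed addressing (assumptions, not from the thread)
ip address outside 203.0.113.2 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
ip address partner 192.168.100.1 255.255.255.0

! --- Internet path: ordinary PAT for inside hosts going out "outside"
nat (inside) 1 10.1.0.0 255.255.0.0
global (outside) 1 interface

! --- Partner path: identity translation. One ACL line per partner
! --- range replaces hundreds of statics; nat 0 with an access-list is
! --- bidirectional, so the partner side can initiate to inside hosts
! --- without a static, as long as the interface ACL permits it.
access-list NONAT permit ip 10.1.0.0 255.255.0.0 172.16.0.0 255.240.0.0
nat (inside) 0 access-list NONAT

! --- Route the partner summary out the partner interface, not outside
route partner 172.16.0.0 255.240.0.0 192.168.100.254 1
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1

! --- Least privilege inbound from the partner side: exposing the whole
! --- inside via nat 0 means the ACL is the only thing limiting reach,
! --- so permit only the service actually needed (constructed: HTTPS
! --- to one inside host) and log everything else that is dropped.
access-list PARTNER_IN permit tcp 172.16.0.0 255.240.0.0 host 10.1.1.50 eq 443
access-list PARTNER_IN deny ip any any log
access-group PARTNER_IN in interface partner

! --- Nothing unsolicited from the internet side
access-list OUTSIDE_IN deny ip any any log
access-group OUTSIDE_IN in interface outside
```

The NONAT ACL is the place to audit: every network listed there becomes reachable through the inside interface without translation, so keep it to the partner ranges and let the PARTNER_IN ACL, not the NAT exemption, decide what is actually allowed.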