Hi Daniel,
This is a tough one to sort out. Comments inline.
At 01:14 PM 04/26/2000 +0100, Daniel Crichton wrote:
>We have 2 ISP connections to our PIX 515UR coming in on
>2 interfaces, another interface is our "dmz", and the
>fourth is our "inside". I'm having trouble trying to
>configure the PIX to have 1 server in the "dmz" answer
>to connections from 1 ISP connection, and all other
>servers answer on the other ISP connection. I have a
>nasty feeling I may have to get another NIC and run a
>second "dmz", or even get another PIX :(
>
>Does anyone know if this is possible?
>
>
>I have set up the following configuration:
>
>nameif ethernet0 isp1 security0
>nameif ethernet1 inside security100
>nameif ethernet2 dmz security50
>nameif ethernet3 isp2 security10
>
>nat (inside) 1 0
>nat (dmz) 2 y.y.y.5 255.255.255.255
>nat (dmz) 1 0
>
>global (isp1) 1 x.x.x.100
>global (dmz) 1 y.y.y.100
>global (isp2) 2 z.z.z.100
Let me regroup these to make sense:
global (isp1) 1 x.x.x.100
global (dmz) 1 y.y.y.100
nat (dmz) 1 0
nat (inside) 1 0
So anyone sourced from your DMZ or INSIDE will use x.x.x.100 or y.y.y.100 for
translation, depending on whether they are Internet bound or DMZ bound.
global (isp2) 2 z.z.z.100
nat (dmz) 2 y.y.y.5 255.255.255.255
The dmz host y.y.y.5 should map to z.z.z.100 - but this is a singular dynamic
translation, which is not typical. You should be using a static for this.
>static (dmz,isp1) x.x.x.1 y.y.y.1
>static (dmz,isp1) x.x.x.2 y.y.y.2
>static (dmz,isp1) x.x.x.3 y.y.y.3
>static (dmz,isp1) x.x.x.4 y.y.y.4
>static (dmz,isp2) z.z.z.1 y.y.y.5
This last statement is going to cause a bit of confusion, as this is in conflict with
the above dynamic pools. But statics should take precedence over the global pool.
>conduit permit tcp host x.x.x.1 eq www any
>conduit permit tcp host x.x.x.2 eq www any
>conduit permit tcp host x.x.x.3 eq www any
>conduit permit tcp host x.x.x.4 eq www any
>conduit permit tcp host z.z.z.1 eq www any
>
>conduit permit icmp any any
>:above line for testing only
>
>route isp1 0 0 x.x.x.254
>route isp2 0 0 z.z.z.254
PIX cannot use two default routes. If the version you are using lets you enter it
into the parser, it is not going to be a valid configuration. This is where things
are failing, I suspect. If you can set up an outside router to handle the forwarding
between your two ISPs, you'll be better off.
>where x.x.x.0 are my isp1 network addresses, y.y.y.0 is
>my dmz private addressing, and z.z.z.0 are my isp2
>network addresses.
>
>
>If I try to access the servers x.x.x.? from the
>internet everything is fine, and if I try to start
>connections from the servers x.x.x.? everything is OK -
>they use the ISP1 router.
>
>If I try to connect to z.z.z.1 from the inside
>everything works. If I try to ping or connect to
>z.z.z.1 from the internet it doesn't work. If I try to
>tracert from z.z.z.1 to a host on the internet I get
>the following error in the log:
>
>305006: regular translation creation failed for icmp
>src dmz:y.y.y.5 dst outside:207.46.130.149 (type 8,
>code 0)
>
>I guess that incoming connections to the server on port
>80 fail because the server is unable to send packets
>back to the requesting host.
>
>If I remove the nat (dmz) 2 y.y.y.5 255.255.255.255
>command the server can now perform a tracert, but it
>goes out through ISP1. Again a host connecting to port
>80 on this server fails because the return packets
>cannot be sent to the ISP1 router, and the PIX doesn't
>appear to pass them to the ISP2 router.
>
>Is it possible to configure the PIX so that servers in
>the dmz are mapped to specific routes? If not, is it
>possible for me to add another interface and have dmz1
>mapped to isp1 and dmz2 mapped to isp2? If the answer
>to both of these is no then it looks like I will have
>to put this 1 server on the outside of my firewall and
>do my best to harden it, or buy another firewall :(
>
>Please help, I'm at my wits' end trying to sort this out.
I would strongly recommend you contact the Cisco Technical Assistance Center.
>Dan
>
>---
>D.C. Crichton email: [EMAIL PROTECTED]
>Senior Systems Analyst tel: +44 (0)121 706 6000
>Computer Manuals Ltd. fax: +44 (0)121 606 0477
>
>Computer book info on the web:
> http://computer-manuals.co.uk/
>Want to earn money? Join our affiliate scheme!
> http://computer-manuals.co.uk/affiliate/
>-
>[To unsubscribe, send mail to [EMAIL PROTECTED] with
>"unsubscribe firewalls" in the body of the message.]
Thanks much,
Lisa Napier
Product Security Incident Response Team
Cisco Systems
http://www.cisco.com/warp/public/707/sec_incident_response.shtml