Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations wOOdy-Soft on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

520: Two outside interfaces?

Status
Not open for further replies.
pixboy

pixboy

MIS
Nov 21, 2001
153
US
We have a PIX 520 with a total of 6 Ethernet interfaces. Currently, we're using four of the interfaces (outside, inside, dmz1, dmz2).

Here's where things get intersting. We have two different ISPs supplying us with a total of three lines (one frac T-3, two T-1s). The frac. T-3 is for a specific application, and we don't want to put other clients on that line. We have 5 different public IP blocks (1 for frac. T-3, and 4 for the T-1s). Both routers (one for T-3, one for both T-1s) are on the same physical network.

I can get the PIX to hold a static IP in one of the T-1 blocks for a server, but when the traffic tries to go back out, it tries to send it back the T-3, which causes "Deny tcp reverse path check from aa.bb.cc.dd to ee.ff.gg.hh on interface outside". It should be going out the interface I've named "outside2," which has an IP address in the same T-1 block as the aforementioned static IP.

This question has been asked before, but I can't seem to find appropriate answers. Can you have a PIX 520 that has TWO outside interfaces? And can you route traffic to/from one particular DMZ (say DMZ3) to/from a particular outside interface (say outside2)?

Thanks!

Dan
 
Sort by date Sort by votes
Dan,

#1 No. You cannot have two outside interfaces.

#2 You can route traffic between any two interfaces. It is assumed that you have traffic that flows inbound and then returns over the same path (through the PIX) outbound.

You need to go check the documentation and look at security levels. That defines how data will flow inside, outside and through all other interfaces.

Liberty for All,

Brian
 
Upvote 0 Downvote
Brian:

Thanks for the reply. Right now, with this experimental setup, it appears the traffic is flowing in "outside2" (ethernet5), but is trying to flow out "outside" (ethernet0). So the PIX blocks it.

If I remember correctly, outside is security0, inside is security100, dmz1 is security10, dmz2 is security20, dmz3 is security30 and outside2 is maybe security1. If I understand what you're saying, if I were to flop the security levels for outside and outside2, all outbound traffic would flow out through outside2? (Of course, the PIX would block that, too, since it's going out a different interface than it came in.)

Thanks!

Dan
 
Upvote 0 Downvote
HI.

The flow goes by the routing table.

route outside 0.0.0.0 0.0.0.0 ...

I don't think that pix supports more the one default gateway, but you can check.

The security levels are used as the basis for access control and for nat, while access-list and other commands are generaly used as exceptions.
The security levels do not take a part for routing decisions.

Bye

Yizhar Hurwitz
 
Upvote 0 Downvote
Dan,

By default traffic on an interface with security level =1 should be able to get through the outside (since the outside =0). Return traffic should make it back to that same interface. Check your default route.

Liberty for All,

Brian
 
Upvote 0 Downvote
Our default route goes to our Cisco 7206, which handles the fractional T-3. We have a Cisco 2610 which handles the two T-1s. They're both physically connected to the same network, and they have complementary IP addresses. In other words, both routers are local to each other for the most part. We have 5 full Class-C-level blocks (three really are Class C's, while the other two are each that size in the Class A area. In two of the blocks, both routers have IP addresses in the same subnets. (For example, the 7206 would have 1.2.3.1 and the 2610 would have 1.2.3.2.)

Is there any intellegent way to route the traffic that came in a T-1 through the firewall, to the appropriate host residing behind the firewall, and return the traffic back the same path? Right now, I've only been able to get it to work with traffic coming in the T-3.

Thanks!

Dan
 
Upvote 0 Downvote
Dan:
Did you have any luck with your experiment? We wanted to do same thing (use two outside interfaces on a 520) but have been told it can't be done either. Keep us posted please. Thanks, Fred
 
Upvote 0 Downvote
No. Does anyone know the "right" way to do this? I can't get the PIX to allow a static IP in anything but the T-3's block for anything behind the firewall. If the traffic is supposed to come in the T-1, can't we configure the routers to make sure it goes back that way?
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

handle2110
  • Locked
  • Question
Communication between interfaces
Replies
0
Views
151
handle2110
handle2110
ttrsux
  • Locked
  • Question
Error opening IKE port 4500 on Interface outside
Replies
0
Views
376
ttrsux
ttrsux
Shad0wguy
  • Locked
  • Question
Unable to ping specific IP across interfaces, can ping on same interface
Replies
6
Views
484
Shad0wguy
Shad0wguy
Spork52
  • Locked
  • Question
Is this secure? Serving content from two servers with SSL
Replies
3
Views
301
ChrisHirst
ChrisHirst
xylax
  • Locked
  • Question
Redirecting HTTP traffic from INSIDE to OUTSIDE using ASA NATs
Replies
0
Views
161
xylax
xylax

Part and Inventory Search

Sponsor

Back
Top