Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations TouchToneTommy on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Subnets behind a second pix

Status
Not open for further replies.
NetworkDOC

NetworkDOC

MIS
May 19, 2004
212
US
Here is what I want to accomplish:

I have a pix #1 515e, 2 dmz's (webdmz-172.16.1.1/24 & vpndmz-192.168.100.1/24), with an inside address of 192.168.0.1/24. I will be adding a second FW PIX located in another building. Pix#2 dmz3 10.1.1.1/24 with an inside interface of 192.168.0.2/24. I have coming in behind vpndmz a few different subnets from across the state for example 10.100.100.1/24.

My question is this? Can I allow traffic from a pc(10.100.100.19,one of the subnets behind the vpn network) and have it route to the second pix into the dmz3? The two pixes inside interaces are on the same subnet (192.168.0.1 & 192.168.0.2).

In my mind I think so. I think (once I configure the access-lists right) I only have to define a route on both PIxes for the subnets in their respective DMZ's.

For example: Pix 1

route webdmz 10.100.100.0 255.255.255.0 192.168.100.1 1
static (inside,vpndmz) 192.168.0.0 192.168.0.0 netmask 255.255.255.0

Then on PIX 2

route dmz3 192.168.100.0 255.255.255.0 10.1.1.1 1

static (inside,dmz3) 192.168.0.0 192.168.0.0 netmask 255.255.255.0

Can the PIX do this ok?
 
Sort by date Sort by votes
route webdmz 10.100.100.0 255.255.255.0 192.168.100.1 1
static (inside,vpndmz) 192.168.0.0 192.168.0.0 netmask 255.255.255.0

Then on PIX 2

route dmz3 192.168.100.0 255.255.255.0 10.1.1.1 1

static (inside,dmz3) 192.168.0.0 192.168.0.0 netmask 255.255.255.0

Can the PIX do this ok?"

You are going to have to use different subnets or you'll run into routing issues.


*****************

What's ADD again?
 
Upvote 0 Downvote
For which the DMZ or the inside?

That wouldn't be a problem, since the dmz3 doesn;t exist yet. That it?
 
Upvote 0 Downvote
NetworkDDC-

It can be done, but man it would be lot easier with routers...

Ok let me see if i understnad you exactly. A Pc(10.100.100.19) is coming from another state through the vpndmz side of the PIX. An you want to that traffic to access PCs/servers/traffic on the dmz#3 on PIX 2(10.1.1.0/24)?

Well for that traffic to end up on the vpndmz side I am assuming there is a router between the vpndmz and another state. With that said the router will have to route traffic to the the Pix #1. Now the Pix #1 will have to have a state like this...

route inside 10.1.1.0 255.255.255.0 192.168.0.1

I am also going to assume you do not want NAT performed on this traffic correct? So then I would issue this coomand as well...

access-list 105 permit ip 10.100.100.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (inside) 0 access-list 105

You will need the same for coming back the opposite way too; just change the IP's.

Frank

 
Upvote 0 Downvote
For which the DMZ or the inside?"

I'd change the network for the dmz3--especially since it's not created yet. Maybe 192.168.1.0/24 or something else routable.

Roland



*****************

What's ADD again?
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Miluis
  • Locked
  • Question
How necessary is an antivirus?
Replies
3
Views
332
Rick998
Rick998
Sameer258
  • Locked
  • Question
Need Help to Find ip and mac address with email who one open my email
Replies
0
Views
1K
Sameer258
Sameer258
Sparrow4
  • Locked
  • Question
AnyConnect + Azure + SAML
Replies
0
Views
651
Sparrow4
Sparrow4
quar
  • Locked
  • Question
Moving a rule
Replies
2
Views
467
iggsterman
iggsterman
quar
  • Locked
  • Question
Moving a rule
Replies
0
Views
212
quar
quar

Part and Inventory Search

Sponsor

Back
Top