We have 2 ISP connections to our PIX 515UR coming in on
2 interfaces, another interface is our "dmz", and the
fourth is our "inside". I'm having trouble trying to
configure the PIX to have 1 server in the "dmz" answer
to connections from 1 ISP connection, and all other
servers answer on the other ISP connection. I have a
nasty feeling I may have to get another NIC and run a
second "dmz", or even get another PIX :(
Does anyone know if this is possible?
I have set up the following configuration:
nameif ethernet0 isp1 security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
nameif ethernet3 isp2 security10
nat (inside) 1 0
nat (dmz) 2 y.y.y.5 255.255.255.255
nat (dmz) 1 0
global (isp1) 1 x.x.x.100
global (dmz) 1 y.y.y.100
global (isp2) 2 z.z.z.100
static (dmz,isp1) x.x.x.1 y.y.y.1
static (dmz,isp1) x.x.x.2 y.y.y.2
static (dmz,isp1) x.x.x.3 y.y.y.3
static (dmz,isp1) x.x.x.4 y.y.y.4
static (dmz,isp2) z.z.z.1 y.y.y.5
conduit permit tcp host x.x.x.1 eq www any
conduit permit tcp host x.x.x.2 eq www any
conduit permit tcp host x.x.x.3 eq www any
conduit permit tcp host x.x.x.4 eq www any
conduit permit tcp host z.z.z.1 eq www any
conduit permit icmp any any
:above line for testing only
route isp1 0 0 x.x.x.254
route isp2 0 0 z.z.z.254
where x.x.x.0 are my isp1 network addresses, y.y.y.0 is
my dmz private addressing, and z.z.z.0 are my isp2
network addresses.
If I try to access the servers x.x.x.? from the
internet everything is fine, and if I try to start
connections from the servers x.x.x.? everything is OK -
they use the ISP1 router.
If I try to connect to z.z.z.1 from the inside
everything works. If I try to ping or connect to
z.z.z.1 from the internet it doesn't work. If I try to
tracert from z.z.z.1 to a host on the internet I get
the following error in the log:
305006: regular translation creation failed for icmp
src dmz:y.y.y.5 dst outside:207.46.130.149 (type 8,
code 0)
I guess that incoming connections to the server on port
80 fail because the server is unable to send packets
back to the requesting host.
If I remove the nat (dmz) 2 y.y.y.5 255.255.255.255
command the server can now perform a tracert, but it
goes out through ISP1. Again a host connecting to port
80 on this server fails because the return packets
cannot be sent to the ISP1 router, and the PIX doesn't
appear to pass them to the ISP2 router.
Is it possible to configure the PIX so that servers in
the dmz are mapped to specific routes? If not, is it
possible for me to add another interface and have dmz1
mapped to isp1 and dmz2 mapped to isp2? If the answer
to both of these is no then it looks like I will have
to put this 1 server on the outside of my firewall and
do my best to harden it, or buy another firewall :(
Please help, I'm at my wits end trying to sort this out.
Dan
---
D.C. Crichton email: [EMAIL PROTECTED]
Senior Systems Analyst tel: +44 (0)121 706 6000
Computer Manuals Ltd. fax: +44 (0)121 606 0477
Computer book info on the web:
http://computer-manuals.co.uk/
Want to earn money? Join our affiliate scheme!
http://computer-manuals.co.uk/affiliate/
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
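The symptoms Dan reports follow from the order in which a classic PIX decides a packet's egress interface and translation: route lookup first, then a static for that interface pair, otherwise the most specific nat statement on the ingress interface paired with a global of the same id on the egress interface. The model below is an added example, not code from the post or from Cisco, and generalises that lookup so it can be run against any similar nat/global/static/route set. It substitutes documentation prefixes for the x.x.x / y.y.y / z.z.z placeholders, breaks the tie between the two default routes in favour of the first one configured (an assumption, but it matches the post's observation that DMZ traffic leaves via the ISP1 router), and evaluates reply packets with a fresh lookup rather than remembering the interface a connection arrived on. The PixConfig, posted_config, egress_interface, outbound_xlate and inbound_connection names are all this example's own.

```python
"""Toy model of the classic PIX (6.x) egress and NAT lookup for the two-ISP
setup described in the post above.  Added example, not code from the post
or from Cisco.  Addresses are documentation prefixes standing in for the
x.x.x / y.y.y / z.z.z placeholders."""
import ipaddress
from dataclasses import dataclass

# Assumed concrete values for the post's placeholder prefixes.
ISP1_NET = "198.51.100.0/24"      # x.x.x.0, ISP1 addresses
DMZ_NET = "10.0.1.0/24"           # y.y.y.0, private DMZ addresses
ISP2_NET = "203.0.113.0/24"       # z.z.z.0, ISP2 addresses
INTERNET_HOST = "207.46.130.149"  # destination quoted in the 305006 log line


@dataclass
class PixConfig:
    routes: list     # (interface, prefix, next_hop); connected nets first
    statics: list    # (real_if, mapped_if, mapped_ip, real_ip)
    nats: list       # (interface, nat_id, real_network)
    globals_: dict   # (interface, nat_id) -> address handed out by global


def posted_config(keep_nat2=True):
    """The post's configuration, minus conduits (they permit or deny the
    flow but do not change the route or translation decision modelled here)."""
    routes = [
        ("isp1", ISP1_NET, None), ("dmz", DMZ_NET, None), ("isp2", ISP2_NET, None),
        ("isp1", "0.0.0.0/0", "198.51.100.254"),   # route isp1 0 0 x.x.x.254
        ("isp2", "0.0.0.0/0", "203.0.113.254"),    # route isp2 0 0 z.z.z.254
    ]
    statics = [("dmz", "isp1", f"198.51.100.{i}", f"10.0.1.{i}") for i in range(1, 5)]
    statics.append(("dmz", "isp2", "203.0.113.1", "10.0.1.5"))  # static (dmz,isp2) z.z.z.1 y.y.y.5
    nats = [("inside", 1, "0.0.0.0/0"), ("dmz", 1, "0.0.0.0/0")]
    if keep_nat2:
        nats.insert(1, ("dmz", 2, "10.0.1.5/32"))               # nat (dmz) 2 y.y.y.5 255.255.255.255
    globals_ = {("isp1", 1): "198.51.100.100", ("dmz", 1): "10.0.1.100",
                ("isp2", 2): "203.0.113.100"}
    return PixConfig(routes, statics, nats, globals_)


def egress_interface(cfg, dst):
    """Longest-prefix match.  A tie between the two default routes goes to
    the first one configured (assumption; consistent with the post)."""
    dst = ipaddress.ip_address(dst)
    best = None
    for ifc, prefix, _next_hop in cfg.routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (ifc, net)
    return best[0] if best else None


def outbound_xlate(cfg, ingress, src, dst):
    """How a packet entering on `ingress` is translated on the way out.
    Returns (kind, mapped_address, egress_interface)."""
    egress = egress_interface(cfg, dst)
    src_ip = ipaddress.ip_address(src)
    # 1. A static for exactly this (real, mapped) interface pair wins.
    for real_if, mapped_if, mapped, real in cfg.statics:
        if real_if == ingress and mapped_if == egress and ipaddress.ip_address(real) == src_ip:
            return ("static", mapped, egress)
    # 2. Otherwise the most specific nat statement on the ingress interface.
    matches = [(nat_id, ipaddress.ip_network(net)) for ifc, nat_id, net in cfg.nats
               if ifc == ingress and src_ip in ipaddress.ip_network(net)]
    if not matches:
        return ("no-nat", None, egress)
    nat_id = max(matches, key=lambda m: m[1].prefixlen)[0]
    # 3. ...which needs a global with the same id on the egress interface.
    #    Without one no xlate can be built: the post's 305006 symptom.
    pool = cfg.globals_.get((egress, nat_id))
    if pool is None:
        return ("xlate-failed", None, egress)
    return ("global", pool, egress)


def inbound_connection(cfg, ingress, mapped_dst, client):
    """An Internet client hits a mapped address on an ISP interface.
    Returns (real_host, real_interface, reply_decision).  The reply is run
    through a fresh outbound lookup (assumption: no per-connection memory
    of the inbound interface, as for ICMP echo without an ICMP fixup)."""
    for real_if, mapped_if, mapped, real in cfg.statics:
        if mapped_if == ingress and mapped == mapped_dst:
            return (real, real_if, outbound_xlate(cfg, real_if, real, client))
    return (None, None, None)


if __name__ == "__main__":
    cfg = posted_config()
    print(outbound_xlate(cfg, "dmz", "10.0.1.1", INTERNET_HOST))  # static out isp1
    print(outbound_xlate(cfg, "dmz", "10.0.1.5", INTERNET_HOST))  # xlate-failed on isp1
    print(inbound_connection(cfg, "isp2", "203.0.113.1", INTERNET_HOST))
    print(outbound_xlate(posted_config(keep_nat2=False), "dmz", "10.0.1.5", INTERNET_HOST))
```

Run as-is, the model reproduces the post: y.y.y.1 leaves via its (dmz,isp1) static; y.y.y.5 is routed to isp1 by the default route, matches nat id 2, finds no global 2 on isp1 and fails; a connection arriving on isp2 for z.z.z.1 reaches y.y.y.5 but its reply fails the same way; and with the nat 2 line removed, y.y.y.5 falls back to nat id 1 and leaves through the ISP1 PAT address. The decision that breaks the design is the route lookup coming before NAT, which is why a static on isp2 alone cannot steer one host's traffic to the ISP2 router.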