outside initiated traffic to access internal network range through pix firewall with translation

- W
- Wehay
  
  Contact options for registered users
posted
19 years ago

Sat, Mar 19, 2005 5:25 PM

Hi,

I have a pix sat between 2 internal networks:-

(inside)10.0.0.0 ----> Pix

- W
- Walter Roberson
  
  Contact options for registered users
Vote on answer
posted
19 years ago

Sat, Mar 19, 2005 6:23 PM

In article , Wehay wrote: :I have a pix sat between 2 internal networks:-

:(inside)10.0.0.0 ----> Pix

- W
- Wehay
  
  Contact options for registered users
Vote on answer
posted
19 years ago

Sat, Mar 19, 2005 7:40 PM

Walter,

Wow thanks for taking the time to go into all that for me. I feel some what ashamed of the description i gave now. i'll explain the full scenario.

We are implementing a MPLS network to connect the european sites together. there will be 4 sites and an internet gateway. the main site SITE1 will be where all the main systems are, and this has 2x 2mb circuits with dual hsrp and those CE routers are connected to a switch which i have enabled 3 ports TRUNKED (2 for the routers and 1 for the outside interface of the PIX) as the internet link will be delivered to my PIX firewall as a VLAN (ios

6.3(4)).

SITE1 :- has internal address range 10.0.0.0/22 but they will be advertised on the MPLS as /23 as to do some crude load balancing, the network range between the CE router and the PIX is the 192.168.1.x range.

SITE2:- has internal address range 10.0.4.0/22 but the CE router is sat on directly on that network.

SITE3:- 10.0.8.0/22 as site2

SITE4:- 10.0.12.0/22 as site2

and yes you were right i am trying to use the PIX as a transparent filter, but to give us the control of which ports are open and shut. as well as Terminate VPN's, and be the internet gateway for all sites.

I need SITE2 (and the others) to be able to access the central systems on SITE1 by using the 10.0.0.x ip address else the "crude load balancing" (10.0.0.0/23 & 10.0.2.0/23 being advertised) will be ignored as i'd have to access the systems by publishing 10.0.0.x as 192.168.1.x.

by what you've said it sounds like my hands are tied and i'll either have to hope IOs Ver7 is released in the next couple of days or i'll be publishing them on the 192.168.1.0 network.

Much Appreciated!!

- W
- Wehay
  
  Contact options for registered users
Vote on answer
posted
19 years ago

Sun, Mar 20, 2005 7:26 AM

Just a thought,

We do have another pix setup in which I have the DMZ (172.16.2.0/24) access the Internal network (172.16.1.0/24) directly. On the PIX i am trying to set up i have a 4 port network card added.

Could I advertise the 192.168.1.0 network out of one of the "DMZ" interfaces and treat that as the outside interface and disable the Outside interface (ethernet0)?

If so how? i've tried all the config i can think of but still not getting any joy.