PIX/Linux/ADSL2 Routing/NAT Issue.

G'day all... got a few questions on how to properly implement and correct a routing problem I have. Consider the following physical network:

LAN --- (Switch) --- Linux --- (Switch) --- ADSL2+ Modem +------ PIX -------+

Linux  Int - 172.30.1.254, Ext - 172.30.250.254
PIX    Int - 172.30.1.251, Ext - 172.30.250.251
ADSL   172.30.250.250
ADSL external has static IP - 1.2.3.4

The LAN has the Linux box as its default gateway. This linux box is NAT'ing this into the External Network, and the ADSL2 modem is NAT'ing the external to the Internet.

The External interface of the PIX is defined as the 'DMZ' host in the ADSL modem, so it receives all requests hitting the external interface. This PIX then forwards on the requests to the appropriate LAN server (mail + web etc). This PIX is also a PPTP/IPSEC Vpn server to allow internet users to log into the LAN.

Now...why do it like this? I want the IPSec/Firewall features of the PIX, but the PIX is a 10 user 501, which only has 10 Mbit interfaces, and my ADSL2 connection is 24 Mbit, and I have around 30 machines on the LAN.

Now, the problem. All the LAN users have no hassles accessing the internet correctly. External services though...this is the issue. When a user, for example, connects to port 25 for a SMTP session, hits the 1.2.3.4 address, the PIX forwards it on to the correct server. When the TCP stack on that server replies with its SYN/ACK though, it gets sent back via the Linux machine, being the default route. This confuses the ADSL modem, which treats it as a new packet, re-NATs it, and sends it back to the user. The user's machine then replies with a RST because it doesn't understand what the hell is going on. Hence the connection fails. What to do? I am puzzled. Any help would be fantastic - cheers!!
-- Skymaster
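The failure described above is asymmetric routing: the SYN arrives through the PIX, but the server's SYN/ACK follows its default route through the Linux box and the ADSL modem, which has no state for it. One way to pin the reply to the path the connection came in on is policy routing on each Linux LAN server: tag new connections whose first packet arrived from the PIX's inside interface, copy that tag onto locally generated reply packets, and route tagged packets to the PIX instead of the default gateway. The script below is an added example and is not from the thread or from any of the posters; the addresses are the ones given in the post, while the LAN interface name (eth0), the PIX inside MAC address, the routing table number and the mark value are assumptions (find the real MAC with `ip neigh show 172.30.1.251`). It prints the commands by default; set DRY_RUN=0 to apply them as root.

```shell
#!/bin/sh
# Added example: route replies for PIX-ingress connections back via the PIX.
# Assumed (not in the thread): LAN_IF, PIX_MAC, TABLE, MARK. PIX_GW and
# LINUX_GW are the inside addresses quoted in the original post.
LAN_IF="${LAN_IF:-eth0}"
PIX_GW="${PIX_GW:-172.30.1.251}"
LINUX_GW="${LINUX_GW:-172.30.1.254}"          # stays the default route
PIX_MAC="${PIX_MAC:-00:11:22:33:44:55}"       # assumed placeholder MAC
TABLE="${TABLE:-100}"
MARK="${MARK:-0x1}"
DRY_RUN="${DRY_RUN:-1}"

# Print the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Install the four pieces of the return-path fix on a Linux LAN server.
install_pix_return_path() {
    # 1. A second routing table whose default route points at the PIX.
    run ip route replace default via "$PIX_GW" dev "$LAN_IF" table "$TABLE"
    # 2. Packets carrying the firewall mark consult that table before main.
    run ip rule add fwmark "$MARK" lookup "$TABLE" priority 100
    # 3. Mark the *connection* when its first packet arrives from the PIX's
    #    inside MAC. Internet clients and VPN clients both come in this way.
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" \
        -m mac --mac-source "$PIX_MAC" \
        -m conntrack --ctstate NEW -j CONNMARK --set-mark "$MARK"
    # 4. Copy the connection mark onto locally generated packets (the
    #    SYN/ACK and everything after it); changing the mark in mangle
    #    OUTPUT makes the kernel re-run the route lookup, hitting rule 2.
    run iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
}

# Number of commands the fix consists of (dry run), handy as a self-check.
count_commands() {
    DRY_RUN=1 install_pix_return_path | grep -c .
}

install_pix_return_path
```

Connections the server itself opens to the internet are unaffected: their first packet is locally generated, never gets the mark, and keeps using the Linux box as default gateway. The alternative that Dom's later reply points towards is to have the PIX translate the source address of inbound connections to its own inside address so servers reply to it naturally, which removes the need for per-server routing rules but hides the client's real address from the mail and web logs.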

FYI, the 10 Mbit outside interface restriction was removed in 6.3(1). (But the 10 user license remained unchanged.)

-- Walter Roberson

Is there somewhere I can get a copy of this easily? Or would it involve me handing over money to Cisco?

Walter Roberson wrote:
> > Now...why do it like this? I want the IPSec/Firewall features of the

-- Skymaster

In article , Skymaster wrote: [PIX 6.3(1)]

It depends on what your current version is. If you are in PIX 6.2 now then you -might- be able to wrangle it through judicious use of the PIX Security Advisories, but you'd need to look at them carefully and be prepared to argue your case. (Security Advisories don't normally allow you to upgrade.)

-- Walter Roberson

Two nats is one too many. NAT at the edge of the network only.

-- Dom
