PIX interfaces

Hello

We are not supposed to assign an IP address with a subnet mask of 255.255.255.255 to PIX interfaces.

But why is that, and when is a subnet mask of 255.255.255.255 used in general (even in a non-PIX context)?

(I noticed the subnet mask 255.255.255.255 assigned to the IP address of a host that connects to the Internet over a single dial-up connection.)

Could someone help me understand this concept of a /32 mask?

Thanks and greetings

S. Lora

The mask associated with a PIX interface, or with any other network device or host, including Windows hosts (except dial-up), determines the subnet range. To be able to communicate, you must have at least two hosts located on the same subnet; otherwise the layer 2 protocol will not be able to reach the other host on that subnet.

The dial-up case is special, because Microsoft does not respect the subnet principle within DUN (the Windows remote access networking driver). Similarly, Microsoft is not sure of the IP address of the modem router provided by the access server, so MS puts the host's own IP address in the gateway field. In other words, a Windows host always sends packets across the PPP network (remote connection) when they are intended for someone other than itself. This works when the dialing host has only one interface, but what happens when this host is communicating with a remote access network via a modem and with a LAN at the same time? In the MS world, this does not work. You need a special type of software to work around this poor implementation. Just to say that the network mask does not matter in the MS dial-up world; you can find 255.255.255.255 there.

Kind regards

Ben
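As an added illustration of the point above (this is not part of the original thread): a small Python script, standard library only, that shows what a mask means for an interface, why a /32 leaves an Ethernet interface with no on-link neighbours and no usable gateway, and where a /32 is normal (host-scoped entries such as "http 192.168.10.2 255.255.255.255 inside"). The addresses are constructed, and the dial-up gateway convention modelled is the one described in the answer.

```python
import ipaddress


def subnet_of(ip: str, mask: str) -> ipaddress.IPv4Network:
    """The range an interface considers 'on-link', given its address and mask."""
    return ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)


def on_link_peer_count(ip: str, mask: str) -> int:
    """How many OTHER addresses the interface would try to reach directly
    (ARP on Ethernet) instead of handing the packet to a gateway."""
    return subnet_of(ip, mask).num_addresses - 1


def is_on_link(ip: str, mask: str, other: str) -> bool:
    """Would this interface treat 'other' as a layer-2 neighbour?"""
    return ipaddress.IPv4Address(other) in subnet_of(ip, mask)


def gateway_usable(ip: str, mask: str, gateway: str) -> bool:
    """A default route's next hop must be on-link, otherwise the device has no
    way to resolve it at layer 2. With a /32 on an Ethernet interface this is
    never true, which is why the PIX refuses such a mask on its interfaces."""
    return is_on_link(ip, mask, gateway) and gateway != ip


def next_hop(ip: str, mask: str, gateway: str, dest: str) -> str:
    """Simplified forwarding decision of a host: deliver directly when the
    destination is on-link, otherwise hand the packet to the gateway."""
    if is_on_link(ip, mask, dest):
        return "direct"
    return gateway


def host_entry_matches(entry_ip: str, entry_mask: str, candidate: str) -> bool:
    """Where a /32 mask IS normal: a host-scoped entry such as
    'http 192.168.10.2 255.255.255.255 inside' matches exactly one address."""
    return is_on_link(entry_ip, entry_mask, candidate)


if __name__ == "__main__":
    # Ethernet interface with the /24 mask used in the PIX configs on this page
    print(on_link_peer_count("192.168.100.1", "255.255.255.0"))        # 255
    # The same interface with a /32: no neighbours at all
    print(on_link_peer_count("10.10.10.2", "255.255.255.255"))         # 0
    print(gateway_usable("10.10.10.2", "255.255.255.0", "10.10.10.1"))    # True
    print(gateway_usable("10.10.10.2", "255.255.255.255", "10.10.10.1"))  # False
    # Windows dial-up as described in the answer: /32 and gateway == own
    # address, so every non-local packet goes out the single PPP link.
    # 198.51.100.7 is a constructed documentation address.
    print(next_hop("198.51.100.7", "255.255.255.255", "198.51.100.7", "8.8.8.8"))
    print(host_entry_matches("192.168.10.2", "255.255.255.255", "192.168.10.3"))  # False
```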

Tags: Cisco Security

Similar Questions

  • [email protected] / * / PIX Interface

    I know and agree that the PIX does not answer traceroute requests on the external interface, but I have VPN connections to other companies that have other brands of VPN boxes (Nortel, SonicWall) and they don't believe that.

    I've tried to find an official document from Cisco to show them the reality, but I haven't found one.

    Who can help me?

    Hi,

    The PIX does not support initiating the traceroute command; it is not part of the PIX command set.

    Also read the following document:

    http://www.Cisco.com/warp/public/110/pixtrace.html

    Hope this helps - Jay.

  • Can a client VPN from an unprotected PIX interface to a protected interface?

    I have a multi-interface PIX; the interfaces are described as follows:

    Outside-> 10MB to ISP

    Inside-> vlan main

    DMZ-> Web servers, etc...

    Lab1-> test application servers

    LAB2-> test application servers

    etc...

    GuestWireless-> free wireless (connected to the Cisco WAP)

    The open wireless only has access to the Internet, not to any of the trusted networks. It is an untrusted interface (security level 1). The outside interface is security 0.

    I want to be able to allow VPN access from the wireless into the trusted networks, the same way a VPN from outside (Internet) is handled.

    I guess the PIX sees it as a VPN connection attempt to another of its interfaces.

    The client times out connecting from the wireless to the PIX outside interface IP.

    The PIX simply logs this:

    Jan 20 2009 13:38:23: %PIX-7-710005: UDP request discarded from 192.168.20.5/1346 to GuestWireless:yy.yy.yy.yy/500

    the outside interface IP = yy.yy.yy.yy

    The PIX is also the DHCP server for the wireless network connections.

    Is this even possible? If so, what am I missing?

    Thank you

    Dave

    To answer:

    The wireless leg of the PIX is security level 1, and the outside interface is security level 0. Wouldn't that mean the VPN is initiated from a higher to a lower security interface? Yes, but the traffic is cleartext, asking to terminate a VPN connection on an interface that is locally attached to the PIX, effectively on the inside of the unit. The PIX will certainly refuse a connection it receives on the outside interface from the wireless interface.

    No, it isn't the same thing. Something like:

    crypto isakmp enable GuestWireless - this tells the PIX to listen for and accept ISAKMP/VPN connection attempts from ANY device connected to this interface, FOR the GuestWireless interface.

    HTH
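    An added example, not from the original thread: Python detection logic run over constructed syslog lines in the %PIX-7-710005 format shown above. It counts discarded IKE (UDP 500/4500) requests per interface and flags interfaces where ISAKMP is not enabled, which is the symptom behind the client time-out in the question. The masked address yy.yy.yy.yy is replaced by the documentation address 192.0.2.1, and the set of ISAKMP-enabled interfaces is an input you supply from your own config.

```python
import re
from collections import Counter

# %PIX-7-710005 is logged when the PIX itself discards a request addressed to
# one of its own interfaces. Format as seen in the question:
#   %PIX-7-710005: UDP request discarded from <src>/<sport> to <ifc>:<dst>/<dport>
LOG_RE = re.compile(
    r"%PIX-7-710005: (?P<proto>\w+) request discarded from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<ifc>[\w-]+):(?P<dst>[\d.]+)/(?P<dport>\d+)"
)
IKE_PORTS = {500, 4500}  # ISAKMP and NAT-T


def parse_710005(line):
    """Return the fields of a 710005 message as a dict, or None for other lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec


def ike_drop_report(lines, isakmp_enabled):
    """Per interface: how many IKE requests the PIX discarded and whether ISAKMP
    is enabled there. Drops on an interface where it is not enabled mean the
    peer's IKE packets reach the PIX but are never answered."""
    drops = Counter()
    for line in lines:
        rec = parse_710005(line)
        if rec and rec["proto"] == "UDP" and rec["dport"] in IKE_PORTS:
            drops[rec["ifc"]] += 1
    return {
        ifc: {"ike_drops": n, "isakmp_enabled": ifc in isakmp_enabled}
        for ifc, n in drops.items()
    }


def interfaces_needing_isakmp(report):
    """Interfaces that saw IKE drops but have no ISAKMP listener."""
    return sorted(ifc for ifc, r in report.items() if not r["isakmp_enabled"])


# Constructed sample log: the question's line with the masked address replaced
# by a documentation address, plus three made-up entries (one non-IKE drop on
# the guest interface, one non-IKE drop on outside).
SAMPLE_LOG = [
    "Jan 20 2009 13:38:23: %PIX-7-710005: UDP request discarded from 192.168.20.5/1346 to GuestWireless:192.0.2.1/500",
    "Jan 20 2009 13:38:31: %PIX-7-710005: UDP request discarded from 192.168.20.5/1346 to GuestWireless:192.0.2.1/500",
    "Jan 20 2009 13:39:02: %PIX-7-710005: UDP request discarded from 192.168.20.9/53011 to GuestWireless:192.0.2.1/53",
    "Jan 20 2009 13:40:10: %PIX-7-710005: UDP request discarded from 203.0.113.44/40211 to outside:192.0.2.1/161",
]

if __name__ == "__main__":
    # Assumed: ISAKMP is enabled on "outside" only, as in the question.
    report = ike_drop_report(SAMPLE_LOG, {"outside"})
    print(report)
    print(interfaces_needing_isakmp(report))  # ['GuestWireless']
```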

  • Inbound direction on the PIX interfaces

    Access-group statements always apply an ACL to an interface with the "in interface" command. The PIX docs say "this filters inbound packets to the given interface". I would like a clear definition of what "inbound" is. My understanding, according to the logic of the access lists I have applied, is that inbound is traffic entering the PIX interface from the connected subnet. So for the following interfaces, inbound traffic originates from the following subnets:

    outside - traffic from the Internet

    inside - traffic from the inside LAN

    DMZ - traffic coming from the DMZ

    I just wanted to check that, because it contrasts with IOS router configs. My understanding is the following:

    Outside interface s0 - inbound list applies to incoming traffic from the Internet

    Inside interface e0/0 - inbound list applies to incoming traffic from the subnet towards the interface, as in my PIX inside example.

    Could someone verify this, point me to a link, or correct my examples?

    Thank you

    RJ

    1. Yes, to filter traffic entering the interface.

    2. Traffic can originate from anywhere, that is, many hops/subnets away or directly connected, before it hits the interface, but it is moving into the interface. Same logic on PIX and router.

    3. Yes, to filter traffic leaving the interface.

    4. Yes, traffic moving away from the router to the connected subnet or to a destination many hops away (the PIX has no outbound ACL).

    Steve

  • PIX routing with 3 interfaces

    Hi all

    I have a PIX 515E configured with 3 interfaces: outside, inside and a Tunnel interface for my VPN clients. VPN clients not only access the inside network; I have to route them to other networks through the outside interface. As you cannot route IPsec packets back out the same interface they entered on, I used a separate interface for the VPN clients. The default gateway is set on the outside interface. Now the problem is that when the VPN users try to connect to the Internet, the Tunnel interface is receiving the traffic but does not send it back, as the default route is defined on the outside interface.

    The Tunnel interface is 192.168.32.253, and if I connect from a PC with the IP address 192.168.32.50, it works perfectly fine, including routing traffic to other networks through outside, as the PIX knows where to forward the packets. Can someone please help me solve this routing problem on the PIX?

    inside is 192.168.33.254 security 0

    outside is 192.168.34.254 security 100

    Tunnel is 192.168.32.253 security 90

    nat (inside) 0 access-list 110

    access-list 110 permit ip 192.168.33.0 255.255.255.0 any

    Thanks in advance.

    KAZ

    Unless you know which networks the clients must connect to, there may not be a solution, given that it looks like you need two default routes, one for encrypted client traffic and the other for unencrypted Internet traffic. You may be able to create a NAT pool in the router that provides Internet access to the Tunnel interface, so that all incoming client traffic is translated on this router to an address from a pool. That would make all remote clients look like they came from one subnet, so you wouldn't need a default route on the Tunnel interface of the PIX. You will probably need to make this router's Internet interface an 'ip nat inside' interface, because I don't think IOS supports dynamic NAT pools with 'ip nat outside source'. It sounds backwards, but I think it would work. You'll probably also want to use an access list or route map with the pool, so that NAT only applies to traffic going to the PIX Tunnel interface (i.e. VPN traffic), as I'm assuming that the same router provides Internet connectivity for both the outside and the Tunnel interfaces of the PIX.

    Good luck!

  • Number of ACLs on a PIX interface

    Hi all

    I just wanted to know how many access-group entries you can attach to a PIX 515ER interface. I wonder if it's the same rule as on a router, i.e. 1 ACL/interface/direction. Thank you for your help.

    Hi Vincent,

    You can apply only a single access-group on any PIX interface... it is not like on a router; on a router you can apply inbound/outbound access-groups... On a PIX you can apply only inbound access-groups...

    I hope this helps... all the best...

    REDA

  • Random connectivity loss, Cisco PIX 501

    Hello. I'm having some trouble with my Cisco PIX 501 setup.

    A few months ago I started having random disconnects on my network (from inside to outside). The machines can ping the DC or the PIX, but cannot browse the Internet. The only way to get them back outside is a reboot of the PIX.

    My configuration is:

    -----------

    pix(config)# sh conf
    : Saved
    : Written by enable_15 at 09:23:07.033 UTC Tue Jun 3 2014
    PIX Version 6.3(3)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password 8Ry34retyt7RR564 encrypted
    passwd 2fvbbfgdI.2KUOU encrypted
    hostname pix
    domain-name as.local
    fixup protocol dns maximum-length 512
    fixup protocol esp-ike
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol pptp 1723
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list acl_out permit icmp any any
    access-list acl_out permit ip any any
    access-list acl_out permit tcp any any
    access-list outside_access_in permit esp any any
    access-list outside_access_in permit udp any eq isakmp any
    access-list outside_access_in permit udp any eq 1701 any
    access-list outside_access_in permit udp any eq 4500 any
    access-list outside_access_in permit ip any any
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address outside 10.10.10.2 255.255.255.0
    ip address inside 192.168.100.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm history enable
    arp timeout 14400
    global (outside) 1 10.10.10.8-10.10.10.254
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    access-group outside_access_in in interface outside
    access-group acl_out in interface inside
    route outside 0.0.0.0 0.0.0.0 10.10.10.1 0
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    http server enable
    http 192.168.10.2 255.255.255.255 inside
    http 192.168.10.101 255.255.255.255 inside
    http 192.168.100.2 255.255.255.255 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    isakmp nat-traversal 20
    telnet timeout 5
    ssh 192.168.10.101 255.255.255.255 inside
    ssh timeout 60
    console timeout 0
    dhcpd dns 8.8.8.8 8.8.4.4
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    terminal width 80
    Cryptochecksum:7f9bda5e534eaeb1328ab08a3c4d28a
    ------------
    ------------

    Do you have any advice? I don't get what's wrong with my setup.

    My DC is 192.168.100.2 and the network mask is 255.255.255.0

    The network configuration sets the gateway IP to 192.168.100.1 (i.e. the PIX 501).

    I have about 50+ peers on the internal network.

    Any help is appreciated.

    Hello

    Do you have a license for 50+ users?

    Please post the output of "show version".

    Res

    Paul

  • VPN client to PIX - no bytes received on client

    I have a PIX with 6.3(4) and VPN Client 5.0.06.0110.  I can establish a tunnel, but cannot pass traffic beyond the PIX to the client network.  I can ping the inside of the PIX, so I believe the tunnel is fine, but maybe the ACL is bad?  Once the tunnel is established, under Statistics/Tunnel details the bytes sent go up, but the bytes received remain at 0.

    If someone would like to chime, I'd appreciate it.

    pixfirewall# sh conf
    : Saved
    : Written by enable_15 at 14:45:50.611 UTC Tue Dec 15 2009
    PIX Version 6.3(4)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password xxxxx encrypted
    passwd xxxxx encrypted
    hostname pixfirewall
    domain-name xxx.com
    fixup protocol dns maximum-length 4096
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list 101 permit ip 192.168.27.0 255.255.255.0 10.10.10.0 255.255.255.0
    access-list 102 permit ip 192.168.27.0 255.255.255.0 10.10.10.0 255.255.255.0
    pager lines 24
    icmp permit any outside
    icmp permit any inside
    mtu outside 1500
    mtu inside 1500
    ip address outside 209.xxx.xxx.248 255.255.255.255
    ip address inside 192.168.27.2 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool ippool 10.10.10.1-10.10.10.254
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    nat (inside) 0 access-list 102
    route outside 0.0.0.0 0.0.0.0 209.xxx.xxx.1 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    http server enable
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set gvnset esp-des esp-md5-hmac
    crypto dynamic-map dynmap 10 set transform-set gvnset
    crypto map gvnmap 10 ipsec-isakmp dynamic dynmap
    crypto map gvnmap interface outside
    isakmp enable outside
    isakmp key ******** address xxx.xxx.142.105 netmask 255.255.255.255
    isakmp identity address
    isakmp nat-traversal 20
    isakmp policy 9 authentication pre-share
    isakmp policy 9 encryption des
    isakmp policy 9 hash md5
    isakmp policy 9 group 2
    isakmp policy 9 lifetime 28800
    vpngroup gvnclient address-pool ippool
    vpngroup gvnclient dns-server 192.168.27.1
    vpngroup gvnclient wins-server 192.168.27.1
    vpngroup gvnclient default-domain xxx.com
    vpngroup gvnclient split-tunnel 101
    vpngroup gvnclient idle-time 1800
    vpngroup gvnclient password ********
    telnet 192.168.27.0 255.255.255.0 inside
    telnet timeout 15
    ssh timeout 60
    management-access inside
    console timeout 0
    terminal width 80
    Cryptochecksum:xxx
    pixfirewall#

    Servers on the 192.168.27.0 network probably need a route that points the 10.10.10.0/24 network to the PIX. It is possible that your VPN client traffic arrives, but the other end does not know how to get back.

  • PIX site to site and remote access

    Dear guys

    I have a PIX 515E with version 8.0 and on the other side a 2811 router; the site-to-site VPN between these two devices is implemented, but I want some remote clients to be able to connect to the PIX.

    So is it possible to implement both site-to-site and remote access VPN on the PIX (outside) interface?

    Any clue?

    Hello

    Yes, it is quite possible. Please see the attached sample configuration. Note this is for PIX v7.x, but it should work fine for 8.x.

    http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00807f9a89.shtml

    HTH

    Jon

  • Question on the PIX-525 spec (failover FE) and the GBIC

    Question on the PIX-525 spec.

    1. PIX-525-UR-GE-BUN (2GE + 2FE). I want to use the 2 GE as inside and outside interfaces and an FE for failover. I found a doc saying the 535 must use GE for failover. Does the 525 model support stateful failover on FE?

    2. PIX-1GE-66 card for the PIX 525: is the GBIC built into the card, or do I have to order a GBIC module (e.g. WS-G5484) to put into the card?

    Thank you

    1. The restriction that the stateful failover interface must match the fastest interface on the PIX applies to the PIX 535. The PIX 525 cannot switch GE line-rate traffic, so this restriction is lifted on the 525 platform. You can use an FE link on a PIX 525 as the stateful link even if you have GE links as other interfaces.

    2. The GE interface card on the PIX has a multimode SC connector. No GBIC necessary... just cables.

    I hope this helps.

    Scott

  • Can a PIX-to-PIX VPN allow traffic in only one direction?

    Here is the configuration of the PIX 501 that accepts incoming VPN tunnels from the other dynamic-IP PIXes.  Everything works very well, allowing traffic to flow both ways after the tunnel comes up.  But how do I somehow limit or prevent the traffic that originates on this PIX (192.168.27.2) from going to the other PIX networks?  In other words, if a tunnel exists (192.168.3.0 to 192.168.27.0), I only want to allow traffic from network 3.0 to access network 27.0, and I don't want anyone on network 27.0 to access network 3.0.

    Thanks for any comments.

    pixfirewall# sh conf
    : Saved
    : Written by enable_15 at 13:29:50.396 UTC Sat Jul 3 2010
    PIX Version 6.3(4)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password encrypted
    passwd encrypted
    hostname pixfirewall
    domain-name .com
    fixup protocol dns maximum-length 4096
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list 101 permit ip 192.168.27.0 255.255.255.0 10.10.10.0 255.255.255.0
    access-list 102 permit ip 192.168.27.0 255.255.255.0 10.10.0.0 255.255.0.0
    access-list 102 permit ip 192.168.27.0 255.255.255.0 192.168.3.0 255.255.255.0
    access-list 102 permit ip 192.168.27.0 255.255.255.0 192.168.7.0 255.255.255.0
    pager lines 24
    icmp deny any outside
    mtu outside 1500
    mtu inside 1500
    ip address outside xxx.xxx.xxx.248 255.255.255.255
    ip address inside 192.168.27.2 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool ippool 10.10.10.1-10.10.10.254
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    nat (inside) 0 access-list 102
    route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.1 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set gvnset esp-des esp-md5-hmac
    crypto dynamic-map dynmap 10 set transform-set gvnset
    crypto map gvnmap 10 ipsec-isakmp dynamic dynmap
    crypto map gvnmap interface outside
    isakmp enable outside
    isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
    isakmp identity address
    isakmp keepalive 60
    isakmp nat-traversal 20
    isakmp policy 9 authentication pre-share
    isakmp policy 9 encryption des
    isakmp policy 9 hash md5
    isakmp policy 9 group 2
    isakmp policy 9 lifetime 86400
    vpngroup gvnclient address-pool ippool
    vpngroup gvnclient dns-server 192.168.27.1
    vpngroup gvnclient wins-server 192.168.27.1
    vpngroup gvnclient default-domain .com
    vpngroup gvnclient split-tunnel 101
    vpngroup gvnclient idle-time 1800
    vpngroup gvnclient password ********
    telnet 0.0.0.0 0.0.0.0 inside
    telnet timeout 30
    ssh 0.0.0.0 0.0.0.0 outside
    ssh timeout 30
    management-access inside
    console timeout 0
    terminal width 80
    Cryptochecksum:
    pixfirewall#

    Yes, definitely possible.

    You can configure an access list on the inside interface to deny traffic from 192.168.27.0/24 to 192.168.3.0/24, and then permit everything else.

    Example:

    access-list inside-acl deny ip 192.168.27.0 255.255.255.0 192.168.3.0 255.255.255.0

    access-list inside-acl permit ip any any

    access-group inside-acl in interface inside

    Hope that helps.
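    An added example, not from the thread, covering both this answer and the earlier question about what "in interface" means: a minimal Python first-match evaluator for PIX-style access-list lines that also records which interface each access-group is bound to. It models only the protocol keyword and source/destination networks (no port operators or security-level defaults) and uses the three lines from the answer above as constructed input.

```python
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.IPv4Network("0.0.0.0/0")


@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp", "udp" or "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _network(tokens, i):
    """Parse 'any' or '<address> <mask>' at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ANY, i + 1
    return ipaddress.IPv4Network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_pix(text):
    """Collect 'access-list <name> <action> <proto> <src> <dst>' entries in order,
    plus 'access-group <name> in interface <ifc>' bindings, from PIX 6.x lines."""
    acls, bound = {}, {}
    for line in text.splitlines():
        t = line.split()
        if len(t) >= 6 and t[0] == "access-list":
            src, i = _network(t, 4)
            dst, _ = _network(t, i)
            acls.setdefault(t[1], []).append(Ace(t[2], t[3], src, dst))
        elif len(t) == 5 and t[0] == "access-group" and t[2:4] == ["in", "interface"]:
            bound[t[4]] = t[1]
    return acls, bound


def evaluate(acl, proto, src, dst):
    """Top-down, first match wins, implicit deny at the end (as on the PIX)."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for ace in acl:
        if ace.proto in ("ip", proto) and s in ace.src and d in ace.dst:
            return ace.action
    return "deny"


def inbound_decision(acls, bound, ingress, proto, src, dst):
    """'in interface X' means the ACL is consulted only for packets that ENTER
    the PIX through X; a packet arriving on another interface never sees it."""
    name = bound.get(ingress)
    if name is None:
        return "no-acl"   # would fall back to security-level rules (not modelled)
    return evaluate(acls[name], proto, src, dst)


# Constructed sample: the inside ACL suggested in the answer above.
CONFIG = """
access-list inside-acl deny ip 192.168.27.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list inside-acl permit ip any any
access-group inside-acl in interface inside
"""


def demo():
    acls, bound = parse_pix(CONFIG)
    return {
        # traffic originating on the 27.0 LAN enters on 'inside' and is denied
        "27_to_3_via_inside": inbound_decision(acls, bound, "inside", "tcp", "192.168.27.10", "192.168.3.5"),
        # other destinations from the same LAN hit the permit line
        "27_to_7_via_inside": inbound_decision(acls, bound, "inside", "tcp", "192.168.27.10", "192.168.7.5"),
        # the reverse direction enters on 'outside', so inside-acl is not consulted
        "3_to_27_via_outside": inbound_decision(acls, bound, "outside", "tcp", "192.168.3.5", "192.168.27.10"),
        # order matters: with 'permit ip any any' first, the deny line is dead
        "permit_first_shadows_deny": evaluate(list(reversed(acls["inside-acl"])), "tcp", "192.168.27.10", "192.168.3.5"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```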

  • PIX 506 - cannot connect to PDM anymore

    We have a PIX 506 in a test environment that has been configured in the past using Netscape. Now when we try to connect via https, Netscape says "unable to connect to the server (TCP error: i/o error)". The PIX is version 6.1(1) and PDM is 1.0(2). I can connect via telnet and change the configuration, but I have not been able to get the web connection working anymore.

    I captured the connection with Ethereal and I see 3 packets: the connection, then the client sends an SSLv2 Client Hello, then the PIX closes the connection. When I dump the configuration over telnet, I get:

    http server enable

    http clientname 255.255.255.255 inside

    where clientname is defined above in the "name" entries and the "pdm location" entries.

    The PDM installation guide has a troubleshooting section, and it says to make sure the clock is set to UTC. "show clock" shows the time and date, but no zone is listed.

    Have you changed the IP address on the PIX interface at some point? If so, try to regenerate the public/private key pair. Do:

    > ca zeroize rsa

    > ca generate rsa key 512

    > ca save all

    Or you can just run the 'setup' command from config mode and it'll do all that for you. Then try to reconnect.

  • 802.1q tagging with PIX 6.3(1)

    Does anyone use VLAN tagging with PIX 6.3(1)? I could make an ethernet (eth0, for example) a trunk port carrying vlan2, vlan3 and vlan4. But the PIX does not let me define ethernet1 as an access port belonging to vlan 2. Or if I try to assign ethernet3 to belong to vlan3, it is rejected by the PIX as well.

    I thought the PIX concept of assigning a trunk port and a VLAN access port must be the same as on a Catalyst, but it looks like I'm wrong. Can anyone point me in the right direction?

    Best regards

    Engel

    Engel: Configuring VLANs on the PIX is not the same as doing it on the switch. The PIX interfaces are not configured as 'trunk' or 'access' ports. With the PIX, you can assign a VLAN to a physical interface, or assign a VLAN as a logical interface on a physical interface. And a VLAN is limited to a single PIX interface, physical or logical. Here's an example configuration:

    interface ethernet1 100full
    interface ethernet1 vlan50 physical
    interface ethernet1 vlan60 logical
    interface ethernet1 vlan70 logical
    interface ethernet1 vlan90 logical
    interface ethernet2 100full
    interface ethernet2 vlan20 physical
    interface ethernet2 vlan1 logical
    interface ethernet2 vlan30 logical
    interface ethernet2 vlan40 logical
    !
    nameif ethernet1 Win2K security52
    nameif ethernet2 NT4 security90
    nameif vlan60 User60 security53
    nameif vlan70 User70 security54
    nameif vlan90 User90 security55
    nameif vlan1 management security91
    nameif vlan30 Novell security50
    nameif vlan40 Misc security51
    !
    ip address Win2K 10.2.50.1 255.255.255.0
    ip address NT4 10.2.20.1 255.255.255.0
    ip address User60 10.2.60.1 255.255.255.0
    ip address User70 10.2.70.1 255.255.255.0
    ip address User90 10.1.90.1 255.255.255.0
    ip address management 10.2.1.1 255.255.255.0
    ip address Novell 10.2.30.1 255.255.255.0
    ip address Misc 10.2.40.1 255.255.255.0

    I hope this helps!

  • PIX TTL values decreasing

    This of course sounds abnormal. Pinging the PIX outside interface:

    $ ping 195.x.x.x
    PING 195.x.x.x (195.x.x.x): 56 bytes
    64 bytes from 195.x.x.x: icmp_seq=0 ttl=246 time=7.393 ms

    However, if I ping a box in the DMZ, things seem a little weird.

    $ ping 195.x.x.x
    PING 195.x.x.x (195.x.x.x): 56 bytes
    64 bytes from 195.x.x.x: icmp_seq=0 ttl=55 time=11.852 ms

    I'm running 6.3(1). I don't remember this behaviour on earlier versions. Has something changed in the latest version?

    Pointers are welcome.

    I don't see why the PIX would decrement the values the way you see when the ICMP packet passes through the PIX onto the DMZ segment. My first guess would be that maybe the ICMP echo reply packet that you see from 195.x.x.x on the DMZ network does not take the same path as the packet that hits the PIX interface itself.

    I would check the routing on the network and the host information on the DMZ itself. If this does not give you the answer, I would use the "debug icmp trace" command on the PIX to verify that the echo and echo reply are in fact going through the PIX. You can also verify the ICMP packet with this debug information.

    I hope this helps...

    Marcus

  • Routes on the PIX - prioritization...

    I use Cisco PIX version 6.2(2). I configured six DMZs on the PIX. Of these, 2 DMZs are configured for the Internet: one via DSL and the other through a leased circuit.

    I want to enable 5 users (for example) to use the Internet through DSL and another 5 users to use the net via the leased line, all simultaneously.

    route outside 0.0.0.0 0.0.0.0 62.4.1.1

    route dmz 0.0.0.0 0.0.0.0 61.3.5.7

    My problem is that of the routes above, whichever is given metric 1, all 10 users go through that path.

    I had tried to NAT both sets of users through different interfaces as follows:

    global (outside) 1 62.4.1.2

    global (dmz) 2 interface

    But both are trying to use the first route (the one with metric 1), which is the default path to the net, as I'm not able to control the route based on the source. The current command line can only route based on the destination.

    What is a solution or workaround?

    In addition, when the DSL or the leased circuit goes down, I want all ten users to go through the interface that is still up.

    Help, please.

    You're looking for source-based routing, which the PIX does not do.

    What you could do instead is have the router for each connection NAT the source address as it comes in. For example, router A NATs source addresses to 10.0.0.0/8; router B NATs source addresses to 172.16.0.0/20. You then place routes in the PIX that point correctly at both routers. Of course, the nat/global statements on the PIX go with this so that traffic is NATted correctly for that router's ISP.

    The problem is the outbound "load-balancing". The only way I know to achieve this is to have two PIX inside interfaces too. This way you can have the router do source-based routing on the inside to split the traffic between the internal source IPs. On the way in, the traffic matches an ACL and is routed for some users to one interface and for the others to the other interface.

    If you wait for PIX code 6.3, you will be able to use secondary interfaces on the PIX interfaces. You can then use a single physical interface for the inside and the outside to have "two" interfaces. Of course, a decent router can already do multiple interfaces on a single interface. Hopefully you use a decent router internally.
