
I've got two internet-accessible /24 subnets, let's say 11.22.33.0/24 and 44.55.66.0/24, which I want to pass to servers using a private 10.0.0.0/24 subnet behind a PIX 506E.

e.g. requests to 11.22.33.99 and 44.55.66.99 either both get sent to 10.0.0.99 or one gets sent to 10.0.0.99 and the other to 10.0.0.98 (don't need to use all 254 IPs internally, can reconfigure as 10.0.0.0/23 in future if that changes).

The 11.22.33.99/24 subnet is already configured and working, but I can't get the PIX to do anything with the 44.55.66.99/24 addresses.

Configuration is as follows.

INTERFACES

  name      ip              vlan     hardware
  inside    10.0.0.4/24     native   eth1
  outside   11.22.33.4/24   native   eth0
  outside2  44.55.66.4/24   vlan1    eth0

TRANSLATION RULES

  • inside 10.0.0.99/32 > static 11.22.33.99/32
  • inside 10.0.0.99/32 > static 44.55.66.99/32

STATIC ROUTE

  • outside 0.0.0.0/0 11.22.33.1

Access rules allow all IP and ICMP traffic on 44.55.66.0/24 (will lock those down later).

Any suggestions for where I should be looking, or further information I need to provide? Thanks.

womble
thelem
  • Every time I see someone using vlan1 in production I die a little inside. – Zypher Jul 12 '11 at 18:12
  • how about explaining why this is a bad idea and helping me to make better choices, instead of just being a smart a***. – thelem Jul 14 '11 at 07:09

1 Answer
  1. The PIX has no hope of figuring out what you want to do if you try to point both an 11.x.x.x and a 44.x.x.x IP to the same internal IP. It has to pick one IP or the other to respond with. If you are doing raw static mapping and not port-level stuff, then keep to one outside IP per inside IP.

  2. If you are using VLAN1 then your switch had better be able to peel that off and get the packets where they need to go. And if that place is a second router then it probably won't ever work. You can only have one default route. You can't ever get random traffic from the web to go back out the interface it came in on, it always goes out the default. You gotta move up to stuff like BGP to beat that.

  3. Alternately, does the router at 11.22.33.1 also route 44.55.66/24? If so, you probably don't need the VLAN1 interface and the outside2 interface. The PIX will just route the packets there. As long as that router knows to send that subnet to the PIX the static lines will be enough for the PIX to answer and pass-thru.

If 3. is the case, you should be able to drop the outside2 interface and the overlapping statics and it should just work.

Mark
  • 1. OK, we'll go for different internal IPs then. 2. It's not our switch, it's the data centre switch. 3. We tried that but it didn't work, let me check which configuration we had for that – thelem Jul 13 '11 at 11:00
  • Thanks - this is now working perfectly, no vlans in sight! Turns out one of the many previous configs we'd had was right, but the data centre hadn't set it up correctly at their end! Your answer helped me understand what was happening though. – thelem Jul 13 '11 at 11:49
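The layout that point 3 of the answer describes, and that the asker confirms ended up working (one outside interface, no VLAN, the data centre router forwarding the second subnet to the PIX), written out as a PIX 6.x style configuration fragment. This is an added example, not configuration from the question, the answer or Cisco documentation; the interface names, the access-list name, the choice of TCP/80 as the published service and the IOS route line for the upstream router are all assumptions made for the illustration.

```cisco
! --- Added example (PIX 6.x syntax); not the poster's actual config ---
! Two interfaces only: the second public subnet needs no outside2 / vlan1.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 11.22.33.4 255.255.255.0
ip address inside 10.0.0.4 255.255.255.0

! One outside IP per inside host (answer point 1): 44.55.66.99 goes to a
! different internal server than 11.22.33.99. The 44.55.66.x global address
! is off the outside interface's own subnet, which is fine as long as the
! upstream router sends that subnet to the PIX (answer point 3).
static (inside,outside) 11.22.33.99 10.0.0.99 netmask 255.255.255.255
static (inside,outside) 44.55.66.99 10.0.0.98 netmask 255.255.255.255

! Only the single default route the answer mentions; replies to either
! public subnet leave via 11.22.33.1 regardless of which address was hit.
route outside 0.0.0.0 0.0.0.0 11.22.33.1 1

! Locked-down inbound rules instead of "permit ip any" on the new subnet:
! permit only the published service to each translated host (assumed TCP/80).
access-list outside_in permit tcp any host 11.22.33.99 eq www
access-list outside_in permit tcp any host 44.55.66.99 eq www
access-group outside_in in interface outside

! For reference only (assumed IOS syntax, configured on the data centre
! router, NOT on the PIX): the upstream side must route the second /24 to
! the PIX outside address, otherwise the statics above are never reached.
!   ip route 44.55.66.0 255.255.255.0 11.22.33.4
```

The useful check after applying something like this is that `show xlate` lists both static translations and that a packet to 44.55.66.99 actually arrives on the outside interface at all; in the thread the missing piece turned out to be exactly that last upstream route, not anything on the PIX, so if the xlate exists but no traffic shows up for the second subnet, the first place to look is the data centre router rather than the firewall.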