
ASA - PIX routing problem

Status
Not open for further replies.

Silencer99 (Programmer, NL), Aug 30, 2009
Hi there,

I have two internet connections and two firewalls. The first one is a Cisco PIX 501 and the second one is a Cisco ASA 5505 (basic license). Here is the basic config for both devices.

PIX 501:
Outside - Internet connection /29 (8 IPs)
Inside - 192.168.1.0 /24 - a few servers connected to the inside interface. All servers have static IPs and the default gateway set to 192.168.1.254 (PIX IP). Every server has its own internet IP.

ASA 5505:
Outside - Internet connection /27 (32 IPs)
Inside - 192.168.2.0 /24 - a few servers connected to the inside interface. All servers have static IPs and the default gateway is set to 192.168.2.254 (ASA IP). Every server has its own internet IP.

The networks are not linked to each other and this is working very well. Now I have to link the two devices, because one server connected to the ASA needs to be accessible from an outside IP from the PIX.

Example:
PIX internet IP: 10.0.0.50 is mapped to inside IP 192.168.1.50. This IP needs to be routed towards the ASA, so it will become 192.168.2.50 and the IP can be used as an extra IP on the NIC and hold the same default gateway as the other IPs on the NIC.

This is what I have now (not working at all):
- Created a new interface on the ASA, with IP 192.168.1.50 (interface cannot use the outside interface, which is fine)
- Created a NAT rule to map 192.168.1.50 to 192.168.2.50 (don't think this is the right way)

Can you help me with this setup? I prefer using ASDM.
 
Can you give a topology of this?

Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Sure,

Topology image: http://img24.imageshack.us/img24/4932/topologyp.jpg

IP 192.168.2.50 needs to be reached and go out to the internet using a specific outside IP of the x.x.x.x range (Webserver).

The NIC on that server has multiple IPs assigned to it in the 19.168.2.0 subnet, so it cannot be moved to the 192.168.1.0 subnet.
 
How are the ASA and the PIX connected to each other right now? Where is 192.168.1.50 assigned to the ASA at the moment?

You could make a DMZ on the ASA and make it in the 192.168.1.0/24 network. Set up a 1-to-1 NAT from 192.168.1.50 (ASA-DMZ) to 192.168.2.50 (you will need the whole IP here, no PAT) and a corresponding ACL. Then set up NAT on the PIX to point one of the x.x.x.x addresses to the 192.168.1.50 address with a corresponding ACL.

I don't think there is any other way to do it but someone else might be more inventive than I...

Brent
Systems Engineer / Consultant
CCNP, CCSP
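A configuration sketch of the DMZ approach Brent describes, added here as an illustration; it is not taken from the thread, and it is not the poster's or Brent's actual config. It uses the pre-8.3 `static` / `access-list` syntax of the PIX 6.x and ASA 7.x/8.0-8.2 generation these devices ran, and it assumes: a new ASA VLAN named `dmz` at 192.168.1.2 (Vlan3, with Vlan1 as inside and Vlan2 as outside), HTTP on TCP 80 as the published service (the poster calls the host a webserver), and `x.x.x.50` as a placeholder for the PIX public address. The ACLs are limited to that one port rather than `permit ip any any` so that the link between the two firewalls does not become a second, unfiltered path into the 192.168.2.0/24 network. The return-path routing question PSC raises further down (replies from 192.168.2.50 following the ASA's own default route rather than going back to the PIX) is not solved by these lines.

```cisco
! ---- PIX 501: publish x.x.x.50 and hand it to 192.168.1.50 on the PIX inside LAN ----
! x.x.x.50 is a placeholder for one unused address of the PIX /29 (assumed)
static (inside,outside) x.x.x.50 192.168.1.50 netmask 255.255.255.255
! PIX 6.x ACL syntax (no "extended" keyword); only the published port is allowed in
access-list outside_in permit tcp any host x.x.x.50 eq www
access-group outside_in in interface outside

! ---- ASA 5505: DMZ VLAN placed on the PIX inside subnet (name, number and IP assumed) ----
interface Vlan3
 nameif dmz
 security-level 50
 ip address 192.168.1.2 255.255.255.0
 ! basic license: the third VLAN must give up forwarding toward one other interface;
 ! the poster chose outside (assumed to be Vlan2), which keeps dmz -> inside possible
 no forward interface Vlan2
! 1-to-1 static: what the PIX side sees as 192.168.1.50 is 192.168.2.50 on inside.
! The ASA proxy-ARPs for 192.168.1.50 on the dmz segment, so the PIX needs no route.
static (inside,dmz) 192.168.1.50 192.168.2.50 netmask 255.255.255.255
! Allow only the published service from the dmz side into the mapped address
access-list dmz_in extended permit tcp any host 192.168.1.50 eq www
access-group dmz_in in interface dmz
```

The ASA `static` is written as `(real_interface,mapped_interface) mapped_ip real_ip`: the server's real address 192.168.2.50 lives behind `inside`, and 192.168.1.50 is the address it is presented under on `dmz`. The PIX line follows the same pattern in the other direction. Because the ASA 5505 basic license only allows a limited number of VLANs and one of them must carry `no forward interface`, the `dmz` VLAN's own default route still points at the ASA outside, which is exactly the asymmetry PSC's reply warns about.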
 
Last weekend I tried some settings very similar to your idea.

On the PIX, NAT and ACL are set up and working (tested with the server connected directly to the PIX and the server given IP 192.168.1.50). NAT is translating x.x.x.50 <> 192.168.1.50.

On the ASA I created a new inside (inside2) interface with IP 192.168.1.50. I thought all data that (in the old situation) flows to the server would, in the new setup, flow to the ASA interface. In the ASA I created the same NAT and ACL rules as in the PIX, translating 192.168.1.50 <> 192.168.2.50 network.

I tested this setup, but no success.
 
I think your problem is routing related. You have 2 firewalls on 2 different internet connections. How would I route to an x.x.x.x/32 address that resides on a firewall on the y.y.y.y/27 network?

The ASA won't stop you from putting the x NAT in the y network, but it does expect that the upstream device knows that the x address exists on the same path to y.

PSC

Governments and corporations need people like you and me. We are samurai. The keyboard cowboys. And all those other people out there who have no idea what's going on are the cattle. Mooo! --Mr. The Plague, from the movie "Hackers"
 