
Configure 2 outside interfaces

Jan 3, 2003
I'm fairly new to the pix firewall and am looking to configure a second outside interface on our existing firewall. Why? Well, currently we have our internal network, a DMZ & an outside interface that handles all traffic. I want the current interface to only handle our business critical VPN traffic. I have a second ADSL line that I want to use for email & web browsing traffic to keep it away from our main line.

So, I've got a spare interface on my Pix so I thought I'd configure that. I gave the interface a name and an IP address on the new outside range. Added an access-list and a new global line for that interface to mask the ip address to one of our new external addresses.

Everything seemed to be OK, but I'm struggling with the route part. We currently have a "route outside 0.0.0.0 0.0.0.0 internet_router_extip 1". I now have an interface called adsl and I want to configure a single device (our proxy server) to use this interface. So, I added a route:
route adsl intipaddr_of_proxy 255.255.255.255 ip_addr_of_adslrouter 1

As soon as I pressed enter I lost all connection to the firewall for everyone - not good. A reboot solved it 'cos I hadn't saved it, so we are ok now. I'm sure that I've misunderstood a fundamental rule with the pix, but I don't know what.

Any advice greatly appreciated,

Tony
 
Can you supply the config? Check the security level of this interface and make sure it is different from all other interface numbers. I would use the "outside" interface for Internet traffic and configure the additional interface for the VPN connections. In the access-list for the VPN interface make sure you allow the network for the inside. Also, what PIX model and IOS version are you running?
 
OK, config below without necessary changes (I had to reboot it when I panicked after breaking it). Pix version 6.2, pix model: 515.

I know it would be easier to have the outside interface for internet traffic if I was configuring this from scratch. Unfortunately there are 5 existing VPNs with external sites that all run business critical applications over the VPN so that is not really an option.

Basically, I'm after using the ethernet3 interface (which I'll rename to adsl instead of pix/intf3). I didn't change the security level so it was set to 15.

I only really need to specify by IP address (or range of IP addresses) which PC should use the new interface (we are using a proxy server). I also need to NAT a couple of the external addresses on the new interface to some internal PCs (for email & a company web server).

If anyone can point me in the right direction then I'd be grateful.



Building configuration...
: Saved
:
PIX Version 6.2(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
nameif ethernet3 pix/intf3 security15
enable password
passwd Wasdj/afdaseeekh encrypted
domain-name acme.co.uk
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000

Names....... (removed for security)

access-list from_outside permit tcp any host nat_tim eq lotusnotes
access-list from_outside permit icmp any any unreachable
access-list from_outside permit tcp host US_Notes host nat_tim eq ftp
access-list from_dmz permit udp host viruswall any eq domain
access-list from_dmz permit tcp host viruswall any eq www
access-list from_dmz permit tcp host viruswall any eq https
access-list from_dmz permit tcp host viruswall any eq ftp
access-list from_dmz permit tcp host viruswall any eq smtp
access-list from_dmz permit icmp any host viruswall echo-reply
access-list from_dmz permit tcp host viruswall any eq domain
access-list from_dmz permit udp host viruswall host nemo eq 14247
access-list from_dmz permit tcp host proxserver any eq domain
access-list from_dmz permit tcp host proxserver any eq www
access-list from_dmz permit tcp host proxserver any eq https
access-list from_dmz permit tcp host proxserver any eq ftp
access-list from_dmz permit udp host proxserver any eq domain
access-list from_dmz permit tcp host proxserver any eq telnet
access-list 199 permit ip warrington 255.0.0.0 france 255.0.0.0
access-list 199 permit ip warrington 255.0.0.0 germany 255.0.0.0
access-list 199 permit ip warrington 255.0.0.0 sweden 255.0.0.0
access-list 199 permit ip warrington 255.0.0.0 flimby 255.0.0.0
access-list 199 permit ip any remote_users 255.255.255.0
access-list 199 permit icmp any host centennial
access-list 199 permit ip warrington 255.0.0.0 murtosa_net 255.255.255.0
access-list 115 permit ip warrington 255.0.0.0 flimby 255.0.0.0
access-list outside_cryptomap_dyn_20 permit ip any remote_users 255.255.255.0
access-list 101 permit ip warrington 255.0.0.0 france 255.0.0.0
access-list 101 permit ip ukdmz 255.255.255.0 france 255.0.0.0
access-list 111 permit ip warrington 255.0.0.0 germany 255.0.0.0
access-list 112 permit ip warrington 255.0.0.0 sweden 255.0.0.0
access-list outbound permit tcp any any eq domain
access-list outbound permit udp any any eq domain
access-list outbound permit tcp any any eq www
access-list outbound permit tcp any any eq https
access-list outbound permit tcp any any eq ftp
access-list outbound permit tcp host tim host viruswall eq smtp
access-list outbound permit icmp any any
access-list outbound permit tcp host tim any eq lotusnotes
access-list outbound permit ip any france 255.0.0.0
access-list outbound permit ip any sweden 255.0.0.0
access-list outbound permit ip any flimby 255.0.0.0
access-list outbound permit ip any germany 255.0.0.0
access-list outbound permit tcp any host viruswall eq 2033
access-list outbound permit tcp any host viruswall eq 14247
access-list outbound permit tcp host centennial host x.x.x.x eq telnet
access-list outbound permit tcp any any eq 2130
access-list outbound permit tcp any any eq 5081
access-list outbound permit tcp any any eq 4899
access-list outbound permit tcp any any eq lotusnotes
access-list outbound permit tcp host tonym any
access-list outbound permit tcp host centennial any
access-list outbound permit tcp any any eq 1709
access-list outbound permit tcp host tim any eq lpd
access-list outbound permit tcp any host proxserver eq 8080
access-list outbound permit tcp any any eq lpd
access-list outbound permit tcp host edi host mosaic eq pop3
access-list outbound permit tcp host edi host mosaic eq smtp
access-list 116 permit ip warrington 255.0.0.0 murtosa_net 255.255.255.0
pager lines 24
logging on
logging monitor warnings
logging buffered warnings
logging trap warnings
logging host dmz viruswall
logging host inside tonym
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 auto
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu pix/intf3 1500
ip address outside xxx.xxx.xxx.xxx 255.255.255.254
ip address inside 100.100.200.50 255.0.0.0
ip address dmz 172.16.0.1 255.255.255.0
ip address pix/intf3 127.0.0.1 255.255.255.255
ip audit name inbound-attack attack action alarm drop reset
ip audit name inbound-info info action alarm
ip audit interface outside inbound-info
ip audit interface outside inbound-attack
ip audit info action alarm
ip audit attack action alarm
ip audit signature 2000 disable
ip local pool nbuk 172.16.254.1-172.16.254.100
ip local pool tonym vpn_tonym
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address dmz 0.0.0.0
failover ip address pix/intf3 0.0.0.0
pdm lines
pdm logging warnings 150
pdm history enable
arp timeout 14400
global (outside) 1 x.x.x.x netmask 255.255.255.240
nat (inside) 0 access-list 199
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
static (dmz,outside) tcp proxserver 8080 proxserver 8080 netmask 255.255.255.255 0 250
static (inside,outside) nat_bos bos netmask 255.255.255.255 255 0
static (inside,outside) nat_tim tim netmask 255.255.255.255 255 0
static (inside,outside) nat_nemo nemo netmask 255.255.255.255 255 0
static (dmz,outside) nat_viruswall viruswall netmask 255.255.255.255 25 0
static (inside,outside) nat_eric eric netmask 255.255.255.255 255 0
static (inside,dmz) 100.100.200.0 100.100.200.0 netmask 255.255.255.0 0 0
access-group from_outside in interface outside
access-group outbound in interface inside
access-group from_dmz in interface dmz
route outside 0.0.0.0 0.0.0.0 internet_router 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
ntp server 130.88.200.6 source outside
http server enable
http vpn_tonym 255.255.255.255 outside
http 100.100.200.51 255.255.255.255 inside
http tonym 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server dmz viruswall c:\pix
floodguard enable
sysopt security fragguard
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set pixset esp-des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set pixset
crypto map testmap 10 ipsec-isakmp
crypto map testmap 10 match address 101
crypto map testmap 10 set peer x.x.x.x
crypto map testmap 10 set transform-set pixset
crypto map testmap 30 ipsec-isakmp
crypto map testmap 30 match address 111
crypto map testmap 30 set peer x.x.x.x
crypto map testmap 30 set transform-set pixset
crypto map testmap 50 ipsec-isakmp
crypto map testmap 50 match address 112
crypto map testmap 50 set peer x.x.x.x
crypto map testmap 50 set transform-set pixset
crypto map testmap 70 ipsec-isakmp
crypto map testmap 70 match address 115
crypto map testmap 70 set peer x.x.x.x
crypto map testmap 70 set transform-set pixset
crypto map testmap 80 ipsec-isakmp
crypto map testmap 80 match address 116
crypto map testmap 80 set peer murtosa_firewall
crypto map testmap 80 set transform-set pixset
crypto map testmap 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map testmap interface outside
isakmp enable outside
isakmp key ******** address x.x.x.x netmask 255.255.255.255
isakmp key ******** address x.x.x.x netmask 255.255.255.255
isakmp key ******** address x.x.x.x netmask 255.255.255.255
isakmp key ******** address x.x.x.x netmask 255.255.255.255
isakmp key ******** address murtosa_firewall netmask 255.255.255.255
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 28800
vpngroup tonym address-pool tonym
vpngroup tonym idle-time 1800
vpngroup tonym password ********
vpngroup johnm address-pool nbuk
vpngroup johnm idle-time 1800
vpngroup johnm password ********
vpngroup miker address-pool nbuk
vpngroup miker idle-time 1800
vpngroup miker password ********
vpngroup johnl address-pool nbuk
vpngroup johnl idle-time 1800
vpngroup johnl password ********
vpngroup markb address-pool nbuk
vpngroup markb idle-time 1800
vpngroup markb password ********
vpngroup denniss address-pool nbuk
vpngroup denniss idle-time 1800
vpngroup denniss password ********
vpngroup tonyw idle-time 1800
vpngroup tonyw password ********
vpngroup martinb address-pool nbuk
vpngroup martinb idle-time 1800
vpngroup martinb password ********
telnet vpn_tonym 255.255.255.255 outside
telnet bos 255.255.255.255 inside
telnet 100.100.200.51 255.255.255.255 inside
telnet tonym 255.255.255.255 inside
telnet centennial 255.255.255.255 inside
telnet 100.100.200.109 255.255.255.255 inside
telnet timeout 15
ssh timeout 15
terminal width 80
 
What you would have to do is set the route on your proxy server not the PIX.

Example

ADSL router IP is 10.10.10.1
Internal NET is 192.168.0.0/24
Proxy's IP is 192.168.0.2
PIX's Inside IP is 192.168.0.1

You'll need to have a router on the Inside or manually add static routes to the proxy server. Basically, you'll have the default route for the proxy server be 10.10.10.1. Then you'll add a static route on the proxy server for the 10.10.10.0 subnet. On a Windows NT/2000 machine, it will look like this "route -p ADD 10.10.10.0 mask 255.255.255.0 192.168.0.1".

This way your PIX's default route will still be to the outside interface for your VPN, etc., but the proxy's default route will be the ADSL router.

-Bad Dos
 
thanks bad dos, that makes some sense. Seems a bit messy, but it looks like it should work. I'll give it a go over the weekend (I've learnt my lesson with editing a live pix while everyone is using it).
 
HI.

In addition to "baddos" suggestion - I recommend connecting the internal interface of the proxy server to the spare interface you have on the pix (eth3), and the external interface of the proxy directly to the router of the 2nd adsl connection.
If needed, add a NIC to the proxy server for that purpose.
You will also need to harden the proxy server when connecting it that way, because the firewall isn't protecting it. The adsl router should also be carefully configured.

Another method is to use policy based routing.
This can be done in many ways, one of them is to place a router with 2 WAN links (to each ISP connection), and a single Ethernet connection (to the pix outside interface).
Then a proper configuration at the router can distribute the traffic as you wish.
With that solution (policy based routing), you don't need to change anything in the internal network design.

Bye


Yizhar Hurwitz
 
OK, I've tried a couple of things now.

One was to add a static route to the dmz for the adsl router
so:

static (adsl,dmz) int_adslrouter ext_adslrouter netmask 255.255.255.255 255 0

I then added this as the default gateway for my proxy server and tried to access the web from the proxy. I'm not sure I understand why, but when I check my ip address on the web it is still that of the old gateway (I have also added a static route for the proxy server to the adsl interface so it does have an ip address on that end).

I think this is bad dos suggestion as far as I understand it.

I really don't want to put the proxy server on the same interface as the adsl router if I can help it - that is my last resort.

I know there is also the router option, but I'd prefer not to have to purchase any more kit unless it is absolutely necessary.

The only other thing I've tried is that someone else suggested changing the global route on the pix to the new interface and adding specific routes for each vpn connection.

This seemed to work up to a point - in that everything destined for the internet went over adsl, but when I tried to access the vpn it did try and go over the old interface but came up with the error on the logs:
%PIX-3-305006: regular translation creation failed for src inside:tonym/1761 dst outside vpn_ipaddress/25

Actual steps to do this last one were:

1. Changed the interface name and IP address
2. Deleted the current global line
3. Added a new global line for adsl

4. Used telnet to create the access list

5. Could connect to the internet using the adsl line (checked using tracert that it was using the new line)

7. Added a route using the gui on the outside interface for both the internal address of the remote vpn connection & the external address of the remote firewall to the ip address of the old router

6. added a nat (outside) 1 0.0.0.0 0.0.0.0 line

When I don't add the route, as you expect I get a different error saying that it cannot vpn on the adsl interface.

Thanks for any help you can give me (sorry that these posts are all so long, but there is a lot of information to give).

Tony
 
Right, got this working by adding individual routes to the old interface for each vpn link (both int address and ip of remote firewall). had a default route of the new adsl line & it works.

Unfortunately, all of my old NATs stopped working. I don't think you can do this, but is it possible to have 2 NATs to the same address working at the same time? I want to have my old natted address to our server running at the same time as the new one from the adsl line. I don't think it will work because the server does not know how to get back out over the old line?

Tony
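The route-selection behaviour behind the last two posts (the host route for the proxy via adsl that took the box down, the flipped default route with per-peer routes that finally worked, and the old static NATs that then stopped working), as an added Python model written for this page. It is not PIX code and not from anyone in the thread; every address is constructed from documentation ranges, 192.0.2.0/24 stands in for the Internet, and only the interface names (outside, inside, dmz, adsl) are taken from the thread. The point it shows is that a PIX 6.x picks the egress interface from the destination address alone, so a `route` line can only ever move traffic *to* a prefix, never traffic *from* a host.

```python
"""Destination-only route lookup, as a PIX 6.x does it, applied to the schemes
tried in this thread.  Added example: not PIX code and not from the thread.
Every address is constructed from documentation ranges; the interface names
(outside, inside, dmz, adsl) are the thread's.
"""
import ipaddress
from dataclasses import dataclass

# Constructed topology.  192.0.2.0/24 stands in for "the Internet".
OUTSIDE_NET = "203.0.113.0/28"    # old line, where the five VPNs terminate
ADSL_NET = "198.51.100.0/30"      # new ADSL line on the spare interface
INSIDE_NET = "10.0.0.0/16"
DMZ_NET = "172.16.0.0/24"         # proxserver sits on the dmz in the posted config
INTERNET_ROUTER = "203.0.113.1"
ADSL_ROUTER = "198.51.100.1"
PROXY = "172.16.0.10"
VPN_PEER = "192.0.2.10"           # one remote site's firewall (public address)
VPN_REMOTE_NET = "10.20.0.0/16"   # the network behind that peer
WEB_SERVER = "192.0.2.80"         # an Internet host the proxy browses to
INBOUND_CLIENT = "192.0.2.200"    # an Internet host connecting in to a static NAT


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str
    next_hop: str
    metric: int = 1


def route(prefix, interface, next_hop, metric=1):
    """Counterpart of 'route <interface> <network> <mask> <gateway> <metric>'."""
    return Route(ipaddress.IPv4Network(prefix), interface, next_hop, metric)


# Connected routes the PIX derives from its 'ip address' lines.
CONNECTED = [
    route(OUTSIDE_NET, "outside", "0.0.0.0", 0),
    route(ADSL_NET, "adsl", "0.0.0.0", 0),
    route(INSIDE_NET, "inside", "0.0.0.0", 0),
    route(DMZ_NET, "dmz", "0.0.0.0", 0),
]

# Scheme 1, the first attempt: default route on outside plus a host route
# for the proxy's own address via adsl.
FIRST_ATTEMPT = CONNECTED + [
    route("0.0.0.0/0", "outside", INTERNET_ROUTER),
    route(PROXY + "/32", "adsl", ADSL_ROUTER),
]

# Scheme 2, what the thread ended with: default route on adsl, and a host
# route for each VPN peer plus one for each remote VPN network via outside.
FLIPPED_DEFAULT = CONNECTED + [
    route("0.0.0.0/0", "adsl", ADSL_ROUTER),
    route(VPN_PEER + "/32", "outside", INTERNET_ROUTER),
    route(VPN_REMOTE_NET, "outside", INTERNET_ROUTER),
]


def lookup(table, dst):
    """Longest prefix wins, then lowest metric.  Only the destination is
    consulted; the source address plays no part, so no 'route' line can
    send one host's traffic out a different interface than everyone else's."""
    dst = ipaddress.IPv4Address(dst)
    matches = [r for r in table if dst in r.prefix]
    if not matches:
        return None
    return max(matches, key=lambda r: (r.prefix.prefixlen, -r.metric))


def egress(table, dst):
    r = lookup(table, dst)
    return r.interface if r else None


def first_attempt_effect():
    """The /32 captures packets addressed *to* the proxy (which should go to
    dmz) and changes nothing for packets *from* it."""
    return {
        "to_proxy": egress(FIRST_ATTEMPT, PROXY),
        "from_proxy_to_web": egress(FIRST_ATTEMPT, WEB_SERVER),
    }


def flipped_default_effect():
    """Internet traffic leaves by adsl; the VPN peers and their networks
    still leave by outside because of the more specific routes."""
    return {
        "to_web": egress(FLIPPED_DEFAULT, WEB_SERVER),
        "to_vpn_peer": egress(FLIPPED_DEFAULT, VPN_PEER),
        "to_vpn_remote_host": egress(FLIPPED_DEFAULT, "10.20.1.1"),
    }


def reply_path(table, client, arrived_on):
    """A connection from `client` arrives on `arrived_on` for a static NAT.
    The reply is routed by its destination, the client, so it may leave by
    a different interface than the request came in on.
    Returns (ingress, egress, symmetric)."""
    out = egress(table, client)
    return arrived_on, out, out == arrived_on


if __name__ == "__main__":
    print("first attempt:", first_attempt_effect())
    print("flipped default:", flipped_default_effect())
    print("inbound static, old scheme:", reply_path(FIRST_ATTEMPT, INBOUND_CLIENT, "outside"))
    print("inbound static, flipped default:", reply_path(FLIPPED_DEFAULT, INBOUND_CLIENT, "outside"))
```

`first_attempt_effect()` shows the /32 pulling traffic destined for the proxy away from the dmz while the proxy's own web traffic still goes out the old line; `flipped_default_effect()` shows why per-peer and per-remote-network routes are enough to keep the VPNs on outside once the default moves to adsl. `reply_path()` is the mechanism behind the last post: a connection arriving on outside for one of the old statics gets its reply routed by the client's address, which now matches only the default route and so leaves by adsl. The model covers route selection only; how the PIX or the two providers treat that asymmetric path is not something the thread settles.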
 