
External interface problems...

Apr 17, 2003
Branch office - 10.4.0.0
Main office - 10.1.0.0


External interface of our PIX is connected to our provider's router.

The router passes packets from the internet on its serial interface, as well as packets from a PVC from our branch offices.

We need NAT to work out to the big wide world... from the 10.4.0.0 and 10.1.0.0, but no natting between the sites.

We cannot get the 10.4.0.0 packets to go through the PIX and into the 10.1.0.0 network!!!

Any clues or gotchas? Will the security levels on the interfaces allow this?
 
Does the PVC terminate on the provider's router attached to the outside interface of your PIX?

If this is the case then you cannot do this with your current setup: the PIX will not allow packets entering an interface to exit the same interface. You would be able to get communication between the 2 internal networks, but the network down the PVC wouldn't be able to get to the Internet.

You would use NAT (0) with an access-list specifying no NAT between 10.1.0.0 and 10.4.0.0.
Also add a static and an ACL to allow inbound traffic from the private network.
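What the reply above describes, as an added PIX 6.x configuration example (not from the thread): NAT exemption between the two sites, PAT for everything else, and an inbound ACL for the branch network. The 10.1.0.0 and 10.4.0.0 networks are the thread's; the /16 masks, interface names and 192.0.2.x addresses are assumptions.

```cisco
! Added example, PIX 6.x syntax. 10.1.0.0 (main) and 10.4.0.0 (branch)
! are from the thread; masks, interface names and 192.0.2.x are assumed.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 192.0.2.2 255.255.255.0
ip address inside 10.1.0.1 255.255.0.0

! The provider router (assumed 192.0.2.1) carries both the Internet and
! the branch PVC, so a single default route reaches both.
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1

! NAT exemption: main <-> branch traffic is never translated. The
! access-list form (PIX 6.2 and later) also lets the branch open
! connections inbound, so a separate static is not required here.
! An identity static covering all of 10.1.0.0 would take precedence
! over the nat/global pair below and send private addresses out to
! the Internet untranslated, so avoid that variant.
access-list nonat permit ip 10.1.0.0 255.255.0.0 10.4.0.0 255.255.0.0
nat (inside) 0 access-list nonat

! Everything else leaving inside is PAT'd to the outside address.
global (outside) 1 interface
nat (inside) 1 10.1.0.0 255.255.0.0 0 0

! Exemption alone does not bypass the security levels: inbound from
! the lower-security outside interface still needs an explicit permit.
! Allow only the branch network; everything else from the provider
! side falls to the implicit deny.
access-list outside_in permit ip 10.4.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-group outside_in in interface outside
```

As the reply notes, this covers branch-to-main traffic only; branch hosts still cannot reach the Internet back out through the same outside interface, and `show xlate` should show no translation entries for sessions to 10.4.0.0.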

 
Thanks for the reply..

The PVC terminates on the provider's router on the external interface.

I'd assumed that the in and out on the same interface problem would apply.

Perhaps another interface on the PIX? Or a router in front, splitting out the public/private traffic..?
 
Hi.

You can configure the router to handle NAT and routing, but the best solution is to redesign the network with an additional router and additional WAN link if needed.

The F.R. line to the branch will be with one router connected either directly to the main office network or to a dedicated pix interface (better).

An additional WAN link (FR/ADSL/T1/etc...) will be used to connect to the ISP.

This will cost you but is the best solution both for security and network management.

Bye


Yizhar Hurwitz
 
Yet another solution is to purchase an additional firewall for the branch office, reconfigure F.R. routers and ip addressing as needed, and establish a VPN between those 2 firewalls (main and branch).

I recommend my previous solution as the preferred option, but this is also a reasonable one.

Bye


Yizhar Hurwitz
 
The way I implemented a design like this was to use a proxy server on the inside network for all Internet access. Therefore the remote user connects to the proxy, and his Internet traffic comes from the proxy, so the PIX allows it back out.

Downside is that the remote users' Internet-bound traffic crosses the serial interface twice, which doubles the traffic load on that link.

I agree that the best way is to use an additional interface on the PIX. If the Internet router had an additional serial interface card added you could switch the frame-relay branch office PVC to the new router on the new PIX interface. This way you would not need to purchase an additional serial or DSL link.


 
I've given this some thought...

I'm going to get our provider to allow the branch office's serial link to break out to the internet.. I'll stick another PIX at their side.

If I can get the PIX to let the 10.4.0.0 traffic through the interface, then I'll do the same at their end with the 10.1.0.0 traffic.

I don't suppose anybody would give me a hand with the list of commands necessary to let traffic from
10.4.0.0 in through the outside interface to the internal interface, and back out again without using NATting.

Cheers

 
Folks.. you've saved me!

I've got the tunnels working. NAT exemption rules and access-lists rule the way!!

Thanks guys!
 