Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Using Two External Interface Cards on PIX 515

Status
Not open for further replies.
PaulSan

PaulSan

IS-IT--Management
Aug 13, 2002
2
US
Is this Possible? I have two Internet sources that I want to connect to each of the two 'External' interfaces on the PIX515e.
One of the connections is for internet access. It works great. The other is for inbound Internet email that is to be forwarded to a machine sitting between the PIX and our ISA server (it is running MailSecurity).

Here's what I've added for the imail interface:

ip address outside ###.###.###.115 255.255.255.0
ip address inside ###.###.###.6 255.255.255.0
ip address imail ###.###.###.36 255.255.255.128

access-list acl_smtp permit tcp any host ###.###.###.36 eq smtp
static (inside,imail) ###.###.###.36 ###.###.###.4 netmask 255.255.255.255 0 0
access-group acl_smtp in interface imail

When I try to test to port 25 via telnet I get a "connection actively refused" message.

Any suggestions would be helpful.


 
Sort by date Sort by votes
HI.

The pix can have only 1 default gateway, so it can not have 2 outside interfaces that connect to the Internet.

You can do this with a router.

You can also purchase an additional pix firewall for the mail server only, or to use IOS firewall on the router that is used for the mail server.

Of course it depends on your exact scenario which we can not know exactly the environment.

Bye
Yizhar Hurwitz
 
Upvote 0 Downvote
Thanks for your help. You confirmed what I suspected. I'll have to go in a different direction.
 
Upvote 0 Downvote
On the outside router that the Pix uses as a default gateway, you can use Policy routing to route packets out the different internet connections based on the source address.
 
Upvote 0 Downvote
I'm not sure why you're having the problems yet, but I don't see why you can't do what you want to do. It's true the PIX can only have 1 default gateway, but your 'mail interface' is for incoming mail which should still accept a connection and pass it to an interface with a higher level security via the static command.

The only 'issue' (if it's really even an issue) is that all outbound email will be going out the outside interface via your other network and not the network it came in on.

Iota
 
Upvote 0 Downvote
I spoke with cisco tac on a config similar to this. I have a 515 that goes to th internet via 2621 and also goes to a WAN site via 2501 the only thing I had to do was setup a vpn between the 2501 and the pix and set route statements for the WAN traffic to go out int e1 and internet out e0
I have yet to set up the traffic for the wan site but cisco tac seems to think it should work
any suggestions / thoughts
thanks
jdl
 
Upvote 0 Downvote
Appologies for unearthing an old post, but would it not be possible to connect a secondary internet access point to a different interface on the PIX, then set up a route for it in the configuration, then, for example, use it as a PAT address?
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Sameer258
  • Locked
  • Question
Need Help to Find ip and mac address with email who one open my email
Replies
0
Views
269
Sameer258
Sameer258
ciscokid1984
  • Locked
  • Question
Watchguard RDP from external network
Replies
1
Views
152
hairlessupportmonkey
hairlessupportmonkey
PauS0n
  • Locked
  • Question
Need Help On Cisco ASA 5512 Running Version 9
Replies
0
Views
89
PauS0n
PauS0n
mcisar
  • Locked
  • Question
Disable CHAP on PPPoE WAN connection
Replies
0
Views
97
mcisar
mcisar
ttrsux
  • Locked
  • Question
Error opening IKE port 4500 on Interface outside
Replies
0
Views
130
ttrsux
ttrsux

Part and Inventory Search

Sponsor

Back
Top