Firewall Wizards mailing list archives

RE: Multiple world connections into PIX


From: "DCSIM Subscriptions (IA)" <DCSIMSUBS () ia ngb army mil>
Date: Fri, 6 Feb 2004 11:31:49 -0600

And therein lies the problem: routes are global.
The capability for multiple routes is there for redundancy only, it seems.
I was thinking that once the session is built the PIX would be smart enough
to use the same interface for return traffic.  So far I've been
disappointed.

I guess IOS firewall would be a better choice for this situation, but the
investment has already been made.

- Lee
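As an added illustration (not code from this thread, Cisco, or the PIX itself), here is a small Python model of the symptom Lee describes: with one global routing table, the reply to a session that arrived on outside_1 is sent to the default gateway on outside_2, while the `track_ingress` branch shows the per-connection behaviour he expected. The addresses, prefixes and interface names are assumptions chosen to match the diagram.

```python
import ipaddress

# Constructed model: a firewall that keeps a connection table but picks the
# egress interface for every packet from one global routing table.
# Routes, addresses and interface names are assumed for illustration only.
ROUTES = [  # (destination prefix, egress interface); longest prefix wins
    ("0.0.0.0/0", "outside_2"),   # default gateway lives on outside_2
    ("10.1.0.0/16", "inside_1"),  # NAT'd LAN behind inside_1
    ("10.2.0.0/16", "inside_2"),  # NAT'd LAN behind inside_2
]


def lookup_route(dst, routes=ROUTES):
    """Longest-prefix match over the global routing table."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def build_connection(conns, src, dst, ingress):
    """Record a new flow together with the interface it arrived on."""
    conns[(src, dst)] = ingress  # keyed on (src, dst); a real conn table uses the 5-tuple
    return conns


def egress_for_reply(conns, src, dst, track_ingress):
    """Choose the egress interface for a reply packet src -> dst.

    track_ingress=False: plain global route lookup (the behaviour the thread reports).
    track_ingress=True: reuse the interface the original flow came in on.
    """
    flow = (dst, src)  # the reply reverses the recorded direction
    if track_ingress and flow in conns:
        return conns[flow]
    return lookup_route(dst)


def demo():
    """Session from a host on outside_1 to a NAT'd host on inside_1, then its reply."""
    conns = {}
    build_connection(conns, "198.51.100.7", "10.1.0.5", ingress="outside_1")
    via_global_table = egress_for_reply(conns, "10.1.0.5", "198.51.100.7", track_ingress=False)
    via_ingress_memory = egress_for_reply(conns, "10.1.0.5", "198.51.100.7", track_ingress=True)
    return via_global_table, via_ingress_memory  # ("outside_2", "outside_1")
```

The first value is the asymmetric path that breaks the session; the second is what a per-interface or policy-routed design would return.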

-----Original Message-----
From: Strydom, Willie [mailto:WStrydom () fnb co za] 
Sent: Monday, February 02, 2004 00:12
To: 'DCSIM Subscriptions (IA)'; firewall-wizards () honor icsalabs com
Subject: RE: [fw-wiz] Multiple world connections into PIX

You'll have to play with routing. I have seen a similar setup before; add
routes to outside_1 and outside_2 for the hosts that you wanna send there.



-----Original Message-----
From: DCSIM Subscriptions (IA) [mailto:DCSIMSUBS () ia ngb army mil]
Sent: 28 January 2004 12:51
To: firewall-wizards () honor icsalabs com
Subject: [fw-wiz] Multiple world connections into PIX


Greetings.

I've run into an interesting problem on a PIX 515.  Here's a makeshift
diagram:

Warning! ASCII art!

outside_1              
--------------|-----|  inside_1       
              |     |------- 
outside_2     | PIX |        
--------------|     |-------
(Def. GW)     |-----|  inside_2     


LAN networks are NAT'd 10.x.
"World" networks are real addresses.

Effectively what I'm trying to do is make hosts on inside_1 use the
outside_1 network and inside_2 hosts use outside_2.  This would be
considered policy routing on a Cisco router.

So, when a connection is initiated from outside_1 to inside_1, it is built
correctly, according to the log.  However, when the return traffic is sent
back through the PIX, it tries to go out the default gateway, which is
outside_2, which does not have that connection established.

I believe I have all the NAT rules and access lists correct, but the PIX
keeps trying to use the same interface for outbound traffic.

So far I have only tried to solve this in the PDM.  I am hoping that there
are some commands in the CLI that will solve my problem.

Any ideas?

- Lee
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

