











haseeb_eng
Senior Member
Registered: Oct 2001 Location: Kuwait City Country: Kuwait Certifications: CCNA, CCDA, CCNP, CCDP, CCSP, Content Networking, Wireless LAN Design Spec. Working on: PMP, CCIE (R&S), MBA
Total Posts: 1165
connecting to internet through 2 pix and 2 wan routers
Scenario: I have installed 2 PIX 515s (primary and failover) behind my Internet router. My inside network has 2 WAN routers (with private IP addresses) connecting to 2 different sites (with private IP addresses). The only way for them to access the Internet is to go through the current firewall.
Requirement: Now I want to install 2 more PIX (primary and failover) behind these 2 WAN routers to protect my inside network, so that they can access only servers in their own DMZ and connect to the Internet.
Before configuring anything on these new PIX I want to confirm with you the steps I will perform:
- I have to give 2 static routes to these 2 WAN routers so inside users can connect to these 2 sites.
- I have to disable NAT.
- Configure a static for the DMZ servers and apply an access list to it.
Please tell me what other steps I need in order to configure the new PIX, and please tell me how I should allow the users of both WAN sites to bypass both PIX firewalls in order to use the Internet. The required topology is like this:
Users - WAN router (inside network) - PIX firewall (inside network) - PIX firewall (connecting to Internet router) - Internet router. So overall there are 4 hops from the WAN site users to the Internet.
If you need more clarification please let me know.
__________________
Success is journey not destination
www.islamformankind.com
08-11-03 11:14 AM
darthfeces
Senior Member
Registered: Mar 2001 Location: somewhere, NJ Country: United States Certifications: A+, N+, I-net+, CCNP, CCDP, CCSP, CISSP Working on: CCIE R&S Lab, CCIE-S, PMP, CISM
Total Posts: 1786
One thing I can think of is that when you have 2 PIX in line you have to disable TCP randomization on the 2nd one, or they will confuse each other as state info passes from the outside.
__________________
http://www.cisco.com/univercd/
08-12-03 03:39 AM
haseeb_eng
darthfeces, can you please give me the exact link about that, so I can read it in more detail? And if you have any link about such scenario configurations, please give me that too.
__________________
Success is journey not destination
www.islamformankind.com
08-12-03 06:57 AM
darthfeces
See norandomseq in the nat command reference:

nat
Associate a network with a pool of global IP addresses. (Configuration mode.)

Configure with the command:
    nat [(if_name)] id address [netmask [outside] [dns] [norandomseq] [conn_limit [em_limit]]]
    nat [(if_name)] 0 access-list acl_name
Remove with the command:
    no nat [(if_name)] id address [netmask [outside]]
    no nat [(if_name)] 0 [access-list acl_name]
Show command:
    show nat    Displays the nat command statements in the current configuration.

Syntax Description

access-list
    Associates access-list command statements with the nat 0 command and exempts traffic that matches the access list from NAT processing.
acl_name
    The access list name.
clear nat
    Removes nat command statements from the configuration.
conn_limit
    The connection limit; see max_conns.
dns
    Specifies that DNS replies that match the xlate are translated.
em_limit
    The embryonic connection limit. The default is 0, which means unlimited connections. Set it lower for slower systems, higher for faster systems.
hh:mm:ss
    The timeout interval for the translation slot. Timeout only occurs if no TCP or UDP connection is actively using the translation.
id
    The id number to match with the global address pool.
if_name
    The internal network interface name.
local_ip
    Internal network IP address to be translated. You can use 0.0.0.0 to allow all hosts to start outbound connections. The 0.0.0.0 local_ip can be abbreviated as 0.
max_conns
    The maximum number of TCP connections permitted from the interface you specify.
nat_id
    nat_id values can be 0, 0 access-list acl_name, or a number greater than zero (0).
    A nat_id of 0 specifies the inside hosts for identity translation. Identity translations are translations that map an address to itself. The restriction is that the traffic must be initiated from an inside host.
    A nat_id of 0 access-list acl_name specifies the traffic to exempt from NAT processing, based on the access list specified by acl_name. This is useful in Virtual Private Network (VPN) configurations where traffic between private networks should be exempted from NAT.
    A nat_id that is a number greater than zero (0) specifies the inside hosts for dynamic address translation. The dynamic addresses are chosen from a global address pool created with the global command, so the nat_id number must match the global_id number of the global address pool you want to use for dynamic address translation.
netmask
    Network mask for local_ip. You can use 0.0.0.0 to allow all outbound connections to translate with IP addresses from the global pool. The netmask 0.0.0.0 can be abbreviated as 0.
norandomseq
    Do not randomize the TCP packet's sequence number. Only use this option if another inline firewall is also randomizing sequence numbers and the result is scrambling the data. Using this option disables TCP Initial Sequence Number (ISN) randomization protection. Without this protection, inside hosts with weak ISN generation of their own become more vulnerable to TCP connection hijacking.
outside
    Specifies that the nat command applies to the outside interface address. For access control, IPSec, and AAA use the real outside address.
timeout
    Sets the idle timeout value for the translation slot.
__________________
http://www.cisco.com/univercd/
08-12-03 02:38 PM
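Added worked example, not from any post in this thread: one way to put the steps listed in the opening post (static routes toward the WAN routers, NAT exemption instead of translation, an identity static for the DMZ servers with an access list on the WAN-facing interface) together with the norandomseq option from the reference above, in PIX 6.x syntax. Everything in it is an assumption: the interface names (inside toward the corporate LAN and the outer PIX, wan toward the two WAN routers, dmz), the addresses (10.1.0.0/16 corporate LAN, 10.10.0.0/16 and 10.20.0.0/16 remote sites, 10.2.0.0/24 segment shared with the WAN routers, 10.3.0.0/24 DMZ with servers 10.3.0.10 and 10.3.0.20), the ports, and the placement of norandomseq: ISN randomization stays on at the inner PIX and is switched off at the outer PIX only for the remote-site source ranges, so that each remote-site connection to the Internet is randomized by exactly one firewall while the corporate LAN keeps its randomization at the outer PIX. Failover configuration for the two pairs is left out.

```text
! ---- Inner PIX (new pair). PIX 6.x syntax; all names and addresses are assumptions ----
nameif ethernet0 inside security100      ! corporate LAN; the outer PIX is reached through here
nameif ethernet1 wan security0           ! segment shared with the two WAN routers
nameif ethernet2 dmz security50          ! servers the remote sites are allowed to use
ip address inside 10.1.0.2 255.255.0.0
ip address wan 10.2.0.1 255.255.255.0
ip address dmz 10.3.0.1 255.255.255.0

! Anything not known locally (the Internet) goes to the outer PIX's inside address
route inside 0.0.0.0 0.0.0.0 10.1.0.1 1
! The two remote sites sit behind their WAN routers on the wan segment
route wan 10.10.0.0 255.255.0.0 10.2.0.2 1
route wan 10.20.0.0 255.255.0.0 10.2.0.3 1

! NAT exemption (nat 0 access-list): private addresses cross this PIX untranslated, and the
! exemption is bidirectional, so remote-site hosts may initiate connections through it if the
! wan access list permits. "any" on the inside side also covers Internet destinations reached
! via the outer PIX, which is what lets the WAN sites use the Internet without a translation here.
access-list NONAT permit ip any 10.10.0.0 255.255.0.0
access-list NONAT permit ip any 10.20.0.0 255.255.0.0
access-list NONAT permit ip 10.1.0.0 255.255.0.0 10.3.0.0 255.255.255.0
nat (inside) 0 access-list NONAT

! Identity static: the DMZ servers are reachable from the wan interface under their real addresses
static (dmz,wan) 10.3.0.0 10.3.0.0 netmask 255.255.255.0 0 0

! Policy for the remote sites: their own DMZ server on a named port, then the Internet, never the LAN
access-list WAN_IN permit tcp 10.10.0.0 255.255.0.0 host 10.3.0.10 eq www
access-list WAN_IN permit tcp 10.20.0.0 255.255.0.0 host 10.3.0.20 eq www
access-list WAN_IN deny ip any 10.1.0.0 255.255.0.0
access-list WAN_IN deny ip any 10.3.0.0 255.255.255.0
access-list WAN_IN permit ip 10.10.0.0 255.255.0.0 any
access-list WAN_IN permit ip 10.20.0.0 255.255.0.0 any
access-group WAN_IN in interface wan

! ---- Outer PIX (existing pair); only the statements relevant here, existing config not shown ----
! The outer PIX must know the remote sites are behind the inner PIX's inside address
route inside 10.10.0.0 255.255.0.0 10.1.0.2 1
route inside 10.20.0.0 255.255.0.0 10.1.0.2 1
! Corporate LAN: normal PAT to the Internet, ISN randomization left on (the default)
nat (inside) 1 10.1.0.0 255.255.0.0
! Remote sites: same PAT, but norandomseq because the inner PIX already randomized these flows.
! Per the reference above this removes hijacking protection, so it is limited to these two ranges.
nat (inside) 1 10.10.0.0 255.255.0.0 norandomseq
nat (inside) 1 10.20.0.0 255.255.0.0 norandomseq
global (outside) 1 interface
```

After loading this, show nat, show static, show route and show access-list on each unit show what took effect. A remote-site user connecting to their DMZ server should appear in show conn on the inner PIX only; a connection from a remote site to an Internet host should appear in show conn on both PIXes, and in show xlate with a translated address only on the outer one. If you would rather follow the advice above literally and disable randomization on the inner PIX instead, note that nat 0 access-list as documented here takes no norandomseq option, so the flows would have to be matched by a nat or static statement that does.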
ExamNotes forum archive, Cisco exam notes