Velocity Reviews


Alex 12-26-2004 04:10 PM

Pix Asymmetric Routing and a multihomed server
 
I have a Pix506 with one outside interface (public ip address block) and 2
VLANs on the inside interface (one physical and one logical). One VLAN is
the inside interface and the other DMZ. There is a managed switch there
to complete the picture but it is not relevant to this question. Now, I have
setup static NAT for the web server on the DMZ. Here is the twist: The
webserver is actually a multi-homed Win2K3 server with one NIC on the DMZ
subnet and the other on the Inside subnet. With this config, outside users
cannot hit the webserver. Logs reveal that an xlate is created on the DMZ
interface, but the return packet shows up on the Inside interface for which
there is no xlate and the Pix drops it. This is because the multi-homed
server has the Inside interface as its default gateway. Also, I have tested
with a standalone server on the DMZ that has the DMZ interface as the
default gateway and everything works fine.

So here is the question: Is there a config on the Pix to allow for this
asymmetric situation OTHER than reverse NAT/PAT? Alternatively, is there a
W2K3 server config to make the incoming packets on a NIC go out a certain
gateway instead of the default one (i.e. policy route)?

Thanks.

Alex.
Andrey Tarasov 12-26-2004 05:25 PM

Re: Pix Asymmetric Routing and a multihomed server
 
Hello, Alex!
You wrote on Sun, 26 Dec 2004 16:10:53 GMT:

A> So here is the question: Is there a config on the Pix to allow for this
A> asymmetric situation OTHER than reverse NAT/PAT? Alternatively,
A> is there a W2K3 server config to make the incoming packets on a
A> NIC go out a certain gateway instead of the default one (i.e.
A> policy route)?

Why would you need a default gateway configured on inside NIC? Configure default
gateway on DMZ NIC and leave this field empty on inside NIC.

With best regards,
Andrey.


PES 12-26-2004 06:36 PM

Re: Pix Asymmetric Routing and a multihomed server
 
Alex wrote:
> I have a Pix506 with one outside interface (public ip address block) and 2
> VLANs on the inside interface (one physical and one logical). One VLAN is
> the inside interface and the other DMZ. There is a managed switch there
> to complete the picture but it is not relevant to this question. Now, I have
> setup static NAT for the web server on the DMZ. Here is the twist: The
> webserver is actually a multi-homed Win2K3 server with one NIC on the DMZ
> subnet and the other on the Inside subnet. With this config, outside users
> cannot hit the webserver. Logs reveal that an xlate is created on the DMZ
> interface, but the return packet shows up on the Inside interface for which
> there is no xlate and the Pix drops it. This is because the multi-homed
> server has the Inside interface as its default gateway. Also, I have tested
> with a standalone server on the DMZ that has the DMZ interface as the
> default gateway and everything works fine.
>
> So here is the question: Is there a config on the Pix to allow for this
> asymmetric situation OTHER than reverse NAT/PAT? Alternatively, is there a
> W2K3 server config to make the incoming packets on a NIC go out a certain
> gateway instead of the default one (i.e. policy route)?
>
> Thanks.
>
> Alex.
>
>
>


The pix will not permit this, nor should it. Best design would be not
to multihome your Windows box; this could allow it to bypass the pix if
it is compromised. Anyway, you can point the default route out the dmz
interface. You can use the route add command to add routes to any
internal networks. For example:

route add -p 192.168.1.0 mask 255.255.255.0 192.168.0.1


--
-------------------------
Paul Stewart
Lexnet Inc.
Email address is in ROT13
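To see why the PIX drops Alex's return traffic and why the fix above (default gateway on the DMZ NIC, a persistent route for the inside networks) restores the flow, here is an added model, not code from any poster: it does a longest-prefix lookup on the server's route table to pick the reply NIC, then applies the PIX rule that a static-NAT xlate only matches on the interface it was built on. All addresses are constructed (PIX inside 192.168.0.1/24, PIX DMZ 172.16.1.1/24, public client 203.0.113.5); only 192.168.1.0/24 via 192.168.0.1 comes from the post.

```python
import ipaddress

# Constructed addressing for the thread's topology (not taken from the posts).
SERVER_NICS = {"inside": "192.168.0.10/24", "dmz": "172.16.1.10/24"}

def egress_interface(routes, dst):
    """Longest-prefix match over (prefix, interface) pairs, as the Windows route table does."""
    d = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), nic) for p, nic in routes
               if d in ipaddress.ip_network(p)]
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def pix_allows_reply(xlate_interface, reply_interface):
    """A static NAT xlate is bound to the interface it was created on. A reply that
    arrives on a different interface has no matching xlate and is dropped."""
    return xlate_interface == reply_interface

def web_flow(routes, client="203.0.113.5"):
    """Outside client hits the static NAT on the DMZ; the server's route table picks
    the reply NIC and the PIX checks that NIC against the DMZ xlate."""
    reply_nic = egress_interface(routes, client)
    return reply_nic, pix_allows_reply("dmz", reply_nic)

def connected_routes():
    return [(str(ipaddress.ip_interface(a).network), nic) for nic, a in SERVER_NICS.items()]

# Alex's original setup: default gateway on the inside NIC.
BROKEN = connected_routes() + [("0.0.0.0/0", "inside")]

# The fix from the thread: default gateway on the DMZ NIC plus
#   route add -p 192.168.1.0 mask 255.255.255.0 192.168.0.1
# so the second internal LAN is still reached through the inside NIC.
FIXED = connected_routes() + [("0.0.0.0/0", "dmz"), ("192.168.1.0/24", "inside")]

if __name__ == "__main__":
    print("broken:", web_flow(BROKEN))   # ('inside', False)
    print("fixed: ", web_flow(FIXED))    # ('dmz', True)
    print("internal client via:", egress_interface(FIXED, "192.168.1.50"))  # inside
```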

Alex 01-02-2005 01:53 AM

Re: Pix Asymmetric Routing and a multihomed server
 
Thanks that worked.
Alex.

"Andrey Tarasov" <andyvt@email.com> wrote in message
news:cqms4n$cg8$1@news.aha.ru...
> Hello, Alex!
> You wrote on Sun, 26 Dec 2004 16:10:53 GMT:
>
> A> So here is the question: Is there a config on the Pix to allow for
> this
> A> asymmetric situation OTHER than reverse NAT/PAT? Alternatively,
> A> is there a W2K3 server config to make the incoming packets on a
> A> NIC go out a certain gateway instead of the default one (i.e.
> A> policy route)?
>
> Why would you need a default gateway configured on inside NIC? Configure
> default
> gateway on DMZ NIC and leave this field empty on inside NIC.
>
> With best regards,
> Andrey.
>
