Pix Asymmetric Routing and a multihomed server

Discussion in 'Cisco' started by Alex, Dec 26, 2004.

  1. Alex

    Alex Guest

    I have a Pix506 with one outside interface (public ip address block) and 2
    VLANs on the inside interface (one physical and one logical). One VLAN is
    the inside interface and the other DMZ. There is a managed switch there
    to complete the picture but not relevant to this question. Now, I have
    setup static NAT for the web server on the DMZ. Here is the twist: The
    webserver is actually a multi-homed Win2K3 server with one NIC on the DMZ
    subnet and the other on the Inside subnet. With this config, outside users
    cannot hit the webserver. Logs reveal that an xlate is created on the DMZ
    interface, but the return packet shows up on the Inside interface for which
    there is no xlate and the Pix drops it. This is because the multi-homed
    server has the Inside interface as its default gateway. Also, I have tested
    with a standalone server on the DMZ that has the DMZ interface as the
    default gateway and everything works fine.

    So here is the question: Is there a config on the Pix to allow for this
    asymmetric situation OTHER than reverse NAT/PAT? Alternatively, is there a
    W2K3 server config to make the incoming packets on a NIC go out a certain
    gateway instead of the default one (i.e. policy route)?

    Thanks.

    Alex.
     
    Alex, Dec 26, 2004
    #1

  2. Hello, Alex!
    You wrote on Sun, 26 Dec 2004 16:10:53 GMT:

    A> So here is the question: Is there a config on the Pix to allow for this
    A> asymmetric situation OTHER than reverse NAT/PAT? Alternatively,
    A> is there a W2K3 server config to make the incoming packets on a
    A> NIC go out a certain gateway instead of the default one (i.e.
    A> policy route)?

    Why would you need a default gateway configured on the inside NIC? Configure the default
    gateway on the DMZ NIC and leave this field empty on the inside NIC.

    With best regards,
    Andrey.
     
    Andrey Tarasov, Dec 26, 2004
    #2

  3. Alex

    PES Guest

    Alex wrote:
    > I have a Pix506 with one outside interface (public ip address block) and 2
    > VLANs on the inside interface (one physical and one logical). One VLAN is
    > the inside interface and the other DMZ. There is a managed switch there
    > to complete the picture but not relevant to this question. Now, I have
    > setup static NAT for the web server on the DMZ. Here is the twist: The
    > webserver is actually a multi-homed Win2K3 server with one NIC on the DMZ
    > subnet and the other on the Inside subnet. With this config, outside users
    > cannot hit the webserver. Logs reveal that an xlate is created on the DMZ
    > interface, but the return packet shows up on the Inside interface for which
    > there is no xlate and the Pix drops it. This is because the multi-homed
    > server has the Inside interface as its default gateway. Also, I have tested
    > with a standalone server on the DMZ that has the DMZ interface as the
    > default gateway and everything works fine.
    >
    > So here is the question: Is there a config on the Pix to allow for this
    > asymmetric situation OTHER than reverse NAT/PAT? Alternatively, is there a
    > W2K3 server config to make the incoming packets on a NIC go out a certain
    > gateway instead of the default one (i.e. policy route)?
    >
    > Thanks.
    >
    > Alex.
    The Pix will not permit this, nor should it. The best design would be not
    to multihome your Windows box; this could allow it to bypass the Pix if
    it is compromised. Anyway, you can point the default route out the DMZ
    interface. You can use the route add command to add routes to any
    internal networks. For example:

    route add -p 192.168.1.0 mask 255.255.255.0 192.168.0.1


    --
    -------------------------
    Paul Stewart
    Lexnet Inc.
    Email address is in ROT13
     
    PES, Dec 26, 2004
    #3
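    To make the behaviour Paul and Andrey describe concrete, here is an added example that is not part of the thread: a small longest-prefix-match lookup over the server's two routing tables (default gateway on the inside NIC versus on the DMZ NIC plus a persistent route for the inside network), together with the Pix's rule that a return packet must arrive on the interface that owns the xlate. All addresses are constructed; the 192.168.0.0/24 (DMZ) and 192.168.1.0/24 (inside) subnets are taken from the route add example above.

    ```python
    import ipaddress

    # Constructed addresses for the walk-through (not from the original thread).
    OUTSIDE_CLIENT = "203.0.113.10"   # an Internet client hitting the web server
    INSIDE_HOST = "192.168.1.50"      # a host on the inside VLAN
    DMZ_HOST = "192.168.0.7"          # another host on the DMZ VLAN

    # Routing tables as (prefix, egress NIC). The connected subnets are present
    # in both; only the default route differs.
    # Before: default gateway configured on the inside NIC (Alex's broken setup).
    BEFORE = [
        ("192.168.0.0/24", "dmz"),
        ("192.168.1.0/24", "inside"),
        ("0.0.0.0/0", "inside"),
    ]
    # After: default gateway on the DMZ NIC; the inside network stays reachable
    # through the connected route (or a "route add -p" for further inside nets).
    AFTER = [
        ("192.168.0.0/24", "dmz"),
        ("192.168.1.0/24", "inside"),
        ("0.0.0.0/0", "dmz"),
    ]


    def lookup(routes, dst):
        """Longest-prefix match: return the NIC the host would send dst out of."""
        dst = ipaddress.ip_address(dst)
        best_net, best_nic = None, None
        for prefix, nic in routes:
            net = ipaddress.ip_network(prefix)
            if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
                best_net, best_nic = net, nic
        return best_nic


    def pix_accepts_return(routes, client, xlate_iface="dmz"):
        """The static NAT built the xlate on the interface where the SYN arrived
        (the DMZ). The Pix only matches the reply if it comes back in on that
        same interface; a reply arriving on the inside interface has no xlate
        and is dropped, which is exactly what Alex saw in his logs."""
        return lookup(routes, client) == xlate_iface


    if __name__ == "__main__":
        for name, table in (("before", BEFORE), ("after", AFTER)):
            print(name, "reply to", OUTSIDE_CLIENT, "leaves via", lookup(table, OUTSIDE_CLIENT),
                  "-> Pix accepts:", pix_accepts_return(table, OUTSIDE_CLIENT))
    ```

    The "after" table also shows why the inside NIC can stay without a gateway: traffic to 192.168.1.0/24 still matches the connected route and leaves via the inside NIC, while everything else, including replies to Internet clients, goes out the DMZ NIC and back through the interface that holds the xlate.
    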
  4. Alex

    Alex Guest

    Thanks that worked.
    Alex.

    "Andrey Tarasov" <> wrote in message
    news:cqms4n$cg8$...
    > Hello, Alex!
    > You wrote on Sun, 26 Dec 2004 16:10:53 GMT:
    >
    > A> So here is the question: Is there a config on the Pix to allow for this
    > A> asymmetric situation OTHER than reverse NAT/PAT? Alternatively,
    > A> is there a W2K3 server config to make the incoming packets on a
    > A> NIC go out a certain gateway instead of the default one (i.e.
    > A> policy route)?
    >
    > Why would you need a default gateway configured on the inside NIC? Configure
    > the default gateway on the DMZ NIC and leave this field empty on the inside NIC.
    >
    > With best regards,
    > Andrey.
    >
     
    Alex, Jan 2, 2005
    #4