PIX/Linux/ADSL2 Routing/NAT Issue.

Discussion in 'Cisco' started by Skymaster, Sep 7, 2006.

  1. Skymaster

    Skymaster Guest

    G'day all...
    Got a few questions on how to properly implement and correct a routing
    problem I have.
    Consider the following physical network:


    LAN --- (Switch) --- Linux --- (Switch) --- ADSL2+ Modem
                  +------ PIX -------+


    Linux Int - 172.30.1.254, Ext - 172.30.250.254
    PIX Int - 172.30.1.251, Ext - 172.30.250.251
    ADSL - 172.30.250.250
    ADSL external has static IP - 1.2.3.4

    The LAN has the Linux box as its default gateway. This linux box is
    NAT'ing this into the External Network, and the ADSL2 modem is NAT'ing
    the external to the Internet.

    The External interface of the PIX is defined as the 'DMZ' host in the
    ADSL modem, so it receives all requests hitting the external interface.
    This PIX then forwards on the requests to the appropriate LAN server
    (mail + web etc). This PIX is also a PPTP/IPSEC Vpn server to allow
    internet users to log into the LAN.

    Now...why do it like this? I want the IPSec/Firewall features of the
    PIX, but the PIX is a 10 user 501, which only has 10mbit interfaces,
    and my ADSL2 connection is 24mbit, and I have around 30 machines on the
    LAN.

    Now, the problem. All the LAN users have no hassles accessing the
    internet correctly. External services though... this is the issue. When
    a user, for example, connects to port 25 for an SMTP session and hits the
    1.2.3.4 address, the PIX forwards it on to the correct server. When the
    TCP stack on that server replies with its SYN/ACK though, it gets sent
    back via the Linux machine, being the default route. This confuses the
    ADSL modem, which treats it as a new packet, re-NATs it, and sends it
    back to the user. The user's machine then replies with a RST because it
    doesn't understand what the hell is going on. Hence the connection
    fails. What to do?
    I am puzzled. Any help would be fantastic - cheers!!
     
    Skymaster, Sep 7, 2006
    #1
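The asymmetric path described in the post (request in via the PIX, SYN/ACK out via the Linux default gateway) is usually cured on the LAN server itself: remember which gateway delivered each connection and send that connection's replies back the same way. The script below is an added example, not from the original post or from any of the posters. It assumes the LAN server runs Linux with iptables and iproute2, that both routers sit on the same LAN segment (so the only way to tell them apart on arrival is the source MAC), and that the PIX inside MAC, the routing-table number and the fwmark value are placeholders to be replaced. Only the 172.30.1.251 address comes from the post. Without APPLY=1 it just prints the commands it would run.

```shell
#!/bin/sh
# Added example for the LAN server (mail/web host), not from the original post.
# Problem: the server's default gateway is the Linux NAT box (172.30.1.254), so
# replies to sessions that arrived through the PIX (172.30.1.251) leave via the
# Linux box, and the ADSL modem sees a second, unrelated flow. Fix: mark every
# connection whose packets arrive from the PIX's inside MAC, restore that mark
# on the server's own outgoing packets, and route marked traffic via the PIX.

PIX_INSIDE_IP="172.30.1.251"          # from the post
PIX_INSIDE_MAC="00:11:22:33:44:55"    # ASSUMED placeholder: the PIX's real inside MAC
TABLE_ID=100                           # ASSUMED: an unused policy-routing table number
MARK=0x1                               # ASSUMED: an unused fwmark value

# Dry run by default; set APPLY=1 to execute (needs root on the server).
run() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    else
        echo "$*"
    fi
}

via_pix_rules() {
    # 1. Packets whose Ethernet source is the PIX: stamp the mark on the
    #    conntrack entry, so the whole connection is remembered as "came via PIX".
    run iptables -t mangle -A PREROUTING -m mac --mac-source "$PIX_INSIDE_MAC" \
        -j CONNMARK --set-mark "$MARK"
    # 2. Locally generated packets (the server's SYN/ACK and data) inherit the
    #    connection's mark; the kernel re-routes a packet whose mark changed here.
    run iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
    # 3. A routing table whose default route is the PIX, selected by that mark.
    #    Unmarked traffic (LAN users' own browsing) keeps using the Linux box.
    run ip route add default via "$PIX_INSIDE_IP" table "$TABLE_ID"
    run ip rule add fwmark "$MARK" table "$TABLE_ID"
    run ip route flush cache
}

via_pix_rules
```

Check it after applying with `ip rule show` and `ip route show table 100`, then watch a test SMTP session with `tcpdump -n -e port 25` on the server: the SYN/ACK's destination MAC should now be the PIX, not the Linux box. Connections the server itself opens are unmarked and still go out through the Linux NAT.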

  2. In article <>,
    Skymaster <> wrote:
    >Now...why do it like this? I want the IPSec/Firewall features of the
    >PIX, but the PIX is a 10 user 501, which only has 10mbit interfaces,
    >and my ADSL2 connection is 24mbit, and I have around 30 machines on the
    >LAN.


    FYI, The 10 Mbit outside interface restriction was removed in 6.3(1).
    (But the 10 user license remained unchanged.)
     
    Walter Roberson, Sep 7, 2006
    #2

  3. Skymaster

    Skymaster Guest

    Is there somewhere I can get a copy of this easily? Or would it involve
    me handing over money to Cisco?


    Walter Roberson wrote:
    > In article <>,
    > Skymaster <> wrote:
    > >Now...why do it like this? I want the IPSec/Firewall features of the
    > >PIX, but the PIX is a 10 user 501, which only has 10mbit interfaces,
    > >and my ADSL2 connection is 24mbit, and I have around 30 machines on the
    > >LAN.

    >
    > FYI, The 10 Mbit outside interface restriction was removed in 6.3(1).
    > (But the 10 user license remained unchanged.)
     
    Skymaster, Sep 7, 2006
    #3
  4. In article <>,
    Skymaster <> wrote:
    [PIX 6.3(1)]

    >Is there somewhere I can get a copy of this easily? Or would it involve
    >me handing over money to Cisco?


    It depends on what your current version is. If you are in PIX 6.2 now
    then you -might- be able to wrangle it through judicious use of
    the PIX Security Advisories, but you'd need to look at them carefully
    and be prepared to argue your case. (Security Advisories don't normally
    allow you to upgrade.)
     
    Walter Roberson, Sep 7, 2006
    #4
  5. Dom

    Dom Guest

    On Wed, 2006-09-06 at 21:28 -0700, Skymaster wrote:
    > LAN --- (Switch) --- Linux --- (Switch) --- ADSL2+ Modem
    > +------ PIX -------+


    > This linux box is
    > NAT'ing this into the External Network, and the ADSL2 modem is NAT'ing
    > the external to the Internet.


    Two nats is one too many. NAT at the edge of the network only.
     
    Dom, Sep 8, 2006
    #5
