PIX/Linux/ADSL2 Routing/NAT Issue.

Discussion in 'Cisco' started by Skymaster, Sep 7, 2006.

  1. Skymaster

    G'day all...
    Got a few q's on how to properly implement & correct a routing problem
    I have.
    Consider the following physical network:

    LAN --- (Switch) --- Linux --- (Switch) --- ADSL2+ Modem
    +------ PIX -------+

    Linux Int -, Ext-
    PIX Int -, Ext-
    ADSL -
    ADSL External has static IP -

    The LAN has the Linux box as its default gateway. This linux box is
    NAT'ing this into the External Network, and the ADSL2 modem is NAT'ing
    the external to the Internet.

    The External interface of the PIX is defined as the 'DMZ' host in the
    ADSL modem, so it receives all requests hitting the external interface.
    This PIX then forwards on the requests to the appropriate LAN server
    (mail + web etc). This PIX is also a PPTP/IPsec VPN server to allow
    internet users to log into the LAN.

    Now...why do it like this? I want the IPSec/Firewall features of the
    PIX, but the PIX is a 10 user 501, which only has 10mbit interfaces,
    and my ADSL2 connection is 24mbit, and I have around 30 machines on the

    Now, the problem. All the LAN users have no hassles accessing the
    internet correctly. External services though...this is the issue. When
    a user, for example, connects to port 25 for an SMTP session, hits the address, the PIX forwards it on to the correct server. When the
    TCP stack on that server replies with its SYN/ACK though, it gets sent
    back via the Linux machine, being the default route. This confuses the
    ADSL modem, which treats it as a new packet, re-NATs it, and sends it
    back to the user. The user's machine then replies with a RST because it
    doesn't understand what the hell is going on. Hence the connection
    fails. What to do?
    I am puzzled. Any help would be fantastic - cheers!!
    Skymaster, Sep 7, 2006
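The failure described in this post, modelled as a small packet-flow simulation. This is an added example, not code from the thread; the addresses are constructed placeholders, and it assumes the ADSL modem allocates a fresh source port for any outbound flow it has no state for while passing its DMZ host's replies through 1:1 with the port preserved. Run `simulate("linux")` for the asymmetric return path and `simulate("pix")` for the symmetric one.

```python
from dataclasses import dataclass, replace
from itertools import count

# Constructed placeholder addresses (RFC 5737 / private ranges), not the thread's.
CLIENT, ADSL_PUB, PIX_EXT, LINUX_EXT, SERVER = (
    "198.51.100.7", "203.0.113.1", "10.0.0.2", "10.0.0.3", "192.168.1.25")

@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str

class Nat:
    """Minimal stateful NAT. Inbound packets with no mapping go to the DMZ host;
    the DMZ host's own replies are passed 1:1 to the public address."""
    def __init__(self, public_ip, dmz=None):
        self.public_ip, self.dmz, self.table = public_ip, dmz, {}
        self.ports = count(40000)  # assumption: unknown outbound flows get fresh ports

    def outbound(self, p):
        if p.src == self.dmz:                        # DMZ reply: keep the port
            return replace(p, src=self.public_ip)
        for pub, inside in self.table.items():
            if inside == (p.src, p.sport):
                return replace(p, src=self.public_ip, sport=pub)
        pub = next(self.ports)                       # "new" flow as far as NAT knows
        self.table[pub] = (p.src, p.sport)
        return replace(p, src=self.public_ip, sport=pub)

    def inbound(self, p):
        if p.dport in self.table:
            ip, port = self.table[p.dport]
            return replace(p, dst=ip, dport=port)
        return replace(p, dst=self.dmz) if self.dmz else None

def simulate(reply_via):
    """SMTP SYN enters via ADSL DMZ -> PIX -> server; the SYN/ACK returns via
    'linux' (default route, asymmetric) or 'pix' (symmetric). Returns the client's verdict."""
    adsl, linux = Nat(ADSL_PUB, dmz=PIX_EXT), Nat(LINUX_EXT)
    syn = Pkt(CLIENT, 51000, ADSL_PUB, 25, "S")
    at_pix = adsl.inbound(syn)                       # no mapping -> DMZ host (PIX)
    at_server = replace(at_pix, dst=SERVER)          # PIX static forward to the server
    reply = Pkt(SERVER, 25, at_server.src, at_server.sport, "SA")
    if reply_via == "linux":
        wire = adsl.outbound(linux.outbound(reply))  # two NATs, both see a new flow
    else:
        wire = adsl.outbound(replace(reply, src=PIX_EXT))  # PIX undoes its static NAT
    expected = (syn.dst, syn.dport, syn.src, syn.sport)
    ok = (wire.src, wire.sport, wire.dst, wire.dport) == expected and "SA" in wire.flags
    return "ESTABLISHED" if ok else "RST"
```

The client only accepts a SYN/ACK whose source address and port match the SYN it sent, which is exactly what the second NAT on the asymmetric path breaks.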

  2. FYI, The 10 Mbit outside interface restriction was removed in 6.3(1).
    (But the 10 user license remained unchanged.)
    Walter Roberson, Sep 7, 2006

  3. Skymaster

    Is there somewhere I can get a copy of this easily? Or would it involve
    me handing over money to Cisco?
    Skymaster, Sep 7, 2006
  4. It depends on what your current version is. If you are in PIX 6.2 now
    then you -might- be able to wrangle it through judicious use of
    the PIX Security Advisories, but you'd need to look at them carefully
    and be prepared to argue your case. (Security Advisories don't normally
    allow you to upgrade.)
    Walter Roberson, Sep 7, 2006
  5. Dom

    Two nats is one too many. NAT at the edge of the network only.
    Dom, Sep 8, 2006