Solved

Cisco PIX - all interfaces on same subnet - possible?

Posted on 2002-06-11
Last Modified: 2013-11-16
hi guys,

Would like to ask you if Cisco PIX can do a "drop-in configuration mode", i.e. allows you to drop a firewall (physically between the Internet router and the internal LAN) into an existing network without subnetting or changing the subnet of the LAN hosts.

Basically which means the network interfaces are all from the same IP / network segment.

Also, would like to confirm the routing given that the above is possible:
(1) Outgoing: the default gw for the PIX going to be the router?
(2) Outgoing: the hosts default gw going to be the inside interface of the PIX?
(3) Incoming: how does it work from the router point-of-view? Any routing required here?

Pls advise..! Thxs

0
Question by:Haho
5 Comments
 
LVL 79

Accepted Solution

by:
lrmoore earned 100 total points
ID: 7070015
No can do with PIX. Each interface must be a different subnet.
0
 
LVL 1

Expert Comment

by:Chriskohn
ID: 7071572
Hello Haho:
 Agree with lrmoore that you would need at least two subnets in order to define one security level being different than another.
 In answer to your other three questions:
1) Yes. You are correct in your thinking here.
2) Yes, again you are correct.
3) Your router needs a default route to the Internet if that is the way you're going from here, or if still in an Intranet your routing may be static or dynamic depending on what you are trying to accomplish.
 Just as a suggestion to get around your dilemma of not having a second subnet, perhaps you could try to use VLSM (variable length subnet masking) if your routing protocol supports it and if you aren't already. Depending on your IP addressing scheme at this time, perhaps you could possibly provide a 2 IP address subnet just for your outside PIX interface and your router's Ethernet connected to it. Good luck, hope this helps.
 Chriskohn
0
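The VLSM suggestion in the comment above, worked through as an added example that is not part of the original thread: it narrows the inside mask so every existing host keeps its address, carves a 2-address /30 for the router-to-PIX outside link from the unused space, and checks that the two subnets do not overlap. The function name `plan_vlsm_split`, the 192.168.1.0/24 LAN and the host addresses are assumptions constructed for illustration (IPv4 only).

```python
import ipaddress

def plan_vlsm_split(lan_cidr, hosts_in_use):
    """Split one LAN into an inside subnet that keeps every existing host
    address and a /30 for the router <-> PIX outside link.
    Returns None when the hosts are spread too widely to avoid renumbering."""
    lan = ipaddress.ip_network(lan_cidr)
    hosts = sorted({ipaddress.ip_address(h) for h in hosts_in_use})
    if not hosts or any(h not in lan for h in hosts):
        raise ValueError("need at least one host, all inside the LAN")

    def fits(net):
        # Every host must be a usable address (not network/broadcast) and
        # one more address must remain for the PIX inside interface.
        edges = (net.network_address, net.broadcast_address)
        return (all(h in net and h not in edges for h in hosts)
                and net.num_addresses - 2 > len(hosts))

    # Widen from a /30 around the lowest host until everything fits.
    inside = ipaddress.ip_network(f"{hosts[0]}/30", strict=False)
    while not fits(inside) and inside.prefixlen > lan.prefixlen:
        inside = inside.supernet()
    if inside.prefixlen <= lan.prefixlen:
        return None  # no room left for a second subnet

    # Take the last /30 of the highest unused block for the outside link.
    spare = max(lan.address_exclude(inside), key=lambda n: n.network_address)
    link = ipaddress.ip_network(f"{spare.broadcast_address - 3}/30")
    assert not inside.overlaps(link)  # two security levels, two subnets
    router_ip, pix_outside = link.hosts()

    # Highest free inside address becomes the hosts' new default gateway.
    pix_inside = inside.broadcast_address - 1
    while pix_inside in hosts:
        pix_inside -= 1
    return {"inside": inside, "link": link, "router": router_ip,
            "pix_outside": pix_outside, "pix_inside": pix_inside}

if __name__ == "__main__":
    # Constructed sample: a /24 whose hosts all sit in the lower half.
    plan = plan_vlsm_split("192.168.1.0/24",
                           ["192.168.1.10", "192.168.1.20", "192.168.1.100"])
    for name, value in plan.items():
        print(f"{name:12} {value}")
```

Hosts keep their IP addresses under this plan, but their subnet mask and default gateway still have to change to match the narrower inside subnet.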
 
LVL 1

Author Comment

by:Haho
ID: 7071668
I found a posting that says that it can be on the same subnet.

Pls refer to:
http://www.geocrawler.com/archives/3/90/1997/5/0/373659/

> >We were informed that Cisco PIX 4.0 can perform the following :
> >1) PIX is transparent, the 2 network interfaces on PIX can be configured
> >   using IP addresses from the same network segment.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 7071779
The date of that posting was over 5 years ago and also states:
> This really would not make sense...  if the internal and external
> networks are on the same segment, then there's no point in having
> the firewall.

It still doesn't make sense.

PIX 4.0 has come a long way, baby. The whole concept of the PIX is that you have one network at one security level and other networks at either higher or lower security levels. You cannot have two interfaces at two different security levels on the same subnet.

My opinion has not changed. No can do. Sorry if you don't like it.
0
 
LVL 1

Author Comment

by:Haho
ID: 7072384
ok, thanks!
0
