Solved

Using a PIX, a Router with only one non-static IP address..

Posted on 2002-07-22
Last Modified: 2010-04-17
Hi Guys,

I basically want to use my PIX 515 so I don't have to run Zone Alarm, et al. on each PC -- I've asked a few questions before, but I'm looking for a bit of advice as to the best way to set this up...

Here's the gear:
ADSL Single IP address (non-static)
Asus Router
Pix 515 F/W
Ethernet hub
3 PCs.

----

Here's the idea: (IP's changed to protect the innocent)

IP address is assigned by ISP, to the Asus router (65.195.235.30)

Asus router is then using NAT, and has an internal IP address, 10.0.0.1.  PIX outside IP is set to 10.0.0.2.

(Theory: This means that the PIX can ping from 10.0.0.2 via 10.0.0.1 and out to 65.195.235.30 and beyond.. ?)

The PIX inside IP - 10.10.10.1 and runs NAT/DHCP to offer the client PCs an IP address in that range.

PC1 IP 10.10.10.10, PC2 IP 10.10.10.11, PC3 IP 10.10.10.12

So, PC1 goes through the PIX, which in turn goes through the Asus router and gets internet..

Question: Is this the best way of setting this up ? -- As I mentioned before, all I want is to be able to have the hardware f/w instead of running individual software firewalls.

Question: Any fatal flaws in my theory ?

I'm doing this to try and learn something about Cisco PIX's, so an answer like "don't bother with all that, just use Zone Alarm.." isn't really going to help me.. :)

Thanks for reading and a thousand thanks in advance for any (useful) advice offered! (and 200 pts for the best one :))

-grayp1

Question by:grayp1

10 Comments
 
LVL 2

Expert Comment

by:edmonds_robert
ID: 7169376
Grayp1,
First of all, let me congratulate you on the choice of the Cisco PIX firewall.  I use the 515 in my organization also.  Yes there are more feature rich software based firewalls available, but the PIX is fast, and that's more important to me.  Besides, it does what it advertises, and that's also good.
Anyway, as long as your setup works, it is the best way.  Your basic setup looks fine, but without the configuration file, nobody will be able to help "tweak" your setup.  Not that it's really necessary.  Just follow Cisco's advice on securing your PIX and you should be OK.  If you haven't already, check out the following link.

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_60/config/config.htm

 
LVL 3

Expert Comment

by:mbruner
ID: 7169492
Is your ASUS router also your ADSL modem?  If not, then it is probably unnecessary to use it now that you have a PIX.  

A typical broadband connection is usually set up something like this:
ISP --> Broadband modem --> PIX --> HUB --> PCs

For example, in my home office, I use a PIX 501 for firewall protection.  I have an ethernet connection coming from my cable modem which plugs directly into the outside interface of my PIX (no "router" needed).  I use a simple default route in the PIX to pass traffic to the Internet.  The outside interface of the PIX is assigned a public address by my ISP's DHCP server.  The inside interface is on my 10.x.x.x network and acts as a DHCP server for my PCs.  This setup works very well for me.

Remember though, the PIX is not meant to be a router, so if you are doing some specialized routing, then your setup looks fine.  Otherwise, the router is unnecessary and actually poses a security concern (it's one more piece of equipment monitored for hack attempts).

Of course, this is all meaningless if the router is built into your ADSL modem.  <<SHRUG>>  

Good luck!

 

Author Comment

by:grayp1
ID: 7169518
..thanks for replies back so far!

Just to add further details as required:

mbruner: My Asus Router IS also the ADSL Modem, sorry I didn't mention that before!

What I would like to do is the same as your setup:
Use the Asus Router/Modem to pass the traffic directly to the PIX, but I can't work out how I can do that ?

If I set the Asus router/modem into Bridged mode, what IP address do I have to assign to:

The Asus Router/Modem...?
The Outside Interface of the PIX...?

Yours confusedly,

 
LVL 3

Expert Comment

by:mbruner
ID: 7169577
That's cool.  

If you set the Asus to bridged mode, then it shouldn't be assigned an address.  Instead, it will act like more of a hub (or bridge) than a router.  The outside interface of the PIX will be assigned an IP address through DHCP exactly like the Asus was when it was set up in routing mode.

If you can't get that to work, you could always put the PIX in like you originally stated.  Unfortunately, this means that your traffic will go through the NAT process within the PIX and within the router, which adds complexity and reduces throughput.
 
LVL 17

Expert Comment

by:mikecr
ID: 7171611
Okay, I have a question. Do you use NAT on the Asus to get everyone onto the internet, or, do you have some live IP addresses on the network that need to be available to the internet?
 

Author Comment

by:grayp1
ID: 7171623

I took a look at my Asus last night, and I can't use it as a "bridge" as such. :(

Mikecr: I do use NAT on the Asus so all the PCs can talk to the internet.  

I only have 1 live IP address, which the Asus takes, so that's why I figured I needed to use NAT on the Asus to the outside interface on the PIX and then the PIX does NAT/DHCP to the machines on the network.

 
LVL 17

Expert Comment

by:mikecr
ID: 7171673
Okay, I'm with you now. Now I have another question. Why do you need a firewall? If you have no live IPs on your network and you're NATing your whole internal network to the internet, it is EXTREMELY hard to hack anything if you don't have anything to hack. Any external forces attempting to get into your network are going to be stopped at the router anyhow. The only advantage that you may get out of having a firewall is limiting places that the internal users can go and what traffic you will allow outbound. Was this what you were anticipating?
 

Author Comment

by:grayp1
ID: 7171786

Well, my need for a firewall isn't /really/ required, for the reasons you mentioned.. The goal of the project is basically to teach myself a bit about how the PIX works; I figured that fitting it "somewhere" into my small network was the best way of learning it...
 
LVL 3

Accepted Solution

by:mbruner (earned 200 total points)
ID: 7171958
That's okay.  You can still set it up the way you originally described.  However, depending on how functional your ASUS router is, you will probably have to do a double NAT on your data (once as it traverses the PIX and once as it traverses the router).  This may gum up some multimedia applications and such, but for the most part, it should work fine.  

I'll try to diagram an example setup below.

.    ISP
.     |
.     | Public Address
.   ASUS
.     |.1
.     |
.|-------------------| 10.10.1.0/24
.     |          |
.     |.2        |.3
.    PIX        PC
.     |.1
.     |
.|-------------------| 192.168.1.0/24
.  |              |
.  |.2            |.3
. PC             PC

This setup will allow you to play with a lot of the NAT options, like one-to-one NATs, PAT, and combinations of both NAT and PAT.  You can also put your PCs in multiple places on the network to test data traversal through the PIX (I've shown a couple above).  

All in all, it's a pretty good setup for learning.  Try it out and let us know if you run across any problems.
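As an added example (not part of the original thread, and not a configuration any of the posters supplied), here is mbruner's accepted diagram written out as a PIX 6.x configuration: the ASUS at 10.10.1.1, the PIX outside interface at 10.10.1.2, the PIX inside interface at 192.168.1.1 handing out DHCP to the PCs, PAT for the whole inside network plus one one-to-one static so the NAT/PAT combination he mentions can be exercised. It also carries, as a commented alternative, the bridged-modem layout from his earlier PIX 501 comment (outside address by DHCP, no router in front). The interface names, DHCP pool, DNS address given to the PCs, the 10.10.1.10 static address and the port 22 rule are assumptions chosen for illustration.

```cisco
: PIX 6.x configuration for the double-NAT layout in the diagram above.
: Lines beginning with a colon are comments in a PIX configuration.
hostname pixlab

: Interface names and security levels (ethernet0/1 are assumed to be the
: two ports in use; traffic flows from higher to lower security by default)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
interface ethernet0 100full
interface ethernet1 100full

: Addresses from the diagram: outside sits on the ASUS LAN, inside is the PC LAN
ip address outside 10.10.1.2 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0

: Bridged-modem alternative (mbruner's PIX 501 setup): replace the two lines
: above for the outside interface with the following, which takes the public
: address from the ISP's DHCP server and installs the default route it hands out.
: ip address outside dhcp setroute

: Default route towards the ASUS (.1 on 10.10.1.0/24); the ASUS then does
: the second NAT to the single public address
route outside 0.0.0.0 0.0.0.0 10.10.1.1 1

: PAT: every inside host leaves the PIX using the outside interface address
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0 0 0

: One-to-one NAT: inside PC 192.168.1.2 appears as 10.10.1.10 on the ASUS LAN.
: The static alone is not enough; traffic arriving on the outside (security0)
: interface is dropped unless an access-list permits it, so only SSH from the
: PC on 10.10.1.3 is let through here.
static (inside,outside) 10.10.1.10 192.168.1.2 netmask 255.255.255.255 0 0
access-list outside_in permit tcp host 10.10.1.3 host 10.10.1.10 eq 22
access-group outside_in in interface outside

: DHCP for the PCs on the inside (pool and DNS address are assumptions;
: the ASUS is used as the DNS forwarder here)
dhcpd address 192.168.1.2-192.168.1.100 inside
dhcpd dns 10.10.1.1
dhcpd lease 3600
dhcpd enable inside

: Keep a local log so NAT and access-list drops can be inspected
logging on
logging buffered warnings
```

Useful checks once this is loaded: `show route` should list the default route via 10.10.1.1, `show xlate` shows the PAT entries as the PCs browse and the static for 192.168.1.2, and `show conn` shows the live connections; after changing any `nat`, `global` or `static` line, run `clear xlate` so old translations do not linger. Two caveats follow from the double NAT: the 10.10.1.10 static is only reachable from the 10.10.1.0/24 side, so anything meant to be reachable from the Internet also needs a port-forward on the ASUS pointing at 10.10.1.10, and applications that embed addresses in their payload (the "multimedia applications" mbruner mentions) are translated twice, once by each device, which is where they tend to break.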
 

Author Comment

by:grayp1
ID: 7171988

Thanks all, especially MBruner, for help and advice.

I'll attempt to put it all together over the next few weeks and no doubt will be throwing up a few more questions!

cheers!
