grayp1

Using a PIX, a Router with only one non-static IP address..

Hi Guys,

I basically want to use my PIX 515 so I don't have to run Zone Alarm, et al. on each PC -- I've asked a few questions before, but I'm looking for a bit of advice as to the best way to set this up...

Here's the gear:
ADSL Single IP address (non-static)
Asus Router
Pix 515 F/W
Ethernet hub
3 pc's.

----

Here's the idea: (IP's changed to protect the innocent)

IP address is assigned by ISP, to the Asus router (65.195.235.30)

Asus router is then using NAT, and has an internal IP address, 10.0.0.1.  PIX outside IP is set to 10.0.0.2.

(Theory: This means that the PIX can ping from 10.0.0.2 via 10.0.0.1 and out to 65.195.235.30 and beyond.. ?)

The PIX inside IP - 10.10.10.1 and runs NAT/DHCP to offer the client PCs an IP address in that range.

PC1 IP 10.10.10.10, PC2 IP 10.10.10.11, PC3 IP 10.10.10.12

So, PC1 goes through the PIX, which in turn goes through the Asus router and gets internet..

Question: Is this the best way of setting this up ? -- As I mentioned before, all I want is to be able to have the hardware f/w instead of running individual software firewalls.

Question: Any fatal flaws in my theory ?

I'm doing this to try and learn something about Cisco PIX's, so an answer like "don't bother with all that, just use Zone Alarm.." isn't really going to help me.. :)

Thanks for reading and a thousand thanks in advance for any (useful) advice offered! (and 200 pts for the best one :))

-grayp1

edmonds_robert

Grayp1,
First of all, let me congratulate you on the choice of the Cisco PIX firewall.  I use the 515 in my organization also.  Yes there are more feature rich software based firewalls available, but the PIX is fast, and that's more important to me.  Besides, it does what it advertises, and that's also good.
Anyway, as long as your setup works, it is the best way.  Your basic setup looks fine, but without the configuration file, nobody will be able to help "tweak" your setup.  Not that it's really necessary.  Just follow Cisco's advice on securing your PIX and you should be OK.  If you haven't already, check out the following link.

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_60/config/config.htm

mbruner

Is your ASUS router also your ADSL modem?  If not, then it is probably unnecessary to use it now that you have a PIX.  

A typical broadband connection is usually set up something like this:
ISP --> Broadband modem --> PIX --> HUB --> PCs

For example, in my home office, I use a PIX 501 for firewall protection.  I have an ethernet connection coming from my cable modem which plugs directly into the outside interface of my PIX (no "router" needed).  I use a simple default route in the PIX to pass traffic to the Internet.  The outside interface of the PIX is assigned a public address by my ISP's DHCP server.  The inside interface is on my 10.x.x.x network and acts as a DHCP server for my PCs.  This setup works very well for me.

Remember though, the PIX is not meant to be a router, so if you are doing some specialized routing, then your setup looks fine.  Otherwise, the router is unnecessary and actually poses a security concern (it's one more piece of equipment monitored for hack attempts).

Of course, this is all meaningless if the router is built into your ADSL modem.  <<SHRUG>>  

Good luck!


ASKER

..thanks for replies back so far!

Just to add further details as required:

mbruner: My Asus Router IS also the ADSL Modem, sorry I didn't mention that before!

What I would like to do is the same as your setup:
Use the Asus Router/Modem to pass the traffic directly to the PIX, but I can't work out how I can do that ?

If I set the Asus router/modem into Bridged mode, what IP address do I have to assign to:

The Asus Router/Modem...?
The Outside Interface of the PIX...?

Yours confusedly,
That's cool.  

If you set the Asus to bridged mode, then it shouldn't be assigned an address.  Instead, it will act like more of a hub (or bridge) than a router.  The outside interface of the PIX will be assigned an IP address through DHCP exactly like the Asus was when it was setup in routing mode.

If you can't get that to work, you could always put the PIX in like you originally stated.  Unfortunately, this means that your traffic will go through the NAT process within the PIX and within the router, which adds complexity and reduces throughput.
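The layout grayp1 proposes (Asus doing NAT on 10.0.0.0/24, PIX outside at 10.0.0.2, PIX doing NAT and DHCP for 10.10.10.0/24) and the alternative mbruner describes above (modem in bridged mode, PIX outside interface addressed by the ISP's DHCP server) differ in only two lines of PIX configuration. The following is an added example in PIX 6.x syntax, not a configuration posted by anyone in this thread; the interface-to-port assignment, the DNS placeholder and the `!` annotation lines are assumptions, and the annotations are not PIX commands.

```cisco
! Added example (PIX 6.x). Lines starting with "!" are annotations, not PIX commands.
! Assumed: ethernet0 faces the Asus, ethernet1 faces the hub.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
interface ethernet0 auto
interface ethernet1 auto

! --- Variant A: Asus stays in routing/NAT mode (grayp1's plan, double NAT) ---
ip address outside 10.0.0.2 255.255.255.0
route outside 0.0.0.0 0.0.0.0 10.0.0.1 1
! --- Variant B: Asus in bridged mode (mbruner's setup). Use this one line
! --- instead of the two above: the ISP's DHCP server addresses the outside
! --- interface and "setroute" installs the default route it hands out.
! ip address outside dhcp setroute

! Inside interface and outbound PAT: every 10.10.10.x host leaves the PIX
! wearing the outside interface address (10.0.0.2 in A, the public address in B).
ip address inside 10.10.10.1 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 interface

! DHCP for the three PCs. The DNS placeholder must be replaced with the
! ISP's resolver (or the Asus, if it proxies DNS).
dhcpd address 10.10.10.10-10.10.10.12 inside
dhcpd dns <ISP-DNS-SERVER>
dhcpd lease 3600
dhcpd enable inside

! Deliberately absent: no access-list or conduit on the outside interface,
! so nothing unsolicited from the outside is admitted; only replies to
! connections opened from the inside pass the stateful inspection.
```

Nothing in either variant depends on the public address, so the non-static ISP address is harmless: in A the PIX only ever sees 10.0.0.1, in B the DHCP lease and `setroute` follow whatever the ISP assigns. The ping theory in the question holds for pings sent from the PIX itself (the default route is all it needs); pings from the PCs through a 6.x PIX are a different matter, because 6.x does not track ICMP statefully and drops the echo replies unless an access-list on the outside interface permits `icmp any any echo-reply`. After a PC has browsed somewhere, `show xlate` lists the 10.10.10.x to outside-address translations and `show route` confirms which default route is in effect.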
mikecr
Okay, I have a question. Do you use NAT on the Asus to get everyone onto the internet, or, do you have some live IP addresses on the network that need to be available to the internet?

ASKER
I took a look at my Asus last night, and I can't use it as a "bridge" as such. :(

Mikecr: I do use NAT on the Asus so all the PCs can talk to the internet.  

I only have 1 live IP address, which the Asus takes, so that's why I figured I needed to use NAT on the Asus to the outside interface on the Pix and then the Pix does NAT/DHCP to the machines on the network.

Okay, I'm with you now. Now I have another question. Why do you need a firewall? If you have no live IPs on your network and you're NATting your whole internal network to the internet, it is EXTREMELY hard to hack anything if you don't have anything to hack. Any external forces attempting to get into your network are going to be stopped at the router anyhow. The only advantage that you may get out of having a firewall is limiting places that the internal users can go and what traffic you will allow outbound. Was this what you were anticipating?
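mikecr's point is that, with a single NATted address and no inbound services, what the PIX mainly buys is control over what leaves the network and a log of what was refused. An added example of that outbound policy in PIX 6.x syntax follows; it is not configuration posted by anyone in this thread. The inside network is the 10.10.10.0/24 from the question; the access-list name and the set of permitted services are assumptions, and the `!` lines are annotations rather than PIX commands.

```cisco
! Added example (PIX 6.x). Lines starting with "!" are annotations, not PIX commands.
! Assumed: inside network 10.10.10.0/24 from the question; access-list name
! inside_out chosen here.

! Allow only DNS, web and mail retrieval from the PCs.
access-list inside_out permit udp 10.10.10.0 255.255.255.0 any eq domain
access-list inside_out permit tcp 10.10.10.0 255.255.255.0 any eq www
access-list inside_out permit tcp 10.10.10.0 255.255.255.0 any eq 443
access-list inside_out permit tcp 10.10.10.0 255.255.255.0 any eq pop3
! Everything else from the inside is dropped. The explicit deny gives the
! blocked traffic its own hit counter in "show access-list".
access-list inside_out deny ip any any
! Binding the list to the inside interface replaces the default
! "anything outbound is allowed" behaviour with the list above.
access-group inside_out in interface inside

! Keep the denies so you can see what the PCs tried that the policy blocked.
logging on
logging timestamp
logging buffered warnings
```

`show access-list inside_out` shows per-line hit counts, and `show logging` shows the access-group deny messages (%PIX-4-106023) with source, destination and port, which is the quickest way to find out that a rule is too tight before anyone complains.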

ASKER

Well, my need for a firewall isn't /really/ required, for the reasons you mentioned.. The goal of the project is basically to teach myself a bit about how the PIX works; I figured that fitting it "somewhere" into my small network was the best way of learning it...
ASKER CERTIFIED SOLUTION
mbruner


ASKER

Thanks all, especially MBruner, for help and advice.

I'll attempt to put it all together over the next few weeks and no doubt will be throwing up a few more questions!

cheers!