A few clarifications

Hello Experts
Here is a brief introduction of my client's setup, and then I will ask you a few queries.

There are 50 workstations in the client's network.
They connect to the internet through the router over an ISDN WAN line.

The router's ISDN interface has no static address.
It negotiates with the ISP router to obtain an IP address.
The router blocks all kinds of traffic except SMTP through access-lists.

Now the client has bought a Cisco PIX 506E firewall for more security
and has asked me to configure it for him.

My queries are:

Does the client need to buy static IP addresses to be assigned to the outside
interfaces of the firewall and router?
If not, then what is the alternative?

Already WWW, telnet etc. are blocked through the router's access-lists;
what other security features can be enhanced with the firewall?


1 Solution
The PIX should connect to the LAN side of the router and the LAN goes on the inside of that. You don't need to change the router address. You can set up a small private network between the router and the PIX and move the LAN default gateway to the PIX.

The router is doing packet filtering. The PIX is a stateful firewall that will be a lot tighter. You should use both, as the router will screen out the obvious stuff and then the PIX will get the rest.
sirdesaiAuthor Commented:
Thanks for your prompt answer.

After reading your answer I made the following conclusions:

The PIX inside interface will connect to the LAN and the outside interface to the router's interface,
and the router as usual connects to the internet through its outside interface.

I would also like to ask whether the connection between the router and the PIX should be a direct connection
using a crossover cable or through the network using a straight cable.

If the LAN address is then I can form a private network between the PIX and router
using . I do not require a static IP address.

What does stateful firewall mean?


You've got it right.

Unless you have a need now to put something else on the same LAN as the PIX-router connection you might as well just use a x-over cable between them. You can always put a switch or hub in there later if you have a need for a mail relay or other equipment, an IDS probe, or whatever. Your proposed 192.168.100 subnet leaves more than enough room for future growth without having to make interface address changes.
Oh, stateful firewall means the firewall keeps all active sessions in memory, so it has a much better idea of what packets don't belong in your network. It doesn't just check that inbound packets match the rules for inbound packets like an access list does. It also watches the outbound packets and makes sure that return traffic for allowed outbound sessions is automatically allowed, even if you didn't specifically allow it.

This eliminates the need to open holes in your firewall for, say, tcp established. Anyone can forge a packet with the ack bit set and "permit tcp any any established" in a regular access list would allow it. A stateful firewall won't allow a tcp packet with the ack bit set unless it is part of a session that was ongoing. You don't make a rule to allow it, it allows them automatically as needed.

Does that make sense?
sirdesaiAuthor Commented:

Thanks for your answer, but I have still not got the benefits of a firewall, like how it makes a network more secure when I have a router which filters most of the traffic through its access-lists.

In short, I have not got the meaning of stateful firewall and its benefit.

OK. Here's a simple example:

You want to allow return traffic for your web surfers. So you put in the line "permit tcp any any established." So far, so good. You're allowing inbound tcp traffic, but only if the traffic belongs to a session initiated by one of your users.

How does the router determine if the traffic is "established?" It looks for a bit in the TCP header called the ACK bit, which when set to 1 means that the packet is part of an existing session. So basically you are letting in any TCP packet that has the ACK bit set to 1. If I as a Bad Guy want to cause a denial of service inside your network, all I have to do is flood one of your inside servers with a bunch of packets with the ACK bit set and your router will allow them all through. This is because it essentially looks at each packet individually and makes a decision based on the rules you set.

A stateful firewall looks deeper. It keeps track of every current "conversation" your users are having with the outside world and examines inbound packets to see if they actually belong to these conversations. A stateful firewall would look at those packets with the ACK bit set. It would say (in firewallese) "Hmmm, these packets do not relate to any existing outbound sessions I know about. ACK or no ACK, I'm not letting them in because they obviously don't belong here."

Does that help?
sirdesaiAuthor Commented:
Hi mikebernhardt
I would like to know how the firewall knows whether an inbound packet belongs to any of the current

I will be grateful also if you tell me how the three-way handshake is helpful during conversations.

I know I am going out of track.

Thanks and regards

1. They all do it a little differently, but they just keep track of what is going out and see if what is going in relates to what has gone out. They may look at sockets (IP address + TCP or UDP port) or they may look at TCP sequence numbers.

2. Here's a link that explains the 3-way handshake

This is a lot of help for 50 points!
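To make the difference between a router's "permit tcp any any established" line and a stateful connection table concrete, here is an added toy simulation (not code from this thread or from Cisco). It tracks outbound sessions by socket pair, as the answer above describes, and feeds both checks the same legitimate reply and the same forged ACK packet; all addresses and ports are constructed.

```python
# Added example: stateless "established" ACL vs. a stateful session table.
# Addresses, ports and packets below are constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


def acl_established_allows(pkt: Packet) -> bool:
    """Router-style check: 'established' only means the ACK bit is set."""
    return pkt.ack


class StatefulFirewall:
    """Remembers sessions that inside hosts opened, keyed by socket pair."""

    def __init__(self, inside_prefix: str):
        self.inside_prefix = inside_prefix  # e.g. "192.168.1." (assumed LAN)
        self.sessions = set()

    def outbound(self, pkt: Packet) -> bool:
        # A SYN from an inside host creates a session entry.
        if pkt.src.startswith(self.inside_prefix) and pkt.syn and not pkt.ack:
            self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        return (pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.sessions

    def inbound(self, pkt: Packet) -> bool:
        # Return traffic is allowed only if it matches an inside-initiated session.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions


def demo() -> dict:
    fw = StatefulFirewall("192.168.1.")
    fw.outbound(Packet("192.168.1.10", 40000, "203.0.113.5", 80, syn=True))
    reply = Packet("203.0.113.5", 80, "192.168.1.10", 40000, syn=True, ack=True)
    forged = Packet("198.51.100.7", 12345, "192.168.1.20", 25, ack=True)
    return {
        "acl_reply": acl_established_allows(reply),    # True
        "acl_forged": acl_established_allows(forged),  # True: ACK set, so passes
        "fw_reply": fw.inbound(reply),                 # True: matches a session
        "fw_forged": fw.inbound(forged),               # False: no session known
    }
```

The forged packet shows the point of the thread: the ACL admits any packet carrying an ACK, while the session table drops it because no inside host ever opened that conversation.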
sirdesaiAuthor Commented:
Hi mikebernhardt

First of all, I will be increasing the points for this question.

As I told you, I have a network with a router and a firewall.
The router is the final device in my network.

The firewall inside interface address is

The firewall outside interface address is connected to the router inside interface

This is how I have configured my firewall:

nameif ethernet0 outside security0
nameif ethernet1 inside security100
interface ethernet0 100full
interface ethernet1 100full
ip address inside
ip address outside
nat (inside) 0 0 0
route outside 0 0 1

write memory

Then in the router I did this:

int ethernet 0
ip address

router rip

write memory

Please tell me whether this will be alright.

Please mail me.

I am also increasing the points.


sirdesaiAuthor Commented:
Also I have added

access-list acl_in permit ip any any

access-group acl_in in interface inside

access-group acl_in in interface outside
Somehow I missed your earlier comments. Thanks for accepting my answer, but I want to make a minor suggestion:

It's a good idea to not use dynamic routing in a firewall area. You shouldn't run RIP on your outside router at all. Just have a static route to your inside network:

and on the PIX, have the static default route

I assume that you already have a static route to your ISP on the router, that would of course stay there.

The problem is that someone might be able to send false RIP routes into your router and then you're hosed.