

few clarifications

Posted on 2004-04-29
Medium Priority
Last Modified: 2010-04-17

Hello Experts,
Here is a brief introduction of my client's setup, and then I will ask you a few queries.

There are 50 workstations in the client's network.
They connect to the internet through the router over an ISDN WAN line.

The router's ISDN interface has no static address.
It negotiates with the ISP router to obtain an IP address.
The router blocks all kinds of traffic except SMTP through access-lists.

Now the client has bought a Cisco PIX 506E firewall for more security
and has asked me to configure it for him.

My queries are:

Does the client need to buy static IP addresses to be assigned to the outside
interfaces of the firewall and router?
If not, then what is the alternative?

WWW, telnet etc. are already blocked through the router's access-lists.
What other security features can be enhanced with the firewall?


Question by:sirdesai
LVL 28

Accepted Solution

mikebernhardt earned 400 total points
ID: 10951731
The PIX should connect to the LAN side of the router and the LAN goes on the inside of that. You don't need to change the router address. You can set up a small private network between the router and the PIX and move the LAN default gateway to the PIX.

The router is doing packet filtering. The PIX is a stateful firewall that will be a lot tighter. You should use both, as the router will screen out the obvious stuff and the PIX will get the rest.

Author Comment

ID: 10956863
Thanks for your prompt answer.

After reading your answer I made the following conclusions:

The PIX inside interface will connect to the LAN and the outside interface to the router's interface,
and the router as usual connects to the internet through its outside interface.

I would also like to ask whether the connection between the router and the PIX should be a direct connection
using a crossover cable or through the network using a straight cable.

If the LAN address is then I can form a private network between the PIX and router
using . I do not require a static IP address.

What does stateful firewall mean?


LVL 28

Expert Comment

ID: 10961452
You've got it right.

Unless you have a need now to put something else on the same LAN as the PIX-router connection, you might as well just use a crossover cable between them. You can always put a switch or hub in there later if you have a need for a mail relay or other equipment, an IDS probe, or whatever. Your proposed 192.168.100 subnet leaves more than enough room for future growth without having to make interface address changes.

LVL 28

Expert Comment

ID: 10961548
Oh, stateful firewall means the firewall keeps all active sessions in memory, so it has a much better idea of what packets don't belong in your network. It doesn't just check that inbound packets match the rules for inbound packets like an access list does. It also watches the outbound packets and makes sure that return traffic for allowed outbound sessions is automatically allowed, even if you didn't specifically allow it.

This eliminates the need to open holes in your firewall for, say, tcp established. Anyone can forge a packet with the ack bit set and "permit tcp any any established" in a regular access list would allow it. A stateful firewall won't allow a tcp packet with the ack bit set unless it is part of a session that was ongoing. You don't make a rule to allow it, it allows them automatically as needed.

Does that make sense?

Author Comment

ID: 10972349

Thanks for your answer, but I still have not got the benefits of a firewall... like how it makes a network more secure when I have a router which filters most of the traffic through its access-lists.

In short, I have not got the meaning of stateful firewall and its benefit.

LVL 28

Expert Comment

ID: 10979629
OK. Here's a simple example:

You want to allow return traffic for your web surfers. So you put in the line "permit tcp any any established." So far, so good. You're allowing inbound tcp traffic, but only if the traffic belongs to a session initiated by one of your users.

How does the router determine if the traffic is "established?" It looks for a bit in the TCP header called the ACK bit, which when set to 1 means that the packet is part of an existing session. So basically you are letting in any TCP packet that has the ACK bit set to 1. If I as a Bad Guy want to cause a denial of service inside your network, all I have to do is flood one of your inside servers with a bunch of packets with the ACK bit set and your router will allow them all through. This is because it essentially looks at each packet individually and makes a decision based on the rules you set.

A stateful firewall looks deeper. It keeps track of every current "conversation" your users are having with the outside world and examines inbound packets to see if they actually belong to these conversations. A stateful firewall would look at those packets with the ACK bit set. It would say (in firewallese) "Hmmm, these packets do not relate to any existing outbound sessions I know about. ACK or no ACK, I'm not letting them in because they obviously don't belong here."

Does that help?

Author Comment

ID: 10985212
Hi mikebernhardt,
I would like to know how the firewall knows whether an inbound packet belongs to any of the current

I will be grateful also if you tell me how the three-way handshake is helpful during conversations.

I know I am going off track.

Thanks and regards

LVL 28

Expert Comment

ID: 10988141
1. They all do it a little differently, but they just keep track of what is going out and see if what is going in relates to what has gone out. They may look at sockets (IP address + TCP or UDP port) or they may look at TCP sequence numbers.

2. Here's a link that explains the 3-way handshake

This is a lot of help for 50 points!

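The two comments above describe the difference in words: an access-list line such as "permit tcp any any established" judges every inbound packet on its own by looking at the ACK bit, while a stateful firewall keeps a table of outbound sessions (keyed by socket pair, and following the three-way handshake) and only admits inbound packets that belong to one. The following Python program is an added example written for this page; it is not code from the thread, from Cisco IOS or from the PIX. It simulates both filters over a constructed packet trace containing one legitimate web session plus a forged ACK flood of the kind mikebernhardt describes. The addresses (192.168.1.0/24 LAN, 203.0.113.5 web server, 198.51.100.7 attacker) are illustrative, and the tracker is deliberately simplified: it checks socket pairs and handshake state only, with no sequence-number checking, FIN tracking or idle timeouts.

```python
"""Stateless 'established' ACL versus a stateful TCP session tracker.

Added example for this thread, not real IOS or PIX code. Addresses and
the packet trace are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Packet:
    """One TCP packet as seen on the router's outside interface."""
    direction: str          # "out" = LAN -> internet, "in" = internet -> LAN
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str]   # subset of {"SYN", "ACK", "FIN", "RST"}


def F(*names: str) -> FrozenSet[str]:
    return frozenset(names)


def stateless_established_acl(pkt: Packet) -> bool:
    """Router ACL 'permit tcp any any established'.

    IOS treats a TCP packet as 'established' when its ACK or RST bit is set.
    Each packet is judged on its own; nothing is remembered between packets.
    """
    if pkt.direction == "out":
        return True
    return "ACK" in pkt.flags or "RST" in pkt.flags


class StatefulFirewall:
    """Admits inbound TCP only when it matches a session opened from inside.

    Sessions are keyed by the socket pair (inside IP, inside port, outside
    IP, outside port) and walk through SYN_SENT -> SYN_RECEIVED -> ESTABLISHED
    as the three-way handshake is observed. Simplified: no sequence-number
    checks, no FIN tracking, no timeouts.
    """

    def __init__(self) -> None:
        self.sessions: Dict[Tuple[str, int, str, int], str] = {}

    @staticmethod
    def key(pkt: Packet) -> Tuple[str, int, str, int]:
        # Normalise so both directions of one conversation share a key.
        if pkt.direction == "out":
            return (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def filter(self, pkt: Packet) -> bool:
        k = self.key(pkt)
        state = self.sessions.get(k)
        if "RST" in pkt.flags:
            # A reset is honoured only for a known session, and tears it down.
            if state is None:
                return False
            del self.sessions[k]
            return True
        if pkt.direction == "out":
            if state is None:
                if pkt.flags == F("SYN"):            # new outbound connection
                    self.sessions[k] = "SYN_SENT"
                    return True
                return False                          # stray outbound packet
            if state == "SYN_RECEIVED" and "ACK" in pkt.flags:
                self.sessions[k] = "ESTABLISHED"     # client's final ACK seen
            return True
        # Inbound: no table entry means no session, ACK bit or not.
        if state is None:
            return False
        if state == "SYN_SENT":
            if pkt.flags == F("SYN", "ACK"):         # server's second step
                self.sessions[k] = "SYN_RECEIVED"
                return True
            return False
        return "ACK" in pkt.flags                     # data in an open session


CLIENT, SERVER, ATTACKER = "192.168.1.10", "203.0.113.5", "198.51.100.7"

# Constructed trace: one web session, then forged ACKs aimed at LAN hosts.
TRACE: List[Packet] = [
    Packet("out", CLIENT, 40000, SERVER, 80, F("SYN")),          # 1 client SYN
    Packet("in", SERVER, 80, CLIENT, 40000, F("SYN", "ACK")),    # 2 server SYN-ACK
    Packet("out", CLIENT, 40000, SERVER, 80, F("ACK")),          # 3 client ACK
    Packet("in", SERVER, 80, CLIENT, 40000, F("ACK")),           # 4 HTTP response
    Packet("in", ATTACKER, 80, "192.168.1.20", 445, F("ACK")),   # 5 forged ACK
    Packet("in", ATTACKER, 80, "192.168.1.20", 445, F("ACK")),   # 6 forged ACK
    Packet("in", ATTACKER, 53, "192.168.1.30", 3389, F("ACK")),  # 7 forged ACK
    Packet("in", ATTACKER, 80, "192.168.1.20", 445, F("SYN")),   # 8 bare SYN
]


def run(trace: List[Packet]) -> List[Tuple[bool, bool]]:
    """Return (acl_verdict, stateful_verdict) for every packet in order."""
    fw = StatefulFirewall()
    return [(stateless_established_acl(p), fw.filter(p)) for p in trace]


def summarize(trace: List[Packet]) -> Dict[str, int]:
    verdicts = run(trace)
    forged = [i for i, p in enumerate(trace) if p.src == ATTACKER and "ACK" in p.flags]
    return {
        "acl_permitted": sum(a for a, _ in verdicts),
        "stateful_permitted": sum(s for _, s in verdicts),
        "forged_acks_passed_by_acl": sum(verdicts[i][0] for i in forged),
        "forged_acks_passed_by_stateful": sum(verdicts[i][1] for i in forged),
    }


if __name__ == "__main__":
    for n, (p, (acl, fw)) in enumerate(zip(TRACE, run(TRACE)), 1):
        print(f"{n}: {p.direction:3} {p.src}:{p.sport} -> {p.dst}:{p.dport} "
              f"{sorted(p.flags)} acl={'permit' if acl else 'deny'} "
              f"stateful={'permit' if fw else 'deny'}")
    print(summarize(TRACE))
```

Running it shows the point of the thread: the ACL lets the three forged ACK packets through because each carries the ACK bit, while the session tracker drops them because no inside host ever opened a connection to those socket pairs. Both filters drop the bare inbound SYN, and both admit the four packets of the genuine web session.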
Author Comment

ID: 11115664
Hi mikebernhardt,

First of all I will be increasing the points for this question.

As I told you, I have a network with a router and a firewall.
The router is the final device in my network.

The firewall inside interface address is

The firewall outside interface address is , connected to the router inside interface.

This is how I have configured my firewall:

nameif ethernet0 outside security0
nameif ethernet1 inside security100
interface ethernet0 100full
interface ethernet1 100full
ip address inside
ip address outside
nat (inside) 0 0 0
route outside 0 0 1

write memory

Then in the router I did this:

int ethernet 0
ip address

router rip

write memory

Please tell me whether this will be alright.

Please mail me.

I am also increasing the points.



Author Comment

ID: 11115679
Also I have added:

access-list acl_in permit ip any any

access-group acl_in in interface inside

access-group acl_in in interface outside

LVL 28

Expert Comment

ID: 11163211
Somehow I missed your earlier comments. Thanks for accepting my answer, but I want to make a minor suggestion:

It's a good idea not to use dynamic routing in a firewall area. You shouldn't run RIP on your outside router at all. Just have a static route to your inside network:

and on the PIX, have the static default route

I assume that you already have a static route to your ISP on the router; that would of course stay there.

The problem is that someone might be able to send false RIP routes into your router, and then you're hosed.
