Solved

PIX 515, Radware, PIX 501 and VPN - UPDATED

Posted on 2004-08-25
239 Views
Last Modified: 2013-11-16
Hello All,

I am looking for a sample config of something close to what is described below.

Here is my updated environment:

We have 2 T1's going into 2 1760 routers. We then connect these two routers to a Radware Linkproof device that aggregates both T's into one connection. This is for bandwidth management and load balancing. We want to then take a PIX 515 in put it on the other side of the Radware device.

We will use the PIX 515 for a DMZ as well.

The question I have pertains to the Radware device needing to do the NAT instead of the PIX.

Is this a problem?
Can I configure the PIX to allow for this?


The other part of this scenario is this:
We also have a DSL line coming in that management wants to use only for users to surf the web. We have a PIX 501 for this.

Are there any issues with this also?
Question by:cepolly
15 Comments
 
LVL 36

Expert Comment

by:grblades
ID: 11910902
Hi cepolly,
> The question I have pertains to the Radware device needing to do the
> NAT instead of the PIX.

> Is this a problem?
> Can I configure the PIX to allow for this?
I can't foresee any problem with this. The PIX would just be configured without NAT and would probably have a private IP address on its outside interface. This won't cause any problems.

> We also have a DSL line coming in that management wants to use only for users to surf the web. We have a PIX 501 for this.
> Are there any issues with this also?
No problems with this. See my website for a configuration example:
http://www.gbnetwork.co.uk/networking/ciscopixhomedsl.html
0
 
LVL 1

Author Comment

by:cepolly
ID: 11927565
I'm not sure where this relates to the 2nd pix.
I followed your link and that works well for just the 501 alone.
I spoke to cisco and they said that having 2 PIXs on the same network doing what we want to do would cause issues.

I have already set up the PIX 515 and the RADware device and it is working well.
We are able to do everything we need to: email, web, internet and others.

Now I am trying to set up a 2nd PIX, a 501, to allow users onto the internet.
No incoming rules need be applied as all traffic inbound is coming in through the 515.

I was thinking of setting up the following:

dsl modem - outside interface: pppoe; inside interface: Bridge Mode
      |
      |
PIX 501 - outside interface: PPPoE; inside interface: 10.0.2.1
      |
      |
LinkSys DSL Router outside interface: 10.0.2.2; inside interface: 192.168.1.20
      |
      |
Internal Network - 192.168.1.0/25

Is this correct?
Is there anything I need to do on the Linksys to allow this to work?
0
 
LVL 36

Expert Comment

by:grblades
ID: 11927606
You don't need the Linksys in there at all.

How are you going to set up the machines to split the traffic between the T1 lines and the DSL?
You could have a proxy server and configure that machine to have the PIX501 as the default gateway.

What are the T1 lines being used for?
0
 
LVL 1

Author Comment

by:cepolly
ID: 11927642
I don't have a proxy to set up.

As far as the T1's, this was a management decision to use them only for incoming web, mail, BlackBerry and a couple of other external apps, and for the servers to communicate out as well.

I wanted to use the DSL as a backup in case the T's, router or ISP went down.

0
 
LVL 36

Expert Comment

by:grblades
ID: 11929291
In that case it sounds like you can just set the default gateway on all the servers to be the PIX515 and have all the desktop machine use the PIX501 as the default gateway.
0
 
LVL 1

Author Comment

by:cepolly
ID: 11930104
That's what I was thinking as well, but then I spoke with Cisco and they came up with the problem that with this config, routing would be hosed. I am not sure how this would happen though.
0
 
LVL 36

Expert Comment

by:grblades
ID: 11933241
I can't see it being a problem as long as you don't have a machine which has to talk over the T1 and DSL lines.
0
 
LVL 1

Author Comment

by:cepolly
ID: 12496675
Update.

I installed it with the Linksys and it is working.

Thanks for the help.

0
 
LVL 36

Expert Comment

by:grblades
ID: 12497688
Glad it's working. If you are happy please accept one of the answers so the question can be closed.
0
 
LVL 36

Expert Comment

by:grblades
ID: 12498779
I thought I had answered all the author's questions.

cepolly - Why did you go with the Linksys instead of the PIX?
0
 
LVL 1

Author Comment

by:cepolly
ID: 12499065
grblades, thanks for the help, but the recommendation to use the 501 for PCs, without the Linksys, and the 515 for servers didn't work.

I also spoke to Cisco and they said that this config would cause a 3rd leg scenario in that the return traffic would not know where to go.

I ended up using both the 501 and the Linksys like this:

dsl modem - outside interface: pppoe; inside interface: Bridge Mode
      |
      |
PIX 501 - outside interface: PPPoE; inside interface: 10.0.2.1
      |
      |
LinkSys DSL Router outside interface: 10.0.2.2; inside interface: 192.168.1.20
      |
      |
Internal Network - 192.168.1.0/25

This setup worked. I point all PCs to the Linksys.

Let me know if I'm mistaken and I'll award the points based on consensus.

Thanks,
cepolly

0
 
LVL 36

Accepted Solution

by:
grblades earned 1500 total points
ID: 12499145
The PIX won't route traffic back out the same interface or issue ICMP Redirect packets, so adding the Linksys would mean that you could define the Linksys as the single default gateway for some machines and all traffic would go out of it.
On the Linksys you could define a static route to some networks via the Radware box, and any traffic for these the Linksys would redirect to the Radware (which the PIX would not do).

This is the only advantage that I can think of with adding the Linksys.

Return traffic won't be a problem since both Internet connections are using NAT, so the reply will come straight back to the device performing the NAT and it will translate it and put the packet on the internal network.
0
 
LVL 1

Author Comment

by:cepolly
ID: 12499226
"Return traffic won't be a problem since both Internet connections are using NAT, so the reply will come straight back to the device performing the NAT and it will translate it and put the packet on the internal network."

You may have a point here. My initial setup did not use NAT through the Radware device. This caused some other issues so I changed it to NAT through that Radware device.

I am wondering whether or not this may have caused traffic to cease when I added both PIXs.

From what I understand then, if we removed the Radware completely from the picture, both PIXs should work and pass traffic.

Is this correct?
0
 
LVL 36

Expert Comment

by:grblades
ID: 12502168
Yes, it should work as long as the configuration is changed correctly.
The Linksys should be the default gateway and have static routes applied to point to the PIX as the gateway for all IPs that should go via it.
0
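The routing point grblades makes in the accepted solution, and restates in the closing comment, is worth seeing run: a PIX will not forward a packet back out the interface it arrived on, so a PC whose default gateway is a PIX 501 on the LAN can never be steered toward the Radware/PIX 515 side, while a Linksys holding the same static route will happily turn the packet around. The script below is an added example written for this page, not configuration or code from the thread, Cisco, Radware or Linksys. It is a toy forwarding model: the router names and interface addresses follow cepolly's diagram, while the sample PC (192.168.1.50), the web destination (203.0.113.10) and the "T1-only" network 10.10.0.0/16 that must leave via the Radware are constructed assumptions.

```python
"""Toy forwarding model for the two-gateway design discussed in this thread.

Added example, not configuration from the thread, Cisco, Radware or Linksys.
It encodes the behaviour grblades describes: the PIX will not send a packet
back out the interface it arrived on, the Linksys will, so only the Linksys
can be a single default gateway that still steers some destinations to the
Radware/PIX 515 side. The sample PC, the web destination and the "T1-only"
network 10.10.0.0/16 are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Router:
    name: str
    interfaces: dict                 # iface -> "addr/prefix"
    routes: list = field(default_factory=list)  # (prefix, next_hop) static routes
    default: str = None              # next hop, or an uplink label ("dsl", "t1")
    hairpin: bool = True             # False = PIX: never exit via the entry interface

    def iface_of(self, addr):
        """Interface whose subnet contains addr; None for uplink labels."""
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            return None
        for name, cidr in self.interfaces.items():
            if ip in ipaddress.ip_network(cidr, strict=False):
                return name
        return None

    def next_hop(self, dst):
        """Longest-prefix match over static routes, else the default."""
        best = None
        for prefix, nh in self.routes:
            net = ipaddress.ip_network(prefix)
            if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, nh)
        return best[1] if best else self.default


def forward(routers, first_hop, src, dst, max_hops=8):
    """Walk a packet from src toward dst starting at the router that owns first_hop.
    Returns (uplink_used, trace); uplink_used is None when the packet is dropped."""
    by_addr = {cidr.split("/")[0]: r for r in routers for cidr in r.interfaces.values()}
    trace, hop = [], first_hop
    for _ in range(max_hops):
        r = by_addr.get(hop)
        if r is None:
            return None, trace + [f"no device owns {hop}"]
        in_if = r.iface_of(src)          # side the packet arrived on
        nh = r.next_hop(dst)
        if nh is None:
            return None, trace + [f"{r.name}: no route to {dst}"]
        out_if = r.iface_of(nh)
        if out_if is None:               # next hop is an uplink, packet leaves the LAN
            return nh, trace + [f"{r.name}: {dst} -> uplink {nh}"]
        if out_if == in_if and not r.hairpin:
            return None, trace + [f"{r.name}: refuses to send {dst} back out '{in_if}'"]
        trace.append(f"{r.name}: {dst} via {nh} out '{out_if}'")
        hop, src = nh, r.interfaces[out_if].split("/")[0]
    return None, trace + ["hop limit reached"]


def rejected_design():
    """PCs pointed straight at a PIX 501 on the LAN, the layout Cisco warned about."""
    pix501 = Router("PIX501", {"inside": "192.168.1.10/24"},
                    routes=[("10.10.0.0/16", "192.168.1.1")], default="dsl", hairpin=False)
    pix515 = Router("PIX515/Radware", {"inside": "192.168.1.1/24"}, default="t1", hairpin=False)
    return [pix501, pix515], "192.168.1.10"


def linksys_design():
    """cepolly's working layout: Linksys in front of the PIX 501, static route to the 515."""
    linksys = Router("Linksys", {"inside": "192.168.1.20/24", "outside": "10.0.2.2/24"},
                     routes=[("10.10.0.0/16", "192.168.1.1")], default="10.0.2.1", hairpin=True)
    pix501 = Router("PIX501", {"inside": "10.0.2.1/24"}, default="dsl", hairpin=False)
    pix515 = Router("PIX515/Radware", {"inside": "192.168.1.1/24"}, default="t1", hairpin=False)
    return [linksys, pix501, pix515], "192.168.1.20"


if __name__ == "__main__":
    pc = "192.168.1.50"
    for label, build in (("rejected", rejected_design), ("linksys", linksys_design)):
        routers, gw = build()
        for dst in ("203.0.113.10", "10.10.0.5"):   # web site vs. T1-only network
            uplink, trace = forward(routers, gw, pc, dst)
            print(f"[{label}] {dst}: {'uplink ' + uplink if uplink else 'DROPPED'}")
            for line in trace:
                print("   ", line)
```

Running it shows web traffic leaving via the DSL in both layouts, but the T1-only destination is dropped at the PIX 501 in the rejected layout (same-interface exit refused) and reaches the `t1` uplink through the Linksys in the working one. The model deliberately ignores NAT; as the accepted answer notes, replies come back to whichever device translated the outbound packet, so the return path does not depend on the PC's gateway choice.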