
PIX 515, Radware, PIX 501 and VPN - UPDATED

Hello All,

I am looking for a sample config of something close to what is described below.

Here is my updated environment:

We have 2 T1's going into 2 1760 routers. We then connect these two routers to a Radware Linkproof device that aggregates both T's into one connection. This is for bandwidth management and load balancing. We want to then take a PIX 515 and put it on the other side of the Radware device.

We will use the PIX 515 for a DMZ as well.

The question I have pertains to the Radware device needing to do the NAT instead of the PIX.

Is this a problem?
Can I configure the PIX to allow for this?


The other part of this scenario is this:
We also have a DSL line coming in that management wants to use only for users to surf the web. We have a PIX 501 for this.

Are there any issues with this also?
1 Solution
 
grbladesCommented:
Hi cepolly,
> The question I have pertains to the Radware device needing to do the
> NAT instead of the PIX.

> Is this a problem?
> Can I configure the PIX to allow for this?
I can't foresee any problem with this. The PIX would just be configured without NAT and would probably have a private IP address on its outside interface. This won't cause any problems.

> We also have a DSL line coming in that management wants to use only for users to surf the web. We have a PIX 501 for this.
> Are there any issues with this also?
No problems with this. See my website for a configuration example:-
http://www.gbnetwork.co.uk/networking/ciscopixhomedsl.html
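A worked PIX 515 configuration for the arrangement grblades describes (firewall without NAT, private address on the outside, Radware doing the translation), added here as an illustration and not a config posted in the thread or supplied by Cisco or Radware. It uses PIX OS 6.x syntax. The 192.168.1.0/25 LAN comes from the thread; the 10.0.1.0/24 link to the Radware, the 172.16.1.0/24 DMZ and the two server addresses are assumed placeholders.

```cisco
! Added example, not from the thread. PIX 515, PIX OS 6.x syntax.
! NAT is done upstream by the Radware LinkProof, so the PIX only filters and routes.
! Assumed addresses: 10.0.1.0/24 (PIX to Radware), 172.16.1.0/24 (DMZ),
! 192.168.1.10 (mail server), 172.16.1.10 (DMZ web server).
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50

! Private address on the outside: the Radware sits between this PIX and the 1760s
ip address outside 10.0.1.2 255.255.255.0
ip address inside 192.168.1.1 255.255.255.128
ip address dmz 172.16.1.1 255.255.255.0

! No translation on the PIX: exempt the inside and DMZ ranges from NAT.
! "nat 0 access-list" is bidirectional, so inbound sessions to these hosts
! also need no static entries.
access-list NONAT permit ip 192.168.1.0 255.255.255.128 any
access-list NONAT-DMZ permit ip 172.16.1.0 255.255.255.0 any
nat (inside) 0 access-list NONAT
nat (dmz) 0 access-list NONAT-DMZ

! Inbound: the Radware has already mapped the public address to the real host,
! so the outside ACL is written against the internal addresses, not public ones.
! Only the services the T1s are meant to carry are opened.
access-list OUTSIDE_IN permit tcp any host 192.168.1.10 eq smtp
access-list OUTSIDE_IN permit tcp any host 172.16.1.10 eq www
access-group OUTSIDE_IN in interface outside

! Default route points at the Radware's inside address (assumed 10.0.1.1)
route outside 0.0.0.0 0.0.0.0 10.0.1.1 1
```

Two things to check once it is in place. The Radware needs static routes for 192.168.1.0/25 and 172.16.1.0/24 pointing at the PIX outside address (10.0.1.2 here), and its NAT rules must map the public addresses onto those real internal addresses; otherwise inbound sessions reach the PIX with a destination it cannot route. On the PIX, `show conn` should show sessions with the real internal addresses on both sides, which confirms the firewall is not translating anything.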
 
cepollyAuthor Commented:
I'm not sure where this relates to the 2nd PIX.
I followed your link and that works well for just the 501 alone.
I spoke to Cisco and they said that having 2 PIXs on the same network doing what we want to do would cause issues.

I have already set up the PIX 515 and the Radware device and it is working well.
We are able to do everything we need to: email, web, internet and others.

Now I am trying to set up a 2nd PIX, a 501, to allow users onto the internet.
No incoming rules need be applied as all traffic inbound is coming in through the 515.

I was thinking of setting up the following:

dsl modem - outside interface: pppoe; inside interface: Bridge Mode
      |
      |
PIX 501 - outside interface: PPPoE; inside interface: 10.0.2.1
      |
      |
LinkSys DSL Router outside interface: 10.0.2.2; inside interface: 192.168.1.20
      |
      |
Internal Network - 192.168.1.0/25

Is this correct?
Is there anything I need to do on the Linksys to allow this to work?
 
grbladesCommented:
You don't need the Linksys in there at all.

How are you going to set up the machines to split the traffic between the T1 lines and the DSL?
You could have a proxy server and configure that machine to have the PIX501 as the default gateway.

What are the T1 lines being used for?
cepollyAuthor Commented:
I don't have a proxy to set up.

As far as the T1's, this was a management decision to use them only for incoming web, mail, BlackBerry and a couple of other external apps, and for the servers to communicate out as well.

I wanted to use the DSL as a backup in case the T's, router or ISP went down.

 
grbladesCommented:
In that case it sounds like you can just set the default gateway on all the servers to be the PIX 515 and have all the desktop machines use the PIX 501 as the default gateway.
 
cepollyAuthor Commented:
That's what I was thinking as well, but then I spoke with Cisco and they came up with the problem that with this config, routing would be hosed. I am not sure how this would happen though.
 
grbladesCommented:
I can't see it being a problem as long as you don't have a machine which has to talk over the T1 and DSL lines.
 
cepollyAuthor Commented:
Update.

I installed it with the Linksys and it is working.

Thanks for the help.
 
grbladesCommented:
Glad it's working. If you are happy please accept one of the answers so the question can be closed.
 
grbladesCommented:
I thought I had answered all the authors questions.

cepolly - Why did you go with the Linksys instead of the PIX?
 
cepollyAuthor Commented:
grblades, thanks for the help, but the recommendation to use the 501 for PCs, without the Linksys, and the 515 for servers didn't work.

I also spoke to Cisco and they said that this config would cause a 3rd-leg scenario in that the return traffic would not know where to go.

I ended up using both the 501 and the Linksys like this:

dsl modem - outside interface: pppoe; inside interface: Bridge Mode
      |
      |
PIX 501 - outside interface: PPPoE; inside interface: 10.0.2.1
      |
      |
LinkSys DSL Router outside interface: 10.0.2.2; inside interface: 192.168.1.20
      |
      |
Internal Network - 192.168.1.0/25

This setup worked. I point all PCs to the Linksys.

Let me know if I'm mistaken and I'll award the points based on consensus.

Thanks,
cepolly
 
grbladesCommented:
The PIX won't route traffic back out the same interface or issue ICMP Redirect packets, so adding the Linksys means that you can define the Linksys as the single default gateway for some machines and all their traffic will go out of it.
On the Linksys you can define static routes to some networks via the Radware box, and any traffic for these the Linksys will redirect to the Radware (which the PIX would not do).

This is the only advantage that I can think of with adding the Linksys.

Return traffic won't be a problem since both Internet connections are using NAT, so the reply will come straight back to the device performing the NAT and it will translate it and put the packet on the internal network.
 
cepollyAuthor Commented:
"Return traffic won't be a problem since both Internet connections are using NAT, so the reply will come straight back to the device performing the NAT and it will translate it and put the packet on the internal network."

You may have a point here. My initial setup did not use NAT through the Radware device. This caused some other issues so I changed it to NAT through that Radware device.

I am wondering whether or not this may have caused traffic to cease when I added both PIXs.

From what I understand then, if we removed the Radware completely from the picture, both PIXs should work and pass traffic.

Is this correct?
 
grbladesCommented:
Yes, it should work as long as the configuration is changed correctly.
The Linksys should be the default gateway and have static routes applied to point to the PIX as the gateway for all IPs that should go via it.
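The PIX 501 side of the final design (PPPoE on the DSL line, Linksys at 10.0.2.2 as the desktops' gateway, nothing published inbound), written out as an added example rather than a config posted in the thread. It uses PIX OS 6.2 syntax, the release that introduced PPPoE on the PIX. The addresses match cepolly's diagram; the PPPoE username and password and the list of permitted outbound ports are placeholders.

```cisco
! Added example, not from the thread. PIX 501 on the DSL line, PIX OS 6.2 syntax.
! Addresses from the diagram in the thread: inside 10.0.2.1, Linksys WAN 10.0.2.2,
! desktops on 192.168.1.0/25 behind the Linksys.
! Placeholders: the PPPoE credentials and the outbound port list.
nameif ethernet0 outside security0
nameif ethernet1 inside security100

! PPPoE on the outside. "setroute" installs the default route learned from PPP,
! so no "route outside 0 0" line is needed.
vpdn group DSL request dialout pppoe
vpdn group DSL localname dsl-user@isp.example
vpdn group DSL ppp authentication pap
vpdn username dsl-user@isp.example password CHANGE-ME
ip address outside pppoe setroute
ip address inside 10.0.2.1 255.255.255.0

! Hide outbound traffic behind the PPPoE address. If the Linksys translates
! (the usual consumer default) the PIX only ever sees 10.0.2.2; the 192.168.1.0/25
! entries and the inside route cover the case where NAT on the Linksys is off.
nat (inside) 1 10.0.2.0 255.255.255.0 0 0
nat (inside) 1 192.168.1.0 255.255.255.128 0 0
global (outside) 1 interface
route inside 192.168.1.0 255.255.255.128 10.0.2.2 1

! Nothing is published through the DSL line (inbound arrives via the 515), so the
! outside interface keeps its default deny. Restrict outbound to web browsing, which
! is what management asked this line to carry.
access-list INSIDE_OUT permit tcp 10.0.2.0 255.255.255.0 any eq www
access-list INSIDE_OUT permit tcp 10.0.2.0 255.255.255.0 any eq 443
access-list INSIDE_OUT permit udp 10.0.2.0 255.255.255.0 any eq domain
access-list INSIDE_OUT permit tcp 192.168.1.0 255.255.255.128 any eq www
access-list INSIDE_OUT permit tcp 192.168.1.0 255.255.255.128 any eq 443
access-list INSIDE_OUT permit udp 192.168.1.0 255.255.255.128 any eq domain
access-group INSIDE_OUT in interface inside
```

The routing that makes the two-firewall layout work lives on the Linksys, not the PIX: desktops use 192.168.1.20 as their only gateway, the Linksys's default route is the PIX 501 at 10.0.2.1, and a static route on the Linksys for anything that must go over the T1s (the server subnets or specific external networks) points at the PIX 515's inside address. That gives each host a single next hop, which is the condition grblades gave for avoiding the return-path problem Cisco warned about, and the NAT on each edge device keeps replies on the path they left by. `show vpdn` on the 501 confirms the PPPoE session is up and shows the address it was assigned.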
