ZJay
asked on
PIX 515
Hi guys,
I am planning to buy a coupl eof PIX 515 firewalls for my new network design.
My problen is that I am pretty new to this whole field and I am confused between the 515 and the 515E.
There is a significant price difference between these two firewalls and I am not sure what I should buy. I have moderate amount of traffic hitting my network.
Any thoughts ??
Also , I was wondering if someone can help me configure these firewalls here as well , any good reading material and or helpful websites out there that can help me?
thanks in advance for your help. I will have more questions in the future.
best
Z
I am planning to buy a coupl eof PIX 515 firewalls for my new network design.
My problen is that I am pretty new to this whole field and I am confused between the 515 and the 515E.
There is a significant price difference between these two firewalls and I am not sure what I should buy. I have moderate amount of traffic hitting my network.
Any thoughts ??
Also , I was wondering if someone can help me configure these firewalls here as well , any good reading material and or helpful websites out there that can help me?
thanks in advance for your help. I will have more questions in the future.
best
Z
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Sounds like you have a solid plan.
Yes, you need the Unlimited license to get the failover. Did you order the 4-port card, too? You only inside and outside on the chassis.
Once you get them to change the Ethernet interface of their router at your site to the private IP address in the subnet from your transit zone, all you have to do is apply access-lists to the interface, and decide whether or not you will use NAT for traffic between the zones.
My suggestion would be to bypass using NAT between the inside and the transit, and between the inside and the DMZ. It makes the acls much easier. Here's an example. See if you can follow the logic.
Given these IP addresses:
ip address inside 192.168.122.0 255.255.255.0
ip address outside 4.5.6.7 255.255.255.248
ip address DMZ 192.168.144.0 255.255.255.0
ip address transit 192.168.155.0 255.255.255.0
Setup NAT for inside - outside traffic (internet browsing, etc)
global (outside) 1 interface
nat (inside) 1 192.168.122.0 255.255.255.0
Bypass NAT between inside and DMZ/Transit
static (inside,transit) 192.168.122.0 192.168.122.0 netmask 255.255.255.0
static (inside,DMZ) 192.168.122.0 192.168.122.0 netmask 255.255.255.0
Setup NAT for you public servers:
static (DMZ,outside) 192.168.144.10 4.5.6.10 netmask 255.255.255.0
static (DMZ,outside) 192.168.144.11 4.5.6.11 netmask 255.255.255.0
Setup access-list for inbound public traffic (www, email)
access-list outside_in permit tcp any host 4.5.6.10 eq www
access-list outside_in permit tcp any host 4.5.6.11 eq smtp
access-group outside_in in interface outside
Setup restrictive access-list for client access (you can further limit to specific ports/protocols if you need to)
access-list transit_in permit ip host <rtr A> host <server A>
access-list transit_in permit ip host <rtr B> host <server B>
access-list transit_in permit tcp host <rtr A> host <server A> eq 1433
access-group transit_in in interface transit
Setup access-list for DMZ servers to get back in (say public www server to back-end SQL server)
access-list DMZ_in permit tcp host <www> host <SQL> eq 1433
access-list DMZ_in permit tcp host <email> host <mail> eq smtp
<etc>
access-group DMZ_in in interface DMZ
Just keep in mind the concepts of security levels.
Traffic from High security - lower security (inside to outside, dmz, transit) ALL is permitted unless/until you restrict it with an access-list
Traffic from Low security to a higher security interface (dmz to inside, transit to inside, outside to dmz, etc) NOTHING is permitted unless/until you expressly permit with an access-list.
Yes, you need the Unlimited license to get the failover. Did you order the 4-port card, too? You only inside and outside on the chassis.
Once you get them to change the Ethernet interface of their router at your site to the private IP address in the subnet from your transit zone, all you have to do is apply access-lists to the interface, and decide whether or not you will use NAT for traffic between the zones.
My suggestion would be to bypass using NAT between the inside and the transit, and between the inside and the DMZ. It makes the acls much easier. Here's an example. See if you can follow the logic.
Given these IP addresses:
ip address inside 192.168.122.0 255.255.255.0
ip address outside 4.5.6.7 255.255.255.248
ip address DMZ 192.168.144.0 255.255.255.0
ip address transit 192.168.155.0 255.255.255.0
Setup NAT for inside - outside traffic (internet browsing, etc)
global (outside) 1 interface
nat (inside) 1 192.168.122.0 255.255.255.0
Bypass NAT between inside and DMZ/Transit
static (inside,transit) 192.168.122.0 192.168.122.0 netmask 255.255.255.0
static (inside,DMZ) 192.168.122.0 192.168.122.0 netmask 255.255.255.0
Setup NAT for you public servers:
static (DMZ,outside) 192.168.144.10 4.5.6.10 netmask 255.255.255.0
static (DMZ,outside) 192.168.144.11 4.5.6.11 netmask 255.255.255.0
Setup access-list for inbound public traffic (www, email)
access-list outside_in permit tcp any host 4.5.6.10 eq www
access-list outside_in permit tcp any host 4.5.6.11 eq smtp
access-group outside_in in interface outside
Setup restrictive access-list for client access (you can further limit to specific ports/protocols if you need to)
access-list transit_in permit ip host <rtr A> host <server A>
access-list transit_in permit ip host <rtr B> host <server B>
access-list transit_in permit tcp host <rtr A> host <server A> eq 1433
access-group transit_in in interface transit
Setup access-list for DMZ servers to get back in (say public www server to back-end SQL server)
access-list DMZ_in permit tcp host <www> host <SQL> eq 1433
access-list DMZ_in permit tcp host <email> host <mail> eq smtp
<etc>
access-group DMZ_in in interface DMZ
Just keep in mind the concepts of security levels.
Traffic from High security - lower security (inside to outside, dmz, transit) ALL is permitted unless/until you restrict it with an access-list
Traffic from Low security to a higher security interface (dmz to inside, transit to inside, outside to dmz, etc) NOTHING is permitted unless/until you expressly permit with an access-list.
ASKER
Irmoore ,
Thats perfect man , thanks a lot for your help. Some questions
my DMZ has a public interface ip , 170.556.223.64 /255.255.255.224 ( this ip is made up)
Thats cool right ?
maybe i could give it internal IP's and then to static mappings like you have pointed out as well.
SO I am a bit confused about what the outside vlan would be if the dmz is public , my outside vlan currently is the dmz so I am a bit confused there.
so my static would be basically
static ( DMZ , outside) 170.55.223.64 170.556.223.64 netmask 255.255.255.0
secondly ,
like i mentioned these routers are housed into my network. Now we have this one VPN router.
the way it is right now is that it has only one active interface with a public ip which is connected to my switch on the vlan which also has the server this vpn connection needs to get to. And its managed using a modem ( by the client) so basically everything is publicly addressable.
whats the best solution to deal with this VPN router , what are your thoughts ?
i see 2 options
1. activate the other interface of this vpn router , connect it to the "outside" interface of the pix and have the clients terminate there tunnel on this intf connected to the outside intf of my firewall , then connect the other interface to my "transit' network and bypass traffic from there to my private network.
2. just let the router have one interface , connect it to the outside interface with a public ip address and then bypass the vpn traffic from the outside interface directly to the private network.
what r your thoughts...i think i am confused.
-Z
Thats perfect man , thanks a lot for your help. Some questions
my DMZ has a public interface ip , 170.556.223.64 /255.255.255.224 ( this ip is made up)
Thats cool right ?
maybe i could give it internal IP's and then to static mappings like you have pointed out as well.
SO I am a bit confused about what the outside vlan would be if the dmz is public , my outside vlan currently is the dmz so I am a bit confused there.
so my static would be basically
static ( DMZ , outside) 170.55.223.64 170.556.223.64 netmask 255.255.255.0
secondly ,
like i mentioned these routers are housed into my network. Now we have this one VPN router.
the way it is right now is that it has only one active interface with a public ip which is connected to my switch on the vlan which also has the server this vpn connection needs to get to. And its managed using a modem ( by the client) so basically everything is publicly addressable.
whats the best solution to deal with this VPN router , what are your thoughts ?
i see 2 options
1. activate the other interface of this vpn router , connect it to the "outside" interface of the pix and have the clients terminate there tunnel on this intf connected to the outside intf of my firewall , then connect the other interface to my "transit' network and bypass traffic from there to my private network.
2. just let the router have one interface , connect it to the outside interface with a public ip address and then bypass the vpn traffic from the outside interface directly to the private network.
what r your thoughts...i think i am confused.
-Z
There's no good reason that you would have to change your DMZ from a public to a private. You understand the concept with the static, same IP on both interfaces.
I'm not a fan of option #2 for the VPN router.
I'm not quite sure I understand the connectivity on this. Remote user VPN's to the public IP interface of this router, then they have access to one server which also has a public IP?
I would think more along option #1. One public IP on the router, one private IP interface on the router terminating on your transit network. Use same rules to permit the VPN client IP addresses only access to the one server. When they dial into the modem, do they have telnet access to the server? Definately put this server in the transit network, unless there is high dependence on it from the inside clients. Then consider just using acls on the PIX transit interface to control traffic from their VPN router into the server.
I'm not a fan of option #2 for the VPN router.
I'm not quite sure I understand the connectivity on this. Remote user VPN's to the public IP interface of this router, then they have access to one server which also has a public IP?
I would think more along option #1. One public IP on the router, one private IP interface on the router terminating on your transit network. Use same rules to permit the VPN client IP addresses only access to the one server. When they dial into the modem, do they have telnet access to the server? Definately put this server in the transit network, unless there is high dependence on it from the inside clients. Then consider just using acls on the PIX transit interface to control traffic from their VPN router into the server.
ASKER
Let me explain.
This VPN router is a backup connection to the T1 connection they have.
This basically is a site-to -site VPN that connects our network ( the one server in the transit network) to there network. SO if the t-1 fails they can start using this backup link.
So they come in through the internet and terminate the vpn on this routerr public interface and access this one server in the same vlan. The server now has a public ip.
They have a modem with which the admin dials into the router to configure it , thats all. I would like to put the server in the private network , since all the other servers r in the private network that way.
I just got the pix
I basicall am supposed to configure the main PIX and not touch or connect the second Pix yet ?
Then I am also supposed to use one interface of my 6 interfaces to connect the two firewalls with a cross over cable ? I dont need a special switch vlan for that right ?
Also I should have a vlan on the switch for my outside interface right ? where I will plug in the outside interfaces of both the routers ?
-Z
This VPN router is a backup connection to the T1 connection they have.
This basically is a site-to -site VPN that connects our network ( the one server in the transit network) to there network. SO if the t-1 fails they can start using this backup link.
So they come in through the internet and terminate the vpn on this routerr public interface and access this one server in the same vlan. The server now has a public ip.
They have a modem with which the admin dials into the router to configure it , thats all. I would like to put the server in the private network , since all the other servers r in the private network that way.
I just got the pix
I basicall am supposed to configure the main PIX and not touch or connect the second Pix yet ?
Then I am also supposed to use one interface of my 6 interfaces to connect the two firewalls with a cross over cable ? I dont need a special switch vlan for that right ?
Also I should have a vlan on the switch for my outside interface right ? where I will plug in the outside interfaces of both the routers ?
-Z
Let's tackle the PIX install first, but I think you'll still be in good shape to enable the 2nd Ethernet interface on their VPN router with a private IP in your transit network and move the server into the transit dmz, too. They can still access it via their T1, or through a LAN-LAN tunnel back to their offices, and access the private IP of the server...
You can setup and configure the primary PIX. If you try to fire up the failover PIX without a connection the primary, you will get a message saying that it cannot startup stand-alone, and won't even finish booting.
Connect the two PIXs together using the supplied serial failover cable. The cable ends are marked primary and secondary.
You 'can' connect the two using an Ethernet interface to enable stateful failover, but you can't use a crossover cable, you would have to use a 2-port VLAN on the switch. I'm not a big fan of the stateful failover and I have seen this cause too much trouble, mainly because of using a crossover cable, and it is not really necessary.
I would have a 3-port VLAN on the switch to connect your Internet router's Ethernet interface, and both PIX outside interfaces.
Then another VLAN for each PIX interface (transit VLAN and DMZ vlan), except the inside interface to a physically different switch. It's OK to put outside and DMZ interfaces into VLAN's on one switch, but I'm a firm believer that the inside should be a different switch.
You can setup and configure the primary PIX. If you try to fire up the failover PIX without a connection the primary, you will get a message saying that it cannot startup stand-alone, and won't even finish booting.
Connect the two PIXs together using the supplied serial failover cable. The cable ends are marked primary and secondary.
You 'can' connect the two using an Ethernet interface to enable stateful failover, but you can't use a crossover cable, you would have to use a 2-port VLAN on the switch. I'm not a big fan of the stateful failover and I have seen this cause too much trouble, mainly because of using a crossover cable, and it is not really necessary.
I would have a 3-port VLAN on the switch to connect your Internet router's Ethernet interface, and both PIX outside interfaces.
Then another VLAN for each PIX interface (transit VLAN and DMZ vlan), except the inside interface to a physically different switch. It's OK to put outside and DMZ interfaces into VLAN's on one switch, but I'm a firm believer that the inside should be a different switch.
ASKER
Questions :
1. Why dont you like the stateful failover ? It gives me an option of using the cross over cable in the manual ? as well as the option you suggested ? Without stateful configuration will the firewall still failover automatically ? i am going to take yoru word for this since I dont have enough experience.
And I will need a 4 port outside VLAN right ? the 4th port to connect the other outside interface of the VPN client router. The inside interface will be connected to my transit network.
Z
1. You will have automatic failover without the stateful failover option. You can use a crossover cable, and all the documents say that you can, but trust me, it is much more stable with a switch vlan. There are caveats, like this in the documentation:
"Note: If you use the same link for both state and failover, you cannot use a crossover cable."
2. Yes, 4 ports for public VLAN. I forgot about the VPN router...
"Note: If you use the same link for both state and failover, you cannot use a crossover cable."
2. Yes, 4 ports for public VLAN. I forgot about the VPN router...
ASKER
cool...i will ask you more questions when I have them. For testing purposes should I use a hb or a linksys switch between the two firewalls for the failover config check?
For testing the stateful failover? You'll have to use crossover because both interfaces must be set to 100/full-duplex and a hub is only half-duplex, and the linksys switch is autosense only, I think..
Looking forward to more questions from you!
Looking forward to more questions from you!
ASKER
So u just dont like the idea of using a cross over , you are fine with serial connection and switch based cable connection for stateful failover ?
Absolutely!
ASKER
Irmoore,
Need your help again. This is what you suggested to me.
Setup restrictive access-list for client access (you can further limit to specific ports/protocols if you need to)
access-list transit_in permit ip host <rtr A> host <server A>
access-list transit_in permit ip host <rtr B> host <server B>
access-list transit_in permit tcp host <rtr A> host <server A> eq 1433
access-group transit_in in interface transit
I think this is erroneous. Say I am a 10.10.10.1 ip address host who is behind rtr A and I need access to server A , I go through rtr A , but my SOURCE addr doesnt change right ???
I am still 10.10.10.1 trying to go through the router ( which termintes on the transitdmz on the pic) to access a server ( which resides in the private networ).
my point is : I need to add acl's to allow all source traffic coming through the router to the server or allow "any" traffic coming through the router to the server if i cant find all the source addr subnets.
also after that point I need to add routes on the pix that will let traffic headed to 10.10.10.1 go to the transit interface and a particular ip (that of rtr A)
am I current in these assumptions.
I am CONFUSEDDDD HERE
-Z
Need your help again. This is what you suggested to me.
Setup restrictive access-list for client access (you can further limit to specific ports/protocols if you need to)
access-list transit_in permit ip host <rtr A> host <server A>
access-list transit_in permit ip host <rtr B> host <server B>
access-list transit_in permit tcp host <rtr A> host <server A> eq 1433
access-group transit_in in interface transit
I think this is erroneous. Say I am a 10.10.10.1 ip address host who is behind rtr A and I need access to server A , I go through rtr A , but my SOURCE addr doesnt change right ???
I am still 10.10.10.1 trying to go through the router ( which termintes on the transitdmz on the pic) to access a server ( which resides in the private networ).
my point is : I need to add acl's to allow all source traffic coming through the router to the server or allow "any" traffic coming through the router to the server if i cant find all the source addr subnets.
also after that point I need to add routes on the pix that will let traffic headed to 10.10.10.1 go to the transit interface and a particular ip (that of rtr A)
am I current in these assumptions.
I am CONFUSEDDDD HERE
-Z
ASKER
I know I could count on you , I already have gathered a lot of info from your previous postings here.
What I finally bought and being shipped today is
515 UR with Fail Over.
I am going to have the firewalls in failover mode and therefor i needed an unrestricted liscense i guess.
I have some questions for you regarding the firewall configuration. I will up the points on this question as and when needed.
This is how my config is going to be
outside: Security 0
DMZ : Security 30
inside : Security 100
transit : Security 70
transit : this interface is connected to a vlan which has the priv ip 192.168.77.3 , this basically is going to be the termination point of "client" routers who have private FR relay lines to our network. Say router A (frame relay) terminated here with the ip 192.168.77.37.
Now i need router A to have a conversation with ONLY SERVER A -- 192.168.3.8 in the "inside" network.
How can I accomplish this ?
Do I have to care about what all translations happen on the private line before the traffic comes to the priv interface of the router on 192.168.77.37 that terminated on my network ????
I dont control these routers , the clients do , I would think all i care about is and all i have to inform them is that I want to change the ip address of the interface of the router that terminates on my network from a public address( there was no need of a public addr, since its a priva connection) to a private address ?
does this make sense ?
coming soon : One of the routers that terminates on my network is a VPN termination point with just one public interface that is connected to one of the vlans , this is driving me nuts.
thanks for your help in advance
Z