PIX 515

Hi guys,

I am planning to buy a couple of PIX 515 firewalls for my new network design.
My problem is that I am pretty new to this whole field and I am confused between the 515 and the 515E.

There is a significant price difference between these two firewalls and I am not sure what I should buy. I have moderate amount of traffic hitting my network.

Any thoughts ??

Also , I was wondering if someone can help me configure these firewalls here as well , any good reading material and or helpful websites out there that can help me?

thanks in advance for your help. I will have more questions in the future.

515E is "next generation" 515 that includes the encryption daughter card at no additional cost. It can be a "gotcha" if you plan to add two more interfaces using single-port PCI adapters. The daughter card takes up one of the PCI slots internally, so your best option to add more interfaces is with a 4-port PCI card.

We'll be more than happy to help get you going. The "getting started" guide that comes with it is pretty easy to follow.

The price difference is not between the 515 or the 515E, but between an UNrestricted user license, or a REstricted user license. The restricted license will support upwards of 100 internal clients. The restriction is 10,000 simultaneous connections. That's more than enough for most businesses.
Current list price for 515E, 3 Interfaces, Restricted license is $3695
PIX 515E-DMZ Bundle (Chassis, Restricted SW, 3 FE Ports) (Cisco part #: PIX-515E-R-DMZ-BUN)
With 2 interfaces: $3,495.00
PIX 515E-R Bundle (Chassis, Restricted SW, 2 FE Ports) (Cisco part #: PIX-515E-R-BUN)      
The 515 -no "E"- is not available for sale any more (I work for a Cisco Premier Partner and we sell a lot of PIX's)

ZJayAuthor Commented:
Hi IRMoore ,

I know I could count on you , I already have gathered a lot of info from your previous postings here.

What I finally bought and being shipped today is

515 UR with Fail Over.

I am going to have the firewalls in failover mode and therefore I needed an unrestricted license I guess.

I have some questions for you regarding the firewall configuration. I will up the points on this question as and when needed.

This is how my config is going to be

      outside:   Security 0
      DMZ:       Security 30
      inside:    Security 100
      transit:   Security 70

transit : this interface is connected to a vlan which has the priv ip , this basically is going to be the termination point of "client" routers who have private FR relay lines to our network. Say router A (frame relay) terminated here with the ip

Now i need router A to have a conversation with ONLY SERVER A -- in the "inside" network.

How can I accomplish this ?

Do I have to care about what all translations happen on the private line before the traffic comes to the priv interface of the router on that terminated on my network ????

I don't control these routers , the clients do , I would think all I care about is and all I have to inform them is that I want to change the IP address of the interface of the router that terminates on my network from a public address ( there was no need of a public addr, since it's a private connection) to a private address ?

does this make sense ?

coming soon : One of the routers that terminates on my network is a VPN termination point with just one public interface that is connected to one of the vlans , this is driving me nuts.

thanks for your help in advance

Sounds like you have a solid plan.
Yes, you need the Unlimited license to get the failover. Did you order the 4-port card, too? You only have inside and outside on the chassis.

Once you get them to change the Ethernet interface of their router at your site to the private IP address in the subnet from your transit zone, all you have to do is apply access-lists to the interface, and decide whether or not you will use NAT for traffic between the zones.

My suggestion would be to bypass using NAT between the inside and the transit, and between the inside and the DMZ. It makes the acls much easier. Here's an example. See if you can follow the logic.
Given these IP addresses:
ip address inside
ip address outside
ip address DMZ
ip address transit

Setup NAT for inside - outside traffic (internet browsing, etc)
   global (outside) 1 interface
   nat (inside) 1

Bypass NAT between inside and DMZ/Transit
   static (inside,transit) netmask
   static (inside,DMZ) netmask

Setup NAT for your public servers:
   static (DMZ,outside) netmask
   static (DMZ,outside) netmask

Setup access-list for inbound public traffic (www, email)
   access-list outside_in permit tcp any host eq www
   access-list outside_in permit tcp any host eq smtp
   access-group outside_in in interface outside

Setup restrictive access-list for client access (you can further limit to specific ports/protocols if you need to)
   access-list transit_in permit ip host <rtr A> host <server A>
   access-list transit_in permit ip host <rtr B> host <server B>
   access-list transit_in permit tcp host <rtr A> host <server A> eq 1433
   access-group transit_in in interface transit

Setup access-list for DMZ servers to get back in (say public www server to back-end SQL server)
   access-list DMZ_in permit tcp host <www> host <SQL> eq 1433
   access-list DMZ_in permit tcp host <email> host <mail> eq smtp
   access-group DMZ_in in interface DMZ

Just keep in mind the concepts of security levels.
Traffic from High security - lower security (inside to outside, dmz, transit) ALL is permitted unless/until you restrict it with an access-list
Traffic from Low security to a higher security interface (dmz to inside, transit to inside, outside to dmz, etc) NOTHING is permitted unless/until you expressly permit with an access-list.
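To make the two rules above and the posted access-lists concrete, here is an added Python model of how a classic PIX evaluates a new connection (this is illustration written for this page, not Cisco code and not anything from the thread). It assumes constructed addresses in place of the <rtr A>, <server A>, <www> and <SQL> placeholders (10.70.0.0/24 for the transit zone, 10.100.0.0/24 for inside, 192.0.2.0/24 as the public DMZ range, other documentation ranges for the Internet), and it models PIX 6.x behaviour: an access-list bound inbound with access-group becomes the whole policy for that interface (first match wins, implicit deny at the end), and with no access-list only higher-to-lower security traffic passes.

```python
import ipaddress

# Security levels exactly as laid out in the thread.
INTERFACES = {"outside": 0, "DMZ": 30, "transit": 70, "inside": 100}
# Service names used in the posted ACLs, resolved the way the PIX does.
PORT_NAMES = {"www": 80, "smtp": 25}
ANY = ipaddress.ip_network("0.0.0.0/0")


class Ace:
    """One access-list entry: action, protocol, source/destination networks, optional dest port."""
    def __init__(self, action, proto, src, dst, dport=None):
        self.action, self.proto, self.src, self.dst, self.dport = action, proto, src, dst, dport

    def matches(self, proto, src, dst, dport):
        if self.proto != "ip" and self.proto != proto:
            return False
        if ipaddress.ip_address(src) not in self.src or ipaddress.ip_address(dst) not in self.dst:
            return False
        return self.dport is None or self.dport == dport


def _addr(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'NET MASK' at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(tokens[i] + "/" + tokens[i + 1]), i + 2


def parse_config(lines):
    """Return (acls, bindings): ACL name -> [Ace], and interface -> ACL bound inbound on it."""
    acls, bindings = {}, {}
    for raw in lines:
        t = raw.split()
        if t[:1] == ["access-list"]:
            name, action, proto = t[1], t[2], t[3]
            src, i = _addr(t, 4)
            dst, i = _addr(t, i)
            dport = None
            if i < len(t) and t[i] == "eq":
                dport = PORT_NAMES.get(t[i + 1])
                if dport is None:
                    dport = int(t[i + 1])
            acls.setdefault(name, []).append(Ace(action, proto, src, dst, dport))
        elif t[:1] == ["access-group"]:      # access-group NAME in interface IFACE
            bindings[t[4]] = t[1]
    return acls, bindings


def decide(proto, src, dst, dport, ingress, egress, acls, bindings):
    """PIX 6.x logic: a bound inbound ACL on the ingress interface is the policy (implicit deny);
    otherwise only traffic from a higher security level to a lower one is permitted."""
    if ingress in bindings:
        for ace in acls[bindings[ingress]]:
            if ace.matches(proto, src, dst, dport):
                return ace.action
        return "deny"
    return "permit" if INTERFACES[ingress] > INTERFACES[egress] else "deny"


# The posted ACLs with constructed addresses in place of the placeholders. On a PIX 6.x the
# outside_in entries name the public (translated) address of each static.
POSTED_CONFIG = [
    "access-list outside_in permit tcp any host 192.0.2.10 eq www",
    "access-list outside_in permit tcp any host 192.0.2.11 eq smtp",
    "access-group outside_in in interface outside",
    "access-list transit_in permit ip host 10.70.0.2 host 10.100.0.10",   # rtr A -> server A
    "access-list transit_in permit ip host 10.70.0.3 host 10.100.0.11",   # rtr B -> server B
    "access-group transit_in in interface transit",
    "access-list DMZ_in permit tcp host 192.0.2.10 host 10.100.0.20 eq 1433",  # www -> SQL
    "access-group DMZ_in in interface DMZ",
]


def example_decisions():
    """Constructed sample connections and the verdict the model gives each one."""
    acls, bindings = parse_config(POSTED_CONFIG)
    flows = {
        # inside -> outside with no ACL bound on inside: permitted by security level alone
        "inside browsing": ("tcp", "10.100.0.50", "198.51.100.7", 80, "inside", "outside"),
        "rtrA->serverA 1433": ("tcp", "10.70.0.2", "10.100.0.10", 1433, "transit", "inside"),
        "rtrB->serverA 1433": ("tcp", "10.70.0.3", "10.100.0.10", 1433, "transit", "inside"),
        # a host behind router A keeps its own source address, so 'host <rtr A>' does not match it
        "host behind rtrA->serverA": ("tcp", "10.200.0.5", "10.100.0.10", 1433, "transit", "inside"),
        "internet->www 80": ("tcp", "203.0.113.9", "192.0.2.10", 80, "outside", "DMZ"),
        "internet->www 22": ("tcp", "203.0.113.9", "192.0.2.10", 22, "outside", "DMZ"),
        "www->SQL 1433": ("tcp", "192.0.2.10", "10.100.0.20", 1433, "DMZ", "inside"),
        # binding DMZ_in replaces the DMZ's default high->low permit, so outbound now needs an ACE
        "www->internet 80": ("tcp", "192.0.2.10", "198.51.100.7", 80, "DMZ", "outside"),
    }
    return {name: decide(*f, acls, bindings) for name, f in flows.items()}
```

Running example_decisions() shows the two halves of the rule: inside-to-outside passes with no access-list at all, while every lower-to-higher flow needs a matching permit line. The last flow is the caveat worth remembering when following the post: as soon as DMZ_in is bound to the DMZ interface, the DMZ servers' own outbound traffic is also governed by that list and is dropped until an entry permits it.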


ZJayAuthor Commented:
Irmoore ,

Thats perfect man , thanks a lot for your help. Some questions

my DMZ has a public interface ip , 170.556.223.64 / ( this ip is made up)

Thats cool right ?

maybe i could give it internal IP's and then to static mappings like you have pointed out as well.

SO I am a bit confused about what the outside vlan would be if the dmz is public , my outside vlan currently is the dmz so I am a bit confused there.

so my static would be basically
static ( DMZ , outside) 170.556.223.64 netmask

secondly ,

like i mentioned these routers are housed into my network. Now we have this one VPN router.

the way it is right now is that it has only one active interface with a public ip which is connected to my switch on the vlan which also has the server this vpn connection needs to get to. And its managed using a modem ( by the client)  so basically everything is publicly addressable.

whats the best solution to deal with this VPN router , what are your thoughts ?

i see 2 options

1. activate the other interface of this VPN router , connect it to the "outside" interface of the PIX and have the clients terminate their tunnel on this interface connected to the outside interface of my firewall , then connect the other interface to my "transit" network and bypass traffic from there to my private network.

2. just let the router have one interface , connect it to the outside interface with a public ip address and then bypass the vpn traffic from the outside interface directly to the private network.

what are your thoughts...i think i am confused.

There's no good reason that you would have to change your DMZ from a public to a private. You understand the concept with the static, same IP on both interfaces.

I'm not a fan of option #2 for the VPN router.
I'm not quite sure I understand the connectivity on this. Remote user VPN's to the public IP interface of this router, then they have access to one server which also has a public IP?
I would think more along option #1. One public IP on the router, one private IP interface on the router terminating on your transit network. Use same rules to permit the VPN client IP addresses only access to the one server. When they dial into the modem, do they have telnet access to the server? Definitely put this server in the transit network, unless there is high dependence on it from the inside clients. Then consider just using acls on the PIX transit interface to control traffic from their VPN router into the server.
ZJayAuthor Commented:
Let me explain.

This VPN router is a backup connection to the T1 connection they have.

This basically is a site-to-site VPN that connects our network ( the one server in the transit network) to their network. So if the T1 fails they can start using this backup link.

So they come in through the internet and terminate the VPN on this router's public interface and access this one server in the same vlan. The server now has a public IP.

They have a modem with which the admin dials into the router to configure it , that's all. I would like to put the server in the private network , since all the other servers are in the private network that way.

I just got the pix

I basically am supposed to configure the main PIX and not touch or connect the second PIX yet ?

Then I am also supposed to use one interface of my 6 interfaces to connect the two firewalls with a crossover cable ? I don't need a special switch vlan for that right ?

Also I should have a vlan on the switch for my outside interface right ? where I will plug in the outside interfaces of both the routers ?

Let's tackle the PIX install first, but I think you'll still be in good shape to enable the 2nd Ethernet interface on their VPN router with a private IP in your transit network and move the server into the transit dmz, too. They can still access it via their T1, or through a LAN-LAN tunnel back to their offices, and access the private IP of the server...

You can setup and configure the primary PIX. If you try to fire up the failover PIX without a connection to the primary, you will get a message saying that it cannot startup stand-alone, and won't even finish booting.

Connect the two PIXs together using the supplied serial failover cable. The cable ends are marked primary and secondary.
You 'can' connect the two using an Ethernet interface to enable stateful failover, but you can't use a crossover cable, you would have to use a 2-port VLAN on the switch. I'm not a big fan of the stateful failover and I have seen this cause too much trouble, mainly because of using a crossover cable, and it is not really necessary.

I would have a 3-port VLAN on the switch to connect your Internet router's Ethernet interface, and both PIX outside interfaces.

Then another VLAN for each PIX interface (transit VLAN and DMZ vlan), except the inside interface to a physically different switch. It's OK to put outside and DMZ interfaces into VLAN's on one switch, but I'm a firm believer that the inside should be a different switch.
ZJayAuthor Commented:

Questions :

1. Why don't you like the stateful failover ? It gives me an option of using the crossover cable in the manual ? as well as the option you suggested ? Without stateful configuration will the firewall still failover automatically ? I am going to take your word for this since I don't have enough experience.

And I will need a 4 port outside VLAN right ? the 4th port to connect the other outside interface of the VPN client router. The inside interface will be connected to my transit network.

1. You will have automatic failover without the stateful failover option. You can use a crossover cable, and all the documents say that you can, but trust me, it is much more stable with a switch vlan. There are caveats, like this in the documentation:
    "Note: If you use the same link for both state and failover, you cannot use a crossover cable."

2. Yes, 4 ports for public VLAN. I forgot about the VPN router...

ZJayAuthor Commented:
cool...i will ask you more questions when I have them. For testing purposes should I use a hub or a linksys switch between the two firewalls for the failover config check?
For testing the stateful failover? You'll have to use crossover because both interfaces must be set to 100/full-duplex and a hub is only half-duplex, and the linksys switch is autosense only, I think..
Looking forward to more questions from you!
ZJayAuthor Commented:
So you just don't like the idea of using a crossover , you are fine with serial connection and switch based cable connection for stateful failover ?
ZJayAuthor Commented:

Need your help again. This is what you suggested to me.

Setup restrictive access-list for client access (you can further limit to specific ports/protocols if you need to)
   access-list transit_in permit ip host <rtr A> host <server A>
   access-list transit_in permit ip host <rtr B> host <server B>
   access-list transit_in permit tcp host <rtr A> host <server A> eq 1433
   access-group transit_in in interface transit

I think this is erroneous. Say I am an IP address host who is behind rtr A and I need access to server A , I go through rtr A , but my SOURCE addr doesn't change right ???

I am still trying to go through the router ( which terminates on the transit DMZ on the PIX) to access a server ( which resides in the private network).

my point is : I need to add acl's to allow all source traffic coming through the router to the server or allow "any" traffic coming through the router to the server if i cant find all the source addr subnets.

also after that point I need to add routes on the pix that will let traffic headed to go to the transit interface and a particular ip (that of rtr A)

am I correct in these assumptions.

