Solved

PIX 515

Posted on 2004-09-09
Last Modified: 2013-11-16
Hi guys,

I am planning to buy a couple of PIX 515 firewalls for my new network design.
My problem is that I am pretty new to this whole field and I am confused between the 515 and the 515E.

There is a significant price difference between these two firewalls and I am not sure what I should buy. I have a moderate amount of traffic hitting my network.

Any thoughts?

Also, I was wondering if someone can help me configure these firewalls here as well. Any good reading material and/or helpful websites out there that can help me?

Thanks in advance for your help. I will have more questions in the future.

best
Z
Question by:ZJay
14 Comments
LVL 79

Accepted Solution

by:
lrmoore earned 500 total points
ID: 12076661
515E is the "next generation" 515 that includes the encryption daughter card at no additional cost. It can be a "gotcha" if you plan to add two more interfaces using single-port PCI adapters. The daughter card takes up one of the PCI slots internally, so your best option to add more interfaces is with a 4-port PCI card.

We'll be more than happy to help get you going. The "getting started" guide that comes with it is pretty easy to follow.

The price difference is not between the 515 or the 515E, but between an UNrestricted user license, or a REstricted user license. The restricted license will support upwards of 100 internal clients. The restriction is 10,000 simultaneous connections. That's more than enough for most businesses.
Current list price for 515E, 3 Interfaces, Restricted license is $3695
PIX 515E-DMZ Bundle (Chassis, Restricted SW, 3 FE Ports) (Cisco part #: PIX-515E-R-DMZ-BUN)
With 2 interfaces: $3,495.00
PIX 515E-R Bundle (Chassis, Restricted SW, 2 FE Ports) (Cisco part #: PIX-515E-R-BUN)
The 515 (no "E") is not available for sale any more (I work for a Cisco Premier Partner and we sell a lot of PIXs).






Author Comment

by:ZJay
ID: 12077197
Hi lrmoore,

I know I could count on you; I already have gathered a lot of info from your previous postings here.

What I finally bought, and which is being shipped today, is

515 UR with Failover.

I am going to have the firewalls in failover mode and therefore I needed an unrestricted license, I guess.

I have some questions for you regarding the firewall configuration. I will up the points on this question as and when needed.

This is how my config is going to be:

      outside:  Security 0
      DMZ:      Security 30
      inside:   Security 100
      transit:  Security 70


transit: this interface is connected to a VLAN which has the private IP 192.168.77.3; this basically is going to be the termination point of "client" routers which have private Frame Relay lines to our network. Say router A (Frame Relay) terminates here with the IP 192.168.77.37.

Now I need router A to have a conversation with ONLY SERVER A (192.168.3.8) in the "inside" network.

How can I accomplish this?

Do I have to care about whatever translations happen on the private line before the traffic comes to the private interface of the router on 192.168.77.37 that terminates on my network?

I don't control these routers, the clients do. I would think all I care about, and all I have to inform them of, is that I want to change the IP address of the interface of the router that terminates on my network from a public address (there was no need for a public address, since it's a private connection) to a private address?

Does this make sense?

Coming soon: one of the routers that terminates on my network is a VPN termination point with just one public interface that is connected to one of the VLANs; this is driving me nuts.


Thanks for your help in advance
Z

LVL 79

Expert Comment

by:lrmoore
ID: 12077461
Sounds like you have a solid plan.
Yes, you need the Unlimited license to get the failover. Did you order the 4-port card, too? You only get inside and outside on the chassis.

Once you get them to change the Ethernet interface of their router at your site to the private IP address in the subnet from your transit zone, all you have to do is apply access-lists to the interface, and decide whether or not you will use NAT for traffic between the zones.

My suggestion would be to bypass using NAT between the inside and the transit, and between the inside and the DMZ. It makes the ACLs much easier. Here's an example. See if you can follow the logic.
Given these IP addresses:
ip address inside 192.168.122.0 255.255.255.0
ip address outside 4.5.6.7 255.255.255.248
ip address DMZ 192.168.144.0 255.255.255.0
ip address transit 192.168.155.0 255.255.255.0

Setup NAT for inside - outside traffic (internet browsing, etc)
   global (outside) 1 interface
   nat (inside) 1 192.168.122.0 255.255.255.0

Bypass NAT between inside and DMZ/Transit
   static (inside,transit) 192.168.122.0 192.168.122.0 netmask 255.255.255.0
   static (inside,DMZ) 192.168.122.0 192.168.122.0 netmask 255.255.255.0

Setup NAT for your public servers (one-to-one host statics, so a host netmask):
   static (DMZ,outside) 192.168.144.10 4.5.6.10 netmask 255.255.255.255
   static (DMZ,outside) 192.168.144.11 4.5.6.11 netmask 255.255.255.255

Setup access-list for inbound public traffic (www, email)
   access-list outside_in permit tcp any host 4.5.6.10 eq www
   access-list outside_in permit tcp any host 4.5.6.11 eq smtp
   access-group outside_in in interface outside

Setup restrictive access-list for client access (you can further limit to specific ports/protocols if you need to)
   access-list transit_in permit ip host <rtr A> host <server A>
   access-list transit_in permit ip host <rtr B> host <server B>
   access-list transit_in permit tcp host <rtr A> host <server A> eq 1433
   access-group transit_in in interface transit

Setup access-list for DMZ servers to get back in (say public www server to back-end SQL server)
   access-list DMZ_in permit tcp host <www> host <SQL> eq 1433
   access-list DMZ_in permit tcp host <email> host <mail> eq smtp
   <etc>
   access-group DMZ_in in interface DMZ

Just keep in mind the concepts of security levels.
Traffic from a higher security interface to a lower security interface (inside to outside, DMZ, transit): ALL is permitted unless/until you restrict it with an access-list.
Traffic from a lower security interface to a higher security interface (DMZ to inside, transit to inside, outside to DMZ, etc.): NOTHING is permitted unless/until you expressly permit it with an access-list.



Author Comment

by:ZJay
ID: 12078004
lrmoore,

That's perfect man, thanks a lot for your help. Some questions:

My DMZ has a public interface IP, 170.556.223.64/255.255.255.224 (this IP is made up).

That's cool, right?

Maybe I could give it internal IPs and then do static mappings like you have pointed out as well.

So I am a bit confused about what the outside VLAN would be if the DMZ is public; my outside VLAN currently is the DMZ, so I am a bit confused there.

So my static would be basically:
static (DMZ,outside) 170.55.223.64 170.556.223.64 netmask 255.255.255.0


Secondly,

like I mentioned, these routers are housed in my network. Now we have this one VPN router.

The way it is right now is that it has only one active interface with a public IP, which is connected to my switch on the VLAN which also has the server this VPN connection needs to get to. And it's managed using a modem (by the client), so basically everything is publicly addressable.

What's the best solution to deal with this VPN router? What are your thoughts?

I see 2 options:

1. Activate the other interface of this VPN router, connect it to the "outside" interface of the PIX and have the clients terminate their tunnel on this interface connected to the outside interface of my firewall, then connect the other interface to my "transit" network and bypass traffic from there to my private network.

2. Just let the router have one interface, connect it to the outside interface with a public IP address and then bypass the VPN traffic from the outside interface directly to the private network.

What are your thoughts... I think I am confused.

-Z
LVL 79

Expert Comment

by:lrmoore
ID: 12078120
There's no good reason that you would have to change your DMZ from a public to a private. You understand the concept with the static, same IP on both interfaces.

I'm not a fan of option #2 for the VPN router.
I'm not quite sure I understand the connectivity on this. Remote users VPN to the public IP interface of this router, then they have access to one server which also has a public IP?
I would think more along option #1. One public IP on the router, one private IP interface on the router terminating on your transit network. Use the same rules to permit the VPN client IP addresses access to only the one server. When they dial into the modem, do they have telnet access to the server? Definitely put this server in the transit network, unless there is high dependence on it from the inside clients. Then consider just using ACLs on the PIX transit interface to control traffic from their VPN router into the server.

Author Comment

by:ZJay
ID: 12078255
Let me explain.

This VPN router is a backup connection to the T1 connection they have.

This basically is a site-to-site VPN that connects our network (the one server in the transit network) to their network. So if the T1 fails they can start using this backup link.

So they come in through the Internet and terminate the VPN on this router's public interface and access this one server in the same VLAN. The server now has a public IP.

They have a modem with which the admin dials into the router to configure it, that's all. I would like to put the server in the private network, since all the other servers are in the private network that way.

I just got the PIX.

I basically am supposed to configure the main PIX and not touch or connect the second PIX yet?

Then I am also supposed to use one interface of my 6 interfaces to connect the two firewalls with a crossover cable? I don't need a special switch VLAN for that, right?

Also, I should have a VLAN on the switch for my outside interface, right? Where I will plug in the outside interfaces of both the routers?

-Z
LVL 79

Expert Comment

by:lrmoore
ID: 12078368
Let's tackle the PIX install first, but I think you'll still be in good shape to enable the 2nd Ethernet interface on their VPN router with a private IP in your transit network and move the server into the transit dmz, too. They can still access it via their T1, or through a LAN-LAN tunnel back to their offices, and access the private IP of the server...

You can set up and configure the primary PIX. If you try to fire up the failover PIX without a connection to the primary, you will get a message saying that it cannot start up stand-alone, and it won't even finish booting.

Connect the two PIXs together using the supplied serial failover cable. The cable ends are marked primary and secondary.
You 'can' connect the two using an Ethernet interface to enable stateful failover, but you can't use a crossover cable, you would have to use a 2-port VLAN on the switch. I'm not a big fan of the stateful failover and I have seen this cause too much trouble, mainly because of using a crossover cable, and it is not really necessary.

I would have a 3-port VLAN on the switch to connect your Internet router's Ethernet interface, and both PIX outside interfaces.

Then another VLAN for each PIX interface (transit VLAN and DMZ VLAN), except the inside interface, which goes to a physically different switch. It's OK to put outside and DMZ interfaces into VLANs on one switch, but I'm a firm believer that the inside should be on a different switch.

Author Comment

by:ZJay
ID: 12078468


Questions :

1. Why don't you like the stateful failover? The manual gives me the option of using the crossover cable, as well as the option you suggested. Without stateful configuration will the firewall still fail over automatically? I am going to take your word for this since I don't have enough experience.

And I will need a 4-port outside VLAN, right? The 4th port to connect the other outside interface of the VPN client router. The inside interface will be connected to my transit network.

Z
LVL 79

Expert Comment

by:lrmoore
ID: 12078612
1. You will have automatic failover without the stateful failover option. You can use a crossover cable, and all the documents say that you can, but trust me, it is much more stable with a switch vlan. There are caveats, like this in the documentation:
    "Note: If you use the same link for both state and failover, you cannot use a crossover cable."

2. Yes, 4 ports for public VLAN. I forgot about the VPN router...



Author Comment

by:ZJay
ID: 12079130
Cool... I will ask you more questions when I have them. For testing purposes should I use a hub or a Linksys switch between the two firewalls for the failover config check?
LVL 79

Expert Comment

by:lrmoore
ID: 12079198
For testing the stateful failover? You'll have to use a crossover because both interfaces must be set to 100/full-duplex and a hub is only half-duplex, and the Linksys switch is autosense only, I think...
Looking forward to more questions from you!

Author Comment

by:ZJay
ID: 12079589
So you just don't like the idea of using a crossover; you are fine with a serial connection and a switch-based cable connection for stateful failover?
LVL 79

Expert Comment

by:lrmoore
ID: 12079759
Absolutely!

Author Comment

by:ZJay
ID: 12128615
lrmoore,

Need your help again. This is what you suggested to me.

Setup restrictive access-list for client access (you can further limit to specific ports/protocols if you need to)
   access-list transit_in permit ip host <rtr A> host <server A>
   access-list transit_in permit ip host <rtr B> host <server B>
   access-list transit_in permit tcp host <rtr A> host <server A> eq 1433
   access-group transit_in in interface transit


I think this is erroneous. Say I am a 10.10.10.1 IP address host who is behind rtr A and I need access to server A. I go through rtr A, but my SOURCE addr doesn't change, right?

I am still 10.10.10.1 trying to go through the router (which terminates on the transit DMZ on the PIX) to access a server (which resides in the private network).

My point is: I need to add ACLs to allow all source traffic coming through the router to the server, or allow "any" traffic coming through the router to the server if I can't find all the source address subnets.

Also, after that point I need to add routes on the PIX that will let traffic headed to 10.10.10.1 go to the transit interface and a particular IP (that of rtr A).

Am I correct in these assumptions?

I am CONFUSEDDDD HERE

-Z
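As an added example, not part of this thread or of any Cisco software, the following Python models the two security-level rules lrmoore gives above together with the inbound access-lists from his sample config, using constructed addresses for the `<rtr A>` and `<server A>` placeholders and ignoring NAT statics and routing. Evaluating the untranslated packet from 10.10.10.1 that this comment asks about shows why a `host <rtr A>` source entry does not match it: the ACL is checked against the packet's own source address, not the router it arrived through.

```python
import ipaddress
# Security levels from ZJay's design (higher = more trusted) and the port names the ACLs use.
SECURITY_LEVELS = {"outside": 0, "DMZ": 30, "transit": 70, "inside": 100}
PORT_NAMES = {"www": 80, "smtp": 25}
# Constructed stand-ins for the <rtr A> / <server A> placeholders in the thread.
RTR_A, SERVER_A = "192.168.155.37", "192.168.122.8"
# Excerpt of lrmoore's sample config with those placeholders filled in.
PIX_CONFIG = f"""
access-list outside_in permit tcp any host 4.5.6.10 eq www
access-list outside_in permit tcp any host 4.5.6.11 eq smtp
access-group outside_in in interface outside
access-list transit_in permit tcp host {RTR_A} host {SERVER_A} eq 1433
access-group transit_in in interface transit
"""

def _addr(tok):
    """Consume one ACL address spec: 'any', 'host X' or 'NET MASK'."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}"), tok[2:]

def parse_config(text):
    """Return {interface: [(action, proto, src, dst, dport), ...]} for bound ACLs."""
    acls, bound = {}, {}
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[0] == "access-group":           # access-group NAME in interface IFACE
            bound[tok[4]] = tok[1]
            continue
        _, name, action, proto, *rest = tok    # access-list NAME ACTION PROTO SRC DST [eq PORT]
        src, rest = _addr(rest)
        dst, rest = _addr(rest)
        dport = None
        if rest[:1] == ["eq"]:                 # 'eq www' or 'eq 1433'
            dport = PORT_NAMES.get(rest[1]) or int(rest[1])
        acls.setdefault(name, []).append((action, proto, src, dst, dport))
    return {iface: acls[name] for iface, name in bound.items()}

def permitted(policy, ingress, egress, proto, src, dst, dport):
    """An inbound ACL on the ingress interface decides (implicit deny at its end);
    with no ACL bound, only higher-security to lower-security traffic passes."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if ingress in policy:
        for action, p, snet, dnet, port in policy[ingress]:
            if p in (proto, "ip") and s in snet and d in dnet and port in (None, dport):
                return action == "permit"
        return False
    return SECURITY_LEVELS[ingress] > SECURITY_LEVELS[egress]
```

Entries of the form `NET MASK` are parsed as well, so the same code can check a subnet-wide permit for the client hosts behind rtr A against the transit interface.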