Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Help understanding the layout, addressing scheme, and NAT of a PIX Firewall behind a cisco router

Posted on 2004-10-12
4
Medium Priority
?
357 Views
Last Modified: 2013-11-29
Hello.
I have been trying to figure out the network layout of a PIX behind a router. In particular, I want to understand the public/private addresses to be used on the different interfaces, the routing scheme, and where NAT would occur. It would be a simple layout of a LAN that is presently using a Cisco router (1700 series) to connect to a DSL line for internet service. Would the firewall be place in between the LAN and the router? would I have to create a unique LAN between the router and the firewall (using a scheme different from the LAN)? Or would the pix just be given 2 private addresses that are a part of the LAN, and directly connected to the private interface of the router? Thanks in advance.
0
Comment
Question by:effincomputers
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 1

Expert Comment

by:WanMan
ID: 12285747
At its simplest, the layout would be as follows:

---Internet-----Router-----Pix Firewall----Internal LAN

You actually don't even need the router in this case, since the Pix can perform that function, although you would need to replace your router with an ADSL modem with RJ45 output.

Assuming that you only have one IP address allowed, then your PIX firewall will use that address and NAT everything behind it. Anything outgoing would appear to come from that address, and incoming traffic could be re-directed depending on the port.

If you wanted to leave the router in place then the situation gets a little more complex. YOu would need to create a "DMZ" or "De-militarised Zone" between the router and the firewall and, unless your ISP will assign you a range of addresses, this will need to be a private range, (I suggest 192.168.x.x, although you could use 10.x.x.x or 172.24.. See RFC1918 and successors). For the DMZ, as there are only two attached devices ( your pix and your router) then a 30-bit subnet would be fine (255.255.255.252) although you could use a smaller subnet, giving you more addresses if required.

Does that help?
0
 

Author Comment

by:effincomputers
ID: 12285856
Thanks for the reply.

So a PIX (506) can entirely replace a router?

If I went with  a DMZ, would it be like this example:
LAN- 192.168.1......
Internal interface of firewall- 192.168.1.X
outer interface of firewall- 192.168.2..x
internal interface of router- 192.168.2.x
outer interface of router- public IP

Thanks again.
0
 
LVL 1

Accepted Solution

by:
WanMan earned 2000 total points
ID: 12286257
Perfect!

Got it in one.

The Default gateway for all internal hosts would be the internal address of the PIX, the default gateway for the PIX would be the internal address of the router and the router will handle its default gateway all on its ownsome!

For more info on the PIX 506 go here: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/prod_configuration_examples_list.html

I wouldn't say the PIX is *entirely* able to replace a router, but it can perform routing functionality in the sense that you appear to be talking about.
0
 
LVL 5

Expert Comment

by:netspec01
ID: 12286259
If you are not allowing inbound traffic (public web/ftp/mail server) that will work fine.  The ip addressing that you describe is very typical for dynamically assigned ADSL/cable type connections.

If you are assigned a static block of IP addresses and you are allowing inbound traffic to your servers you will have a different set up.  Your internal interface of router and outer interface of firewall would typically be global (routable) addresses.

0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this article, I am going to show you how to simulate a multi-site Lab environment on a single Hyper-V host. I use this method successfully in my own lab to simulate three fully routed global AD Sites on a Windows 10 Hyper-V host.
Originally, this post was published on Monitis Blog, you can check it here . It goes without saying that technology has transformed society and the very nature of how we live, work, and communicate in ways that would’ve been incomprehensible 5 ye…
Viewers will learn how to connect to a wireless network using the network security key. They will also learn how to access the IP address and DNS server for connections that must be done manually. After setting up a router, find the network security…
In this video we outline the Physical Segments view of NetCrunch network monitor. By following this brief how-to video, you will be able to learn how NetCrunch visualizes your network, how granular is the information collected, as well as where to f…
Suggested Courses

704 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question