Solved

Help understanding the layout, addressing scheme, and NAT of a PIX Firewall behind a Cisco router

Posted on 2004-10-12
Last Modified: 2013-11-29
Hello.
I have been trying to figure out the network layout of a PIX behind a router. In particular, I want to understand the public/private addresses to be used on the different interfaces, the routing scheme, and where NAT would occur. It would be a simple layout of a LAN that is presently using a Cisco router (1700 series) to connect to a DSL line for internet service. Would the firewall be placed in between the LAN and the router? Would I have to create a unique LAN between the router and the firewall (using a scheme different from the LAN)? Or would the PIX just be given 2 private addresses that are a part of the LAN, and directly connected to the private interface of the router? Thanks in advance.
Question by:effincomputers
4 Comments
 
LVL 1

Expert Comment

by:WanMan
ID: 12285747
At its simplest, the layout would be as follows:

---Internet-----Router-----Pix Firewall----Internal LAN

You actually don't even need the router in this case, since the Pix can perform that function, although you would need to replace your router with an ADSL modem with RJ45 output.

Assuming that you only have one IP address allowed, then your PIX firewall will use that address and NAT everything behind it. Anything outgoing would appear to come from that address, and incoming traffic could be re-directed depending on the port.

If you wanted to leave the router in place then the situation gets a little more complex. You would need to create a "DMZ" or "De-militarised Zone" between the router and the firewall and, unless your ISP will assign you a range of addresses, this will need to be a private range (I suggest 192.168.x.x, although you could use 10.x.x.x or 172.24.. See RFC1918 and successors). For the DMZ, as there are only two attached devices (your PIX and your router) then a 30-bit subnet would be fine (255.255.255.252) although you could use a smaller subnet, giving you more addresses if required.

Does that help?
 

Author Comment

by:effincomputers
ID: 12285856
Thanks for the reply.

So a PIX (506) can entirely replace a router?

If I went with a DMZ, would it be like this example:
LAN- 192.168.1......
Internal interface of firewall- 192.168.1.X
outer interface of firewall- 192.168.2..x
internal interface of router- 192.168.2.x
outer interface of router- public IP

Thanks again.
 
LVL 1

Accepted Solution

by:
WanMan earned 500 total points
ID: 12286257
Perfect!

Got it in one.

The default gateway for all internal hosts would be the internal address of the PIX, the default gateway for the PIX would be the internal address of the router, and the router will handle its default gateway all on its ownsome!

For more info on the PIX 506 go here: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/prod_configuration_examples_list.html

I wouldn't say the PIX is *entirely* able to replace a router, but it can perform routing functionality in the sense that you appear to be talking about.
 
LVL 5

Expert Comment

by:netspec01
ID: 12286259
If you are not allowing inbound traffic (public web/ftp/mail server) that will work fine. The IP addressing that you describe is very typical for dynamically assigned ADSL/cable type connections.

If you are assigned a static block of IP addresses and you are allowing inbound traffic to your servers you will have a different set up.  Your internal interface of router and outer interface of firewall would typically be global (routable) addresses.
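
The addressing plan and default-gateway chain worked out in this thread, checked in code. This is an added example, not written by any of the posters: it verifies that each gateway is on-link and owned by the next hop, flags a device with two interfaces in one subnet, and reports the device where private addressing meets public addressing and NAT is therefore required. The host numbers, the `lan-host` row and the 203.0.113.0/24 ISP side are constructed assumptions.

```python
import ipaddress as ip
from itertools import combinations

RFC1918 = [ip.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed values filling in the thread's 192.168.1.x / 192.168.2.x plan.
# 203.0.113.0/24 is a documentation range standing in for the ISP side.
# Rows: (device, interface, address/prefix, default gateway or None)
THREAD_PLAN = [
    ("lan-host", "nic",     "192.168.1.10/24", "192.168.1.1"),
    ("pix",      "inside",  "192.168.1.1/24",  None),
    ("pix",      "outside", "192.168.2.2/30",  "192.168.2.1"),
    ("router",   "inside",  "192.168.2.1/30",  None),
    ("router",   "outside", "203.0.113.2/24",  "203.0.113.1"),
]

def is_rfc1918(addr):
    return any(addr in net for net in RFC1918)

def check_plan(plan):
    """Return problems: off-link or unowned gateways, overlapping subnets."""
    rows = [(d, n, ip.ip_interface(a), ip.ip_address(g) if g else None)
            for d, n, a, g in plan]
    owner = {i.ip: d for d, _, i, _ in rows}
    problems = []
    for dev, name, iface, gw in rows:
        if gw is None:
            continue
        if gw not in iface.network:
            problems.append(f"{dev}/{name}: gateway {gw} not on-link in {iface.network}")
        elif is_rfc1918(gw) and owner.get(gw, dev) == dev:
            problems.append(f"{dev}/{name}: no other device owns gateway {gw}")
    # A routing device cannot hold two interfaces in one subnet, and distinct
    # segments must not overlap (identical subnets on different devices are fine).
    for (d1, n1, i1, _), (d2, n2, i2, _) in combinations(rows, 2):
        if i1.network.overlaps(i2.network) and (d1 == d2 or i1.network != i2.network):
            problems.append(f"{d1}/{n1} and {d2}/{n2}: {i1.network} overlaps {i2.network}")
    return problems

def nat_boundary(plan):
    """Devices with both an RFC 1918 and a public interface: NAT is required there."""
    kinds = {}
    for dev, _, addr, _ in plan:
        kinds.setdefault(dev, set()).add(is_rfc1918(ip.ip_interface(addr).ip))
    return sorted(d for d, k in kinds.items() if k == {True, False})
```

For the thread's layout the boundary is the router; with a routable block between router and PIX, as in the last comment, it moves to the PIX.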
