Solved

Help understanding the layout, addressing scheme, and NAT of a PIX Firewall behind a cisco router

Posted on 2004-10-12
4
356 Views
Last Modified: 2013-11-29
Hello.
I have been trying to figure out the network layout of a PIX behind a router. In particular, I want to understand the public/private addresses to be used on the different interfaces, the routing scheme, and where NAT would occur. It would be a simple layout of a LAN that is presently using a Cisco router (1700 series) to connect to a DSL line for internet service. Would the firewall be place in between the LAN and the router? would I have to create a unique LAN between the router and the firewall (using a scheme different from the LAN)? Or would the pix just be given 2 private addresses that are a part of the LAN, and directly connected to the private interface of the router? Thanks in advance.
0
Comment
Question by:effincomputers
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 1

Expert Comment

by:WanMan
ID: 12285747
At its simplest, the layout would be as follows:

---Internet-----Router-----Pix Firewall----Internal LAN

You actually don't even need the router in this case, since the Pix can perform that function, although you would need to replace your router with an ADSL modem with RJ45 output.

Assuming that you only have one IP address allowed, then your PIX firewall will use that address and NAT everything behind it. Anything outgoing would appear to come from that address, and incoming traffic could be re-directed depending on the port.

If you wanted to leave the router in place then the situation gets a little more complex. YOu would need to create a "DMZ" or "De-militarised Zone" between the router and the firewall and, unless your ISP will assign you a range of addresses, this will need to be a private range, (I suggest 192.168.x.x, although you could use 10.x.x.x or 172.24.. See RFC1918 and successors). For the DMZ, as there are only two attached devices ( your pix and your router) then a 30-bit subnet would be fine (255.255.255.252) although you could use a smaller subnet, giving you more addresses if required.

Does that help?
0
 

Author Comment

by:effincomputers
ID: 12285856
Thanks for the reply.

So a PIX (506) can entirely replace a router?

If I went with  a DMZ, would it be like this example:
LAN- 192.168.1......
Internal interface of firewall- 192.168.1.X
outer interface of firewall- 192.168.2..x
internal interface of router- 192.168.2.x
outer interface of router- public IP

Thanks again.
0
 
LVL 1

Accepted Solution

by:
WanMan earned 500 total points
ID: 12286257
Perfect!

Got it in one.

The Default gateway for all internal hosts would be the internal address of the PIX, the default gateway for the PIX would be the internal address of the router and the router will handle its default gateway all on its ownsome!

For more info on the PIX 506 go here: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/prod_configuration_examples_list.html

I wouldn't say the PIX is *entirely* able to replace a router, but it can perform routing functionality in the sense that you appear to be talking about.
0
 
LVL 5

Expert Comment

by:netspec01
ID: 12286259
If you are not allowing inbound traffic (public web/ftp/mail server) that will work fine.  The ip addressing that you describe is very typical for dynamically assigned ADSL/cable type connections.

If you are assigned a static block of IP addresses and you are allowing inbound traffic to your servers you will have a different set up.  Your internal interface of router and outer interface of firewall would typically be global (routable) addresses.

0

Featured Post

VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

When you try to share a printer , you may receive one of the following error messages. Error message when you use the Add Printer Wizard to share a printer: Windows could not share your printer. Operation could not be completed (Error 0x000006…
WARNING:   If you follow the instructions here, you will wipe out your VTP and VLAN configurations.  Make sure you have backed up your switch!!! I recently had some issues with a few low-end Cisco routers (RV325) and I opened a case with Cisco TA…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Monitoring a network: why having a policy is the best policy? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the enormous benefits of having a policy-based approach when monitoring medium and large networks. Software utilized in this v…
Suggested Courses

627 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question