Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 358
  • Last Modified:

Help understanding the layout, addressing scheme, and NAT of a PIX Firewall behind a cisco router

Hello.
I have been trying to figure out the network layout of a PIX behind a router. In particular, I want to understand the public/private addresses to be used on the different interfaces, the routing scheme, and where NAT would occur. It would be a simple layout of a LAN that is presently using a Cisco router (1700 series) to connect to a DSL line for internet service. Would the firewall be place in between the LAN and the router? would I have to create a unique LAN between the router and the firewall (using a scheme different from the LAN)? Or would the pix just be given 2 private addresses that are a part of the LAN, and directly connected to the private interface of the router? Thanks in advance.
0
effincomputers
Asked:
effincomputers
  • 2
1 Solution
 
WanManCommented:
At its simplest, the layout would be as follows:

---Internet-----Router-----Pix Firewall----Internal LAN

You actually don't even need the router in this case, since the Pix can perform that function, although you would need to replace your router with an ADSL modem with RJ45 output.

Assuming that you only have one IP address allowed, then your PIX firewall will use that address and NAT everything behind it. Anything outgoing would appear to come from that address, and incoming traffic could be re-directed depending on the port.

If you wanted to leave the router in place then the situation gets a little more complex. YOu would need to create a "DMZ" or "De-militarised Zone" between the router and the firewall and, unless your ISP will assign you a range of addresses, this will need to be a private range, (I suggest 192.168.x.x, although you could use 10.x.x.x or 172.24.. See RFC1918 and successors). For the DMZ, as there are only two attached devices ( your pix and your router) then a 30-bit subnet would be fine (255.255.255.252) although you could use a smaller subnet, giving you more addresses if required.

Does that help?
0
 
effincomputersAuthor Commented:
Thanks for the reply.

So a PIX (506) can entirely replace a router?

If I went with  a DMZ, would it be like this example:
LAN- 192.168.1......
Internal interface of firewall- 192.168.1.X
outer interface of firewall- 192.168.2..x
internal interface of router- 192.168.2.x
outer interface of router- public IP

Thanks again.
0
 
WanManCommented:
Perfect!

Got it in one.

The Default gateway for all internal hosts would be the internal address of the PIX, the default gateway for the PIX would be the internal address of the router and the router will handle its default gateway all on its ownsome!

For more info on the PIX 506 go here: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/prod_configuration_examples_list.html

I wouldn't say the PIX is *entirely* able to replace a router, but it can perform routing functionality in the sense that you appear to be talking about.
0
 
netspec01Commented:
If you are not allowing inbound traffic (public web/ftp/mail server) that will work fine.  The ip addressing that you describe is very typical for dynamically assigned ADSL/cable type connections.

If you are assigned a static block of IP addresses and you are allowing inbound traffic to your servers you will have a different set up.  Your internal interface of router and outer interface of firewall would typically be global (routable) addresses.

0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now