Solved

Help understanding the layout, addressing scheme, and NAT of a PIX Firewall behind a cisco router

Posted on 2004-10-12
351 Views
Last Modified: 2013-11-29
Hello.
I have been trying to figure out the network layout of a PIX behind a router. In particular, I want to understand the public/private addresses to be used on the different interfaces, the routing scheme, and where NAT would occur. It would be a simple layout of a LAN that is presently using a Cisco router (1700 series) to connect to a DSL line for internet service. Would the firewall be placed in between the LAN and the router? Would I have to create a unique LAN between the router and the firewall (using a scheme different from the LAN)? Or would the PIX just be given 2 private addresses that are a part of the LAN, and directly connected to the private interface of the router? Thanks in advance.
Question by:effincomputers
4 Comments
 
LVL 1

Expert Comment

by:WanMan
ID: 12285747
At its simplest, the layout would be as follows:

---Internet-----Router-----Pix Firewall----Internal LAN

You actually don't even need the router in this case, since the PIX can perform that function, although you would need to replace your router with an ADSL modem with RJ45 output.

Assuming that you only have one IP address allowed, then your PIX firewall will use that address and NAT everything behind it. Anything outgoing would appear to come from that address, and incoming traffic could be re-directed depending on the port.

If you wanted to leave the router in place then the situation gets a little more complex. You would need to create a "DMZ" or "De-militarised Zone" between the router and the firewall and, unless your ISP will assign you a range of addresses, this will need to be a private range (I suggest 192.168.x.x, although you could use 10.x.x.x or 172.24.. See RFC1918 and successors). For the DMZ, as there are only two attached devices (your PIX and your router) then a 30-bit subnet would be fine (255.255.255.252) although you could use a smaller subnet, giving you more addresses if required.

Does that help?
 

Author Comment

by:effincomputers
ID: 12285856
Thanks for the reply.

So a PIX (506) can entirely replace a router?

If I went with a DMZ, would it be like this example:
LAN - 192.168.1.x
Internal interface of firewall - 192.168.1.x
Outer interface of firewall - 192.168.2.x
Internal interface of router - 192.168.2.x
Outer interface of router - public IP

Thanks again.
 
LVL 1

Accepted Solution

by: WanMan (earned 500 total points)
ID: 12286257
Perfect!

Got it in one.

The default gateway for all internal hosts would be the internal address of the PIX, the default gateway for the PIX would be the internal address of the router and the router will handle its default gateway all on its ownsome!

For more info on the PIX 506 go here: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/prod_configuration_examples_list.html

I wouldn't say the PIX is *entirely* able to replace a router, but it can perform routing functionality in the sense that you appear to be talking about.
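A worked configuration for the layout agreed on above, added here as an example; it is not from the original thread and not vendor-provided sample code. It assumes PIX OS 6.x syntax on the PIX 506, that the 1700's LAN port is FastEthernet0 and its DSL connection terminates on Dialer0, and the addresses from the thread: LAN 192.168.1.0/24, a 30-bit transit net 192.168.2.0/30 between PIX and router, and a dynamically assigned public address on the router. NAT happens twice: the PIX hides the LAN behind 192.168.2.2, and the router hides 192.168.2.2 behind the public address. Comment lines use the PIX `:` marker in the PIX part and the IOS `!` marker in the router part.

```cisco
: ===== PIX 506, PIX OS 6.x (added example; interface names and addresses assumed) =====
nameif ethernet0 outside security0
nameif ethernet1 inside security100
interface ethernet0 auto
interface ethernet1 auto
: Outer interface of the firewall: one end of the /30 transit net (usable hosts .1 and .2)
ip address outside 192.168.2.2 255.255.255.252
: Internal interface of the firewall: default gateway for every LAN host
ip address inside 192.168.1.1 255.255.255.0
: First NAT stage: every inside host is PAT'd to the PIX outside address (192.168.2.2)
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
: Default gateway of the PIX = internal interface of the router
route outside 0.0.0.0 0.0.0.0 192.168.2.1 1
: Nothing is permitted inbound: with no access-list applied to the outside interface,
: the PIX default (lower security level may not initiate to higher) denies it.

! ===== Cisco 1700, IOS (added example; FastEthernet0 / Dialer0 assumed) =====
! Internal interface of the router: the other end of the /30 transit net
interface FastEthernet0
 ip address 192.168.2.1 255.255.255.252
 ip nat inside
!
! Outer interface of the router: the existing DSL dialer (PPPoE/PPPoA details unchanged)
interface Dialer0
 ip address negotiated
 ip nat outside
!
! Second NAT stage: only the transit net needs to match, because the PIX has already
! translated 192.168.1.0/24 to 192.168.2.2. The router never sees LAN addresses.
access-list 1 permit 192.168.2.0 0.0.0.3
ip nat inside source list 1 interface Dialer0 overload
! The router's own default gateway: everything not on-link goes out the dialer
ip route 0.0.0.0 0.0.0.0 Dialer0
```

If the PIX were instead configured not to translate (a `nat (inside) 0` rule), the router would also need `ip route 192.168.1.0 255.255.255.0 192.168.2.2` and an `access-list 1` entry covering 192.168.1.0/24; with the double NAT above neither is needed. To check the result, `show xlate` and `show route` on the PIX should show the PAT entries and the default route via 192.168.2.1, and `show ip nat translations` on the router should show only 192.168.2.2 as an inside local address.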
 
LVL 5

Expert Comment

by:netspec01
ID: 12286259
If you are not allowing inbound traffic (public web/ftp/mail server) that will work fine. The IP addressing that you describe is very typical for dynamically assigned ADSL/cable type connections.

If you are assigned a static block of IP addresses and you are allowing inbound traffic to your servers you will have a different setup. Your internal interface of router and outer interface of firewall would typically be global (routable) addresses.

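The alternative netspec01 describes, added here as an example (not from the thread and not vendor sample code): the ISP routes a static block to the router, so the router stops translating, the link between router and PIX carries routable addresses, and the PIX publishes one internal server. 203.0.113.0/29 is a constructed placeholder for the assigned block; the interface names and the internal server address 192.168.1.10 are assumptions; the syntax is PIX OS 6.x. Only the lines that differ from the private-transit layout are shown, again with `:` comments on the PIX and `!` comments on the router.

```cisco
: ===== PIX 506, PIX OS 6.x: lines that change when the ISP assigns a routable block =====
: Outer interface now carries a routable address from the block (placeholder 203.0.113.0/29,
: usable hosts .1 to .6); the inside interface is unchanged
ip address outside 203.0.113.2 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
: Default gateway is still the router's internal interface, now also a public address
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
: Outbound users are still PAT'd, now directly to a public address (single NAT stage)
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
: Publish the internal web server (assumed 192.168.1.10) on a spare public address of the block
static (inside,outside) 203.0.113.3 192.168.1.10 netmask 255.255.255.255 0 0
: Only the published service is reachable from outside; all other inbound traffic stays denied
access-list outside_in permit tcp any host 203.0.113.3 eq www
access-group outside_in in interface outside

! ===== Cisco 1700, IOS: the router no longer translates anything =====
! Internal interface of the router: a routable address on the same /29 as the PIX outside
interface FastEthernet0
 ip address 203.0.113.1 255.255.255.248
 no ip nat inside
!
! Outer interface: WAN addressing stays as the ISP provides it; only the NAT role is removed
interface Dialer0
 no ip nat outside
!
no ip nat inside source list 1 interface Dialer0 overload
! The ISP already routes 203.0.113.0/29 to this router's WAN address, so a default route is all that is needed
ip route 0.0.0.0 0.0.0.0 Dialer0
```

The `no ip nat ...` lines assume the router was previously translating as in the private-transit layout; if it never was, they are simply unnecessary. On the PIX, `show xlate` should list the static mapping for 203.0.113.3, and `show access-list outside_in` shows hit counts as inbound connections to the published server are permitted while everything else is dropped by the implicit deny at the end of the list.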
