beechfielder


Cisco Pix 501- What options and best practice

I have the following scenario:

A Windows SBS 2003 Server with ISA Server and Exchange.
The server performs NAT at present.
We have 14 IP addresses on a class C IP address range 217.x.x.x (subnet mask = 255.255.255.240); only two of these are currently used, taken by the router and the external NIC respectively.
Internal network = private IP addresses with DHCP in the 10.x.x.x range, and the internal NIC with an IP address of 10.0.0.10.

We now want to add in a Cisco PIX 501 firewall, and I would like to find the best way to configure and install it with the least disruption and change. I had hoped to use it with the same IP range on both interfaces, but have realised that solution is not possible and the firewall needs two different subnets.

I have thought of using the following setup:
Router and external address of firewall with two of the 14 public IP addresses.
Internal interface of PIX with a second subnet, e.g. 10.0.10.1, to the external NIC of the server, 10.0.10.10 (or any private addresses on the same subnet).
Internal NIC of server and internal network keep existing IP addresses and scope (third subnet).

My question concerns the implications of changing my present setup to the above situation, and also the steps I would need to take and the changes I would need to make (if any) to Exchange and to other apps. What I am not sure of is what I will need to take into consideration and reconfigure for this change to work. I know the basics, such as how to configure IP addresses, but am not sure of the full implications of a basic configuration change such as this. I am not sure, for example, whether the NICs will continue to pass through in the same way, or whether ISA depends on having one of the public IP addresses. At present the default gateway is the ADSL router.

My idea was to leave ISA and the Cisco PIX running concurrently for a while, if possible.

Many thanks
dmox

Well, if ISA and the PIX are running concurrently, then your clients will have to use one as a default gateway and ignore the other. If you put the ISA server behind the PIX and have your clients' default gateway changed to the ISA server, you'll add another layer of security. The default gateway of the ISA server would be the PIX, then the PIX's route would be the ADSL modem:

route outside 0.0.0.0 0.0.0.0 <IP of ADSL Modem> 1

The following IPs will be needed from the start:

1 for your DSL modem
1 for your PIX
1 for your Mail

The cool thing about the config is that you can possibly switch subnets in between. Example:

The ADSL Router external NIC -> External IP
The ADSL Router Internal NIC -> 192.168.0.1
The PIX External IP -> 192.168.0.2
The PIX Internal IP -> 192.168.10.1
The ISA Server External IP -> 192.168.10.1
The ISA Server Internal IP -> 10.0.10.1
Clients Default Gateway -> 10.0.10.1

The flipping of subnets and IPs will add a layer of security to your network that will make it very difficult to crack. But it adds a layer of complexity for NAT statements that can get a bit confusing if not documented and maintained properly.

As far as changes go, the main changes will be on your border and shouldn't affect your clients (unless they are not on the 10.0.10.x subnet). You will just need to change the PIX to have correct static mappings to the respective servers. Example:

access-list outside_access_in permit tcp any host <MailServerPublicIP> eq 25
access-list outside_access_in permit tcp any host <MailServerPublicIP> eq 80
access-group outside_access_in in interface outside
static (inside,outside) <MailServerPublicIP> <MailServerIP> netmask 255.255.255.255 0 0

An example of a static mapping for your mail server. Add as many static mappings as needed for each application server you have that is public.

The majority of the work will be done on the PIX, as I'm assuming that the ADSL router doesn't have a built-in firewall. The same rules will need to be applied to the ISA server's external interface to allow the traffic through.

I hope that's not too confusing...

ASKER

Thank you, and it was not at all confusing but very helpful.

That is close to what I had in mind, but a little different, in that I was going to set it up as follows:

Router external IP (only 1 IP address)
PIX external interface > external IP
PIX internal interface > 192.168.1.1
External NIC of server > 192.168.1.5
Internal NIC of server > 10.0.10.1

Does this setup sound feasible?

This gives one less subnet, and I am hoping it will make it a bit less complicated and means the router can keep its current config. At present I think that maybe I will only keep the ISA for any outbound stuff and just slacken it off for everything inbound and let the PIX take care of that.

I have started to configure the PIX, giving it external and internal IP addresses. I have not used a Cisco firewall before, and this will be a learning process for me.
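Pulling dmox's route, static and access-list lines together on the addressing scheme in this post, here is an added example PIX 6.x configuration; it is not from anyone in the thread. The public addresses are placeholders from the 203.0.113.0/28 documentation range standing in for the 217.x.x.x /28: the router is assumed at .1, the PIX outside interface at .2, and .3 is the second public address mapped to the ISA external NIC at 192.168.1.5.

```cisco
! Added example PIX 6.x configuration for the plan above (not from the thread).
! Placeholders: 203.0.113.0/28 stands in for the 217.x.x.x /28;
! router = 203.0.113.1, PIX outside = 203.0.113.2, mail/OWA public = 203.0.113.3.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pix501
! Mailguard (fixup protocol smtp) rewrites ESMTP verbs and is known to interfere
! with Exchange; turn it off and rely on the access-list below for inbound SMTP.
no fixup protocol smtp 25
! Interface addressing: outside on the public /28, inside on the new 192.168.1.0/24
! that only the PIX and the ISA external NIC (192.168.1.5) share.
ip address outside 203.0.113.2 255.255.255.240
ip address inside 192.168.1.1 255.255.255.0
! Outbound: the static below covers the ISA server (statics are bidirectional and
! override dynamic NAT); the nat/global pair catches anything else on the segment.
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
! Inbound: the second public address is mapped 1:1 to the ISA external NIC.
static (inside,outside) 203.0.113.3 192.168.1.5 netmask 255.255.255.255 0 0
! Only SMTP and HTTP (OWA) are allowed in, and only to the mapped address;
! everything else arriving on outside is dropped by the implicit deny.
access-list outside_access_in permit tcp any host 203.0.113.3 eq smtp
access-list outside_access_in permit tcp any host 203.0.113.3 eq www
access-group outside_access_in in interface outside
! Default route via the ADSL router. 10.0.10.0/24 sits behind ISA's NAT, so the
! PIX never sees it; if ISA is later changed to route instead of NAT, add:
!   route inside 10.0.10.0 255.255.255.0 192.168.1.5 1
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
! Management: allow telnet to the PIX only from the ISA server on the inside.
telnet 192.168.1.5 255.255.255.255 inside
```

After applying it, `show xlate` should list the static for 192.168.1.5, and `show access-list` should show the hit counts on the two permit lines climbing as mail and OWA traffic arrives.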

lol have fun!!! As for your suggestions above, they look OK to me.

Thank you very much! That is the configuration I am going to go with.