Cisco Pix 501 - What options and best practice

Posted on 2004-11-28
Last Modified: 2013-11-16
I have the following scenario

A Windows SBS 2003 Server with ISA server and Exchange.
The server performs NAT at present
We have 14 IP addresses on a C IP address range 217.x.x.x (subnet mask = only two of these are currently used,  taken by the router and external nic respectively
Internal network  = private IP addresses with DHCP in the 10.x.x.x range and the internal nic with an IP address of

We now want to add in a Cisco Pix 501 Firewall and I would like to find the best way to configure and install it with the least disruption and change.  I had hoped to use it with the same IP range on both interfaces but have realised that solution is not possible and the firewall needs two different subnets.
I have thought of using the following setup
Router and external address of firewall with two of the 14 public IP addresses.
Internal interface of Pix with a second subnet eg. to external nic of server (or any private addresses on the same subnet)
Internal nic of server and internal network keeps existing IP addresses and scope (third subnet)

My question concerns the implications of changing my present setup to the above situation. Also the steps I would need to take and the changes I would need to make (if any) to Exchange and to other Apps. What I am not sure of is what I will need to take into consideration and to reconfigure for this change to work. I know the basics, such as how to configure IP addresses, but am not sure of the full implications of a basic configuration change such as this. I am not sure for example if the nics will continue to pass through in the same way, or whether ISA depends on having one of the public IP addresses. At present the default gateway is the ADSL router.

My idea was to leave ISA and the Cisco pix running concurrently for a while if possible.

Many thanks
Question by:beechfielder
    LVL 4

    Expert Comment

    Well, if ISA and the PIX are running concurrently then your clients will have to be using one as a default gateway and ignoring the other.  If you put the ISA server behind the PIX and have your clients Default Gateway changed to the ISA server you'll add another layer of security.  The Default Gateway of the ISA server would be the PIX, then the PIX's route would be the ADSL modem.

    route outside 0 0 <IP of ADSL Modem>

    The following IP's will be needed from the start:

    1 for your DSL modem
    1 for your PIX
    1 for your Mail

    The cool thing about the config is you can possibly switch subnets in between.  Example:

    The ADSL Router external NIC -> External IP
    The ADSL Router Internal NIC ->
    The PIX External IP ->
    The PIX Internal IP ->
    The ISA Server External IP ->
    The ISA Server Internal IP ->
    Clients Default Gateway ->

    The flipping of subnets and IP's will add a layer of security to your network that will make it very difficult to crack.  But it adds a layer of complexity for NAT statements that can get a bit confusing if not documented and maintained properly.

    As far as changes go, the main changes will be on your border and shouldn't affect your clients (Unless they are not on the 10.0.10.X subnet).  You will just need to change the PIX to have correct static mappings to the respective servers.  Example:

    access-list outside_access_in permit tcp any host <MailServerPublicIP> eq 25
    access-list outside_access_in permit tcp any host <MailServerPublicIP> eq 80
    access-group outside_access_in in interface outside
    static (inside,outside) <MailServerPublicIP> <MailServerIP> netmask 255.255.255.255 0 0

    An example of a static mapping for your mail server.  Add as many static mappings as needed for each application server you have that is public.

    The majority of the work will be done on the PIX as I'm assuming that the ADSL router doesn't have a built in firewall.  The same rules will need to be applied to the ISA servers external interface to allow the traffic through.

    I hope that's not too confusing...
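A fuller PIX OS 6.x configuration for the layered topology sketched above (ADSL router, PIX, ISA server, 10.x clients), written as an added example rather than taken from the expert's post. Addresses are placeholders: 217.0.0.0/28 stands in for the public range, 192.168.1.0/24 for the new subnet between the PIX inside interface and the ISA server's external NIC, and lines beginning with ! are comments.

```cisco
! PIX 501 sample config (constructed example, placeholder addresses)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
interface ethernet0 10baset
interface ethernet1 100full
ip address outside 217.0.0.3 255.255.255.240
ip address inside 192.168.1.1 255.255.255.0

! Default route points at the ADSL router's LAN-side public address
route outside 0.0.0.0 0.0.0.0 217.0.0.1 1
! The 10.x client network sits behind the ISA server's external NIC
route inside 10.0.10.0 255.255.255.0 192.168.1.2 1

! Outbound: hide both internal subnets behind the PIX outside address
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
nat (inside) 1 10.0.10.0 255.255.255.0 0 0

! Inbound: one public address per published server. With ISA in the path the
! static lands on the ISA external NIC, which then publishes Exchange (double NAT).
static (inside,outside) 217.0.0.5 192.168.1.2 netmask 255.255.255.255 0 0
access-list outside_access_in permit tcp any host 217.0.0.5 eq smtp
access-list outside_access_in permit tcp any host 217.0.0.5 eq www
access-group outside_access_in in interface outside

! Management only from the ISA server's external NIC, never from outside
ssh 192.168.1.2 255.255.255.255 inside
```

Everything not explicitly permitted by outside_access_in is dropped at the outside interface, so each additional published service needs its own static and access-list line, and the matching publishing rule must still exist on the ISA server.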
    LVL 1

    Assisted Solution

    The above is correct, exactly how I would do it, and it is a nice position to be in; always good to have that extra layer of security. The only thing to consider is the fact you will be double NATting, not routing, which would only really give you problems with VPN access into the network. But a nice Concentrator would fix that :)

    I would go with the above, let alone the fact that you will effectively have two firewalls: a layer 3 and 4 firewall looking at protocol and DDOS attacks etc., but also an application firewall on the ISA box.

    LVL 5

    Author Comment

    Thank you, and it was not at all confusing but very helpful.

    That is close to what I had in mind, but a little different in that I was going to set it up as follows

    Router External IP (only 1 IP address)
    Pix external interface > External IP
    Pix internal interface >
    External Nic of server >
    Internal Nic of server >

    Does this setup sound feasible?

    This gives one less subnet and I am hoping will make it a bit less complicated and means the router can keep its current config.   At present I think that maybe I will only keep the ISA for any outbound stuff and just slacken it off for everything inbound and let the pix take care of that.

    I have started to configure the pix, giving it external and internal ip addresses.  I have not used a Cisco firewall before and this will be a learning process for me.

    LVL 1

    Expert Comment

    lol have fun !!! as for your suggestions above they look ok to me
    LVL 4

    Accepted Solution

    What you have mentioned is feasible and will be successful.  I have configured a similar configuration before where all internal traffic went through the ISA server for caching and blocking websites, and all external traffic coming in went through a PIX because of a more secure, robust firewall.  Of course, it was ISA 2000 and I haven't tried 2003 yet to see if it's more flexible.

    As beechfielder mentioned, a VPN in my proposed solution would be a nightmare to configure.  However, if you go with the config that you're proposing, with the PIX and the ISA Server in parallel, it should be pretty simple.  This would allow your users to work from home or remotely.

    If you have any questions about the PIX config, post them and we should be able to answer.  Or, you can post on the Cisco Forums located here:

    Good Luck!
    LVL 5

    Author Comment

    Thank you very much! That is the configuration I am going to go with.
