
Cisco Pix 501- What options and best practice

I have the following scenario

A Windows SBS 2003 Server with ISA server and Exchange.
The server performs NAT at present
We have 14 IP addresses in a class C IP address range 217.x.x.x (subnet mask = 255.255.255.240); only two of these are currently used, taken by the router and the external NIC respectively.
Internal network = private IP addresses with DHCP in the 10.x.x.x range, and the internal NIC with an IP address of 10.0.0.10.

We now want to add in a Cisco Pix 501 Firewall and I would like to find the best way to configure and install it with the least disruption and change. I had hoped to use it with the same IP range on both interfaces but have realised that solution is not possible and the firewall needs two different subnets.
 
I have thought of using the following setup:
Router and external address of firewall with two of the 14 public IP addresses.
Internal interface of Pix with a second subnet, e.g. 10.0.10.1, to the external NIC of the server at 10.0.10.10 (or any private addresses on the same subnet).
Internal NIC of server and internal network keep existing IP addresses and scope (third subnet).

My question concerns the implications of changing my present setup to the above situation, and also the steps I would need to take and the changes I would need to make (if any) to Exchange and to other apps. What I am not sure of is what I will need to take into consideration and to reconfigure for this change to work. I know the basics, such as how to configure IP addresses, but am not sure of the full implications of a basic configuration change such as this. I am not sure, for example, if the NICs will continue to pass through in the same way, or whether ISA depends on having one of the public IP addresses. At present the default gateway is the ADSL router.

My idea was to leave ISA and the Cisco pix running concurrently for a while if possible.

 
Many thanks
beechfielder Asked:
2 Solutions
 
dmoxCommented:
Well, if ISA and the PIX are running concurrently then your clients will have to be using one as a default gateway and ignoring the other. If you put the ISA server behind the PIX and have your clients' default gateway changed to the ISA server you'll add another layer of security. The default gateway of the ISA server would be the PIX, then the PIX's route would be the ADSL modem:

route outside 0.0.0.0 0.0.0.0 <IP of ADSL Modem> 1

The following IP's will be needed from the start:

1 for your DSL modem
1 for your PIX
1 for your Mail

The cool thing about this config is that you can switch subnets in between. Example:

The ADSL Router external NIC -> External IP
The ADSL Router Internal NIC -> 192.168.0.1
The PIX External IP -> 192.168.0.2
The PIX Internal IP -> 192.168.10.1
The ISA Server External IP -> 192.168.10.1
The ISA Server Internal IP -> 10.0.10.1
Clients Default Gateway -> 10.0.10.1

The flipping of subnets and IPs will add a layer of security to your network that will make it very difficult to crack. But it adds a layer of complexity for NAT statements that can get a bit confusing if not documented and maintained properly.

As far as changes go, the main changes will be on your border and shouldn't affect your clients (unless they are not on the 10.0.10.X subnet). You will just need to change the PIX to have correct static mappings to the respective servers. Example:

! Permit inbound SMTP and HTTP to the mail server's public address
access-list outside_access_in permit tcp any host <MailServerPublicIP> eq 25
access-list outside_access_in permit tcp any host <MailServerPublicIP> eq 80
! Apply the list to traffic arriving on the outside interface
access-group outside_access_in in interface outside
! One-to-one NAT from the public address to the internal mail server
static (inside,outside) <MailServerPublicIP> <MailServerIP> netmask 255.255.255.255 0 0

That is an example of a static mapping for your mail server. Add as many static mappings as needed for each application server you have that is public.

The majority of the work will be done on the PIX, as I'm assuming that the ADSL router doesn't have a built-in firewall. The same rules will need to be applied to the ISA server's external interface to allow the traffic through.

I hope that's not too confusing...
 
Blackduke77Commented:
The above is correct, exactly how I would do it, and it is a nice position to be in; it's always good to have that extra layer of security. The only thing to consider is the fact that you will be double NATting, not routing, which would only really give you problems with VPN access into the network. But a nice concentrator would fix that :)

I would go with the above, let alone the fact that you will effectively have two firewalls: you have a layer 3 and 4 firewall looking at protocol and DDoS attacks etc., but also an application firewall on the ISA box.

 
beechfielderAuthor Commented:
Thank you, and it was not at all confusing but very helpful.

That is close to what I had in mind, but a little different in that I was going to set it up as follows:

Router External IP (only 1 IP address)
Pix external interface > External IP
Pix internal interface > 192.168.1.1
External Nic of server > 192.168.1.5
Internal Nic of server > 10.0.10.1

Does this setup sound feasible?

This gives one less subnet, and I am hoping it will make it a bit less complicated and means the router can keep its current config. At present I think that maybe I will only keep the ISA for any outbound stuff and just slacken it off for everything inbound and let the Pix take care of that.

I have started to configure the Pix, giving it external and internal IP addresses. I have not used a Cisco firewall before and this will be a learning process for me.

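As an added example, not the configuration of either poster, here is how dmox's static mapping and access-list commands above would look applied to the addressing in this post on a PIX 501 running PIX OS 6.x. The 203.0.113.16/28 block is a constructed placeholder standing in for the 217.x.x.x/28 range, and the interface names, the ADSL router address (.17) and the two PIX public addresses (.18 for the outside interface, .19 for outbound PAT, .20 for the inbound static) are assumptions.

```cisco
! Added example (assumed PIX OS 6.x syntax), not from the original posts.
! Constructed addressing: public block 203.0.113.16/28 stands in for 217.x.x.x/28.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 203.0.113.18 255.255.255.240
ip address inside 192.168.1.1 255.255.255.0
!
! Default route to the ADSL router (metric 1)
route outside 0.0.0.0 0.0.0.0 203.0.113.17 1
!
! Outbound: hide the 192.168.1.0/24 link net (ISA external NIC) behind one public address
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
global (outside) 1 203.0.113.19
!
! Inbound: one-to-one mapping of a second public address to the ISA external NIC (192.168.1.5).
! ISA then publishes Exchange to the 10.0.10.x network behind it, so this is the double NAT
! Blackduke77 refers to, and ISA must still allow the same ports on its external interface.
static (inside,outside) 203.0.113.20 192.168.1.5 netmask 255.255.255.255 0 0
!
! Only SMTP and HTTP (Exchange / OWA) are permitted in; everything else is dropped
! by the implicit deny at the end of the list.
access-list outside_access_in permit tcp any host 203.0.113.20 eq 25
access-list outside_access_in permit tcp any host 203.0.113.20 eq 80
access-group outside_access_in in interface outside
```

The ISA server's external NIC (192.168.1.5) must use 192.168.1.1 as its default gateway for the return traffic to pass back through the PIX; the internal 10.0.10.x network keeps ISA as its gateway, as beechfielder intends.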

 
Blackduke77Commented:
lol, have fun!!! As for your suggestions above, they look OK to me.
 
dmoxCommented:
What you have mentioned is feasible and will be successful. I have configured a similar configuration before where all internal traffic went through the ISA server for caching and blocking websites, and all external traffic coming in went through a PIX because of a more secure, robust firewall. Of course, it was ISA 2000 and I haven't tried 2003 yet to see if it's more flexible.

As beechfielder mentioned, a VPN in my proposed solution would be a nightmare to configure. However, if you go with the config that you're proposing, with the PIX and the ISA Server in parallel, it should be pretty simple. This would allow your users to work from home or remotely.

If you have any questions about the PIX config, post them and we should be able to answer.  Or, you can post on the Cisco Forums located here:

http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&CommCmd=MB%3Fcmd%3Ddisplay_messages%26location%3D.ee6e1fa

Good Luck!
 
beechfielderAuthor Commented:
Thank you very much! That is the configuration I am going to go with.
