Cisco PIX 515 with DMZ setup
Posted on 2006-04-13
I am planning to replace an IPCop (Linux) firewall with a Cisco PIX 515 with DMZ, and need some assistance as to what has to be set up to achieve the following:
- Outside public IP 84.x.x.150, subnet 255.255.255.252, default gw 84.x.x.149
- Inside IPs (official) in the 217.x.x.128 network (addresses 129->), subnet 255.255.255.192, gw 217.x.x.129
- Servers in the DMZ with certain ports open (smtp, ssl, ftp, http, https, pop, imap), all official IPs in here too (217.x.x.225->), subnet 255.255.255.224, gw 217.x.x.225. DMZ servers available from both outside and inside.
- I do NOT want NAT on the inside, all hosts on the inside have to get all incoming traffic unless specifically blocked (severe problems with IP telephony on the current NAT'ed hosts)
- VPN from outside to reach inside hosts (217.x.x.128 network) with access to PDM from VPN hosts.
- Currently a PIX501 inside the DMZ is used for VPN to the management network (192.168.1.x); it has to have ALL traffic allowed through to it... (Maybe this could be eliminated, and a separate VPN setup for this used in the 515?) The hosts between the PIX should have access to the Internet (UPSes and other devices that send emails)
- Traffic logging to MRTG
Might be some things I have forgotten, please request any missing info and feel free to suggest changes if necessary.
Hopefully this will get us started...? :)
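As an added starting point, not the poster's own configuration or a reply from the thread, the fragment below sketches the non-NAT three-interface layout the post asks for in PIX 6.x syntax: identity exemption so the inside and DMZ keep their official addresses, a DMZ ACL limited to the listed services, an inside ACL that admits everything except explicit denies, plus PDM access and SNMP for MRTG. The VPN part is left out. Assumptions: the redacted octets are written as 0.0 as placeholders, interface names follow a 515 with a third NIC, and the DMZ server 217.0.0.226, the management station 217.0.0.130 and the two example deny lines are hypothetical.

```cisco
! PIX 6.x syntax. Placeholder octets (0.0) and the hosts .226 / .130 are assumptions.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 84.0.0.150 255.255.255.252
ip address inside 217.0.0.129 255.255.255.192
ip address dmz 217.0.0.225 255.255.255.224
route outside 0.0.0.0 0.0.0.0 84.0.0.149 1
!
! No NAT: exempt both official networks from translation (nat 0 with an ACL
! is bidirectional, so inbound connections need only an access-group to pass)
access-list NONAT permit ip 217.0.0.128 255.255.255.192 any
access-list NONAT permit ip 217.0.0.224 255.255.255.224 any
nat (inside) 0 access-list NONAT
nat (dmz) 0 access-list NONAT
!
! Outside -> DMZ: only the listed services to the named server.
! Outside -> inside: explicit denies first, then everything else (as requested).
access-list OUTSIDE_IN remark DMZ mail/web/ftp server (hypothetical host .226)
access-list OUTSIDE_IN permit tcp any host 217.0.0.226 eq smtp
access-list OUTSIDE_IN permit tcp any host 217.0.0.226 eq pop3
access-list OUTSIDE_IN permit tcp any host 217.0.0.226 eq imap4
access-list OUTSIDE_IN permit tcp any host 217.0.0.226 eq www
access-list OUTSIDE_IN permit tcp any host 217.0.0.226 eq https
access-list OUTSIDE_IN permit tcp any host 217.0.0.226 eq ftp
access-list OUTSIDE_IN remark example of "specifically blocked" inside ports
access-list OUTSIDE_IN deny tcp any 217.0.0.128 255.255.255.192 eq 135
access-list OUTSIDE_IN deny tcp any 217.0.0.128 255.255.255.192 range 137 139
access-list OUTSIDE_IN permit ip any 217.0.0.128 255.255.255.192
access-group OUTSIDE_IN in interface outside
!
! DMZ -> inside is lower -> higher security and is denied unless listed;
! DMZ -> outside (UPSes sending mail) is permitted as higher -> lower.
access-list DMZ_IN deny ip 217.0.0.224 255.255.255.224 217.0.0.128 255.255.255.192
access-list DMZ_IN permit ip 217.0.0.224 255.255.255.224 any
access-group DMZ_IN in interface dmz
!
! PDM from the inside network only; SNMP polling and syslog for MRTG/logging
http server enable
http 217.0.0.128 255.255.255.192 inside
snmp-server host inside 217.0.0.130 poll
snmp-server community REPLACE-WITH-LONG-RANDOM-STRING
logging on
logging trap informational
logging host inside 217.0.0.130
```

Because inside -> DMZ and DMZ -> inside both match the NONAT exemption, DMZ servers stay reachable from the inside by their real addresses, while the DMZ_IN deny line keeps a compromised DMZ host from initiating connections back into the inside network.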