asked on

$500-600 Firewall that supports DMZ's??

I am shopping for a good Firewall (currently use a PIX 506) that supports a true DMZ configruation for our web servers..  not something silly like what you see on a Linksys $69 special.

Does anyone have some good advice on a Firewall that fits that description?  I've looked at the Sonicwalls "Pro's", but they are a bit overpriced, IMO.  What about the TZ series???
The Sonicwall tz170 has a dmz port you can assign a different ip address for the dmz and create access rules if you need the dmz to access the lan side otherwise the dmz can not access the lan.
ebay and newegg have the  new tz170's in your price range.
If you have a VLAN capable switch, your existing 506 will support splitting the inside interface in two and giving you a true DMZ.
Else take a look at the next-gen ASA5505
Vigor3300V Up to three of the WAN ports can be alternatively configured to be hardware DMZ ports for the isolated hosting of a public-facing server.

Can do failover or bonding


or the Netscreen but get a 25 off ebay
Hmm. lrmoore, can you give me the basic rundown of that how'd that?  Something I'd have to turn on within the PIX, then segment using the VLAN on the switch?

interface ethernet1 vlan2 logical  
nameif vlan2 intf2 security50
ip address vlan2
nat (vlan2) 1 0 0

The switcport to PIX interface must be a trunk port (they are auto by default).

Switch example create a new vlan2 and assign ports 14-24 to that vlan:
switch#vlan data
switch(vlan)#vlan 2 name internet
Apply completed
switch#config term
switch(config)#interface fast 0/1
switch(config-if)#descript PIX Firewall
switch(config-if)#switchport mode trunk
switch(config)#interface fast 0/2
switch(config-if)#descript AP1100
switch(config-if)#switchport mode trunk
switch(config-if)#interface range fast 0/14 - 24
switch(config-if)#switchport access vlan 2
switch#sho vlan

Anything plugged into switchport 14-24 is in your DMZ
I'd go with the Netscreen. It' is exactly what your looking for. With one correction, It has 5 Ports, 1 untrusted, and 4 you can set to whatever.

Bad Rajesh I'm telling your boss :)
Ha Ha Jabii :-) Actually the 'untrust' is left out, for him to play with there are 4 ports, that is what I meant! VLANS, PORT-MODES anything goes in there... a wonderful product... gonna buy one for myself at home :-)

*grin*  If I had internet at home... I would too... but in the meantime I keep 2 204's, a 5xt and a 5GT at home to play with :) not to mention what's on my desk at work ...00..

Jeez you have 2 204's ??? You're rich. I think the author would be happy with 5gts.

Thanks guys.. thinking the NetScreen-5GT seems most appealing..
Thx for the points and Believe me it is an amazing box! The reason I suggest is for the flexibility and 'feature-list' supported on it. PIX 501 is comparable to it but if you compare the datasheets for performance there is a difference, then again you don't get Deep Inspection (A minimal version of IPS) in PIX which I seem to be liking too much

A little suggestion or rather an advise, stick with 5.3r3 or 5.3r4 for the OS on it and don't upgrade it to 5.4r1 (Don't ask :-))

I'm affraid to...
Have a good reseller?