Avatar of aconway


$500-600 Firewall that supports DMZ's??

I am shopping for a good firewall (currently use a PIX 506) that supports a true DMZ configuration for our web servers, not something silly like what you see on a Linksys $69 special.

Does anyone have some good advice on a firewall that fits that description? I've looked at the SonicWall "Pro"s, but they are a bit overpriced, IMO. What about the TZ series???
Avatar of jasonpaine

The SonicWall TZ170 has a DMZ port; you can assign a different IP address for the DMZ and create access rules if you need the DMZ to access the LAN side, otherwise the DMZ cannot access the LAN.
eBay and Newegg have the new TZ170s in your price range.
Avatar of rsivanandan

Avatar of Les Moore
If you have a VLAN capable switch, your existing 506 will support splitting the inside interface in two and giving you a true DMZ.
Otherwise, take a look at the next-gen ASA 5505.
Avatar of tim1731

Vigor3300V: up to three of the WAN ports can alternatively be configured as hardware DMZ ports for the isolated hosting of a public-facing server.

It can do failover or bonding.

Or the NetScreen, but get a 25 off eBay.
Avatar of aconway


Hmm. lrmoore, can you give me the basic rundown of how that'd work? Something I'd have to turn on within the PIX, then segment using the VLAN on the switch?

interface ethernet1 vlan2 logical  
nameif vlan2 intf2 security50
ip address vlan2
nat (vlan2) 1 0 0

The switchport to the PIX interface must be a trunk port (they are auto by default).

Switch example: create a new vlan2 and assign ports 14-24 to that VLAN:
switch#vlan database
switch(vlan)#vlan 2 name internet
Apply completed
switch#config term
switch(config)#interface fast 0/1
switch(config-if)#description PIX Firewall
switch(config-if)#switchport mode trunk
switch(config-if)#interface fast 0/2
switch(config-if)#description AP1100
switch(config-if)#switchport mode trunk
switch(config-if)#interface range fast 0/14 - 24
switch(config-if-range)#switchport access vlan 2
switch#show vlan

Anything plugged into switchports 14-24 is in your DMZ.
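The `security50` in the `nameif` line above is what makes the VLAN a real DMZ rather than just another LAN segment: a PIX forwards new connections from a higher-security interface to a lower one by default, and drops the reverse direction unless an explicit rule permits it. The following is an added illustration of that decision logic, not the PIX configuration from the post or Cisco code; the interface names, security levels, sample rules and flows are constructed assumptions.

```python
"""Toy model of PIX-style interface security levels, used to check what a
DMZ placed at security 50 can and cannot reach by default.
Added example; names, levels and flows below are constructed, not taken from
the PIX configuration posted above."""
from dataclasses import dataclass, field


@dataclass
class Interface:
    name: str
    security: int  # 0..100, higher means more trusted


@dataclass
class Rule:
    """Explicit permit from a lower-security interface to a higher one."""
    src_if: str
    dst_if: str
    dst_port: int  # 0 means any port


@dataclass
class Firewall:
    interfaces: dict = field(default_factory=dict)
    rules: list = field(default_factory=list)

    def add_interface(self, name, security):
        self.interfaces[name] = Interface(name, security)

    def permit(self, src_if, dst_if, dst_port=0):
        self.rules.append(Rule(src_if, dst_if, dst_port))

    def allows(self, src_if, dst_if, dst_port):
        """Default policy: higher security -> lower security is allowed;
        lower (or equal) -> higher is denied unless a rule permits it."""
        src = self.interfaces[src_if]
        dst = self.interfaces[dst_if]
        if src.security > dst.security:
            return True
        return any(
            r.src_if == src_if and r.dst_if == dst_if and r.dst_port in (0, dst_port)
            for r in self.rules
        )


def build_example():
    """Constructed three-interface layout: outside 0, DMZ 50, inside 100,
    with only HTTP/HTTPS opened from the Internet to the DMZ web server."""
    fw = Firewall()
    fw.add_interface("outside", 0)
    fw.add_interface("dmz", 50)      # matches the 'security50' VLAN interface
    fw.add_interface("inside", 100)
    fw.permit("outside", "dmz", 80)
    fw.permit("outside", "dmz", 443)
    return fw


def audit(fw, flows):
    """Return {(src, dst, port): allowed} so a change to the levels or rules
    can be checked against the intended DMZ isolation in one place."""
    return {(s, d, p): fw.allows(s, d, p) for s, d, p in flows}


if __name__ == "__main__":
    fw = build_example()
    for flow, ok in audit(fw, [("outside", "dmz", 80), ("outside", "dmz", 22),
                               ("dmz", "inside", 445), ("inside", "dmz", 22),
                               ("dmz", "outside", 80), ("outside", "inside", 80)]).items():
        print(flow, "ALLOW" if ok else "DENY")
```

The point the model makes explicit is that a compromised DMZ host (security 50) still cannot open connections into the inside network (security 100) unless someone adds a rule for it, which is the property the question is asking a "true DMZ" to provide; the `audit` function is where you would assert that no such rule has crept in.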
I'd go with the NetScreen. It is exactly what you're looking for. With one correction: it has 5 ports, 1 untrusted, and 4 you can set to whatever.

Bad Rajesh, I'm telling your boss :)
Ha ha Jabii :-) Actually the 'untrust' is left out; for him to play with there are 4 ports, that is what I meant! VLANs, port modes, anything goes in there... a wonderful product... gonna buy one for myself at home :-)

*grin* If I had internet at home I would too... but in the meantime I keep 2 204s, a 5XT and a 5GT at home to play with :) not to mention what's on my desk at work...

Jeez, you have 2 204s??? You're rich. I think the author would be happy with 5GTs.

Avatar of aconway


Thanks guys.. thinking the NetScreen-5GT seems most appealing..
Thanks for the points, and believe me, it is an amazing box! The reason I suggest it is the flexibility and the 'feature list' supported on it. The PIX 501 is comparable to it, but if you compare the datasheets for performance there is a difference; then again, you don't get Deep Inspection (a minimal version of IPS) in the PIX, which I seem to be liking too much.

A little suggestion, or rather a piece of advice: stick with 5.3r3 or 5.3r4 for the OS on it and don't upgrade it to 5.4r1 (don't ask :-)).

I'm afraid to...
Avatar of aconway


Have a good reseller?