?
Solved

Pix 506 DMZ

Posted on 2006-10-19
9
Medium Priority
?
501 Views
Last Modified: 2011-09-20
Hello,

Here is our setup.

Internet ---> ISP Provided Cisco Router ----> Pix501 ---> Dell 3424 Switch

We just learned that we couldn't configure a DMZ with the 501 so we're heading out to purchase a 506.  I was wondering if someone could assist in what steps I'll need to take to configure the DMZ.  I'm not a high level networking person but I know the 506 only hast two IF's like the 501 but the 506 allows for the creation of VLAN's so support a DMZ.

Right now, our internal network  is on a 192.168.1.x scheme.  I set up a second vlan on the Dell switch and assigned 3 out of the 24 ports to it.  I'm simply looking for directions to follow once the 506 arrives in the mail.

Many thanks
0
Comment
Question by:msadexchman
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
9 Comments
 
LVL 12

Accepted Solution

by:
Freya28 earned 172 total points
ID: 17767230
pretty simple.  just assign the 3rd interface ont eh 506 with an address that is in the "dmz" vlan.  your hosts behind that vlan will have their defualt gateway as the address of hte dmz interface of the pix.  basically thats it.
0
 
LVL 10

Assisted Solution

by:Sorenson
Sorenson earned 164 total points
ID: 17767254
I think this thread will answer alot of your questions:  http://www.experts-exchange.com/Networking/Q_21399915.html

You will need to create the vlan interfaces on the pix:  http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a0080172786.html#wp1113411
Create a trunked port on the dell switch.  Force your dmz ports into the new vlan and configure the rules on the pix.

0
 
LVL 25

Assisted Solution

by:Cyclops3590
Cyclops3590 earned 164 total points
ID: 17769436
you need to make sure the switch handles 802.1q vlan tagging (can't anything made now days doesn't have it) but of course it requires your switch to be managed.

Take the inside interface on the 506 and on the port its plugged into on the switch set to trunk mode (like sorenson said)

then on the pix do this
int eth1 vlan2 logical
nameif vlan2 dmz
nat (dmz) 1 0 0
static (inside,dmz) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
static (dmz,inside) 192.168.3.0 192.168.3.0 netmask 255.255.255.0
static (dmz,outside) <public ip address of server> <dmz ip address of server>
access-list outside-in permit tcp any <public ip address> eq <port to open>
**repeat above until allowed all ports you want open
access-group outside-in in interface outside
clear xlate

vlan2 would be if you planned on using vlan number 2, if you want to use 20, then type vlan20 instead.
the number 1 for the nat command would change depending on the corresponding number you want to tie it to for the global command
the first two static commands make it so there is effectively a nonat between the inside and dmz interfaces so you can see the true ip of the client connecting on dmz servers and vice versa.
the third static is to do a translation between a public IP and the dmz server
you then do the acl and apply it, the clear xlate since you changed the translation table on the pix
0
WatchGuard's M Series Appliances - Miecom Approved

WatchGuard's newest M series appliances were put to the test by Miercom.  We had great results and outperformed all of our competitors in both stateless and stateful traffic throghput scenarios! Ready to see how your UTM appliance stacked up? Download the Miercom Report!

 

Author Comment

by:msadexchman
ID: 17827331
Cyclops.....I just checked my threads here for the first time in a while and didn't see your post.  I played around with this today but screwed my PIX up.  It's back to basic mode with not much of a config.  On the Switch, I simply select E1 and change the port settings to Trunk?  I don't have to set up any VLAN's on the switch?
0
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 17833044
>>On the Switch, I simply select E1 and change the port settings to Trunk?  
Not really sure what that means "E1", reference to switches.  Will have to look that up.  As for setting to Trunk, that is correct.  The other part is making sure its a 802.1q trunk and not something else like ISL.

>>I don't have to set up any VLAN's on the switch?
Maybe, maybe not.  Never dealt with a Dell switch.  Most of the time what I've seen (but I've only dealt with Cisco managed switches) the trunk will auto-pass all vlans over that link.  However, non-native vlan traffic may not be passed because the vlan database may need to be configured to process the specific vlan you are adding.

Again, the important thing here is knowing that the switch support 802.1q vlans.  If no, then what you want to do is not possible with the 506e.
0
 

Author Comment

by:msadexchman
ID: 17837005
I just checked and the Dell PowerConnect 3424 switch does support 801.1q vlans which is great.  I noticed in some other forums/groups that people were saying to set up the config so that you're using Ethernet0 to set up the VLAN but you're suggesting Ethernet1.

which is correct?  Again, I simply want a single VLAN to act as a DMZ

Many thanks
0
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 17837024
doesn't matter, i usually use eth0 as the outside interface and eth1 as the inside interface.
0

Featured Post

Will your db performance match your db growth?

In Percona’s white paper “Performance at Scale: Keeping Your Database on Its Toes,” we take a high-level approach to what you need to think about when planning for database scalability.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Powerful tools can do wonders, but only in the right hands.  Nowhere is this more obvious than with the cloud.
You deserve ‘straight talk’ from your cloud provider about your risk, your costs, security, uptime and the processes that are in place to protect your mission-critical applications.
NetCrunch network monitor is a highly extensive platform for network monitoring and alert generation. In this video you'll see a live demo of NetCrunch with most notable features explained in a walk-through manner. You'll also get to know the philos…
Monitoring a network: why having a policy is the best policy? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the enormous benefits of having a policy-based approach when monitoring medium and large networks. Software utilized in this v…
Suggested Courses

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question