trustive
asked on
Cisco PIX 501 in "bridge mode"?
Hi all,
Does anyone know how I can configure a 501 as a bridge to simply FW all incoming traffic without impacting our IP addressing scheme? Here's a bit of detail about our setup:
We're in a hosting centre and have a /28. We're connected to their layer3 switch and traffic is routed in that way. I'm at a bit of a loss as to how I can set a FW up to filter all traffic coming into my /28 without changing any of my IP addresses. (this is not an option)
The thought I had was to have the physical connection land on the PIX and somehow configure it as a bridge, but I'm not really sure *how* to do that!
Any help greatfully appreciated!
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Actually No, since it is supported only from 7.x version of Pix OS and this one will not run on 501 box since it is a small one :-(
Unless there is an ip schema change, I don't see anyway you can have the firewall there.
Cheers,
Rajesh
Unless there is an ip schema change, I don't see anyway you can have the firewall there.
Cheers,
Rajesh
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thanks guys...
I knew about the bandwidth limitations, but that's not terribly important right now because we're limited to 2Mb/4Mb burstable on our current connection anyway.
This is a small box that I recovered from the old setup (replaced with 515FEs) and was hoping to re-use it for something useful.
Thanks anyway for your help!
I knew about the bandwidth limitations, but that's not terribly important right now because we're limited to 2Mb/4Mb burstable on our current connection anyway.
This is a small box that I recovered from the old setup (replaced with 515FEs) and was hoping to re-use it for something useful.
Thanks anyway for your help!
The 515 or bigger running 7.x, or the ASA5500 does provide a L2 "drop in" mode
ASKER
Thanks lrmoore,
That's kind of what I'm thinking... to see if I can't "borrow" two interfaces off one of the 515s and try to sort it that way. Not sure yet if I can.
That's kind of what I'm thinking... to see if I can't "borrow" two interfaces off one of the 515s and try to sort it that way. Not sure yet if I can.
You might be in luck if you set up a new context and those two interfaces are'nt being used. There may be some restrictions on running in both L3 and L2 modes, even if they are in different contexts.
You could potentially also apply /30 addresses to each of the interfaces ( it woudl eat 2 of your addresses ) but I have done this with other machines running 6.3 code to keep them in the same Ip space and just confgure them kind of like routed interfaces.
ASKER
Thanks for the idea prueconsulting, unfortunately, I don't control the address space. We could, ostensibly, purchase a /30 from them, but with what we're already paying, I don't think the boss is gonna go for it!!
There are several ways to do it but unfortunately it will all boil down to ip schema change.
Cheers,
Rajesh
Cheers,
Rajesh
ASKER
Thanks Rajesh,
That much I had assumed unless, of course, I could put the FW into transparent mode.
Too bad the 501 doesn't allow it. :-(
That much I had assumed unless, of course, I could put the FW into transparent mode.
Too bad the 501 doesn't allow it. :-(
Its a little old and going to be retired soon as well since comparable models in Cisco's new series have arrived in the market ASA 5505.
Cheers,
Rajesh
Cheers,
Rajesh
ASKER
Hmm... well, let's change the direction of this question a little bit then...
Can you guys tell me what is the simplest, least expensive FW that I can put in bridge/transparent mode?
Thanks!
Can you guys tell me what is the simplest, least expensive FW that I can put in bridge/transparent mode?
Thanks!
That is a little easy. Comparable to Cisco's PIX 501, there is a Juniper firewall which infact gives more for the money you pay. NS5gt. Checkout that at www.juniper.net
Cisco PIX -> Around 600 dollars for 10 user license
Juniper NS5gt -> Around 700 dollars for 10 user license.
In this 5gt, you get transparent mode, Deep Inspection (which is Intrusion Prevention). A wonderful product for the money.
Cheers,
Rajesh
Cisco PIX -> Around 600 dollars for 10 user license
Juniper NS5gt -> Around 700 dollars for 10 user license.
In this 5gt, you get transparent mode, Deep Inspection (which is Intrusion Prevention). A wonderful product for the money.
Cheers,
Rajesh
ASKER
Thanks Rajesh, I'll definitely have a look at it!
To be honest, I've only just started working with Pix - I've always been a Checkpoint person for FWs.
To be honest, I've only just started working with Pix - I've always been a Checkpoint person for FWs.
ASA 5505 is street priced around 450.00 for a 10 user license.
Learning wise you would definitely feel easy with the Juniper Netscreen firewall. I'm really liking it now.
Cheers,
Rajesh
Cheers,
Rajesh
ASKER
No ideas of how I could do it on a 501? It's all I've got to work with right now...