Improve company productivity with a Business Account.Sign Up

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1015
  • Last Modified:

Cisco PIX 501 in "bridge mode"?


Hi all,

Does anyone know how I can configure a 501 as a bridge to simply FW all incoming traffic without impacting our IP addressing scheme? Here's a bit of detail about our setup:

We're in a hosting centre and have a /28. We're connected to their layer3 switch and traffic is routed in that way. I'm at a bit of a loss as to how I can set a FW up to filter all traffic coming into my /28 without changing any of my IP addresses. (this is not an option)

The thought I had was to have the physical connection land on the PIX and somehow configure it as a bridge, but I'm not really sure *how* to do that!

Any help greatfully appreciated!
0
trustive
Asked:
trustive
  • 7
  • 6
  • 3
  • +1
2 Solutions
 
rsivanandanCommented:
If it had been a high end model then you could have the 'transparent mode' operation (stealth firewall) with 7.x code but this code is not supported on PIX 501 device.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_qanda_item09186a00805b87d8.shtml#q1

Cheers,
Rajesh
0
 
trustiveAuthor Commented:
Thanks Rajesh...

No ideas of how I could do it on a 501? It's all I've got to work with right now...
0
 
rsivanandanCommented:
Actually No, since it is supported only from 7.x version of Pix OS and this one will not run on 501 box since it is a small one :-(

Unless there is an ip schema change, I don't see anyway you can have the firewall there.

Cheers,
Rajesh
0
Improved Protection from Phishing Attacks

WatchGuard DNSWatch reduces malware infections by detecting and blocking malicious DNS requests, improving your ability to protect employees from phishing attacks. Learn more about our newest service included in Total Security Suite today!

 
lrmooreCommented:
Agree with Rajesh.
No can do with 501 my friend. Sorry.
You can put one of the /28 IP's on the PIX outside and put private IP's on your systems and the PIX inside and route through it.
It would require changing all the IP addresses, but you can re-map them to the same public IP on the PIX.
You do know that the 501 is limited to 4Mb throughput, don't you? It is a soho box not designed for commercial or data center use..
0
 
trustiveAuthor Commented:
Thanks guys...

I knew about the bandwidth limitations, but that's not terribly important right now because we're limited to 2Mb/4Mb burstable on our current connection anyway.

This is a small box that I recovered from the old setup (replaced with 515FEs) and was hoping to re-use it for something useful.

Thanks anyway for your help!
0
 
lrmooreCommented:
The 515 or bigger running 7.x, or the ASA5500 does provide a L2 "drop in" mode
0
 
trustiveAuthor Commented:
Thanks lrmoore,

That's kind of what I'm thinking... to see if I can't "borrow" two interfaces off one of the 515s and try to sort it that way. Not sure yet if I can.
0
 
lrmooreCommented:
You might be in luck if you set up a new context and those two interfaces are'nt being used. There may be some restrictions on running in both L3 and L2 modes, even if they are in different contexts.
0
 
prueconsultingCommented:
You could potentially also apply /30 addresses to each of the interfaces ( it woudl eat 2 of your addresses ) but I have done this with other machines running 6.3 code to keep them in the same Ip space and just confgure them kind of like routed interfaces.

0
 
trustiveAuthor Commented:
Thanks for the idea prueconsulting, unfortunately, I don't control the address space. We could, ostensibly, purchase a /30 from them, but with what we're already paying, I don't think the boss is gonna go for it!!

0
 
rsivanandanCommented:
There are several ways to do it but unfortunately it will all boil down to ip schema change.

Cheers,
Rajesh
0
 
trustiveAuthor Commented:
Thanks Rajesh,

That much I had assumed unless, of course, I could put the FW into transparent mode.

Too bad the 501 doesn't allow it. :-(
0
 
rsivanandanCommented:
Its a little old and going to be retired soon as well since comparable models in Cisco's new series have arrived in the market ASA 5505.

Cheers,
Rajesh
0
 
trustiveAuthor Commented:
Hmm... well, let's change the direction of this question a little bit then...

Can you guys tell me what is the simplest, least expensive FW that I can put in bridge/transparent mode?

Thanks!
0
 
rsivanandanCommented:
That is a little easy. Comparable to Cisco's PIX 501, there is a Juniper firewall which infact gives more for the money you pay. NS5gt. Checkout that at www.juniper.net

Cisco PIX -> Around 600 dollars for 10 user license
Juniper NS5gt -> Around 700 dollars for 10 user license.

In this 5gt, you get transparent mode, Deep Inspection (which is Intrusion Prevention). A wonderful product for the money.

Cheers,
Rajesh
0
 
trustiveAuthor Commented:
Thanks Rajesh, I'll definitely have a look at it!

To be honest, I've only just started working with Pix - I've always been a Checkpoint person for FWs.
0
 
prueconsultingCommented:
ASA 5505 is street priced around 450.00 for a 10 user license.
0
 
rsivanandanCommented:
Learning wise you would definitely feel easy with the Juniper Netscreen firewall. I'm really liking it now.

Cheers,
Rajesh
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Worried about phishing attacks?

90% of attacks start with a phish. It’s critical that IT admins and MSSPs have the right security in place to protect their end users from these phishing attacks. Check out our latest feature brief for tips and tricks to keep your employees off a hackers line!

  • 7
  • 6
  • 3
  • +1
Tackle projects and never again get stuck behind a technical roadblock.
Join Now