Solved

Cisco PIX 501 in "bridge mode"?

Posted on 2006-10-20
Last Modified: 2013-11-16

Hi all,

Does anyone know how I can configure a 501 as a bridge to simply FW all incoming traffic without impacting our IP addressing scheme? Here's a bit of detail about our setup:

We're in a hosting centre and have a /28. We're connected to their layer 3 switch and traffic is routed in that way. I'm at a bit of a loss as to how I can set a FW up to filter all traffic coming into my /28 without changing any of my IP addresses (this is not an option).

The thought I had was to have the physical connection land on the PIX and somehow configure it as a bridge, but I'm not really sure *how* to do that!

Any help gratefully appreciated!
Question by:trustive
LVL 32

Accepted Solution

by:
rsivanandan earned 300 total points
ID: 17772333
If it had been a high-end model then you could have the 'transparent mode' operation (stealth firewall) with 7.x code, but this code is not supported on the PIX 501 device.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_qanda_item09186a00805b87d8.shtml#q1

Cheers,
Rajesh

Author Comment

by:trustive
ID: 17772358
Thanks Rajesh...

No ideas of how I could do it on a 501? It's all I've got to work with right now...
LVL 32

Expert Comment

by:rsivanandan
ID: 17772718
Actually no, since it is supported only from the 7.x version of PIX OS, and this one will not run on the 501 box since it is a small one :-(

Unless there is an IP schema change, I don't see any way you can have the firewall there.

Cheers,
Rajesh
LVL 79

Assisted Solution

by:lrmoore
lrmoore earned 200 total points
ID: 17772742
Agree with Rajesh.
No can do with 501 my friend. Sorry.
You can put one of the /28 IPs on the PIX outside, put private IPs on your systems and the PIX inside, and route through it.
It would require changing all the IP addresses, but you can re-map them to the same public IPs on the PIX.
You do know that the 501 is limited to 4Mb throughput, don't you? It is a SOHO box, not designed for commercial or data center use.
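As an added example (not from the page or any of the posters), here is the routed-mode layout lrmoore describes written out as a PIX 6.3 configuration for a 501. All addresses are constructed: 203.0.113.0/28 stands in for the hosted /28, 203.0.113.1 for the hosting centre's layer 3 switch, and 192.168.1.0/24 for the new private inside range.

```cisco
! Constructed PIX 6.3 example: interface names and addresses are placeholders.
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
! One address out of the /28 lands on the outside; hosts move to RFC 1918 space.
ip address outside 203.0.113.2 255.255.255.240
ip address inside 192.168.1.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
! Outbound traffic from the inside range is PAT'd to the outside interface address.
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
global (outside) 1 interface
! A one-to-one static keeps each server reachable on its former public address.
! The PIX answers ARP for 203.0.113.3 on the outside, so the hosting centre's
! layer 3 switch keeps routing the /28 exactly as before.
static (inside,outside) 203.0.113.3 192.168.1.3 netmask 255.255.255.255 0 0
! Only explicitly permitted inbound traffic reaches the static; everything else
! is dropped by the closing deny, which is logged so blocked attempts are visible.
access-list outside_in permit tcp any host 203.0.113.3 eq 80
access-list outside_in permit tcp any host 203.0.113.3 eq 443
access-list outside_in deny ip any any log
access-group outside_in in interface outside
```

The public addresses the hosting centre sees are unchanged; only the hosts behind the PIX renumber, which is the trade-off lrmoore points out.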

Author Comment

by:trustive
ID: 17772781
Thanks guys...

I knew about the bandwidth limitations, but that's not terribly important right now because we're limited to 2Mb/4Mb burstable on our current connection anyway.

This is a small box that I recovered from the old setup (replaced with 515FEs) and was hoping to re-use it for something useful.

Thanks anyway for your help!
LVL 79

Expert Comment

by:lrmoore
ID: 17772865
The 515 or bigger running 7.x, or the ASA 5500, does provide an L2 "drop-in" mode.

Author Comment

by:trustive
ID: 17772896
Thanks lrmoore,

That's kind of what I'm thinking... to see if I can't "borrow" two interfaces off one of the 515s and try to sort it that way. Not sure yet if I can.
LVL 79

Expert Comment

by:lrmoore
ID: 17773110
You might be in luck if you set up a new context and those two interfaces aren't being used. There may be some restrictions on running in both L3 and L2 modes, even if they are in different contexts.
LVL 11

Expert Comment

by:prueconsulting
ID: 17775889
You could potentially also apply /30 addresses to each of the interfaces (it would eat 2 of your addresses). I have done this with other machines running 6.3 code to keep them in the same IP space and just configure them kind of like routed interfaces.

Author Comment

by:trustive
ID: 17787070
Thanks for the idea prueconsulting, unfortunately, I don't control the address space. We could, ostensibly, purchase a /30 from them, but with what we're already paying, I don't think the boss is gonna go for it!!

LVL 32

Expert Comment

by:rsivanandan
ID: 17787367
There are several ways to do it, but unfortunately it will all boil down to an IP schema change.

Cheers,
Rajesh

Author Comment

by:trustive
ID: 17787403
Thanks Rajesh,

That much I had assumed unless, of course, I could put the FW into transparent mode.

Too bad the 501 doesn't allow it. :-(
LVL 32

Expert Comment

by:rsivanandan
ID: 17788553
It's a little old and going to be retired soon as well, since a comparable model in Cisco's new series, the ASA 5505, has arrived in the market.

Cheers,
Rajesh

Author Comment

by:trustive
ID: 17840434
Hmm... well, let's change the direction of this question a little bit then...

Can you guys tell me what is the simplest, least expensive FW that I can put in bridge/transparent mode?

Thanks!
LVL 32

Expert Comment

by:rsivanandan
ID: 17840508
That is a little easy. Comparable to Cisco's PIX 501, there is a Juniper firewall which in fact gives more for the money you pay: the NS5gt. Check it out at www.juniper.net

Cisco PIX -> Around 600 dollars for a 10 user license
Juniper NS5gt -> Around 700 dollars for a 10 user license.

In this 5gt, you get transparent mode and Deep Inspection (which is Intrusion Prevention). A wonderful product for the money.

Cheers,
Rajesh

Author Comment

by:trustive
ID: 17840514
Thanks Rajesh, I'll definitely have a look at it!

To be honest, I've only just started working with PIX - I've always been a Checkpoint person for FWs.
LVL 11

Expert Comment

by:prueconsulting
ID: 17841290
The ASA 5505 is street priced around 450.00 for a 10 user license.
LVL 32

Expert Comment

by:rsivanandan
ID: 17841466
Learning-wise, you would definitely feel at ease with the Juniper Netscreen firewall. I'm really liking it now.

Cheers,
Rajesh