
Cisco PIX 501 in "bridge mode"?

Posted on 2006-10-20
Last Modified: 2013-11-16

Hi all,

Does anyone know how I can configure a 501 as a bridge to simply FW all incoming traffic without impacting our IP addressing scheme? Here's a bit of detail about our setup:

We're in a hosting centre and have a /28. We're connected to their layer3 switch and traffic is routed in that way. I'm at a bit of a loss as to how I can set a FW up to filter all traffic coming into my /28 without changing any of my IP addresses. (this is not an option)

The thought I had was to have the physical connection land on the PIX and somehow configure it as a bridge, but I'm not really sure *how* to do that!

Any help gratefully appreciated!
0
Question by:trustive
18 Comments
 
LVL 32

Accepted Solution

by:
rsivanandan earned 1200 total points
ID: 17772333
If it had been a high end model then you could have the 'transparent mode' operation (stealth firewall) with 7.x code but this code is not supported on PIX 501 device.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_qanda_item09186a00805b87d8.shtml#q1

Cheers,
Rajesh
0
 

Author Comment

by:trustive
ID: 17772358
Thanks Rajesh...

No ideas of how I could do it on a 501? It's all I've got to work with right now...
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17772718
Actually No, since it is supported only from 7.x version of Pix OS and this one will not run on 501 box since it is a small one :-(

Unless there is an ip schema change, I don't see any way you can have the firewall there.

Cheers,
Rajesh
0
 
LVL 79

Assisted Solution

by:lrmoore
lrmoore earned 800 total points
ID: 17772742
Agree with Rajesh.
No can do with 501 my friend. Sorry.
You can put one of the /28 IPs on the PIX outside and put private IPs on your systems and the PIX inside and route through it.
It would require changing all the IP addresses, but you can re-map them to the same public IP on the PIX.
You do know that the 501 is limited to 4Mb throughput, don't you? It is a soho box not designed for commercial or data center use.
0
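The routed alternative described in the answer above, sketched as an added example in PIX 6.3 syntax (not configuration posted by anyone in the thread). It assumes the "re-map" means one-to-one static NAT; every address is a constructed placeholder, and the lines beginning with `:` are annotations for the reader.

```cisco
: Constructed placeholders:
:   203.0.113.0/28   stands in for the hosted /28
:   203.0.113.1      stands in for the hosting centre's gateway
:   192.168.10.0/24  stands in for the new private inside range
nameif ethernet0 outside security0
nameif ethernet1 inside security100

: One address from the /28 goes on the PIX outside interface.
ip address outside 203.0.113.2 255.255.255.240
ip address inside 192.168.10.1 255.255.255.0

: One-to-one statics: each server is renumbered to a private address
: but stays reachable on the public address it had before.
static (inside,outside) 203.0.113.3 192.168.10.3 netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.4 192.168.10.4 netmask 255.255.255.255 0 0

: Inbound policy: permit only the published services per host.
: The explicit deny mirrors the implicit one so drops show up in hit counts.
access-list outside_in permit tcp any host 203.0.113.3 eq www
access-list outside_in permit tcp any host 203.0.113.3 eq 443
access-list outside_in permit tcp any host 203.0.113.4 eq smtp
access-list outside_in deny ip any any
access-group outside_in in interface outside

: Default route towards the hosting centre's layer 3 switch.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
```

With this layout the servers use the PIX inside address as their default gateway, and the PIX answers ARP on the outside segment for each static address, so nothing changes on the hosting centre's side.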
 

Author Comment

by:trustive
ID: 17772781
Thanks guys...

I knew about the bandwidth limitations, but that's not terribly important right now because we're limited to 2Mb/4Mb burstable on our current connection anyway.

This is a small box that I recovered from the old setup (replaced with 515FEs) and was hoping to re-use it for something useful.

Thanks anyway for your help!
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 17772865
The 515 or bigger running 7.x, or the ASA5500 does provide a L2 "drop in" mode
0
 

Author Comment

by:trustive
ID: 17772896
Thanks lrmoore,

That's kind of what I'm thinking... to see if I can't "borrow" two interfaces off one of the 515s and try to sort it that way. Not sure yet if I can.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 17773110
You might be in luck if you set up a new context and those two interfaces aren't being used. There may be some restrictions on running in both L3 and L2 modes, even if they are in different contexts.
0
 
LVL 11

Expert Comment

by:prueconsulting
ID: 17775889
You could potentially also apply /30 addresses to each of the interfaces (it would eat 2 of your addresses) but I have done this with other machines running 6.3 code to keep them in the same IP space and just configure them kind of like routed interfaces.

0
 

Author Comment

by:trustive
ID: 17787070
Thanks for the idea prueconsulting, unfortunately, I don't control the address space. We could, ostensibly, purchase a /30 from them, but with what we're already paying, I don't think the boss is gonna go for it!!

0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17787367
There are several ways to do it but unfortunately it will all boil down to ip schema change.

Cheers,
Rajesh
0
 

Author Comment

by:trustive
ID: 17787403
Thanks Rajesh,

That much I had assumed unless, of course, I could put the FW into transparent mode.

Too bad the 501 doesn't allow it. :-(
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17788553
It's a little old and going to be retired soon as well since comparable models in Cisco's new series have arrived in the market: ASA 5505.

Cheers,
Rajesh
0
 

Author Comment

by:trustive
ID: 17840434
Hmm... well, let's change the direction of this question a little bit then...

Can you guys tell me what is the simplest, least expensive FW that I can put in bridge/transparent mode?

Thanks!
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17840508
That is a little easy. Comparable to Cisco's PIX 501, there is a Juniper firewall which in fact gives more for the money you pay. NS5gt. Check that out at www.juniper.net

Cisco PIX -> Around 600 dollars for 10 user license
Juniper NS5gt -> Around 700 dollars for 10 user license.

In this 5gt, you get transparent mode, Deep Inspection (which is Intrusion Prevention). A wonderful product for the money.

Cheers,
Rajesh
0
 

Author Comment

by:trustive
ID: 17840514
Thanks Rajesh, I'll definitely have a look at it!

To be honest, I've only just started working with Pix - I've always been a Checkpoint person for FWs.
0
 
LVL 11

Expert Comment

by:prueconsulting
ID: 17841290
ASA 5505 is street priced around 450.00 for a 10 user license.
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17841466
Learning wise you would definitely feel easy with the Juniper Netscreen firewall. I'm really liking it now.

Cheers,
Rajesh
0
