Solved

Cisco PIX 501 in "bridge mode"?

Posted on 2006-10-20
18
964 Views
Last Modified: 2013-11-16

Hi all,

Does anyone know how I can configure a 501 as a bridge to simply FW all incoming traffic without impacting our IP addressing scheme? Here's a bit of detail about our setup:

We're in a hosting centre and have a /28. We're connected to their layer3 switch and traffic is routed in that way. I'm at a bit of a loss as to how I can set a FW up to filter all traffic coming into my /28 without changing any of my IP addresses. (this is not an option)

The thought I had was to have the physical connection land on the PIX and somehow configure it as a bridge, but I'm not really sure *how* to do that!

Any help gratefully appreciated!
Question by:trustive
18 Comments
 
LVL 32

Accepted Solution

by:
rsivanandan earned 300 total points
ID: 17772333
If it had been a high end model then you could have the 'transparent mode' operation (stealth firewall) with 7.x code but this code is not supported on PIX 501 device.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_qanda_item09186a00805b87d8.shtml#q1

Cheers,
Rajesh
 

Author Comment

by:trustive
ID: 17772358
Thanks Rajesh...

No ideas of how I could do it on a 501? It's all I've got to work with right now...
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17772718
Actually No, since it is supported only from 7.x version of Pix OS and this one will not run on 501 box since it is a small one :-(

Unless there is an IP schema change, I don't see any way you can have the firewall there.

Cheers,
Rajesh
 
LVL 79

Assisted Solution

by:lrmoore
lrmoore earned 200 total points
ID: 17772742
Agree with Rajesh.
No can do with 501 my friend. Sorry.
You can put one of the /28 IPs on the PIX outside and put private IPs on your systems and the PIX inside and route through it.
It would require changing all the IP addresses, but you can re-map them to the same public IP on the PIX.
You do know that the 501 is limited to 4Mb throughput, don't you? It is a SOHO box not designed for commercial or data center use.
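The re-mapping lrmoore describes, written out as a PIX 6.3 routed-mode configuration. This is an added example, not a config posted in the thread: the addresses are constructed (203.0.113.0/28 standing in for the hosted /28, 192.168.10.0/24 for the renumbered servers, 203.0.113.1 for the hosting centre's layer-3 switch) and the host names and ACL name are made up. The point it shows is that the outside world keeps seeing the original public addresses: each `static` binds a public /28 address to a private inside host, the PIX answers ARP for those addresses on the outside segment (proxy ARP is on by default in 6.3), and the `access-group` is where the filtering the original question asked for actually happens.

```cisco
! PIX 501, 6.3 code, routed mode (the only mode this box supports)
! Constructed example addresses: 203.0.113.0/28 = hosted block, 192.168.10.0/24 = inside
nameif ethernet0 outside security0
nameif ethernet1 inside security100
interface ethernet0 10baset
interface ethernet1 100full
! one of the sixteen /28 addresses is spent on the PIX outside interface
ip address outside 203.0.113.2 255.255.255.240
ip address inside 192.168.10.1 255.255.255.0
! default route to the hosting centre's layer-3 switch (assumed at .1)
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
! outbound traffic from the renumbered servers hides behind the outside address
nat (inside) 1 192.168.10.0 255.255.255.0
global (outside) 1 interface
! one-to-one mappings: the public address each server used to have now points at its private one
static (inside,outside) 203.0.113.5 192.168.10.5 netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.6 192.168.10.6 netmask 255.255.255.255 0 0
! inbound policy: only the services you mean to expose, everything else is dropped by default
access-list outside_in permit tcp any host 203.0.113.5 eq www
access-list outside_in permit tcp any host 203.0.113.5 eq https
access-list outside_in permit tcp any host 203.0.113.6 eq smtp
access-list outside_in permit icmp any 203.0.113.0 255.255.255.240 echo-reply
access-group outside_in in interface outside
! log denies so you can see what the hosting centre is forwarding at you
logging on
logging trap warnings
```

Two things to check before relying on this: the hosting centre's switch must keep routing the whole /28 towards the segment the PIX outside sits on (nothing else has to change on their side), and the 501's user license counts inside hosts, so a 10-user license on a /28 worth of servers is a limit you hit quickly.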
 

Author Comment

by:trustive
ID: 17772781
Thanks guys...

I knew about the bandwidth limitations, but that's not terribly important right now because we're limited to 2Mb/4Mb burstable on our current connection anyway.

This is a small box that I recovered from the old setup (replaced with 515FEs) and was hoping to re-use it for something useful.

Thanks anyway for your help!
 
LVL 79

Expert Comment

by:lrmoore
ID: 17772865
The 515 or bigger running 7.x, or the ASA5500 does provide a L2 "drop in" mode
 

Author Comment

by:trustive
ID: 17772896
Thanks lrmoore,

That's kind of what I'm thinking... to see if I can't "borrow" two interfaces off one of the 515s and try to sort it that way. Not sure yet if I can.
 
LVL 79

Expert Comment

by:lrmoore
ID: 17773110
You might be in luck if you set up a new context and those two interfaces aren't being used. There may be some restrictions on running in both L3 and L2 modes, even if they are in different contexts.
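For the 515 route discussed above, this is what the L2 "drop in" configuration looks like on 7.x code. It is an added example, not a config from anyone in the thread: the interface names Ethernet2/Ethernet3 are assumed to be the two spare ports, and the addresses are constructed (203.0.113.0/28 for the hosted block, 203.0.113.1 for the hosting centre's gateway). The caveat lrmoore raises is real: in 7.x `firewall transparent` is set in the system execution space and applies to the whole device, so a 515 that is already routing in L3 cannot host a transparent context alongside its routed ones on that code; the example below is therefore shown in single-context mode on a box dedicated to bridging. Note that no server address changes, the only IP the firewall owns is a management address taken from the same /28, and the filtering is still an ordinary access-group.

```cisco
! PIX 515 (or ASA 5500), 7.x code, transparent (L2) mode
! Constructed example: 203.0.113.0/28 = hosted block, 203.0.113.1 = hosting centre gateway
firewall transparent
!
! assumed spare ports borrowed for the bridge; 7.x transparent mode allows exactly two
interface Ethernet2
 nameif outside
 security-level 0
 no shutdown
!
interface Ethernet3
 nameif inside
 security-level 100
 no shutdown
!
! the only address the firewall holds: a management IP inside the existing /28
ip address 203.0.113.3 255.255.255.240
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! inbound policy on the bridged traffic; servers keep their original public addresses
access-list outside_in extended permit tcp any host 203.0.113.5 eq www
access-list outside_in extended permit tcp any host 203.0.113.5 eq https
access-list outside_in extended permit tcp any host 203.0.113.6 eq smtp
access-list outside_in extended permit icmp any 203.0.113.0 255.255.255.240 echo-reply
access-group outside_in in interface outside
!
! ARP is bridged without an ACL; any other non-IP protocol needs an explicit ethertype rule
! (none added here, so only IP and ARP cross the box)
logging enable
logging trap warnings
```

Because the firewall is invisible at L3, the hosting centre's switch still ARPs for the servers directly and sees their real MAC addresses through the bridge; the management IP exists only so the box can be reached and can send syslog, and it should be restricted with `ssh`/`http` source statements like any other management plane.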
 
LVL 11

Expert Comment

by:prueconsulting
ID: 17775889
You could potentially also apply /30 addresses to each of the interfaces (it would eat 2 of your addresses), but I have done this with other machines running 6.3 code to keep them in the same IP space and just configure them kind of like routed interfaces.

 

Author Comment

by:trustive
ID: 17787070
Thanks for the idea prueconsulting, unfortunately, I don't control the address space. We could, ostensibly, purchase a /30 from them, but with what we're already paying, I don't think the boss is gonna go for it!!

 
LVL 32

Expert Comment

by:rsivanandan
ID: 17787367
There are several ways to do it but unfortunately it will all boil down to an IP schema change.

Cheers,
Rajesh
 

Author Comment

by:trustive
ID: 17787403
Thanks Rajesh,

That much I had assumed unless, of course, I could put the FW into transparent mode.

Too bad the 501 doesn't allow it. :-(
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17788553
It's a little old and going to be retired soon as well, since comparable models in Cisco's new series have arrived in the market: ASA 5505.

Cheers,
Rajesh
 

Author Comment

by:trustive
ID: 17840434
Hmm... well, let's change the direction of this question a little bit then...

Can you guys tell me what is the simplest, least expensive FW that I can put in bridge/transparent mode?

Thanks!
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17840508
That is a little easy. Comparable to Cisco's PIX 501, there is a Juniper firewall which in fact gives more for the money you pay: NS5gt. Check that out at www.juniper.net

Cisco PIX -> Around 600 dollars for 10 user license
Juniper NS5gt -> Around 700 dollars for 10 user license.

In this 5gt, you get transparent mode, Deep Inspection (which is Intrusion Prevention). A wonderful product for the money.

Cheers,
Rajesh
 

Author Comment

by:trustive
ID: 17840514
Thanks Rajesh, I'll definitely have a look at it!

To be honest, I've only just started working with Pix - I've always been a Checkpoint person for FWs.
 
LVL 11

Expert Comment

by:prueconsulting
ID: 17841290
ASA 5505 is street priced around 450.00 for a 10 user license.
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17841466
Learning wise you would definitely feel easy with the Juniper Netscreen firewall. I'm really liking it now.

Cheers,
Rajesh