DotNetRules
Cisco 1801 and PIX 506E Deployment Suggestions/Recommendations
Hi all.
We've recently purchased a 1801 and a PIX 506E. I've configured the router with several VLANs; however, I'm a little confused as to how to deploy the 506E based on page 4 of the installation guide. The guide says deployment with a router should look something like this:
Network PCs -> Switch -> PIX 506E -> Router -> Internet
That being the case, would I need a PIX 506E for every VLAN, is that right? Or is there a better way?
Cheers
Paul
Hi, the diagram needs to look like this if you want multiple VLANs...
Network PCs -> Switch -> Router -> PIX 506E -> Router -> Internet
Note the second router inside the firewall. It will allow (or deny, as desired) communications between VLANs. The external router provides only routing and the connection to the ISP.
WGhen
ASKER
We have a new internet feed called BDSL which is kind of like Ethernet (I think), as the modem is seen as a UNC type device. Our telco recommended the hardware based on our requirements, but they aren't offering any advice or support for the configuration (wish I knew that in advance).
All I know about the internet feed is that I don't need to configure anything on the UNC type device: I can simply plug in my notebook, set a static IP on the same subnet and I can browse the internet, no ISP settings required. The ISP has provided me with a public static IP for the device.
Our requirements are:
1. We want to host a few applications on our internal IIS servers (ASP.Net, WebServices and .Net Remoting).
2. We want the ability to place priority on certain services.
3. I was told the application servers (IIS and SQL2005) should be on a separate VLAN.
4. Possibly VOIP down the track but this would relate to point 2.
I mentioned earlier that we have several VLANs; well, not really, I was experimenting a little. We have around 30 client PCs on our network and I thought it would be a good time to partition the LAN by department, so having the ability to support more than 2 VLANs is not important, more of a 'nice to have'.
Today I managed to connect the 1801 router to the UNC device, configured NAT to point to our internal servers, and now I can view sites on our IIS server etc. Again, this was experimenting more than anything.
Hope this helps.
With an Ethernet feed, there is little value in running both devices. For your applications, the PIX may be the better suited of the two products. Assign the public IP to the outside interface of the PIX. The PDM GUI makes it quite simple to use the PIX.
It will also support a VLAN interface to create your DMZ for your publicly accessible servers. The question for you is: can your IIS and SQL server stand alone without needing to be joined to the AD domain? If yes, then a DMZ will work. If not, then you don't really need a DMZ or VLANs. Does your LAN switch support VLANs, too?
ASKER
I just remembered something.... The internet feed is 3Mb and we can take it to 6Mb. We may, in a year or two, bring another feed into the building, dedicate it to VOIP only and plug in another 1801; again this was recommended by the telco, and they also talked about binding the two feeds, but I think not.
Cheers
ASKER
lrmoore,
Our LAN switch doesn't support VLANs.
Our IIS and SQL servers and PCs are on the same LAN/subnet, but I was told the servers should be on a different VLAN (does that sound correct?).
Would it be possible (OK practice) to do this:
Network PCs -> Switch(non vlan) -> 1801 Router -> PIX 506E -> Internet
Yuh, you'd be building a physical lan segment then, instead of a Virtual Lan (VLAN). The old way.
WGhen
ASKER
Ok based on that configuration, how about this...
On the 1801 create a couple of VLANs, then set up some rules on the 506E to route traffic to the VLAN IP addresses on the 1801 as required. Would that work?
Normally, the PIX forwards traffic inward on one interface on a common VLAN, where a router then moves it to the right VLAN interface. The router has a physical interface for each VLAN.
Also, the little diagrams above are conceptual and need not be physically connected that way. A switch with multiple VLANs becomes the center of the physical connections, and could go something like this...
Internal Devices <--- vlan 5 ----> |--------------|
Internal Devices <--- vlan 10 ---> |    Switch    | --- vlan 666 ---> External Router
Internal Router  <--- vlan 1 ----> |              | --- vlan 666 ---> Pix
                                   |______________|
The internal router routes VLANs 1, 5 and 10. The switch has ports for VLANs 1, 5, 10 and 666. VLAN 666 is not routed.
WGhen
ASKER
WGhen,
So in your diagram the switch could be my 1801?
The PIX 506E can only support 2 VLANs on either interface. If you have more than that, it may be time to rethink your network. What is the purpose of the VLANs? Do they need to communicate between them? Do you have voice and data VLANs that can stay separated?
VLANs are easy on the router using sub-interfaces, but if you're using this router as a T1 connector, then the PIX will be between the router and the VLAN switch, and now you need to think of perhaps a L3 switch inside that would only require one VLAN connected to the PIX and would route between them without the PIX ever seeing the VLAN data or inter-VLAN traffic.
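As an added illustration of the "VLANs on the router, one VLAN towards the PIX" approach the replies above describe (this is not configuration from the thread or from any of its posters): an 1801 keeping the client PCs (VLAN 10) and the IIS/SQL servers (VLAN 20) on separate VLANs, with ACLs so that PCs reach the servers only on HTTP/HTTPS and the server VLAN can answer but never start connections into the PC VLAN. The switch-port names, VLAN numbers, the 192.168.x.x addresses and the PIX inside address 192.168.1.1 are assumptions; the exact VLAN-creation syntax varies with IOS release.

```cisco
! Added example, not from the thread. Assumes a Cisco 1801 whose 8 switch ports are
! FastEthernet1-8, with WAN port FastEthernet0 cabled to the PIX inside interface (192.168.1.1).
! All addresses and VLAN numbers are assumptions; replace them with your own addressing plan.
vlan database
 vlan 10 name PCS
 vlan 20 name SERVERS
 exit
!
interface range FastEthernet1 - 4
 switchport access vlan 10
interface range FastEthernet5 - 6
 switchport access vlan 20
!
interface Vlan10
 description client PCs
 ip address 192.168.10.1 255.255.255.0
 ip access-group PCS-IN in
interface Vlan20
 description IIS and SQL servers
 ip address 192.168.20.1 255.255.255.0
 ip access-group SERVERS-IN in
!
interface FastEthernet0
 description uplink to PIX inside interface
 ip address 192.168.1.2 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
ip access-list extended PCS-IN
 remark PCs reach the servers only on HTTP/HTTPS; other traffic to the server VLAN is dropped and logged
 permit tcp 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255 eq 80
 permit tcp 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255 eq 443
 deny   ip  192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255 log
 permit ip  192.168.10.0 0.0.0.255 any
!
ip access-list extended SERVERS-IN
 remark servers may only reply to PC sessions; a compromised server cannot open new connections into the PC VLAN
 permit tcp 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255 established
 deny   ip  192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255 log
 permit ip  192.168.20.0 0.0.0.255 any
```

The PIX (or whatever sits upstream on 192.168.1.0/24) also needs static routes for 192.168.10.0/24 and 192.168.20.0/24 pointing at 192.168.1.2, and the `log` entries on the deny lines are what lets you spot PCs or servers trying to cross the VLAN boundary where they should not.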