Cisco PIX DMZ configuration for bloomberg network

marceloNYC used Ask the Experts™ on
Hello Experts:


    I have a problem that I want to fix ASAP. The network I was given to administer has a PIX 515E firewall. It is built with a DMZ area where I want to put the Bloomberg network. As of right now I have to plug it into the LAN, and it is not working as we wish. For those who know how Bloomberg works: it has a set of networks that you can access, and you have these static routes that you can add to the client workstation; that way, if one network is not available you can go to the next.

    Example:

    Bloomberg routers =======================> DMZ

    WAN IP for Bloomberg            IP for Bloomberg routers at our site
    208.134.x.x =========================== 10.3.158.46
    205.183.x.x =========================== 10.3.158.47
    199.105.x.x =========================== 10.3.158.48
    199.105.x.x =========================== 10.3.158.49
    69.184.x.x  =========================== 10.3.158.50


    Bloomberg has routers that take you to their network, not through the Internet; it's a private network. If someone has worked on this and has made it work, I need to learn this please. Cheers, M
Commented:
hi
I would strongly advise you to modify this Q to remove the actual public ips as they are a vendors and you could be held responsible if they were compromised - just replace part of the address with xs etc.

marceloNYC (Middle-Tier Administrator, Author) commented:
Okay sorry guys it won't happen again. M
marceloNYC (Middle-Tier Administrator, Author) commented:
Is my question clear? I am concerned now as to why no one has said anything.
Commented:
hi Marcelo

I am not familiar with the Bloomberg scenario you posted - I just commented to advise of the public ip change.  However - if you can provide further details on what you wish to accomplish I may be able to assist

thanks
marceloNYC (Middle-Tier Administrator, Author) commented:
Hello Nodisco:

Well, what happens is there is a private network to Bloomberg. They have leased lines at the site and routers which they provide. We give them IP addresses that are local to our network. I usually add static routes in the local machines that take them there. My project is to make this work without the static routes in the workstations and have the Bloomberg network plugged into the DMZ. It is important that the configuration of the PIX makes sure that if a client/workstation loses connectivity with one IP address it goes to the next available. I don't see this done with the PIX firewall. I want to know at least if it can be done, and please confirm that you fully understand what I want to do. Also, the network does not have layer 3 switches. So as it is right now you have the workstations (users), a layer 2 switch, and the PIX firewall; the Bloomberg router is now plugged into the layer 2 switch. We are pointing at the one IP address as the only gateway to Bloomberg. So that's it, I hope. M

Commented:
Hi

<< I usually add statics routes in the local machines that take them there
Do you mean you put routes on the local machines to say if you for example want to hit 208.134.x.x you use the local ip of the bloomberg router?
<<My project is to make this work without the static routes in the workstations and have the Bloomberg network plugged in the DMZ.
Why do you wish to take out the static routes and why put it in the DMZ?  I am assuming because 1) you want your network device to handle the "routing" per se and 2) you want to secure the Bloomberg network in the DMZ for security purposes - so that you can control access to it from the PIX.
<<Is important that the configuration of the PIX is making sure that if a Client/Workstation loses connectivity with one IP address it goes to the next available.
When you send traffic from one interface on a PIX to another (in this case from LAN to DMZ) you create a translation in the xlate table.  I don't know how you would get the PIX to change direction of the traffic to a new host if one is unavailable.  The PIX isn't going to know the host is unavailable as it's simply passing the request to the DMZ - as long as the DMZ is up (i.e. that it's plugged into something) the PIX has no way of knowing if the next hop is up.

In terms of what you want to do here - you can put the Bloomberg network into the DMZ, give the routers DMZ IP addresses, and set up NAT to allow the LAN to access the Bloomberg network.  I have never heard of Bloomberg networks so can only advise you on the PIX end of things.

cheers

marceloNYC (Middle-Tier Administrator, Author) commented:
Dear Nodisco:

Yes, I route add the static routes in the traders' local machines like this:

    208.134.x.x ====================== gateway ===== 10.3.158.46
    205.183.x.x ====================== gateway ===== 10.3.158.46
    199.105.x.x ====================== gateway ===== 10.3.158.46
    199.105.x.x ====================== gateway ===== 10.3.158.46

As of right now that is how it is working: route add 0.0.0.0 mask 0.0.0.0 110.3.158.46. So as you can see and tell, there is the one gateway to the Bloomberg network. M
marceloNYC (Middle-Tier Administrator, Author) commented:
Dear Nodisco:

"I don't know how you would get the PIX to change direction of the traffic to a new host if one is unavailable.  The PIX isn't going to know the host is unavailable as its simply passing the request to the DMZ - as long as the DMZ is up (ie that its plugged into something) the PIX has no way of knowing if the next hop is up."

I imagine they use a RIP network that redirects the user's connection, or some protocol of that sort. They have a router network at the site. So after 10.3.158.46 it routes to Bloomberg. M

Commented:
If the Bloomberg device on 10.3.158.46 is the one that handles the *failover* then you should have no issues.  You can move the devices into the DMZ and set the DMZ int as your default gateway - create a NAT translation for the inside hosts to access the Bloomberg hosts (or the entire DMZ) - my point was just that the PIX will not be able to tell you a host has gone down and then reroute to another.

marceloNYC (Middle-Tier Administrator, Author) commented:
What does the rule from the 192.168.x.x LAN network to the 10.3.158.46 DMZ network look like? I want all the PCs from the LAN to be able to ping that IP address. Many thanks, M
marceloNYC (Middle-Tier Administrator, Author) commented:
I can do it, never mind. I will do it next week and will give the points then. Is that okay, nodisco? Many thanks, M
Commented:
good job.  fyi - you can do it 2 ways realistically - a policy nat or static translation.

e.g.

if the dmz is 10.3.0.0 and the lan is 192.168.x.x

static (inside,dmz) 192.168.x.x 192.168.x.x netmask 255.255.0.0
this will translate all 192.168.x.x/16 hosts to access resources in the dmz

or
access-list nonat permit ip 192.168.x.x 255.255.0.0 10.3.0.0 255.255.0.0
nat (inside) 0 access-list nonat

This will nat all hosts that match that access-list to their same host address (nat0) - naturally this will allow all traffic but you can tailor it to just allow icmp, telnet etc

hth
marceloNYC (Middle-Tier Administrator, Author) commented:
By the way, this is the solution provided by Mr nodisco:


access-list nonat permit ip 192.168.x.x 255.255.0.0 10.3.0.0 255.255.0.0
nat (inside) 0 access-list nonat
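The two lines above are the NAT-exemption half of the design; a working PIX also needs the DMZ interface, the routes that replace the per-workstation static routes, and an access list that limits what the LAN can reach. The fragment below is an added example assembled from the thread's discussion; it is not nodisco's posted configuration and not anything from Cisco or Bloomberg documentation. Everything it fills in beyond the thread is an assumption: the DMZ interface name (ethernet2, security level 50), the PIX's DMZ address 10.3.0.1, the LAN written as 192.168.0.0/16, and the Bloomberg WAN ranges written as /16 placeholders where the thread only shows x.x (use the prefix lengths Bloomberg actually gives you). It uses PIX 6.x syntax, the generation that ran on a 515E.

```cisco
! Added example (PIX 6.x syntax), not the configuration posted in the thread.
! Assumed/placeholder values: ethernet2 = DMZ, PIX DMZ address 10.3.0.1/16,
! LAN 192.168.0.0/16, Bloomberg WAN ranges shown as /16 placeholders.

! DMZ interface. Security 50 sits between inside (100) and outside (0),
! so inside->dmz is allowed once a translation exists, dmz->inside is not.
nameif ethernet2 dmz security50
ip address dmz 10.3.0.1 255.255.0.0

! Routes that used to be "route add" on every trader workstation now live
! on the PIX. Workstations just use the PIX as their default gateway.
! Failover beyond 10.3.158.46 stays with the Bloomberg router, as discussed:
! the PIX only forwards to the next hop; it does not detect a dead router.
route dmz 208.134.0.0 255.255.0.0 10.3.158.46 1
route dmz 205.183.0.0 255.255.0.0 10.3.158.46 1
route dmz 199.105.0.0 255.255.0.0 10.3.158.46 1
route dmz 69.184.0.0  255.255.0.0 10.3.158.46 1

! NAT exemption (nat 0): LAN hosts keep their own 192.168.x.x addresses,
! which is what Bloomberg was given, both toward the DMZ itself and toward
! the Bloomberg ranges reached through it. Bloomberg's routers must have a
! return route for 192.168.0.0/16 pointing at 10.3.0.1.
access-list nonat permit ip 192.168.0.0 255.255.0.0 10.3.0.0 255.255.0.0
access-list nonat permit ip 192.168.0.0 255.255.0.0 208.134.0.0 255.255.0.0
access-list nonat permit ip 192.168.0.0 255.255.0.0 205.183.0.0 255.255.0.0
access-list nonat permit ip 192.168.0.0 255.255.0.0 199.105.0.0 255.255.0.0
access-list nonat permit ip 192.168.0.0 255.255.0.0 69.184.0.0 255.255.0.0
nat (inside) 0 access-list nonat

! Least privilege on the inside interface: nat 0 alone would let the whole
! LAN reach the whole DMZ. Allow ping to the Bloomberg gateway, block the
! rest of the DMZ, and let everything else (Internet, Bloomberg ranges,
! which are not inside 10.3.0.0/16) fall through to the final permit.
access-list inside_out permit icmp 192.168.0.0 255.255.0.0 host 10.3.158.46 echo
access-list inside_out deny ip any 10.3.0.0 255.255.0.0
access-list inside_out permit ip any any
access-group inside_out in interface inside

! PIX 6.x does not track ICMP statefully, so the echo replies coming back
! from the DMZ must be permitted explicitly. Applying this list also makes
! the dmz->inside deny explicit rather than relying on security levels.
access-list dmz_in permit icmp host 10.3.158.46 192.168.0.0 255.255.0.0 echo-reply
access-group dmz_in in interface dmz
```

After applying it, `show xlate` should show identity translations for LAN hosts that have pinged 10.3.158.46, and `show route` should list the four Bloomberg ranges on the dmz interface. The `static (inside,dmz)` form nodisco mentioned is an equivalent way to get the same identity translation for 192.168.0.0/16; the access lists and routes are needed either way.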
