Create DMZ with PIX 501

Posted on 2007-11-21
Medium Priority
Last Modified: 2008-02-01
I am trying to create a DMZ zone with a PIX 501 firewall and a Netgear switch. I have Verizon FIOS with one public IP address. The outside interface of the firewall is connected to the FIOS demarc, and the inside interface has a LAN address range of 192.168.1.x
ip address outside
ip address inside
The Netgear switch (actually it's a wireless router, but I'm only using it as a switch) is connected to the firewall's inside LAN port. The Netgear IP range is 10.10.111.x. What I would like to do is have a web server on the Netgear (DMZ) switch with an IP address of
Question by:Mikeyb19ave
LVL 25

Expert Comment

ID: 20340888
First of all, I am extremely jealous of you that you have Verizon's FIOS available to you.

Second, as I'm sure you know, the PIX 501 will only support one subnet on each interface.  If you don't need to use the wireless portion of the router, I'd turn it off, if you can.  Plug the WAN port into the same subnet as the PIX inside interface, then move the web server to the switch (or inside) side of the Netgear router.  Give the router a static IP.  Then forward ports 80/443 on the PIX to that router IP.  Do the mapping on the Netgear as well.  The only other option I can think of is to swap the hosts around: put the web server in between the PIX and the router so you don't double-NAT the static mapping, but double-NAT the clients.  If that works, then you can still use the wireless ability of the router if you wish.

I can't guarantee this will work, as there is essentially a double-NAT happening here and I've never done that before.  However, logically speaking, that should work.  If not, then you should swap your 501 out for an ASA 5505 (which can assign different ports to different VLANs; you would then just need a second switch).  The 5505 route is the way I'd go personally.
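The port-forward the comment above describes, written out as a PIX 501 configuration. This is an added example, not config from the thread; it assumes PIX software 6.3, a DHCP-assigned public address on the outside interface, 192.168.1.1/24 on the inside, and a web server at 192.168.1.10 (all assumed values). Because the 501 has only two interfaces there is no real DMZ here: whatever you forward to sits on the same network as everything else inside, so the access-list admits only 80 and 443 and nothing else.

```cisco
! Added example, not from the original thread. Assumes PIX 6.3 and the
! addresses shown; substitute your own.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside dhcp setroute
ip address inside 192.168.1.1 255.255.255.0

! Outbound PAT: everything on the inside shares the single public IP.
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

! Static port translations from the outside interface's address to the
! web server (assumed 192.168.1.10). For the double-NAT layout, point
! these at the Netgear's WAN address instead and forward again there.
static (inside,outside) tcp interface 80 192.168.1.10 80 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 443 192.168.1.10 443 netmask 255.255.255.255 0 0

! A static alone does not open the port; the inbound ACL must permit it.
! Permit only 80 and 443; leave any temporary test ports out of this.
access-list outside_in permit tcp any interface outside eq 80
access-list outside_in permit tcp any interface outside eq 443
access-group outside_in in interface outside

! Checks: the translation exists, and the ACL hit counters move when a
! client on the Internet connects to the public address on 80/443.
show xlate
show access-list outside_in
```

Do not add the bare inside network to `nat (inside) 1` exemptions or loosen the ACL to `permit ip any any` while testing; if the test port from the question (375) is opened this way for a test, remove both the static and the access-list line afterwards.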

Author Comment

ID: 20361856
I have set this up just as you suggested... To test, I have attached a laptop to the Netgear subnet... I am able to browse the Internet and also able to ping host IP addresses on the PIX subnet (192.168.1.x)... I am also able to ping the outside interface of the Netgear router ( from the PIX subnet... I am unable to ping or telnet, via the port I opened for a test (375), to the inside subnet of the Netgear router (10.10.111.x)..
LVL 25

Accepted Solution

Cyclops3590 earned 1000 total points
ID: 20362423
First, I just want to verify which way you set it up:

Internet <--pix--> <--netgear-->

Also, when you say "unable to ping or telnet via the port I opened for a test...", where are you pinging to?  You should be able to ping from the to the 192 network.  You most likely won't be able to ping from the 192 to the 10 network.  However, if you telnet to the port that is mapped, it should work.

However, if you have your clients behind the Netgear, I would put the server on the 192 network and your clients behind the Netgear.

Author Comment

ID: 20362545
OK... I see what you're saying... It does work when the clients are behind the Netgear... Thanks for the help.
