• Status: Solved
  • Priority: Medium
  • Security: Public

Small Network Question

If I have a Cisco router 2800 series and then a PIX firewall and then the internal network.  Could I put a layer 3 switch in between the router and pix to then use the pix and behind for the internal network and then run an access point with a public ip for people to only have access to the internet?  
Asked by: Jack_son_
1 Solution
 
RPPreacher commented:
Short answer -- yes.

Longer answer

Router -- Switch -- PIX -- Internal
                   |
                  AP

The AP needs to function as a DHCP server assigning DNS so that people connecting to the AP can actually surf.

The switch does not need to be L3.

You could also just put another ethernet port on the 2800 so it would look like this

Router -- PIX -- Internal
     |
    AP
0
 
Jack_son_ (Author) commented:
Ok, would this need to run thru VLANs thru the switch?

Or if just running thru the cisco 2800, would it be setup on one of the inside interfaces?
0
 
Ken Boone (Network Consultant) commented:
Or if you have an available interface on your PIX you could set up a guest VLAN that terminates into this 3rd interface on the PIX.  Configure the PIX to perform DHCP for this segment, and only allow this segment access to the internet.  Then you could put your AP in this guest VLAN, plus it would give you the ability to move hard ports over to this VLAN if needed.  For instance, if you had a conf room or a guest area where someone wanted to plug in, simply change the VLAN on the port to the guest VLAN.

Having the wireless behind the firewall provides some additional protection to the guest users as well.
0
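The guest segment described in the comment above, written out as an added example (not from the thread or the poster): a third PIX interface at a low security level that serves DHCP and whose inbound ACL drops everything bound for private address space, so guests reach only the internet. PIX 7.x syntax is assumed (6.x uses global `nameif`/`ip address` commands instead); the interface name, addresses, lease time and DNS server are assumptions.

```cisco
! Added example, not the thread's own config. All addresses are assumptions.
! Guest VLAN terminates on a third physical interface with a low security level,
! so guest hosts cannot initiate sessions toward inside/outside unless an ACL allows it.
interface Ethernet2
 nameif guest
 security-level 10
 ip address 192.168.50.1 255.255.255.0
 no shutdown

! PIX acts as the DHCP server for the guest segment; the AP stays a plain bridge.
! 203.0.113.53 stands in for whatever public resolver you actually use.
dhcpd address 192.168.50.100-192.168.50.200 guest
dhcpd dns 203.0.113.53
dhcpd lease 3600
dhcpd enable guest

! Inbound from guests: deny all RFC 1918 space (covers the internal LAN and the
! router/switch management addresses), then permit anything else, i.e. the internet.
access-list guest_in extended deny ip any 10.0.0.0 255.0.0.0
access-list guest_in extended deny ip any 172.16.0.0 255.240.0.0
access-list guest_in extended deny ip any 192.168.0.0 255.255.0.0
access-list guest_in extended permit ip any any
access-group guest_in in interface guest

! PAT the guest subnet behind the outside interface address.
nat (guest) 1 192.168.50.0 255.255.255.0
global (outside) 1 interface
```

If the internal network uses a public or non-RFC 1918 range, add an explicit deny for it ahead of the final permit; verify with `show access-list guest_in` that the deny counters increment when a guest host tries to reach an inside address.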
 
Jack_son_ (Author) commented:
The issue with the pix that we have is it cannot send and receive on the same interface.  I could not get that working or maybe I have something incorrect.

So plugging it in thru the router is more secure?  Obviously we would also encrypt the AP.
0
 
Jack_son_ (Author) commented:
Also, which interface on the router would work for the AP?
0
 
Ken Boone (Network Consultant) commented:
My thinking was use the PIX IF you had an available interface.
0
 
RPPreacher commented:
>The issue with the pix that we have is it cannot send and receive on the same interface.

That shouldn't be an issue for what you describe unless you expect the AP users to access the internal network.
0
 
Jack_son_ (Author) commented:
So it should work so laptops can send and receive data to the internet?
0
 
RPPreacher commented:
Yes.
0
 
Jack_son_ (Author) commented:
I tried and it wasn't working for some reason.
0
 
RPPreacher commented:
You should probably open an EE question to help you troubleshoot that issue.  It's a bad idea to ask one question ("will this work") and turn it into another question.

Open another question, focus on your configuration, what type of troubleshooting you have done, include the configuration of the PIX and someone will be glad to help you.

Do you have any follow up question regarding the original post (network design)?
0
 
Istvan Kalmar (Head of IT Security Division) commented:
Could you show us the router, PIX, and switch configs?
0
 
asdlkf commented:
Uh...

This would be WAY easier if you just want to provide "unsafe public wifi".

Set up a VPN server in your router if you want to provide LAN access as well;
put the client on the access point if you want all wireless users to access the LAN;
put the client on the end user computer if you want only authorized users to access the LAN.

[attached image: vpn-ap.png]
0