how to DMZ with PIX501

chuku
I know the PIX 501 doesn't have built-in DMZ support and wonder if anyone has found a way to configure a secure-enough, DMZ-like interface on a PIX 501.

Top Expert 2010
Commented:
Well, you only get inside and outside interfaces with the 501... but you can still create and publish services to the public internet. However, the hosts servicing the public requests will sit on the inside network. So I suppose the answer will depend upon what you consider 'secure'. If you want a totally segregated DMZ with a traditional security level in between inside and outside, I think the 501 is the wrong device.
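As an added example (not from the thread, and not the asker's configuration), this is what "publishing" an inside host looks like on a two-interface PIX: a one-to-one static translation plus an inbound access list on the outside interface. PIX OS 6.3 syntax, the addresses and the server role are assumptions; 203.0.113.0/29 is a documentation prefix standing in for the ISP-assigned subnet.

```cisco
! Added example, not the thread's own config. Assumed PIX 501 on PIX OS 6.3.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 203.0.113.2 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1

! Inside hosts reach the internet through PAT on the outside address
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 interface

! Publish the web server 192.168.1.10, which lives on the inside LAN,
! on the spare public address 203.0.113.3 (one-to-one static NAT)
static (inside,outside) 203.0.113.3 192.168.1.10 netmask 255.255.255.255 0 0

! Allow only the published port in from the internet; everything else that
! arrives on the outside interface hits the final deny and is logged
access-list outside_in permit tcp any host 203.0.113.3 eq www
access-list outside_in deny ip any any log
access-group outside_in in interface outside

! Keep management off the outside interface: only the inside LAN may SSH in
ssh 192.168.1.0 255.255.255.0 inside
```

The caveat in the reply above is visible in the config: 192.168.1.10 sits on the same subnet as every other inside host, so anyone who compromises the web server through port 80 is already on the LAN with no firewall in between. The PIX 501 has no third interface to enforce that separation, so it has to come from somewhere else (host firewalls, a separate switch and device). `show access-list outside_in` shows per-line hit counts and is the quickest way to confirm that the deny line is catching everything except the published port.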

Commented:
If you've got more than one, you could still create a DMZ.

You would have one external firewall and an internal firewall. In between these two firewalls is your DMZ.

It's a more expensive way of doing things, but if it's your only option... I know a few companies that operate this way so that they can have a different firewall vendor on the outside than on the inside; this way, if a security vuln is found in the outside firewall, it is unlikely the same vuln would be on the inside firewall.


| Internet |  ----  | Firewall (1) |   ----  | DMZ | ------  | Firewall (2) |



Commented:
Sorry missed the last leg off the little diagram

| Internet |  ----  | Firewall (1) |   ----  | DMZ | ------  | Firewall (2) |  -------  | Internal LAN |

Author

Commented:
@oldhamuk
An extra firewall for this site is not an option. Thanks.

@MikeKane
I have a DR site with a small LAN and the PIX, and need to add a wireless router (a simple $40 Netgear). I want to put it outside of the LAN; if I have to, I will use a switch with the PIX, the ISP router and the wireless router connected to it. I do not care about security. All I need is to provide WiFi access if one day this office has to be used (personal laptops and smart phones).
Top Expert 2010

Commented:
If you want WiFi access at this site and want to keep it outside of the PIX's inside network, then the normal solution would be to place it in a DMZ off the PIX, or in a 2nd VLAN on the inside of the PIX. However, the 501 model does not support either of these solutions.

I think you may need to look at getting a different device.

There are many prosumer devices that can provide basic firewall, VPN termination, and multiple internal connections for guest WiFi and internal LAN. You might consider looking into one of these (e.g. wrvs440N, AirPort Extreme...). If you don't want to spend any money, even a really cheap consumer router running DD-WRT can accomplish this. I use a setup like that at home on WRT. It's my edge device and router, and I run 2 WiFi networks on it as well: 1 for guests and 1 for my internal LAN....

Commented:
If you're looking to keep costs down and already have the access point and a spare PC hanging around, you could install a Linux-based firewall, or even something like SmoothWall, and put a couple of NICs in the PC.

Author

Commented:
MikeKane gave me the missing piece, as the PIX 501 does not support a DMZ.
What I'll end up doing at this totally unused site, which must keep costs as low as possible, is using a basic switch with 3 legs: the Internet, the PIX outside interface and the WiFi router.
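As an added example (not the asker's configuration) of what the chosen layout needs on the PIX side: with the WiFi router's WAN port on the ISP-facing switch, the WiFi segment is entirely on the untrusted side of the PIX, so the only property the PIX has to guarantee is that nothing from that segment reaches the DR LAN. The addresses, the WiFi router's WAN address 203.0.113.3 and the PIX OS 6.3 syntax are assumptions.

```cisco
! Added example, not from the thread. Assumed layout:
!   ISP router 203.0.113.1 -- switch -- PIX outside 203.0.113.2
!                                  \-- WiFi router WAN 203.0.113.3
! (203.0.113.0/29 stands in for the ISP-assigned subnet)
ip address outside 203.0.113.2 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1

! DR LAN users still get out through PAT on the outside address
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 interface

! No static and no permit for the WiFi router: the PIX already drops
! connections initiated from security0 towards security100. The explicit,
! logged deny makes attempts from the WiFi segment visible in syslog and
! keeps winning if a "permit ... any" for some other service is appended
! after it later. WiFi clients are NATed by their router, so they all
! arrive as 203.0.113.3.
access-list outside_in deny ip host 203.0.113.3 any log
access-group outside_in in interface outside

! Management only from the DR LAN. The WiFi router shares the outside
! segment with the PIX, so never enable ssh/http/telnet on "outside".
ssh 192.168.1.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 inside
```

Two checks worth running once it is cabled: connect a laptop to the WiFi, try to reach 192.168.1.1, and confirm the hit count on the deny line in `show access-list outside_in` goes up while `show xlate` shows no translation for 203.0.113.3. The remaining exposure is the WiFi router itself: in this position it has a public address with nothing but the ISP router in front of it, so its admin interface should be reachable only from its own wireless LAN, and its firmware is the only thing protecting the laptops and phones on that segment.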
