Solved

Multi firewall network setup.

Posted on 2010-04-02
387 Views
Last Modified: 2012-05-09
We just replaced our PIX with an ASA. We now have need for an isolated web server and were planning on using the DMZ on the ASA for it. License says we can't, sooo.... can someone recommend a way we might be able to isolate the web server by utilizing the old PIX? It needs to be able to talk to our SQL server and LDAP servers inside the LAN, but that's the only requirement.

Thanks for any advice!
Question by:dacIT
7 Comments
 
LVL 16

Expert Comment

by:The--Captain
ID: 29535919
Why not just create a separate subnet for the webserver and connect that to the pix internal side (which would be reconfigured for the new subnet), and connect the pix external side to the internal ASA network?  ACLs and routing (or NAT, if the pix insists) should be able to handle the rest for you.

Cheers,
-Jon
0
 
LVL 1

Expert Comment

by:kortsi
ID: 29546447
It might be a better idea to connect the PIX to the router outside the ASA, just so that you will have more margin for configuration errors. Then just add rules in the PIX to access the network behind the PIX from behind your new ASA. Add a route to the DMZ network in the ASA via the PIX (and disable NAT if you want).
0
 
LVL 9

Expert Comment

by:Donboo
ID: 29567571
Or it might be a better idea to upgrade your ASA 5505 to a security license; it's not really expensive, and using your old PIX will only make things more complex than they should be.
0
 
LVL 7

Author Comment

by:dacIT
ID: 29571329
I agree it would be better to update the license, but the bosses are not happy with the cost of that for various reasons. Long term we'll do that, but I need to work with the existing setup to make sure it's as secure as possible. I think the separate subnet and NAT setup that The--Captain suggested might be our best bet.
0
 
LVL 9

Accepted Solution

by:Donboo (earned 2000 total points)
ID: 29575207
Well, I am pretty certain that you'll be in trouble going for a setup like that because of a thing called hairpinning. If the setup is as I read it, your normal clients will be on the outside of the PIX with their gateway pointing to the ASA, and then they will never be able to get TCP to the server behind the PIX due to session tracking.

I'd say to my bosses to pay the $700 the license costs.
0
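The failure Donboo describes in the accepted answer above (clients on the ASA's inside LAN, PIX outside interface on that same LAN, web server behind the PIX) and kortsi's alternative placement (PIX beside the ASA on the network outside it) can be played through with a small routing plus session-tracking simulation. This is an added example, not code from the thread or from Cisco; the addresses (10.1.0.0/24 LAN, 10.2.0.0/24 DMZ, 203.0.113.0/24 outside), the node names, the static routes and the "client's gateway is the ASA" assumption are all constructed for illustration, and the firewall model is a deliberately minimal TCP session tracker, not real PIX/ASA code. It also assumes the ASA has been told to forward traffic back out its inside interface (on a real ASA that needs `same-security-traffic permit intra-interface`; without it the first SYN would already be dropped).

```python
import ipaddress

# Constructed addressing for the example; not the poster's real network.
CLIENT, WEB = "10.1.0.50", "10.2.0.10"
LAN, DMZ, OUTSIDE = "10.1.0.0/24", "10.2.0.0/24", "203.0.113.0/24"


class Firewall:
    """Minimal TCP session tracker (the 'session tracking' in the answer):
    a SYN opens a half-open entry, the matching SYN-ACK completes it, and any
    other segment must belong to a completed entry or it is dropped."""

    def __init__(self, name):
        self.name, self.conns, self.dropped = name, {}, []

    def forward(self, src, dst, flags):
        fwd, rev = (src, dst), (dst, src)
        if flags == "S":
            self.conns[fwd] = "SYN_SENT"
            return True
        if flags == "SA" and self.conns.get(rev) == "SYN_SENT":
            self.conns[rev] = "ESTABLISHED"
            return True
        if flags not in ("S", "SA") and "ESTABLISHED" in (
                self.conns.get(fwd), self.conns.get(rev)):
            return True
        self.dropped.append((flags, src, dst))   # no matching state: drop
        return False


class Node:
    """A host or router: connected prefixes, static routes, default gateway."""

    def __init__(self, name, connected, routes=None, default=None, firewall=False):
        self.name = name
        self.connected = [ipaddress.ip_network(p) for p in connected]
        self.routes = {ipaddress.ip_network(p): nh for p, nh in (routes or {}).items()}
        self.default = default
        self.fw = Firewall(name) if firewall else None

    def next_hop(self, dst):
        dst = ipaddress.ip_address(dst)
        if any(dst in p for p in self.connected):
            return None                          # deliver on the attached segment
        matches = [p for p in self.routes if dst in p]
        if matches:
            return self.routes[max(matches, key=lambda p: p.prefixlen)]
        return self.default


def build(design):
    """'pix-on-lan': PIX outside interface on the ASA's inside LAN (first
    suggestion). 'pix-outside-asa': PIX on the network outside the ASA,
    routing the LAN back via the ASA (second suggestion)."""
    if design == "pix-on-lan":
        nodes = [Node("client", [LAN], default="ASA"),
                 Node("ASA", [LAN, OUTSIDE], routes={DMZ: "PIX"}, default="ISP", firewall=True),
                 Node("PIX", [LAN, DMZ], default="ASA", firewall=True),
                 Node("web", [DMZ], default="PIX")]
    elif design == "pix-outside-asa":
        nodes = [Node("client", [LAN], default="ASA"),
                 Node("ASA", [LAN, OUTSIDE], routes={DMZ: "PIX"}, default="ISP", firewall=True),
                 Node("PIX", [OUTSIDE, DMZ], routes={LAN: "ASA"}, default="ISP", firewall=True),
                 Node("web", [DMZ], default="PIX")]
    else:
        raise ValueError(design)
    return {n.name: n for n in nodes}


def trace(nodes, src_node, dst):
    """Names of the routers a packet from src_node to dst passes through."""
    path, cur = [], nodes[src_node]
    for _ in range(8):                           # loop guard
        nh = cur.next_hop(dst)
        if nh is None:
            return path
        if nh not in nodes:
            raise RuntimeError(f"{cur.name} has no usable route for {dst}")
        cur = nodes[nh]
        path.append(cur.name)
    raise RuntimeError("routing loop")


def handshake(nodes):
    """Push a three-way handshake client->web through the topology; return the
    (firewall, flags) pairs that were dropped. Empty list means TCP works."""
    host = {CLIENT: "client", WEB: "web"}
    for src, dst, flags in ((CLIENT, WEB, "S"), (WEB, CLIENT, "SA"), (CLIENT, WEB, "A")):
        for hop in trace(nodes, host[src], dst):
            fw = nodes[hop].fw
            if fw and not fw.forward(src, dst, flags):
                break                            # segment is gone at this hop
    dropped = []
    for n in nodes.values():
        if n.fw:
            dropped += [(n.name, flags) for flags, _, _ in n.fw.dropped]
    return dropped


if __name__ == "__main__":
    for design in ("pix-on-lan", "pix-outside-asa"):
        net = build(design)
        print(design, "c->s", trace(net, "client", WEB), "s->c", trace(net, "web", CLIENT),
              "dropped:", handshake(net))
```

With the PIX on the LAN, the forward path is client, ASA, PIX but the web server's reply is delivered by the PIX straight onto the LAN, so the ASA sees the SYN and the client's final ACK but never the SYN-ACK and drops the ACK; every connection stalls after the first two segments. With the PIX outside the ASA both directions traverse both firewalls and the handshake completes. The simulation models the routed (no-NAT) variant of the first proposal, which is how the accepted answer reads it.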
 
LVL 7

Author Comment

by:dacIT
ID: 29576129
Ah. Hadn't thought of that.
0
 
LVL 7

Author Closing Comment

by:dacIT
ID: 32684260
You were right. We are going to have to do it differently. Thanks for the detailed description of the impending problem.
0
