Multi firewall network setup.

We just replaced our PIX with an ASA. We now have need for an isolated web server and were planning on using the DMZ on the ASA for it. License says we can't, sooo.... can someone recommend a way we might be able to isolate the web server by utilizing the old PIX? It needs to be able to talk to our SQL server and LDAP servers inside the LAN, but that's the only requirement.

Thanks for any advice!

Why not just create a separate subnet for the webserver and connect that to the pix internal side (which would be reconfigured for the new subnet), and connect the pix external side to the internal ASA network?  ACLs and routing (or NAT, if the pix insists) should be able to handle the rest for you.

It might be a better idea to connect the PIX to the router outside the ASA, just so that you will have more margin for configuration errors. Then just add rules in the PIX to access the network behind the PIX from behind your new ASA. Add a route to the DMZ network in the ASA via the PIX (and disable NAT if you want).
Or it might be a better idea to upgrade your ASA 5505 to a security license; it's not really expensive, and using your old PIX will only make things more complex than they should be.

dacIT (Author) Commented:
I agree it would be better to update the license, but the bosses are not happy with the cost of that for various reasons. Long term we'll do that, but I need to work with the existing setup to make sure it's as secure as possible. I think the separate subnet and NAT setup that The-Captain suggested might be our best bet.
Well, I am pretty certain that you'll be in trouble going for a setup like that, with a thing called hairpinning. If the setup is as I read it, your normal clients will be on the outside of the PIX with their gateway pointing to the ASA, and then they will never be able to get TCP to the server behind the PIX due to session tracking.

I'd say to my bosses to pay the $700 the license costs.
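To make the session-tracking problem in the answer above concrete, here is a toy model (added example, not from the thread or from Cisco) of a stateful firewall that only passes the client's final ACK if it has also seen the server's SYN-ACK. The addresses, device names and two topologies are constructed assumptions: in the hairpin design the PIX outside interface sits on the LAN, so the return path skips the ASA; in the PIX-outside design both directions cross both firewalls.

```python
# Toy model of the hairpinning problem: a stateful firewall (the ASA) only
# permits the client's final ACK if it has also seen the server's SYN-ACK.
# When the return path bypasses the ASA (PIX outside interface directly on
# the LAN), the handshake never completes. Addresses are constructed.

SYN, SYNACK, ACK = "SYN", "SYN-ACK", "ACK"

class StatefulFirewall:
    """Tracks TCP handshake state per flow; drops out-of-state packets."""
    def __init__(self, name):
        self.name = name
        self.flows = {}          # (src, dst) -> handshake state

    def forward(self, src, dst, flag):
        """Return True if the packet is allowed through this firewall."""
        if flag == SYN:
            self.flows[(src, dst)] = "SYN_SEEN"
            return True
        if flag == SYNACK:
            if self.flows.get((dst, src)) == "SYN_SEEN":
                self.flows[(dst, src)] = "SYNACK_SEEN"
                return True
            return False         # SYN-ACK without a matching SYN
        if flag == ACK:
            if self.flows.get((src, dst)) == "SYNACK_SEEN":
                self.flows[(src, dst)] = "ESTABLISHED"
                return True
            return False         # ACK for a half-seen handshake: dropped
        return False

def run_handshake(client, server, fwd_path, rev_path):
    """Walk a 3-way handshake through the firewalls on each direction's path.
    Returns the name of the firewall that dropped a packet, or None on success."""
    packets = [(client, server, SYN, fwd_path),
               (server, client, SYNACK, rev_path),
               (client, server, ACK, fwd_path)]
    for src, dst, flag, path in packets:
        for fw in path:
            if not fw.forward(src, dst, flag):
                return fw.name
    return None

def hairpin_design():
    """PIX outside interface on the LAN, LAN gateway = ASA (the thread's plan)."""
    asa, pix = StatefulFirewall("ASA"), StatefulFirewall("PIX")
    # Forward: client -> ASA (hairpin, routed back out) -> PIX -> server.
    # Return:  server -> PIX -> client directly; the ASA never sees it.
    return run_handshake("10.0.0.50", "192.168.9.10", [asa, pix], [pix])

def pix_outside_design():
    """PIX hung off the edge router outside the ASA: both directions cross both."""
    asa, pix = StatefulFirewall("ASA"), StatefulFirewall("PIX")
    return run_handshake("10.0.0.50", "192.168.9.10", [asa, pix], [pix, asa])
```

The hairpin design reports the ASA dropping the client's ACK, while the PIX-outside design completes the handshake; real firewalls also check sequence numbers, which only makes the asymmetric path fail sooner.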

dacIT (Author) Commented:
Ah. Hadn't thought of that.
dacIT (Author) Commented:
You were right. We are going to have to do it differently. Thanks for the detailed description of the impending problem.