Advice needed on Double Layer Firewall

Status
Not open for further replies.

csdsc

IS-IT--Management
May 26, 2001
I have a PIX 515R which I use at home at present (on loan from work for the last 1.5 years). I need a double-layer firewall (British MOD request) so that I can use the Army mail encryption software on my clients, so that we can receive restricted mail.
The first problem is I have an OWA server that is Exchange 2000 and Winblows 2000 and is obviously an AD server, so it therefore needs quite a few ports open from the DMZ to the 3 internal AD servers, and I need the internal clients to access their mail both internally using Outlook and externally using OWA.
The question is where would the best place to use the PIX be:
>>>>internet ---> PIX515R ----> OWA server ----> (some firewall that someone can recommend)----> Internal network.
or
>>>>internet ---> some firewall that someone can recommend ----> OWA server ----> PIX515R ----> Internal network.

And what firewall would you recommend? As I have to have two different firewalls in this configuration, I am open to Linux suggestions.

Next question: would it be more secure to use a pure web server in the DMZ (in place of the Exchange server) and use the Exchange filter (.dll for OWA communications)?

Next question: I have two internet connections, a static IP cable modem and a leased line that also has static IPs. Is there a way to allow the PIX to do load balancing (the PIX has three interfaces)?

TIA
Sean Chambers
 
Sean,

I'd put the PIX on the internet facing connection and then run the other firewall internally. In terms of other FW platforms, does it need to be accredited? If so, your options are more limited. If not, take a look at smoothwall.org for a Linux solution and Wingate is pretty good if you want a W2k based box.

I'd move the exchange server inside the protected network and run a pure web server for OWA. However, I'd need to have a word with my mail specialist and get back to you on the exact techy bits for this.

Cheers,

Peter
 
I agree with hoinvip; I would use a pure web server in the DMZ and allow only the web server to talk to the internal Exchange box.

Use ACLs to limit the traffic between the two of them.
 
For multiple inline firewalls like this, keep in mind the "norandomseq" option for your "nat" and "static" commands. It may save you some headaches.

This is from the Cisco site:

norandomseq - Do not randomize the TCP/IP packet's sequence number. Only use this option if another inline firewall is also randomizing sequence numbers and the result is scrambling the data. Use of this option opens a security hole in the PIX Firewall.

-gbiello
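Below is an added configuration sketch, written for this page and not taken from the thread or from Cisco's documentation, that ties together the two points above: the ACL advice (only the DMZ web server may reach the internal Exchange box) and gbiello's note about norandomseq on the static for the host that sits behind a second inline firewall. It uses PIX 6.x-style syntax with made-up addresses (203.0.113.0/24 outside, 192.168.10.0/24 DMZ, 10.0.0.0/24 inside); the interface names, the web server at 192.168.10.10, the Exchange box at 10.0.0.5 and the assumption that the OWA front end only needs HTTP (port 80) to the back end are all illustrative, since the thread does not list the real ports. Lines starting with `!` are comments.

```cisco
! Layout from the replies: internet -> PIX (outside) -> inner firewall -> internal network,
! with the pure OWA web server on the PIX's third (dmz) interface.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 203.0.113.2 255.255.255.0
ip address inside 10.0.0.1 255.255.255.0
ip address dmz 192.168.10.1 255.255.255.0

! Ordinary PAT for internal clients going out (no norandomseq: nothing else randomises here).
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

! Publish the DMZ web server on a public address. No norandomseq on this path:
! the PIX is the only firewall between the internet and the DMZ.
static (dmz,outside) 203.0.113.10 192.168.10.10 netmask 255.255.255.255

! Publish the internal Exchange box towards the DMZ. This is the path that also crosses
! the inner firewall, so this is the one static where gbiello's norandomseq might be
! needed. Keep it off unless sessions actually break; as the Cisco text says, the option
! disables sequence-number randomisation on the PIX for that translation.
static (inside,dmz) 10.0.0.5 10.0.0.5 netmask 255.255.255.255 norandomseq

! From the internet, only HTTPS to the published OWA address (assumed port).
access-list outside_in permit tcp any host 203.0.113.10 eq 443
access-group outside_in in interface outside

! From the DMZ, only the web server may talk to the Exchange box, and only on the
! assumed front-end port; everything else from the DMZ towards inside is dropped.
access-list dmz_in permit tcp host 192.168.10.10 host 10.0.0.5 eq 80
access-list dmz_in deny ip any any
access-group dmz_in in interface dmz
```

The inner firewall would carry a matching rule of its own (web server to Exchange box on the same port), so a compromise of the DMZ host still cannot reach the AD servers directly; if the real OWA front-end/back-end deployment needs further ports, add them to dmz_in explicitly rather than widening the rule to the whole inside network.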
 