Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Chris Miller on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Internal Firewall

Status
Not open for further replies.
jdl508

jdl508

Technical User
Apr 30, 2001
242
US
I am about to buy 2 pix 515's
setting up a 3 teired dmz
internet
app
corp
my question is instead of using 1 pix with multiple interfaces for dmz's we are using 2 pix each with 3 interfaces
heres the Question

is it better practice to have the 2nd pix(internal) plugged into the switch hanging off the firewall or directly into the 3rd firewall interface ie:

Internet router -> PIX1 -> dmz1switch -> pix2

OR

Internet router -> pix1 >int1 = dmz1switch /int2 = pix2 -> dmz2switch
Iknow I have posted something like this before but there is NO way my company will go with the easier single FW config so here goes nothing

:)
thanks
 
Sort by date Sort by votes
HI.

If you must put 2 pix devices in a row, then I suggest that only one of them will do NAT -
I think that pix1 connected to the internet should have nat disabled and using registered addresses for DMZ and internal pix2, and pix2 should NAT for internal users.

About the 2 options you mentioned, I don't know.

I think that pix2 can have 2 interfaces only, but pix1 should have 3 interfaces or better 4 and if you can go for a failover configuration and PIX515UR.

Bye

Yizhar Hurwitz
 
Upvote 0 Downvote
What's your reason for doing this rather than using multiple interfaces on one PIX?

Chris.
************************
Chris Andrew, CCNA
chrisac@gmx.co.uk
************************
 
Upvote 0 Downvote
The reasoning behind this is we have a core software sys and this is the infrastructure 'they' recommend
i tried to explain to mgmt. that it would be easier and better to go with 1 525 with the 4 port interface
but they want to make sure the software company doesnt gripe about it so Im stuck and guess who gets to support / config this monster :)
For Yizhar:
Why would you go with nat only on pix2 i would think nat on pix1 because that has the only public ip (web server outside pix int etc.)?
thanks
 
Upvote 0 Downvote
HI.

The NAT design is specific to your needs,
all options are possible (NAT on each, NAT on one of them, no NAT at all).

Some multimedia, VPN and other applications might fail to work with NAT/PAT, and troubleshooting this in double nat is more dificult.

Another possible configuration is PAT on pix1 and NAT on pix2.

Bye

Yizhar Hurwitz
 
Upvote 0 Downvote
My suggestion, to get back to your original question, is I would use a switch (or a hub) between the PIX's. The reason for this troubleshooting. You will probably have problems with something communicating through the 2 pix's. At least initially, so a swithc or hub between the 2 will allow you to put a PC between the Pix's and troubleshoot down to one of the Pix's.

Wes Hegge
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

TheFireman2
  • Locked
  • Question
Help with Watchguard Firebox M200 setup as a TMG 2010 replacement with ASA 5515 as main firewall
Replies
1
Views
194
hairlessupportmonkey
hairlessupportmonkey
hall5942
  • Locked
  • Question
open firewall port on 881
Replies
0
Views
133
hall5942
hall5942
hall5942
  • Locked
  • Question
open firewall port on 881
Replies
0
Views
124
hall5942
hall5942
RodneyMcSnow
  • Locked
  • Question
Hardware firewall bypassed access to the lan network. Please Help! No it's not a root kit or virus
Replies
1
Views
140
ChrisHirst
ChrisHirst
DataCenter23
  • Locked
  • Question
Cisco Firewall Help!
Replies
1
Views
104
imbadatthis
imbadatthis

Part and Inventory Search

Sponsor

Back
Top