
PIX Placement in Network ?


snailworks

Technical User
Aug 2, 2002
17
US
I am a 'newbie' to PIX and have an issue as to where my PIX needs to be placed within our network. The original installer set it up in one manner and a consultant stated that it is wrong. With all of the reading I have done, I cannot seem to find a scenario or example that is similar to ours.

This is what I have.

-A main location with our mail & file servers has a T1 Frame with a pvc to our ISP.

-3 branch locations each on their own T1 frame. Their pvc's route all traffic to the main office to share the same Internet connection.

-All internal machines are private-IP'd (10.0.[0-3].xxx depending on the branch)

Currently, the T1 Frame with the Internet is connected to a Cisco 2600. The 2600 is supposed to separate the Internet and local IP traffic. Local traffic is passed directly to the switch where all workstations and servers connect. Public traffic is sent through the PIX before connecting to the same switch.

Something like this...

                         Internet
                            |
Branch 1 \                  |   / I-net -- PIX \          / PCs
Branch 2  > frame cloud > 2600                  > switch -- mail
Branch 3 /                      \ Local --------/          \ FileSvr


Can the 2600 with its two inside ports be set up to split WAN (Frame) and Internet traffic?

Is this where and how the PIX should be placed?

If so, does the scenario I listed above seem like it should work?

I really need some help on this. My knowledge on this is not enough to make a decision as to how to progress. Any and all suggestions are welcome.


Thanks in advance,
Gary
 
Hi.

It is similar to this:
thread35-432283

My answers are:
> Can the 2600 with its two inside ports be set up to split WAN (Frame) and Internet traffic?
I'm not sure - I think it is possible but have never done it, and I don't recommend it - there is a security risk here of bypassing the firewall, and such a configuration is difficult to manage and troubleshoot.

Use different lines for Internet traffic and for intersite links, and from there it is all much simpler.
You can choose between 2 similar options:
A. Use only 1 Ethernet interface on the 2600, connected to main office switch. The pix inside interface will connect to that switch also.
Default gateway of hosts on the main office will be the pix inside interface, and the servers will need static routes to point them to the remote subnets via 2600.
The advantage - if the 2600 fails, the main office continues to have access to the Internet.
Disadvantage - some hosts in main office will need static routes.

B. Use 2 Ethernet interfaces on the 2600. One will be connected to the main office switch. The second will be connected to the pix inside interface.
The pix will not be directly connected to the main office.
The default gateway in main office will be the 2600.
All traffic to the Internet (both from remote and main office) will go via the router to the pix.
Advantage - simpler routing for all hosts (everything goes to the 2600).
Disadvantage - more points of failure, and more load on the 2600.

In both cases the pix outside will be connected to a new router and from there to new modem or ADSL line to the ISP.

Bye
Yizhar Hurwitz
 
Actually, both of those solutions are not very safe. You do not want to bring your WAN F.R. links into the same device as the one terminating your untrusted Internet connection. What you want is another 2600 or equivalent box, set up in this manner:

untrusted 2600 <-> PIX <-> trusted 2600 (new)

You will terminate your Internet connection on the untrusted 2600. You will terminate your WAN FR connections on your trusted 2600. The trusted 2600 will also connect to your switch in your main office.

Network Learning Inc
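The following configuration sketch is an added example and is not from any poster in this thread. It shows the "untrusted router <-> PIX <-> trusted router" layout recommended above, which is also what Yizhar's option B becomes once the PIX outside gets its own Internet router: the trusted 2600 terminates the Frame Relay PVCs and the main-office LAN, its default route points at the PIX inside interface, and the PIX routes the branch subnets back through the trusted 2600. Branch-to-main traffic never crosses the firewall, so there is no path that bypasses it. All addresses (192.0.2.0/29 and 203.0.113.0/30 are documentation ranges), DLCI numbers, interface names and the /30 PVC subnets are assumptions chosen for illustration; the syntax is IOS 12.x and PIX 6.x as used on 2600 and PIX hardware of that era, and the ISP is assumed to route the small public block to the untrusted router.

```cisco
! ===== Trusted 2600 (new): Frame Relay hub + main office LAN =====
! Assumed: FE0/0 to main switch, FE0/1 to PIX inside, S0/0 to the frame cloud.
interface FastEthernet0/0
 description Main office LAN (hosts use 10.0.0.1 as default gateway)
 ip address 10.0.0.1 255.255.255.0
!
interface FastEthernet0/1
 description Link to PIX inside interface
 ip address 10.0.254.1 255.255.255.252
!
interface Serial0/0
 description T1 Frame Relay to branches
 encapsulation frame-relay
 no ip address
!
interface Serial0/0.1 point-to-point
 description PVC to Branch 1 (assumed DLCI 101)
 ip address 10.255.1.1 255.255.255.252
 frame-relay interface-dlci 101
!
interface Serial0/0.2 point-to-point
 description PVC to Branch 2 (assumed DLCI 102)
 ip address 10.255.2.1 255.255.255.252
 frame-relay interface-dlci 102
!
interface Serial0/0.3 point-to-point
 description PVC to Branch 3 (assumed DLCI 103)
 ip address 10.255.3.1 255.255.255.252
 frame-relay interface-dlci 103
!
! Branch subnets via their PVCs; everything else (the Internet) via the PIX.
ip route 10.0.1.0 255.255.255.0 10.255.1.2
ip route 10.0.2.0 255.255.255.0 10.255.2.2
ip route 10.0.3.0 255.255.255.0 10.255.3.2
ip route 0.0.0.0 0.0.0.0 10.0.254.2

! ===== PIX (6.x syntax): only Internet traffic passes through it =====
nameif ethernet0 outside security0
nameif ethernet1 inside security100
interface ethernet0 auto
interface ethernet1 auto
ip address outside 192.0.2.2 255.255.255.248
ip address inside 10.0.254.2 255.255.255.252
! Default to the untrusted router; all private subnets live behind the trusted 2600.
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1
route inside 10.0.0.0 255.255.252.0 10.0.254.1 1
! PAT every internal 10.0.0-3.x host behind the outside interface address.
nat (inside) 1 10.0.0.0 255.255.252.0 0 0
global (outside) 1 interface
! No conduit or inbound access-list is defined, so nothing from outside may
! initiate a connection inward; only replies to inside-initiated sessions return.
logging on
logging host inside 10.0.0.10

! ===== Untrusted 2600: Internet only, no WAN links, no LAN =====
interface FastEthernet0/0
 description Public segment shared with PIX outside
 ip address 192.0.2.1 255.255.255.248
!
interface Serial0/0
 description T1 Frame Relay PVC to ISP
 encapsulation frame-relay
 no ip address
!
interface Serial0/0.1 point-to-point
 description PVC to ISP (assumed DLCI 500)
 ip address 203.0.113.2 255.255.255.252
 ip access-group 101 in
 frame-relay interface-dlci 500
!
ip route 0.0.0.0 0.0.0.0 203.0.113.1
! Anti-spoofing: packets from the Internet claiming internal or our own
! public source addresses are dropped before they ever reach the PIX.
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 192.0.2.0 0.0.0.7 any
access-list 101 permit ip any any
```

With this split, the branch routers need nothing beyond their existing default route toward the hub PVC, and the main-office hosts keep a single default gateway (the trusted 2600), so the static routes Yizhar mentions for option A are not required. The PIX carries a single summary route (10.0.0.0/22) for the four private subnets; if the branch addressing ever grows beyond 10.0.3.x, that route must be widened or additional `route inside` entries added, or return traffic for the new subnet will follow the default route out to the Internet.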
 