Hi All,
I've been tasked with setting up a customer so that a group of 5 POS machines cannot access the internet but access local LAN resources. There are 5 other machines that need access to the internet and local LAN resources. I have a Pix 501, W2K3 Proliant ML350 Server, and a Cisco Catalyst 2960 switch to work with. I can change any of the configs, but I can't add any new hardware. I'd rather not do routing on the server unless I have to.
Since the 2960 isn't a layer 3 switch I can't do any layer 3 routing on the switch. The Pix 501 doesn't support VLANs.
The Pix's 1st inside interface is 192.168.1.1.
My idea was to assign the 5 POS PCs a 192.168.2.x address via DHCP reservations from the W2K3 server. I would point those boxes to a default gateway of 192.168.2.1.
On the 2960 I was thinking of setting up a VLAN to segregate that traffic and have a trunk port going to a second interface on the Pix which would be addressed as 192.168.2.1.
Then on the Pix I could create the inside route routing the 192.168.2.x traffic to 192.168.1.1. An access list would prevent the 192.168.2.x traffic from going out the external interface and out to the internet.
Will this work? Any other suggestions?
Sounds like a test question huh?
Thanks in advance!
Jake
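Editor's note with an added config example (not part of Jake's post, and not a reply from the thread). One caveat a practitioner would check first: the PIX 501 has exactly two interfaces, the 10BaseT "outside" port and the built-in 4-port "inside" switch, and its software has no VLAN subinterfaces, so the second inside interface at 192.168.2.1 that the plan relies on does not exist on that box. Without anything in the cabinet that can route between 192.168.1.0/24 and 192.168.2.0/24, a separate POS VLAN would also cut the terminals off from the local server. The variant below keeps everything in one flat 192.168.1.0/24 and enforces "LAN only" for the POS terminals in two places: a port ACL on their 2960 access ports (tied to the physical port, so it holds even if a terminal changes its address) and an inbound ACL on the PIX inside interface keyed on the reserved addresses. The port numbers Fa0/1-5, the host addresses 192.168.1.21-25 and the ACL names are assumptions for the example; a 2960 image with IP port ACL support (LAN Base) is also assumed.

```cisco
! ---- Catalyst 2960: port ACL on the five POS access ports ----
! Assumption: POS terminals are patched into Fa0/1-5 and the whole LAN
! (W2K3 server, printers, the other five PCs, PIX inside 192.168.1.1)
! lives in 192.168.1.0/24. 2960 port ACLs are applied inbound only,
! which is all that is needed: the terminal can only *originate*
! traffic to the local subnet, so nothing from it ever reaches the PIX
! with an Internet destination.
ip access-list extended POS-LAN-ONLY
 remark allow the terminal to obtain its DHCP reservation from the W2K3 server
 permit udp any eq bootpc any eq bootps
 remark anything addressed to the local LAN is fine
 permit ip any 192.168.1.0 0.0.0.255
 remark everything else (i.e. Internet via the PIX) is dropped at the port
 deny ip any any
!
interface range FastEthernet0/1 - 5
 description POS terminal - LAN only, no Internet
 switchport mode access
 ip access-group POS-LAN-ONLY in
!
! ---- PIX 501 (6.x syntax): second layer, keyed on the reserved addresses ----
! Assumption: the W2K3 DHCP reservations hand the terminals 192.168.1.21-25.
! Binding an ACL to "inside" replaces the implicit permit for inside hosts,
! so the final line re-allows the machines that are meant to get out.
! LAN-to-LAN traffic never transits the PIX, so these denies only affect
! Internet-bound packets.
access-list inside_in remark POS terminals: deny Internet
access-list inside_in deny ip host 192.168.1.21 any
access-list inside_in deny ip host 192.168.1.22 any
access-list inside_in deny ip host 192.168.1.23 any
access-list inside_in deny ip host 192.168.1.24 any
access-list inside_in deny ip host 192.168.1.25 any
access-list inside_in permit ip 192.168.1.0 255.255.255.0 any
access-group inside_in in interface inside
```

Two points worth noting. The DHCP permit line must come before the LAN permit, because a DHCP DISCOVER is sent to 255.255.255.255 and would otherwise be dropped by the port ACL before the terminal ever gets its reserved address. And a DHCP reservation is an administrative convenience, not a security control: a terminal with a statically set address would slip past the PIX ACL alone, which is why the port ACL on the 2960 is the primary enforcement point and the PIX list is belt-and-braces. Verify on the switch with `show access-lists POS-LAN-ONLY` and `show ip interface FastEthernet0/1`, and on the PIX with `show access-list inside_in` to see the hit counts climb as a terminal tries to reach the Internet.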