Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations IamaSherpa on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Two networks inside PIX

Status
Not open for further replies.
JMCColorado

JMCColorado

IS-IT--Management
Jul 3, 2002
10
US
I have a network inside a pix firewall and a DMZ outside the PIX. I need to add a COMPLETELY separate internal network inside the PIX. Is this as easy as installing a second "Inside" network card and going for it? What do I need to know? Do I have to buy another PIX?

Please help!

Thanks

Josh
 
Sort by date Sort by votes
There are a few factors here. If you have a PIX 520 or higher, you should be alright with installing another interface. If you have a PIX 515, it must be the PIX 515-UR to add an additional interface. However, intead of doing that, you could also stick a router in front of your pix which would allow for more expandabilty in the future. It really sounds like a router would be a better fit for your situation (given the limited information you have provided). Network Learning Inc
 
Upvote 0 Downvote
I would agree with Bootcamp on this one. Stick a low end Cisco 1600/1700 series router in front and use it to route traffic. It would seem to be a bit of a waste of PIX resources to do internal routing. It also depends on the connectivity to the two seperate networks, in the past I have even used a Linksys router to do the job. As with above we would need more information on where you are wanting to go with it.
 
Upvote 0 Downvote
I do have a router, a Cisco 2600 series router. What I have is a T-1 Coming in to a 2600 series router then going into a DMZ 10.0.0.0 network. Then a pix box providing dynamic NAT for internal address. I have a second line coming in owned by a customer, its a direct link to their site. We are going to house some servers for them on site here. So I need to keep their network COMPLETELY separate from ours. How can I do this?
 
Upvote 0 Downvote
You could do something like this if you have an extra router:

Router
|
PIX <-- Inside IP is 192.168.0.1
|
Network <-- Main network you don't want to share
192.168.0.0/24
|
Router <-- Has accesslist bound to it to it.
|
Network <-- New network
10.0.0.0/24

The access list on the router separting the two networks would look like this

interface ethernet0/1
description Connection to new LAN
ip address 10.0.0.1 255.255.255.0
access-group 101 out
!
access-list 101 description Keep 10 network away from 192
access-list 101 permit ip any host 192.168.0.1
access-list 101 deny ip any 192.168.0.0 255.255.255.0
access-list 101 permit ip any any

This should allow data to go across your network to the pix, but nowhere else on the network.
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

sudhakar346
  • Locked
  • Question
Cisco ASA inside to DMZ issue over public IP
Replies
2
Views
146
kythri
kythri
quazimotto
  • Locked
  • Question
Ping thru PIX to subnet inside??!!
Replies
0
Views
73
quazimotto
quazimotto
xwray
  • Locked
  • Question
PIX 501 DHCP Server function
Replies
0
Views
93
xwray
xwray
brownmab53
  • Locked
  • Question
PIX 525 ASA not allowing DHCP addresses to pass through to router
Replies
0
Views
115
brownmab53
brownmab53
quazimotto
  • Locked
  • Question
Correct Upgrade Path for PIX
Replies
7
Views
181
quazimotto
quazimotto

Part and Inventory Search

Sponsor

Back
Top