Where does the PIX fit into our network?

Status
Not open for further replies.

StockcarsRus

IS-IT--Management
Jun 9, 2003
100
US
I will apologize before I start; I am a definite "newbie" and can use all the help that you may provide.

We currently have our main office and two branches. The main office is where all of the network equipment resides. We are using a T1 line and PVCs from our branches, and the branches are set up with PPP with bridges to the main office. We have a router and CSU/DSU at each location. We would like to add a PIX into the scenario. We also have 2 employees that connect from home. I guess I don't know if we need to get a PIX for each home user, and a PIX and additional routers for main office and branch. How does it all fit together?

Thanks
 
HI.

This scenario is a bit more complex than it seems.
You will either need:
A new line to the ISP (not the same line used for branch office connections), and a single PIX firewall at main office.
OR:
A PIX for main office, and a PIX for each branch office.

My advice is to contact the Cisco pre-sale department or a dealer (or independent consultant) to help you with the design, specific to your scenario and needs.

Bye


Yizhar Hurwitz
 
You mention PVCs over the T1; are you running frame relay or ATM? If it's frame then there may be a way to do this without purchasing an additional circuit.
 
OK, in that case one way you can do this is with one PIX, an additional router such as a 1700 series, a serial crossover cable and a spare WAN port on your existing router.

If you can get an Internet connection from your frame provider on your existing frame circuit and you have sufficient bandwidth on the frame access circuit to accommodate the additional Internet traffic, you can switch the Internet PVC through your main router to the new one across the serial crossover cable.

The PIX then sits between the new router and your LAN. This is a common application that saves you buying additional access circuits.

Would be easier with a diagram, but I'm sure your provider would understand what I'm trying to describe!
 
Thanks for the information. I have added additional information as I have figured it out. I hope that your scenario will "fit in"

Main office:

Cisco 2600 Router

S1 connected to Port 2 of csu/dsu (v.35 adapter)
S2 connected to Port 1 of csu/dsu
10/100 eth connected to our switch
DSX-1 on back of csu/dsu connected to our PBX

Long distance, Internet, and Private Network Data all go out over the T1


Thanks so much for any additional comments

 
What do you mean by "long distance"?
Is this a voice link over the router?

Does the 2600 have any spare slots?
 
The router has no spare slots. The T1 has been split up so that the internet, private frame and long distance go over it? The connection for the phone system comes off of the CSU/DSU, not the router. But I know that the long distance goes over the T1 (Worldcom) and they are our ISP as well. I am sure that this is not much help. I was not here unfortunately when this was all set up.

My boss also wanted to have the possibility of going wireless for our internet service, instead of over the T1?
 
If you have an existing Internet connection over the frame what does this terminate on? Do you already have a firewall that you want to replace with a PIX?
 
HI.

> S1 connected to Port 2 of csu/dsu (v.35 adapter)
> S2 connected to Port 1 of csu/dsu
I'm not sure that I got it right, but if you have 2 physical WAN connections (one to ISP and the other to branches), then I think that the best option for you is to purchase an additional router; then one router will connect to branches (inside of PIX) and the other will connect to ISP (outside of PIX).


Yizhar Hurwitz
 
Maybe no one has thought of this already....

But if all you want to do is add some security to your setup--which is what I'm reading in between the lines--then you don't need any additional routers or switches.

All you need is some sort of firewall.

You simply put the firewall in-between your internet router and the rest of the internet. That configuration is definitely possible, and is documented on Cisco's site as a supported configuration if you go the PIX route. Downside is you cannot use NAT. You must let your public IP addresses pass through the PIX without being translated...but you can still filter any/all traffic coming in/going out over that connection.

Outside of that, you'd have to change the architecture in a major way. Unfortunately, you have all your branch offices being routed directly to an internet router--which in this day and age is a big no-no...so every host in effect is on the public internet. The ideal situation is to have all your branches' connections converge at one central router INSIDE your network, that router connects to a firewall, then the firewall connects to your internet router. I can expound more if you want.
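
The placement options discussed in this thread can be checked as a small graph problem. This is an added example, not part of the original post: the node names and the three topologies are constructed for illustration, and "exposed" only means that a path from the Internet exists that never crosses the firewall.

```python
from collections import deque

def build(edges):
    """Build an undirected adjacency map from (a, b) link pairs."""
    graph = {}
    for a, b in edges:
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)
    return graph

# Constructed site names (assumption: one main LAN and two branches, as in the thread).
SITES = {"main-lan", "branch-1", "branch-2"}

# Current layout: LAN and branch PVCs all terminate on the Internet-facing router.
BEFORE = build([("internet", "edge-router"), ("edge-router", "main-lan"),
                ("edge-router", "branch-1"), ("edge-router", "branch-2")])

# One PIX in front of the main LAN only; branches still land on the edge router.
PARTIAL = build([("internet", "edge-router"), ("edge-router", "pix"),
                 ("pix", "main-lan"), ("edge-router", "branch-1"),
                 ("edge-router", "branch-2")])

# Branches converge on an internal router; the PIX sits between it and the Internet router.
AFTER = build([("internet", "internet-router"), ("internet-router", "pix"),
               ("pix", "internal-router"), ("internal-router", "main-lan"),
               ("internal-router", "branch-1"), ("internal-router", "branch-2")])

def exposed_sites(graph, firewalls=frozenset({"pix"}), source="internet"):
    """Return the sites reachable from source by a path that crosses no firewall."""
    seen = {source}
    queue = deque([source])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, ()):
            # Stop at firewall nodes: traffic beyond them is filtered, not direct.
            if nxt in seen or nxt in firewalls:
                continue
            seen.add(nxt)
            queue.append(nxt)
    return sorted(seen & SITES)

if __name__ == "__main__":
    for name, topo in (("before", BEFORE), ("partial", PARTIAL), ("after", AFTER)):
        print(f"{name:8s} unfiltered from Internet: {exposed_sites(topo) or 'none'}")
```
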
 
Thanks for the comments bwilliam. So would it make sense to keep the router configuration that they all converge on now, and add another router for the internet. My boss wants to switch to wireless for that. The pix would then be between the internal router and the external? Sorry for being such a loser with this stuff, but I am from the programming world. Thanks so much.

 
You've got the concept. However, it will be somewhat difficult technically if you've never done it before. I'd go to Cisco's site and look at some of their examples...they have some pretty detailed pictures of what you want to do. If you want me to, I will find some online examples for you.
 
Yes, if you have time, that would be great! I am trying to cram my way through a Pix book (the size of a phone book). Some online examples would help tremendously.

Thanks

Debbie
 
Well, I may have told you something inaccurate.

As of PIX OS version 6.3, it supports OSPF routing...which is dynamic. So, you can actually put your PIX outside of your internet firewall if you want, and it will route necessary traffic wherever it needs to go if necessary, assuming you have the configuration correct.

Anyway, take a look at this whole page:

 