gulamc

SETTING PIX BEHIND ANOTHER FIREWALL


Hi,

 

I have a situation where I need to set up a firewall before a PIX like this (OUTSIDE - FW1 - PIX - DMZ/INSIDE). I am not an expert on PIX and need some assistance.

 

CURRENT SCENARIO

Customer has a PIX on their network with the following configuration:

 

ip address outside publicip1 255.255.255.0
ip address inside 10.10.11.1 255.255.255.0
ip address DMZ_WWW 10.10.10.1 255.255.255.0

 

name 10.10.10.12 server1
name 10.10.11.12 server2
name 10.10.11.13 server3
name 10.10.11.14 server4
name 10.10.10.16 server5
name 10.10.10.21 server6

 

access-list OUTSIDE_ACCESS_IN permit tcp any host publicip2 eq https
access-list OUTSIDE_ACCESS_IN permit tcp any host publicip3 eq domain
access-list OUTSIDE_ACCESS_IN permit tcp any host publicip4 eq 8080
access-list OUTSIDE_ACCESS_IN deny tcp any any

 

They have another access-list, DMZ_ACCESS_IN, with several rules for traffic between server1 and the rest of the servers.

 

global (outside) 1 publicip5 netmask 255.255.255.0
global (DMZ_WWW) 1 10.10.10.18 netmask 255.255.255.0
nat (DMZ_WWW) 1 0.0.0.0 0.0.0.0

 

static (DMZ_WWW, outside) publicip2 server1 netmask 255.255.255.255 0 0
static (inside, DMZ_WWW) 10.10.11.0 10.10.11.0 netmask 255.255.255.255 0 0
static (DMZ_WWW, outside) publicip4 server4 netmask 255.255.255.255 0 0

 

access-group OUTSIDE_ACCESS_IN in interface outside
access-group DMZ_ACCESS_IN in interface DMZ_WWW

 

route outside 0.0.0.0 0.0.0.0 publicip6

 

 

REQUIREMENT

 

Due to some security requirement, they need to put another firewall before the PIX. Therefore, between the new firewall and the PIX they will have private IPs (NEW FIREWALL - 192.168.0.1 /29 and PIX - 192.168.0.2 /29).

 

On the new firewall I can configure several public IPs (publicip1, 2, etc.) on the WAN interface and redirect traffic coming in for them to the IP of the PIX, i.e. 192.168.0.2.

 

My issue is what configuration changes do I have to make on the PIX for this to work?

 

Appreciate any help.

 

Gulam


Mainly, if another FW will be placed ahead, I suggest you do things as simple as possible:

- remove NAT from PIX

- move NAT to the "newer" firewall

- the public IP from the outside interface will move to the new FW; then use an interconnection class between the FW and the PIX

- while implementing this I would use no FW on the PIX, at least until you have set everything up correctly:

access-list ANY permit ip any any
access-group ANY in interface outside
access-group ANY in interface DMZ_WWW


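As an added example (not the original poster's config and not the reply's), here is what the PIX side of the change described in the reply looks like when applied to the configuration posted above, in PIX 6.x syntax with ':' comment lines as in a saved PIX config. It assumes that FW1 now owns publicip1..publicip5, DNATs publicip2 to server1 and publicip4 to server4, and routes 10.10.10.0/24 and 10.10.11.0/24 to 192.168.0.2 over the 192.168.0.0/29 interconnect given in the post; the DNS host behind publicip3 is a placeholder because the post shows no static for it.

```text
: Added example, not the poster's or replier's config. Assumed: FW1 owns the
: public IPs, DNATs publicip2->server1 and publicip4->server4, and routes
: 10.10.10.0/24 and 10.10.11.0/24 to 192.168.0.2 over 192.168.0.0/29.

: 1. Outside interface moves to the interconnect; default route points at FW1
ip address outside 192.168.0.2 255.255.255.248
route outside 0.0.0.0 0.0.0.0 192.168.0.1

: 2. Drop the outside NAT and the public-IP statics (FW1 does that now)
no global (outside) 1 publicip5 netmask 255.255.255.0
no static (DMZ_WWW,outside) publicip2 server1 netmask 255.255.255.255 0 0
no static (DMZ_WWW,outside) publicip4 server4 netmask 255.255.255.255 0 0

: 3. "No NAT" on a PIX 6.x still needs a translation entry for connections
:    that enter from the lower-security outside interface, so use identity
:    statics (each address maps to itself). server4 keeps its original
:    (DMZ_WWW,outside) placement and still relies on the existing
:    (inside,DMZ_WWW) static to be visible on the DMZ side.
static (DMZ_WWW,outside) 10.10.10.0 10.10.10.0 netmask 255.255.255.0 0 0
static (DMZ_WWW,outside) server4 server4 netmask 255.255.255.255 0 0

: 4. The outside ACL is matched against addresses as they arrive at the PIX,
:    which after FW1's DNAT are the real server addresses, not publicipN.
:    DNS_SERVER_PLACEHOLDER stands in for the host that publicip3 maps to.
clear access-list OUTSIDE_ACCESS_IN
access-list OUTSIDE_ACCESS_IN permit tcp any host server1 eq https
access-list OUTSIDE_ACCESS_IN permit tcp any host DNS_SERVER_PLACEHOLDER eq domain
access-list OUTSIDE_ACCESS_IN permit tcp any host server4 eq 8080
access-list OUTSIDE_ACCESS_IN deny tcp any any
access-group OUTSIDE_ACCESS_IN in interface outside
```

The "permit ip any any" list from the reply would replace step 4 only during cut-over; once traffic flows, re-apply OUTSIDE_ACCESS_IN and DMZ_ACCESS_IN so the PIX filters again.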