
I hope that someone could shed some light over my situation, as I am fairly new to PIX configurations.

I will be getting a new net for my department, which I am going to configure. At my hands, I have a Cisco PIX 515 (not E), a Cisco 2948 switch (and if needed, I can bring up a 2621XM router, but this is my private and not owned by my dept.).

The network I will be getting is the following:

10.12.33.0/26. The link net between the ISP routers and my network will be 10.12.32.0/29, where the GW is .1 and the HSRP routers are .2 and .3.

The ISP has asked me not to NAT the addresses on my side, as they will set it up to give 10.12.33.2 as a one-to-one NAT to a public IP. The rest of the IPs will be a many-to-one NAT to another public IP.

10.12.33.2 is supposed to be my server placed on the DMZ; the rest of the IPs will be used for my clients and the AD server (which is currently also acting as a DHCP server in the old network config with another ISP).

Now, the question is, how would I best configure this? I mean, am I thinking wrong here? I am expected to put the PIX first from the ISP outlet, then the switch which will connect my clients. But with the ISP routers being on a different network, how will the firewall forward the packets to the other network? It's a firewall, not a router.

I have actually never configured a PIX before, and fortunately this is more like a lab network, not a production network, so if something goes wrong it's not the end of the world, though annoying.

I am not asking for a full configuration from anyone, just some directions, or possibly some links which will give me some hints.

Thank you very much!

Rickard

1 Answer


If I am reading this right you have 10.12.33.0/26 for your DMZ and LAN networks, and 10.12.32.0/29 is your link to the outside world. You will need to subnet your allocated IPs into two /27 networks, one for the DMZ, one for the LAN.

  DMZ = 10.12.33.0/27 
  LAN = 10.12.33.32/27
  EXT = 10.12.32.0/29

You will need to create three security zones on the PIX and set security levels. Add VLAN interfaces to each zone and give them IP addresses. Set up a static route for your internet access and then your NAT and access rules. The basic commands are here:

As for how you would connect everything, the ISP connection goes into the external interface of the PIX. Connect the internal interface to a trunk port on your switch and allow the vlans you have configured on the switch. Then divide up the access ports into the appropriate vlans. That's the basic idea. Hope this is of some help.

GerryEgan
  • Thank you Gerry, although I was asked specifically not to NAT, as the addresses we are given are already NATed. In essence, all I need is a proper firewall in between the ISP and our computers to shut down ports and services we will not be using. – Rickard Dec 10 '12 at 19:45
  • I am thinking here now, looking it all over. I think this IP plan wouldn't be too good; at this moment, we need around 35 IP addresses on the LAN and only one on the DMZ. This means we have a lot of IP addresses on the DMZ that won't be used due to the supernetting. Or am I misunderstanding you/not thinking correctly? Thinking further, do you suggest that I set the internal interface to 10.12.33.0/26 and then make VLANs on that interface to supernet the subnet, and thereby not use the DMZ interface at all? – Rickard Dec 11 '12 at 08:45
  • The way I was suggesting to do it would result in unused IPs in your DMZ subnet. The alternative that you are suggesting is something similar to private VLANs, which can be used to create a DMZ network within an IP range. However, you will not have that feature on your switch, and the PIX associates IP subnets and VLANs with a one-to-one relationship, so it's not possible to tell it to take some IPs from one VLAN and the rest from another. Is there any chance you can get a larger subnet from your provider? 10.12.33.0/25 would be fine. – GerryEgan Dec 11 '12 at 16:39
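A minimal PIX configuration that follows Gerry's plan (three zones on 802.1Q subinterfaces of the inside port, a default route to the ISP gateway, and identity NAT so the addresses stay untranslated as the ISP asked), written here as an added example rather than taken from the thread. It assumes PIX 7.x syntax (PIX 6.3 uses a different interface syntax), VLAN 10 for the DMZ, VLAN 20 for the LAN, 10.12.32.4 as the PIX outside address, and that the DMZ host 10.12.33.2 only serves HTTP and HTTPS.

```cisco
! Outside: the /29 link net; .4 is assumed free for the PIX, .1 is the HSRP gateway
interface Ethernet0
 nameif outside
 security-level 0
 ip address 10.12.32.4 255.255.255.248
!
! Inside physical port carries an 802.1Q trunk to the 2948; one subinterface per zone
interface Ethernet1
 no nameif
 no security-level
 no ip address
!
interface Ethernet1.10
 vlan 10
 nameif dmz
 security-level 50
 ip address 10.12.33.1 255.255.255.224
!
interface Ethernet1.20
 vlan 20
 nameif inside
 security-level 100
 ip address 10.12.33.33 255.255.255.224
!
! Default route toward the ISP's HSRP virtual address
route outside 0.0.0.0 0.0.0.0 10.12.32.1 1
!
! The ISP translates the addresses, so identity NAT (nat 0) leaves them unchanged
access-list NONAT_INSIDE extended permit ip 10.12.33.32 255.255.255.224 any
access-list NONAT_DMZ extended permit ip 10.12.33.0 255.255.255.224 any
nat (inside) 0 access-list NONAT_INSIDE
nat (dmz) 0 access-list NONAT_DMZ
!
! Only the DMZ host is reachable from outside, and only on the services it offers (assumed: HTTP/HTTPS)
access-list OUTSIDE_IN extended permit tcp any host 10.12.33.2 eq www
access-list OUTSIDE_IN extended permit tcp any host 10.12.33.2 eq https
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! The DMZ host may reach the Internet but may not initiate connections into the LAN
access-list DMZ_OUT extended deny ip any 10.12.33.32 255.255.255.224 log
access-list DMZ_OUT extended permit ip any any
access-group DMZ_OUT in interface dmz
```

The inside zone keeps the default behaviour of a higher security level (it can reach the DMZ and the outside), so no access-group is needed there unless outbound traffic is to be restricted as well.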