2nd DMZ???

shane.wesley
Level 1

Hello all. Pretty newbie question here. I know I still have lots of research to do, but I'm fairly new to the security side of things, so I'm looking to get pointed in some direction...

We are running 2 PIX 515's, one as a failover. All the ports are being used; we have one DMZ set up where our websvr and another host sit. We need to set up another host to run various things with Google (ads, I believe?) that need to open an in/out tunnel to the internet, so we want to put this on a separate DMZ from the websvr.

Question, what is the best way to go about this? Just upgrade the PIX to add another port and put the 2nd DMZ on that? Are there better...more efficient...less costly ways to do this?

Eventually we are upgrading the PIX to ASAs. If upgrading the PIX is the only solution, is the cost great enough that we should try to wait and upgrade to the ASAs first? Is there a temporary workaround to get by until we upgrade?

Thanks in advance!

5 Replies

Jon Marshall
Hall of Fame

Shane

If you are using a switch that supports 802.1q trunking then you can use one of the physical interfaces on the PIX and split it logically into 2 different interfaces. Each logical interface is seen as a separate interface that you can apply access-lists to, etc.

See attached link for details.

http://www.cisco.com/en/US/docs/security/pix/pix63/configuration/guide/bafwcfg.html#wp1113411

Obviously you now have 2 separate DMZs on the same physical interface, so each DMZ will not get a full 100Mb throughput, but it should be fine.

Jon


Jon,

Thank you for the reply. I had thought about just putting them on VLANs, but I guess my concern was this wouldn't be as secure as putting them on a totally separate PHYSICAL interface.

Or am I misguided in thinking this? Would 2 VLANs suffice...?

Hi,

Separate VLANs on a switch I believe is the best way to go. I have 2 3750s trunked off my ASA (1 Gb ports) with multiple VLANs. It's great as you can use one port and create subinterfaces off that single port to create multiple VLANs/DMZs. They are very secure, and as the VLANs/DMZs are seen as interfaces you can give them different security levels, access rules, etc.

Let me know if you need any other help.

Please rate if helpful.
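To make the two replies above concrete, here is an added example (not posted by anyone in the thread) of what Jon's PIX 6.3 logical-interface approach and the subinterface/security-level setup from the reply above look like in configuration. Interface names, VLAN IDs, addresses and the NAT pool number are assumptions chosen for illustration; the existing web-server DMZ is assumed to stay untagged on ethernet2 as VLAN 10, and the new host gets tagged VLAN 20 as a second DMZ with a lower security level and its own access-list.

```cisco
! --- PIX 515 (6.3) side: one physical DMZ port carrying two DMZs ---
! Assumed names/IDs/addresses for illustration; adjust to your own plan.
interface ethernet2 100full
! Untagged frames on ethernet2 stay in VLAN 10 (existing web-server DMZ)
interface ethernet2 vlan10 physical
! Tagged VLAN 20 becomes a second logical interface (new DMZ for the Google host)
interface ethernet2 vlan20 logical
nameif ethernet2 dmz1 security50
nameif vlan20 dmz2 security40
ip address dmz1 192.168.10.1 255.255.255.0
ip address dmz2 192.168.20.1 255.255.255.0
! Outbound NAT for the new DMZ (assumes global pool 1 on outside already exists
! or is created here)
global (outside) 1 interface
nat (dmz2) 1 192.168.20.0 255.255.255.0
! Access-list on the new DMZ: first-match, so block the inside network and the
! web-server DMZ explicitly before permitting Internet-bound HTTP/HTTPS
access-list dmz2_in deny ip 192.168.20.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list dmz2_in deny ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list dmz2_in permit tcp host 192.168.20.10 any eq 80
access-list dmz2_in permit tcp host 192.168.20.10 any eq 443
access-group dmz2_in in interface dmz2

! --- Catalyst (IOS) side: the port facing ethernet2 becomes an 802.1q trunk ---
interface FastEthernet0/1
 description trunk to PIX ethernet2
 switchport trunk encapsulation dot1q
 ! Native VLAN must match the PIX "vlan10 physical" (untagged) interface
 switchport trunk native vlan 10
 ! Carry only the two DMZ VLANs; nothing else may ride this trunk
 switchport trunk allowed vlan 10,20
 switchport mode trunk
 ! Hard-code the trunk instead of negotiating it with DTP
 switchport nonegotiate
! Access port for the new host, assigned to the second DMZ VLAN
interface FastEthernet0/10
 description Google host - second DMZ
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
```

Pruning the trunk to the two DMZ VLANs and turning off trunk negotiation are what keep the two VLANs as isolated from each other, and from the inside network, as two physical ports would be; the security levels and the access-list then decide which traffic the PIX passes between them.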

Hey if you're still reading this thread, I would really appreciate it if maybe I could get some idea from you of a config to use. Please let me know, and I'll email you offline!

sw1iniraq2003@yahoo.com

THANKS!

What do you need to know?
