I'm very new at firewalling. I have to set up a PIX to provide 2 DMZ zones with an inside VLAN for workstations. Right now I have a 3745 router connecting to WAN via ISP's 851 ethernet. I have 5 static IPs. Behind the 3745 I have a Catalyst 3550 hosting 3 VLANs. One for workstations, another for web servers and mail server and a third for CallManager. I have 6 ethernet interfaces available on PIX. PIX OS 8.04 and ASDM 6. What I think I need to do is to put the PIX between the 3745 and the 3550 but I am not sure. Perhaps the PIX needs to connect directly to the 851? What I want to do is have the PIX act as firewall for workstations (VLAN 100, 192.168.110.0/24) and create 2 DMZs which are currently in VLANs on the 3550. I need to be able to use 1 IP for internet access for the workstations and 3 more for webserver DMZ. I have to be able to PAT ports from different internal IPs on subnet 192.168.10.0/28 to 3 outside IPs. I know there must be a way to do this, I apologize for being so confusing. Any direction would help with this. I have searched and have found no guidance on this type of setup. Thanks in advance.
1) In achieving the following requirement:
PAT 192.168.30.2:80 --> 96.xx.xx.172:420
PAT 192.168.30.2:81 --> 96.xx.xx.172:81
Since NATing is now done on the PIX, please remove the NAT statement on your c851 router.
static (DMZ1,Outside) tcp 96.xx.xx.172 420 192.168.30.2 80 netmask 255.255.255.255
static (DMZ1,Outside) tcp 96.xx.xx.172 81 192.168.30.2 81 netmask 255.255.255.255
access-list outside_in permit tcp any host 96.xx.xx.172 eq 420
access-list outside_in permit tcp any host 96.xx.xx.172 eq 81
access-group outside_in in interface outside
2) For this requirement:
Unrestricted access from PIX, e5 --> PIX, e1 (SSH, HTTP, etc)
DNS to 192.168.30.2 (53, udp)
Unrestricted access from inside network towards DMZ1 network - since this requirement will cover the above 2 lines, you do not need to configure the specifics of the above 2 lines.
static (inside,DMZ1) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
access-list inside_in permit ip 10.1.1.0 255.255.255.0 192.168.30.0 255.255.255.0
access-group inside_in in interface inside
3) To answer your ping question:
You can only ping the PIX interface from the directly connected interface as follows:
To be able to ping the inside interface, you would need to ping from the inside network
To be able to ping the DMZ1 interface, you would need to ping from the DMZ1 network
You can't ping the inside interface from DMZ1 network, and vice versa (can't ping DMZ1 interface from inside network). Those are not supported on PIX.
However, you should be able to ping from DMZ1 network towards inside network and vice versa after the above "static (inside,DMZ1)" statement, and also if you have "inspect icmp" configured (check "sh run policy-map")
4) For this requirement:
Ping from DMZ1 network towards inside network, and to allow HTTP from DMZ1 network towards inside network, you would need to create access-list on DMZ1 interface.
access-list dmz1_in permit icmp any any
access-list dmz1_in permit tcp 192.168.30.0 255.255.255.0 10.1.1.0 255.255.255.0 eq 80
access-group dmz1_in in interface DMZ1
Hope the above helps, and please kindly rate helpful post so Cisco can match $1 for every rating for the Haiti Earthquake donation.
Yes, your proposed topology would work out great.
You do not need an extra router to route traffic from 3550 towards the PIX as PIX will be acting as a router.
You can configure the following interfaces on your PIX:
1) Outside - connect to the 3745 router (using the public ip address, assuming the 3745 is .169, you can configure the PIX outside interface in the same subnet). PIX will be configured with default gateway pointing towards your 3745 (x.x.x.169).
2) Inside - connect to the workgroup switch (you can configure PAT to the PIX outside interface for internal users to have internet connectivity).
3) DMZ-Server - connect to the 3550 server VLAN (for the remaining 3 public ip addresses, you can statically configure the NAT for each server, all servers will have PIX DMZ-Server interface ip address as their default gateway)
4) DMZ-ESX - connect to the 3550 ESX (VLAN 2) - all ESX servers would have PIX DMZ-ESX interface as their default gateway.
5) DMZ-CM - connect to the 3550 CM VLAN - CMs will have PIX DMZ-CM interface as their default gateway.
Hope that helps.
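The two replies above describe the same PIX in pieces: the first gives the NAT and access-list statements for the DMZ1 web server and the inside-to-DMZ1 identity NAT, the second gives the five-interface layout. As an added example (not configuration from the original posters), here they are combined into one PIX 8.0(4) configuration in pre-8.3 NAT syntax. Addressing follows the first reply for inside (10.1.1.0/24) and DMZ1 (192.168.30.0/24). The DMZ-ESX and DMZ-CM subnets, the public /29 (203.0.113.168/29 standing in for the 96.xx.xx.x block, with .169 on the 3745 and .170 on the PIX outside), the mail server on 192.168.30.3 behind .173, and the management lines are assumptions made for the example.

```cisco
! Added example (not the original posters' configuration). PIX 8.0(4), pre-8.3 NAT syntax.
! Assumed: 203.0.113.168/29 stands in for the 96.xx.xx.x /29; the DMZ-ESX and DMZ-CM
! subnets, the mail server (192.168.30.3 -> .173) and the management lines are assumptions.
hostname PIX
!
! --- Interfaces (names from the second reply) ---
interface Ethernet0
 nameif outside
 security-level 0
 ip address 203.0.113.170 255.255.255.248
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
interface Ethernet2
 nameif DMZ1
 security-level 50
 ip address 192.168.30.1 255.255.255.0
interface Ethernet3
 nameif DMZ-ESX
 security-level 40
 ip address 192.168.40.1 255.255.255.0
interface Ethernet4
 nameif DMZ-CM
 security-level 60
 ip address 192.168.50.1 255.255.255.0
!
! Default route to the 3745; every host behind the PIX uses its PIX interface as gateway
route outside 0.0.0.0 0.0.0.0 203.0.113.169 1
!
! --- Outbound: dynamic PAT to the outside interface address (one public IP for all users) ---
global (outside) 1 interface
nat (inside) 1 10.1.1.0 255.255.255.0
nat (DMZ1) 1 192.168.30.0 255.255.255.0
nat (DMZ-ESX) 1 192.168.40.0 255.255.255.0
nat (DMZ-CM) 1 192.168.50.0 255.255.255.0
!
! --- Identity NAT: inside <-> DMZ traffic keeps its real addresses ---
static (inside,DMZ1) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
static (inside,DMZ-CM) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
!
! --- Inbound: static PAT (port forwards) from the first reply, plus a one-to-one static ---
static (DMZ1,outside) tcp 203.0.113.172 420 192.168.30.2 80 netmask 255.255.255.255
static (DMZ1,outside) tcp 203.0.113.172 81 192.168.30.2 81 netmask 255.255.255.255
static (DMZ1,outside) 203.0.113.173 192.168.30.3 netmask 255.255.255.255
!
! The outside ACL matches the mapped (public) address and mapped port in pre-8.3 code
access-list outside_in extended permit tcp any host 203.0.113.172 eq 420
access-list outside_in extended permit tcp any host 203.0.113.172 eq 81
access-list outside_in extended permit tcp any host 203.0.113.173 eq smtp
access-group outside_in in interface outside
!
! Inside ACL: applying an access-group removes the implicit high-to-low permit,
! so the final "permit ip ... any" is what keeps workstation internet access
access-list inside_in extended permit ip 10.1.1.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list inside_in extended permit ip 10.1.1.0 255.255.255.0 any
access-group inside_in in interface inside
!
! DMZ1 ACL: echo and HTTP toward inside only, nothing else toward inside or the other
! DMZs, internet otherwise (a compromised web server cannot reach the workstations)
access-list dmz1_in extended permit icmp 192.168.30.0 255.255.255.0 10.1.1.0 255.255.255.0 echo
access-list dmz1_in extended permit tcp 192.168.30.0 255.255.255.0 10.1.1.0 255.255.255.0 eq www
access-list dmz1_in extended deny ip any 10.1.1.0 255.255.255.0
access-list dmz1_in extended deny ip any 192.168.40.0 255.255.255.0
access-list dmz1_in extended deny ip any 192.168.50.0 255.255.255.0
access-list dmz1_in extended permit ip 192.168.30.0 255.255.255.0 any
access-group dmz1_in in interface DMZ1
!
! ICMP inspection so echo replies are matched to requests statefully ("sh run policy-map")
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global
!
! Management from the workstation VLAN only (ASDM over HTTPS, SSH)
http server enable
http 10.1.1.0 255.255.255.0 inside
ssh 10.1.1.0 255.255.255.0 inside
```

Two things to check after loading this. First, as the first reply says, the port-forward NAT on the 851 must go, and the 3745 needs no extra route: the PIX proxy-ARPs for .172 and .173 on the shared /29. Second, confirm each forward with `show xlate` and with packet-tracer, for example `packet-tracer input outside tcp 198.51.100.7 40000 203.0.113.172 420` (198.51.100.7 is an arbitrary test source); the output shows which NAT statement and which ACL line the packet hit, which is faster than guessing when a forward does not answer.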