I have a PIX 515E set up with stateful failover.
Do I have to have a DMZ bundle in order to configure a DMZ for an FTP server?
Is all that is needed to set up an interface on one of the 3 remaining available ones and configure the security for it?
You could just place the FTP server on the existing inside interface and map it to a public IP using the static command. This won't be a recommended setup though.
Recommended setup would be to use a separate interface altogether for publicly accessible servers and map them to public IPs from there. Here's a link which shows placing a mail server in a DMZ network and allowing access to it -
You can just replace the ports from smtp to ftp and "inspect esmtp" with "inspect ftp" in 7.x code and "fixup protocol smtp 25" with "fixup protocol ftp 21" in 6.x code.
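The setup recommended above, written out as a constructed example that is not part of this thread: a third PIX interface named dmz, a static mapping of the FTP server to a public address, an inbound access list that admits only the FTP control port, and FTP inspection so the firewall can open the data channel. All addresses, interface numbers and list names are placeholders chosen for illustration; the lines beginning with ! are annotations, not part of the configuration.

```cisco
! --- PIX 6.x ---
! Third physical interface becomes the DMZ, less trusted than inside (100), more than outside (0)
nameif ethernet2 dmz security50
ip address dmz 192.168.50.1 255.255.255.0
! One-to-one mapping of the DMZ FTP server (placeholder addresses) to a public IP
static (dmz,outside) 203.0.113.21 192.168.50.21 netmask 255.255.255.255
! Permit only the FTP control connection from the outside to that one host
access-list outside_in permit tcp any host 203.0.113.21 eq ftp
access-group outside_in in interface outside
! FTP fixup tracks the control channel and opens the matching data connection
fixup protocol ftp 21

! --- PIX 7.x equivalent ---
interface Ethernet2
 nameif dmz
 security-level 50
 ip address 192.168.50.1 255.255.255.0
 no shutdown
static (dmz,outside) 203.0.113.21 192.168.50.21 netmask 255.255.255.255
access-list outside_in extended permit tcp any host 203.0.113.21 eq ftp
access-group outside_in in interface outside
! "inspect ftp" replaces the 6.x fixup and lives in the global service policy
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect ftp
service-policy global_policy global
```

Because the access list names the single mapped host and only port 21, a compromise of the FTP server does not expose anything else behind the DMZ interface, and the dmz-to-inside direction stays closed by the security levels unless you explicitly open it.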
If you purchase a DMZ bundle chassis, you will have an extra NIC card, which can be used as a DMZ interface.
If you purchase a simple chassis, with only 2 interfaces and "Restricted" license, then you can install a 1-port FE card and use this new FE interface as the DMZ interface. "Restricted" license allows use of maximum 3 interfaces, including inside and outside interface. However, if you have "Unrestricted" license, you can even use a 4-port FE card and create 4 different DMZ interfaces !!
We have a total of five interfaces.
Three are used with IP addresses and one is used as a failover interface.
How can I tell if it's an "unrestricted" license?
Do a "sh ver" on your firewall.
This is taken from one of our Pix515E firewalls.
Cisco PIX Firewall Version 6.3(3)
Cisco PIX Device Manager Version 3.0(1)
Compiled on Wed 13-Aug-03 13:55 by morlee
MD-DESC-F01-FW01 up 173 days 19 hours
Hardware: PIX-515E, 64 MB RAM, CPU Pentium II 433 MHz
Flash E28F128J3 @ 0x300, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB
Encryption hardware device : Crypto5823 (revision 0x1)
0: ethernet0: address is 0011.5cc3.7133, irq 10
1: ethernet1: address is 0011.5cc3.7134, irq 11
2: ethernet2: address is 000d.88ef.0300, irq 11
3: ethernet3: address is 000d.88ef.0301, irq 10
4: ethernet4: address is 000d.88ef.0302, irq 9
5: ethernet5: address is 000d.88ef.0303, irq 5
Maximum Physical Interfaces: 6
Maximum Interfaces: 10
Cut-through Proxy: Enabled
Inside Hosts: Unlimited
IKE peers: Unlimited
This PIX has an Unrestricted (UR) license.
Serial Number: 808252051 (0x302cf293)
Running Activation Key: 0xb62825e8 0x0c995dfa 0x80855127 0x9d6215c3
Configuration last modified by enable_15 at 08:24:17.335 GMT Wed Mar 7 2007
Key things to look at:
Maximum number of physical interfaces
plus, obviously, at the bottom of the output it tells you which license it is running.
Thanks for the replies guys.
One last question:
We have one of the interfaces being used by a customer and the two failover PIX firewalls are connected to a Cisco 12 port switch on his DMZ.
Is it acceptable practice to VLAN the switch and use some of the ports for another DMZ?
Or best to physically isolate them with another switch?
A lot depends on the level of security you need. I have seen both separate switches used and a combined switch with all the vlans on that one switch.
The key concerns with using the same switch for multiple DMZs are:
1) a configuration mistake could lead to a security risk
2) VLAN hopping, i.e. being able to jump across VLANs
3) VLAN 1, which should not be used on a DMZ switch.
I think you will be fine with what you propose as long as you understand the issues with multiple vlans on a switch.
Attached is a paper on vlan security from Cisco. It's about 6500 switches but a lot of the information applies to all switches.
If you're using one of your spare interfaces then you don't need to create a VLAN on your firewall, you just use one of the spare interfaces. Allocate the ports on the switch to a new VLAN and then connect the PIX interface into one of those ports.
The PIX firewall would only need to know about VLANs if you were going to run 802.1q trunking on one of the PIX interfaces and I don't believe this is what you are trying to do.
If I have misunderstood, please let me know.
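A constructed Catalyst IOS fragment, added here and not posted by anyone in the thread, showing how the shared 12-port DMZ switch described above can be laid out so that the three concerns listed (a misconfigured port, VLAN hopping, and VLAN 1) are each addressed. VLAN numbers, port ranges and names are placeholders; adjust them to the real switch. The ! lines are annotations.

```cisco
! Two separate DMZ VLANs plus a dead "parking" VLAN for anything unused (placeholder IDs)
vlan 101
 name DMZ-CUSTOMER
vlan 102
 name DMZ-FTP
vlan 999
 name UNUSED-PARKING
!
! Concern 3: VLAN 1 carries no traffic and no management on this switch
interface Vlan1
 shutdown
!
! PIX ethernet2 on both failover units plus the FTP server: fixed access ports,
! DTP disabled so a connected host can never negotiate itself into a trunk (concern 2)
interface range FastEthernet0/1 - 3
 switchport mode access
 switchport access vlan 102
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Customer DMZ ports, same hardening, different VLAN
interface range FastEthernet0/4 - 6
 switchport mode access
 switchport access vlan 101
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Concern 1: unused ports are parked in a VLAN that goes nowhere and shut down,
! so a patching mistake lands in a dead VLAN rather than in a DMZ
interface range FastEthernet0/7 - 12
 switchport mode access
 switchport access vlan 999
 switchport nonegotiate
 shutdown
```

No port on this switch is a trunk, which matches the reply above: the PIX sees a plain access port per DMZ. If a trunk to another switch is ever added, give it a native VLAN other than 1 (for example the parking VLAN) and restrict `switchport trunk allowed vlan` to the two DMZ VLANs, so that a double-tagged frame has no untagged VLAN to land in. A periodic `show interfaces trunk` and `show vlan brief` check confirms that nothing has drifted back to VLAN 1 or started trunking.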
If you are going to run passive ftp you generally do not want to have the fixup ftp command on.
The fixup ftp was primarily designed for active ftp.
As far as the rule base goes if you are allowing all traffic out from the inside and you are talking about ftp to the outside then you should be fine with passive ftp as both the data and control connection are initiated by the client.