PIX 501 related

otnj2ee · ‎10-11-2005

I would like to use the PIX 501 firewall for the following purposes, but not so sure if it can handle them:

1) support 3 interfaces: inside, outside, and a DMZ?

2) Remotely configure/maintain the firewall using command-line interface (CLI) via VPN?

3) What is the difference of Telnet over IPSec Versus VPN? Is this Telnet safe?

4) What is the console port for? and what is "out of band through a console port"?

and finally,

5) If this firewall is connected via a ADSL modem to the internet (supported by a ISP)and its IP address is dynamic. Now I want to connect two computers to the firewall, one to the DMZ, and another to the inside interface (both of these two computers' IP are private IP). When this LAN configuration is done, can both the computers access the internet?

(I know I can have one computer connected to the ADSL's modem and access the internet. I wonder with this firewall, if I can have two computers access the internet, without using a router?)

Thanks

Scott

thisisshanky · ‎10-11-2005

1)

501 has only inside and outside interfaces. You cannot setup a dmz. You will have to use a min. 515E or up for DMZ.

2. SSH uses encryption. You can connect to the PIX from outside interface using an SSH client.

3. IPSEC is the protocol used to encrypt a traffic. An IPSEC tunnel could be between two devices separating two different lans, or it could be a vpn client initiating an ipsec tunnel to a head end device (PIX,VPN Conc, etc).

You cannot telnet to pix from the outside. You can only use SSH.

4. Console port is for out of band management. You connect a serial port (COM port) of PC to the console port using a special roll over cable and access the console of the PIX using a program such as Hyperterminal or Teraterm.

Additionally Console ports can be hooked up with a modem to dial in to the device remotely.

5. Ideally if you configure the pix firewall for NAT overload (using public ip leased from your ISP) you should be able to have both PCs access internet. Like I said before, 501 cannot have a DMZ.

HTH

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus

scottmac · ‎10-11-2005

The PIX 502 only has two Ethernet ports. The 'DMZ" is supported as a virtual interface (all permitted traffic is passed to the declared DMZ host).

If the PIX is your VPN endpoint, you'll need to connect to a host on the inside, then telnet back to the PIX. You can set up SSH for access by way of the outside interface, but it's generally not a recommended practice (SSH is basically a "Secure Telnet."

Telnet through an encrypted tunnel would only be secure for time the traffic was tunnelled. Once the telnet session hit the LAN (out of the tunnel and is now local LAN traffic), it would be clear text again. Someone snooping on the LAN could possibly intercept and read the Telnet traffic.

SSH wold be a better choice. The 501 / IOS 6.3 still only supports SSH1, but it's still better the Telnet.

The console port is an RS232 serial connection for access to the CLI.

If you wanted to interrupt the boot (to access monitor mode, for example) you need to do that from the console port.

If If you needed to do a password recovery, you need access to the console port.

If you wanted to give the PIX an internal IP address so you could telnet, ssh, or tftp to it, you need access to the console port.

That is why "physical security" (lock the network infrastructure devices up in the closet) is so important. If someone has physical access to your devices, then they can generally defeat your other security measures (i.e., recover the password, take control of your firewall).

Yes, properly configured (Pix and hosts), both hosts would have Internet access.

Good Luck

Scott