01-02-2006 02:47 PM - edited 02-21-2020 12:37 AM
I am interested in the Cisco PIX 515E for my web hosting clients. My goal is to provide this single appliance to connect X amount of servers (Linux and Windows) to use as a shared appliance between these servers. I have several questions I hope you will answer for me please.
Can I set QoS per server?
Can I set some police rules so that it balances the service on the server, for example: set a bandwidth limit for the HTTP service, the FTP service, etc.?
Considering this will be shared firewall appliance among several clients, can we specify the IP addresses that can access different services? For example, we want to firewall off all ports except port 80 (to everyone) and terminal server (to specific IP addresses). Is that possible among a shared appliance?
Is it possible to set up a separate client login area on the same server, per client, so they can set up their own requirements without interfering with others on the same appliance?
01-03-2006 05:39 AM
Hi there,
I'm not entirely sure I understood your request. This is what I read:
You want to have a single PIX 515E with a single Internet connection. Behind this PIX you have several servers which have several websites. These websites are managed by your clients.
Now you want to be able to implement the following:
- Firewall rules to protect the servers
- QoS rules to police the bandwidth based on IP, protocol and ports.
And in addition you would like the clients to be able to edit the firewall and QoS rules as they want?
Well... if this is what you want, the firewall and QoS rules are 'no problem' if you use PIX code >7.0. If you want the users to edit their own firewall rules and QoS rules... it'll get more complicated (multiple contexts etc.).
Check this link for more information:
"Applying QoS Policies"
"Adding and Managing Security Contexts"
Did it help?
01-03-2006 06:52 AM
The links you gave me require a customer login. I am not a customer at this moment.
So it is possible that I can set firewall / QoS rules PER SERVER per client's request?
Thank you
01-03-2006 07:18 AM
Ah.. my bad, just remove the /customer/ part and it works:
http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a0080450b9a.html
http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a0080450b90.html
In short: Yes, you can do this.
The firewall and QoS rules are highly configurable and can match on IP source and/or destination addresses, on the type of protocol (ICMP/TCP/UDP etc.) and on port numbers in the protocols, so there should be no problems doing what you ask.
Did it help?
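The per-server rules discussed in this reply, as an added configuration example that is not part of the original posts or of Cisco's guides: HTTP open to everyone, Terminal Services restricted to one source network, and HTTP traffic from one server policed. All addresses (documentation ranges), object names, the interface name and the rate are assumptions, and it assumes the server is reachable on its own address without NAT.

```cisco
! Constructed example for PIX software 7.x. Assumptions (not from the thread):
!   192.0.2.10       client A's server, reachable on its own address (no NAT)
!   198.51.100.0/24  the only network allowed to reach Terminal Services
!   interface name "outside", all object names, and the 2 Mbit/s rate

! --- Firewall: HTTP from anyone, Terminal Services from one network only ---
access-list outside_in extended permit tcp any host 192.0.2.10 eq www
access-list outside_in extended permit tcp 198.51.100.0 255.255.255.0 host 192.0.2.10 eq 3389
! Explicit final deny so hit counts for dropped traffic appear in "show access-list"
access-list outside_in extended deny ip any any log
access-group outside_in in interface outside

! --- QoS: police client A's HTTP responses leaving the outside interface ---
access-list clientA_http_acl extended permit tcp host 192.0.2.10 eq www any
class-map clientA_http_class
 match access-list clientA_http_acl
policy-map outside_qos
 class clientA_http_class
  ! conform-rate in bits/s, burst in bytes. Newer releases add an input/output
  ! keyword after "police"; check the command reference for your version.
  police 2000000 37500 conform-action transmit exceed-action drop
service-policy outside_qos interface outside
```

Each additional server gets its own `permit` lines in `outside_in` and its own class under `outside_qos`; `show access-list outside_in` and `show service-policy interface outside` show whether the rules and the policer are matching traffic.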
01-03-2006 07:31 AM
Thank you. So basically in order to enable a separate login / customization options per client (server) per their request I need to customize some things on the firewall appliance?
Do you know if this is rather a difficult or lengthy process? I have never done anything with any Cisco product myself so this is completely brand new to me.
01-03-2006 10:41 AM
If you can avoid having the customers operate the firewall and QoS rules themselves, it would without a doubt be easier for you and a simpler configuration.
The setup of rules for each customer would be relatively easy for you, and it can all be done in a GUI (Java applet) which is available on the PIX itself. Just point a browser to it and log in... There are "Wizards" available in the GUI to help you configure the appliance...
Did it help?