Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Does a Pix behind a 2nd Pix provide a mock DMZ network?

Hello-

Have a client that does not want to spring for a 515, so I'm trying to figure a way to connect the two 506's they already have to provide DMZ functionality. Does anyone know if a nested Pix config would work w/ two layers of NAT? Would static mappings to hosts behind the 2nd Pix be effective? And lastly, I'm guessing that VPN would work to both units if acl's on the first allowed VPN traffic to reach the 2nd?

Thank you,

Jonathan

3 REPLIES
New Member

Re: Does a Pix behind a 2nd Pix provide a mock DMZ network?

Hi

If I'm reading it right you mean having a setup like:

(Internet)---[Pix1]---(dmz)---[Pix2]---(Internal LAN)

This setup would work fine with 2 layers of NAT, although statically mapping an internal LAN address to a 'DMZ' address on Pix 2 and then to a public address on Pix1 basically would provide no more security than not bothering with Pix2 at all, so I can't see it really being worth doing. Any host that needs a static mapping to an internet address really should remain in the DMZ area and not the internal LAN. Also, if you are intending to use an IPSEC based VPN tunnel on Pix2 it wouldnt work as the packets will be disguarded after they have been subjected to NAT on Pix1

Hope that helps

Kev

New Member

Re: Does a Pix behind a 2nd Pix provide a mock DMZ network?

Appreciate the info, thank you.

I agree, and we are not planning on statically mapping servers behind Pix#2, I was simply curious if it could work.

Re IPSec, couldn't one avoid your concern by using NAT 0 w/ appropriate ACL's on Pix#1?

Thanks,

Jonathan

New Member

Re: Does a Pix behind a 2nd Pix provide a mock DMZ network?

I think 2 506's in line would work great for a DMZ. If you put the servers between the two pixs then it would in essence be a DMZ, just map static addresses to the servers and you still have the security of the inner 506. As for a VPN session you could do two things:

1. Terminate the VPN on the outer PIX and have the inner pix access-list allow through all private IP addresses assigned by the outer Pix for VPN access.

2. Or you could statically forward the packets through the first pix and have the second one terminate the VPN.

Basically whatever you do, have the VPN traffic avoid NAT....I would probably choose the second choice as that would have the VPN terminate on the inner pix just as if there was only one pix.

84
Views
0
Helpful
3
Replies
CreatePlease to create content