Does a Pix behind a 2nd Pix provide a mock DMZ network?
Have a client that does not want to spring for a 515, so I'm trying to figure a way to connect the two 506's they already have to provide DMZ functionality. Does anyone know if a nested Pix config would work w/ two layers of NAT? Would static mappings to hosts behind the 2nd Pix be effective? And lastly, I'm guessing that VPN would work to both units if acl's on the first allowed VPN traffic to reach the 2nd?
This setup would work fine with 2 layers of NAT, although statically mapping an internal LAN address to a 'DMZ' address on Pix 2 and then to a public address on Pix1 basically would provide no more security than not bothering with Pix2 at all, so I can't see it really being worth doing. Any host that needs a static mapping to an internet address really should remain in the DMZ area and not the internal LAN. Also, if you are intending to use an IPSEC based VPN tunnel on Pix2 it wouldn't work as the packets will be discarded after they have been subjected to NAT on Pix1.
Re: Does a Pix behind a 2nd Pix provide a mock DMZ network?
I think 2 506's in line would work great for a DMZ. If you put the servers between the two pixs then it would in essence be a DMZ, just map static addresses to the servers and you still have the security of the inner 506. As for a VPN session you could do two things:
1. Terminate the VPN on the outer PIX and have the inner pix access-list allow through all private IP addresses assigned by the outer Pix for VPN access.
2. Or you could statically forward the packets through the first pix and have the second one terminate the VPN.
Basically whatever you do, have the VPN traffic avoid NAT....I would probably choose the second choice as that would have the VPN terminate on the inner pix just as if there was only one pix.
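Option 1 from the reply above, written out as an added example configuration (PIX 6.x syntax; it is not the poster's own config). The interface, address and pool values are placeholders, the VPN is terminated on the outer unit with its ISAKMP/crypto-map statements omitted, and `nat 0 access-list` is what keeps the tunnelled traffic out of both NAT layers:

```cisco
! --- Outer PIX 506: Internet-facing, terminates the VPN ---
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 203.0.113.2 255.255.255.0      ! placeholder public address
ip address inside 172.16.0.1 255.255.255.0        ! "DMZ" segment between the two units
! DMZ server sits between the PIXs: one-to-one static, only HTTP permitted in
static (inside,outside) 203.0.113.10 172.16.0.10 netmask 255.255.255.255
access-list outside_in permit tcp any host 203.0.113.10 eq www
access-group outside_in in interface outside
! first NAT layer for everything else leaving the DMZ segment (incl. inner PIX traffic)
nat (inside) 1 172.16.0.0 255.255.255.0
global (outside) 1 interface
! VPN address pool; exempt pool <-> DMZ and pool <-> internal LAN from NAT
ip local pool vpnpool 10.99.0.1-10.99.0.254
access-list nonat permit ip 172.16.0.0 255.255.255.0 10.99.0.0 255.255.255.0
access-list nonat permit ip 192.168.1.0 255.255.255.0 10.99.0.0 255.255.255.0
nat (inside) 0 access-list nonat
! internal LAN lives behind the inner PIX
route inside 192.168.1.0 255.255.255.0 172.16.0.2 1
! (isakmp / crypto map / vpngroup statements for the pool go here - omitted)

! --- Inner PIX 506: protects the internal LAN ---
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 172.16.0.2 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
! only the VPN pool assigned by the outer PIX may initiate into the internal LAN
access-list outside_in permit ip 10.99.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-group outside_in in interface outside
! nat 0 exemption is bidirectional, so pool hosts reach 192.168.1.0/24 untranslated
access-list nonat permit ip 192.168.1.0 255.255.255.0 10.99.0.0 255.255.255.0
nat (inside) 0 access-list nonat
! second NAT layer: internal hosts hide behind the inner PIX's outside address
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface
route outside 0.0.0.0 0.0.0.0 172.16.0.1 1
```

The DMZ server's static mapping lives only on the outer unit, so a compromise of that server still faces the inner PIX's access list before reaching 192.168.1.0/24.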