Firewall a firewalled connection

TJ Kelly
Level 1

We have a connection to a higher entity that is firewalled (not sure if it is against us or against the higher entity). I currently have a router providing ACL filtering against their PIX. I would like to place another PIX up against their PIX (while removing the existing router). Are there any shortfalls, since the new (outside) interface will be on the same segment as their (inside) interface? Both firewalls will be running PIX 6.3.

2 Replies

a.kiprawih
Level 7

Hi,

I think this will look like dual-layer firewall setup (firewall-to-firewall). It can be done, but I would say no clear shortfall of this, as you can still allow and filter traffic accordingly.

The changes will be in terms of router vs firewall filtering, stateful inspection and the way NAT is done.

What you need to do basically is:

1. Assign outside interface IP with the same subnet of outside interface of peer firewall

2. Assign inside interface IP - follow the existing subnet assigned to the current router

3. Set default route or specific route to outside pointing to peer firewall inside interface IP facing your new firewall outside interface

route outside 0.0.0.0 0.0.0.0 xx.xx.xx.1 (xx.xx.xx.1 is peer firewall inside IP Address)

4. Address translation - depending on your current config in the router. You can use static address NAT (subnet) so there is no address translation between the inside segment of the new firewall and the peer firewall, or use the normal nat/global command pair.

a. Configure static subnet translation between inside segment of new firewall and peer firewall. Example (inside segment is 172.16.1.0/24)

static (inside,outside) 172.16.1.0 172.16.1.0 netmask 255.255.255.0

This will enable hosts/clients from the peer firewall to access resources/hosts in the new firewall's inside segment - but it depends on your design/requirement as well.

b. Use dynamic address translation - the nat/global command pair. Example (inside segment 172.16.1.0/24, outside 172.100.100.0/24)

global (outside) 1 172.100.100.10-172.100.100.100

nat (inside) 1 172.16.1.0 255.255.255.0

5. ACL - you can use the same restriction, but need to apply the ACL on the outside interface. Example

access-list 100 permit tcp any host 172.16.1.100 eq www

access-list 100 deny ip any any

access-group 100 in interface outside

This is only an assumption as I do not have your current router config.

Rgds,

AK
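Putting the five steps above together, here is a complete PIX 6.3 configuration for the new (inner) firewall using the identity static NAT option (added example, not from the poster; the 172.100.100.1 peer inside IP, the 172.100.100.2 outside IP, the 172.16.1.1 inside IP and the web host 172.16.1.100 are assumed values for illustration):

```text
! PIX 6.3, new firewall sitting directly behind the peer PIX (assumed addresses)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
interface ethernet0 auto
interface ethernet1 auto
! Outside interface shares the 172.100.100.0/24 segment with the peer's inside interface
ip address outside 172.100.100.2 255.255.255.0
ip address inside 172.16.1.1 255.255.255.0
! Default route points at the peer firewall's inside interface
route outside 0.0.0.0 0.0.0.0 172.100.100.1 1
! Identity NAT: the inside subnet is presented to the peer unchanged,
! so the outside ACL can reference the real inside addresses
static (inside,outside) 172.16.1.0 172.16.1.0 netmask 255.255.255.0 0 0
! Only HTTP to the one web host is allowed in; PIX ACLs end in an implicit deny,
! the explicit deny line is kept so denied packets are counted and can be logged
access-list 100 permit tcp any host 172.16.1.100 eq www
access-list 100 deny ip any any
access-group 100 in interface outside
! Send denied-traffic messages to a syslog host (assumed 172.16.1.50) for monitoring
logging on
logging trap informational
logging host inside 172.16.1.50
```

Because the inside subnet is not translated, the peer firewall also needs a route to 172.16.1.0/24 via 172.100.100.2, otherwise return traffic from the peer side never reaches the new firewall.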

Excellent. Thanks for your assistance.