09-12-2006 11:45 AM - edited 03-09-2019 04:10 PM
We have a connection to a higher entity that is firewalled (not sure if it is against us or against the higher entity). I currently have a router providing ACL filtering against their PIX. I would like to place another PIX up against their PIX (while removing the existing router). Are there any shortfalls, since the new (outside) interface will be on the same segment as their (inside) interface? Both firewalls will be running PIX 6.3.
09-12-2006 09:06 PM
Hi,
I think this will look like a dual-layer firewall setup (firewall-to-firewall). It can be done, and I would say there is no clear shortfall to this, as you can still allow and filter traffic accordingly.
The changes will be in terms of router vs firewall filtering, stateful inspection and the way NAT is done.
What you need to do basically is:
1. Assign outside interface IP with the same subnet of outside interface of peer firewall
2. Assign inside interface IP - follow the existing subnet assigned to the current router
3. Set default route or specific route to outside pointing to peer firewall inside interface IP facing your new firewall outside interface
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.1 (xx.xx.xx.1 is peer firewall inside IP Address)
4. Address translation - depending on your current config in the router. You can use static address NAT (subnet) so there is no address translation between the inside segment of the new firewall and the peer firewall, or use the normal nat/global command pair.
a. Configure static subnet translation between inside segment of new firewall and peer firewall. Example (inside segment is 172.16.1.0/24)
static (inside,outside) 172.16.1.0 172.16.1.0 netmask 255.255.255.0
This will enable hosts/clients from the peer firewall to access resources/hosts in the new firewall's inside segment - but this depends on your design/requirement as well.
b. Use dynamic address translation - the nat/global command pair. Example (inside segment 172.16.1.0/24, outside 172.100.100.0/24)
global (outside) 1 172.100.100.10-172.100.100.100
nat (inside) 1 172.16.1.0 255.255.255.0
5. ACL - you can use the same restriction, but need to apply the ACL on the outside interface. Example
access-list 100 permit tcp any host 172.16.1.100 eq www
access-list 100 deny ip any any
access-group 100 in interface outside
This is only an assumption as I do not have your current router config.
Rgds,
AK
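The five steps from AK's reply, combined into one PIX 6.3 configuration fragment. This is an added example, not a config from the thread or from Cisco; the addresses follow the reply's own examples (172.16.1.0/24 inside, 172.100.100.0/24 as the shared segment, web server 172.16.1.100). The new PIX's outside address 172.100.100.2, the peer firewall's inside address 172.100.100.1, the syslog host 172.16.1.50 and the interface hardware names are assumptions.

```cisco
! Assumed: ethernet0 faces the peer firewall, ethernet1 faces the LAN.
! Outside is security level 0, inside is 100, so traffic from the peer
! firewall's segment into 172.16.1.0/24 is denied unless an ACL and a
! translation (static or nat/global) both allow it.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
interface ethernet0 100full
interface ethernet1 100full

! Step 1/2: outside IP on the segment shared with the peer PIX inside
! interface (assumed 172.100.100.2), inside IP on the LAN subnet.
ip address outside 172.100.100.2 255.255.255.0
ip address inside 172.16.1.1 255.255.255.0

! Step 3: default route to the peer firewall's inside IP (assumed .1).
route outside 0.0.0.0 0.0.0.0 172.100.100.1 1

! Step 4a: identity static, no translation of the inside subnet.
! The peer firewall must then have a route for 172.16.1.0/24 pointing
! at 172.100.100.2, or return traffic never reaches this PIX.
static (inside,outside) 172.16.1.0 172.16.1.0 netmask 255.255.255.0

! Step 4b (alternative, shown disabled): dynamic PAT/NAT pool on the
! shared segment. Use one of 4a or 4b for the same inside subnet.
! global (outside) 1 172.100.100.10-172.100.100.100
! nat (inside) 1 172.16.1.0 255.255.255.0

! Step 5: inbound filter on the outside interface. Only HTTP to the
! web server is allowed; everything else is denied and logged so the
! drops show up on the syslog host.
access-list 100 permit tcp any host 172.16.1.100 eq www
access-list 100 deny ip any any log
access-group 100 in interface outside

! Send ACL denies and translation events to an inside syslog host
! (assumed 172.16.1.50) so the two-firewall path can be audited.
logging on
logging trap informational
logging host inside 172.16.1.50
```

Because the new outside interface and the peer's inside interface share a subnet, the peer PIX treats this device as just another inside host: it will pass traffic toward 172.16.1.0/24 only if it has a route for that subnet via 172.100.100.2 (option 4a) or if the addresses it sees belong to its own segment (option 4b). Checking `show xlate` and `show access-list 100` hit counts after cutover confirms which translations and ACL lines are actually being used.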
09-14-2006 11:05 AM
Excellent. Thanks for your assistance.