We have a connection to a higher entity that is firewalled (not sure if it is against us or against the higher entity). I currently have a router providing ACL filtering against their PIX. I would like to place another PIX up against their PIX (while removing the existing router). Are there any shortfalls, since the new (outside) interface will be on the same segment as their (inside) interface? Both firewalls will be running PIX 6.3.
I think this will look like a dual-layer firewall setup (firewall-to-firewall). It can be done, and I would say there is no clear shortfall to this, as you can still allow and filter traffic accordingly.
The changes will be in terms of router vs firewall filtering, stateful inspection and the way NAT is done.
What you need to do basically is:
1. Assign the outside interface an IP in the same subnet as the outside interface of the peer firewall.
2. Assign the inside interface an IP following the existing subnet assigned to the current router.
3. Set a default route or a specific route out the outside interface pointing to the peer firewall's inside interface IP (the one facing your new firewall's outside interface):
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.1 (xx.xx.xx.1 is the peer firewall's inside IP address)
4. Address translation, depending on your current router config. You can use a static subnet NAT so that no address translation happens between the inside segment of the new firewall and the peer firewall, or use a normal nat/global command pair.
a. Configure a static subnet translation between the inside segment of the new firewall and the peer firewall. Example (inside segment is 172.16.1.0/24)
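A worked PIX 6.3 configuration for the new (inner) firewall that carries the four steps above through end to end, including the stateful ACL on the outside interface that takes over the job of the router's ACLs. This is an added example, not configuration taken from the answer or from Cisco documentation. The shared segment 192.0.2.0/24 (documentation range), the .1 and .2 addresses, the interface names, and the web-server host 172.16.1.10 are assumptions; only the 172.16.1.0/24 inside segment comes from the answer.

```cisco
! Added example (not the answerer's config). Assumed addresses:
!   shared segment between the two PIXes:  192.0.2.0/24 (documentation range)
!   peer PIX inside interface:              192.0.2.1
!   new PIX outside interface:              192.0.2.2
!   inside segment behind the new PIX:      172.16.1.0/24 (from the answer)
!
! Interface names, security levels and physical settings
nameif ethernet0 outside security0
nameif ethernet1 inside security100
interface ethernet0 auto
interface ethernet1 auto
!
! Step 1 and 2: interface addresses
ip address outside 192.0.2.2 255.255.255.0
ip address inside 172.16.1.1 255.255.255.0
!
! Step 3: default route out the outside interface toward the peer PIX
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1
!
! Step 4a: identity (static subnet) translation, so inside hosts are
! presented to the peer firewall with their real addresses unchanged
static (inside,outside) 172.16.1.0 172.16.1.0 netmask 255.255.255.0
!
! Step 4b alternative (use instead of 4a, not together with it):
! inside hosts are hidden behind the outside interface address instead
! nat (inside) 1 172.16.1.0 255.255.255.0
! global (outside) 1 interface
!
! Inbound filtering on the outside interface replaces the router ACLs.
! Assumed policy: one published web server, everything else denied;
! return traffic for inside-initiated sessions is allowed by the
! stateful connection table and needs no ACL entry.
access-list outside_in permit tcp any host 172.16.1.10 eq www
access-list outside_in deny ip any any
access-group outside_in in interface outside
```

After applying this, `show route` should list the default route via 192.0.2.1, `show xlate` should show the identity entries once inside hosts start sessions, and `show access-list` shows hit counts per line so the outside policy can be compared against what the router ACL used to permit. Choosing 4a keeps the peer firewall's existing rules valid, since they still see the real inside addresses; choosing 4b hides the inside addressing from the peer but means their rules must be rewritten against the single outside address.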