Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Community Member

Firewall a firewalled connection

We have a connection to a higher entity that is firewalled (not sure if it is against us or against the higher entity). I currently have a router providing ACL filtering against their PIX. I would like to place another PIX up against their PIX (while removing the existing router. Is there any shortfalls since the new (outisde) interface will be on the same segment as their (inside) interface? Both Firewalls will be running PIX 6.3

2 REPLIES

Re: Firewall a firewalled connection

Hi,

I think this will look like dual-layer firewall setup (firewall-to-firewall). It can be done, but I would say no clear shortfall of this, as you can still allow and filter traffic accordingly.

The changes will be in terms of router vs firewall filtering, stateful inspection and the way NAT is done.

What you need to do basically is:

1. Assign outside interface IP with the same subnet of outside interface of peer firewall

2. Assign inside interface IP - follow existing subnet assign to current router

3. Set default route or specific route to outside pointing to peer firewall inside interface IP facing your new firewall outside interface

route outside 0.0.0.0 0.0.0.0 xx.xx.xx.1 (xx.xx.xx.1 is peer firewall inside IP Address)

4. Address translation - depending on your current config in router. You can use static address nat (subnet) so no address translation between inside segment of new firewall to peer firewall, or use normal nat/global comman dpair.

a. Configure static subnet translation between inside segment of new firewall and peer firewall. Example (inside segment is 172.16.1.0/24)

static (inside,outside) 172.16.1.0 172.16.1.0 netmask 255.255.255.0

This will enable hosts/clients from peer firewall to access resources/hosts in new firewall inside segment - but depend on your design/requirement as well.

b. Use dynamic address translation - the nat/global command pair. Example (inside segment 172.16.1.0/24, outside 172.100.100.0/24)

global (outside) 1 172.100.100.10-172.100.100.100

nat (inside) 1 172.16.1.0 255.255.255.0

5. ACL - you can use the same restriction, but need to apply the ACL On outside interface. Example

access-list 100 permit tcp any host 172.16.1.100 eq www

access-list 100 deny ip any any

access-group 100 in interface outside

This is only an assumption as I do not have your current router config.

Rgds,

AK

Community Member

Re: Firewall a firewalled connection

Excellent. Thanks for you assistance.

185
Views
5
Helpful
2
Replies
CreatePlease to create content