We intend to use a PIX firewall 515R and move our web servers in house. The database server will be internal. We also have a mail server in house. Given this, how should I configure my firewall (multiple NICs?). I have been suggested a switch to configure VLANs. We also have a Win2k VPN server. Any documentation on the benefits of one configuration versus another? Thanks a lot
I would suggest a minimum of 3 NICs: Inside, Outside and DMZ for the Web servers. You should never have rules that allow outside to inside access. You could even go a step further and have a 4th NIC for the database, but a lot of that depends on how you plan to update your database server.
You can use both: VLANs on the switch and route between the VLANs with what looks like 3 ports on a PIX firewall. That way you create a layer-separated architecture. A special note: it is more secure this way, but your FW administration tasks will keep you up late at night.
It is considered a bad idea to use a single switch with VLANs for multiple PIX ports. You create a physical link between multiple networks and rely on layer-2 security between them. Generally, these switches are configured with an IP address for management purposes, which adds to the list of vulnerabilities.
My recommendation would be to use 3 separate switches. The switches on the external and DMZ networks should be configured without any management enabled (telnet, ssh, snmp, etc.).
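As an added illustration of the three-interface layout recommended above (this is not configuration posted by anyone in the thread), here is a PIX 6.x-style configuration in which the only inbound rule publishes the DMZ web server, the DMZ may reach inside only on the database port, and no rule permits outside-to-inside traffic. Interface names, the documentation-range addresses, and the database port 1433 are assumptions; lines starting with `!` are explanatory comments.

```cisco
! Three interfaces with distinct security levels: traffic from a lower level
! to a higher level is dropped unless a static and an access-list allow it.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 203.0.113.2 255.255.255.248
ip address inside 10.0.0.1 255.255.255.0
ip address dmz 192.168.10.1 255.255.255.0

! Inside hosts leave via the outside interface address (PAT).
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

! Publish the DMZ web server on one public address. This is the ONLY path
! from outside, and it terminates in the DMZ, never on the inside network.
static (dmz,outside) 203.0.113.10 192.168.10.10 netmask 255.255.255.255
access-list outside_in permit tcp any host 203.0.113.10 eq www
access-list outside_in permit tcp any host 203.0.113.10 eq https
access-group outside_in in interface outside

! Identity static so the DMZ can address the internal database server without
! translation, then allow only the web server to reach it, only on port 1433.
! Everything else from the DMZ toward the inside network is denied explicitly.
static (inside,dmz) 10.0.0.20 10.0.0.20 netmask 255.255.255.255
access-list dmz_in permit tcp host 192.168.10.10 host 10.0.0.20 eq 1433
access-list dmz_in deny ip any 10.0.0.0 255.255.255.0
access-group dmz_in in interface dmz
```

Note that applying `dmz_in` replaces the interface's default behaviour with the list's implicit deny, so a compromised web server cannot initiate anything except the single database connection listed.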