How to get PIX (515) put between router and switch - design issue...

anthony.barlow
Level 1

Hello there,

It's more a question of design, so I'd really appreciate any ideas. Basically we have a leased line connection; it's connected through a serial interface to a 1721 router. There are 12 VLANs (subinterfaces) set up on the router's internal Ethernet interface, and there is an HP layer 2/3 switch connected to the router, which maintains all those VLANs. We have decided to put a firewall (PIX 515E) between the router and the switch. Now the main question: how to implement it and, preferably, keep the existing VLANs. We have a small range of static IPs, but they are for the router's serial interface only; the internal interface has a non-routable IP range.

Is it possible to use the same IP address on both of the PIX's interfaces? Or is there any other way to go?

Thanks,

Alexander

6 Replies

bdube
Level 2

You don't talk about inter-VLAN routing. Here, I suppose you don't do it with the 1721.

One way to do what you are looking for is:

1- All 12 VLANs can be terminated on the PIX instead of the 1721.

2- Then the PIX's inside IP addresses should be those currently assigned to the 1721's e0 (including subinterfaces). That way, you don't have to reconfigure the internal hosts' default gateway.

3- Now you need a new subnet between the PIX and the router.

This design doesn't consider any public server, if any, that should be moved into the DMZ.

Regards

Ben

Hi,

thanks for the answer.

What would you tell me about "ip unnumbered" for the Serial0 interface? That way, I'd move the routable network behind the router and in front of the PIX.

Another question: in order to use the existing VLANs, do I just need a number of different IP addresses set up on the PIX's internal Ethernet interface? How many can I set up on a 515E at all (maximum)?

Thanks.

The ip unnumbered config looks perfect.

Yes, you just need a number of different IP addresses, one for each VLAN, set up on the PIX's internal interface.

But there is a problem with the number of VLANs and the PIX model you have: the maximum described by Cisco is 8 VLANs.

Can you decrease this number of VLANs by cascading some nets behind others?

Ben
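An added illustration (not configuration posted by anyone in this thread) of the design Ben sketches combined with the ip unnumbered idea: the router borrows Ethernet0's public address for Serial0, the PIX outside sits on that public subnet, and the VLANs are terminated on tagged logical subinterfaces on the PIX inside port. PIX 6.3 syntax; all addresses and VLAN numbers are assumed placeholders, only two of the VLANs are shown (the thread notes an 8-VLAN limit on this model), and NAT and access-list configuration is omitted.

```cisco
! --- 1721 router (IOS), assumed addresses ---
interface Serial0
 ip unnumbered Ethernet0
!
interface Ethernet0
 description public subnet shared with the PIX outside interface
 ip address 203.0.113.1 255.255.255.248
!
! send the private VLAN ranges to the PIX outside address
ip route 10.0.0.0 255.255.0.0 203.0.113.2

! --- PIX 515E (6.3), assumed addresses ---
interface ethernet0 100full
interface ethernet1 100full
! tagged subinterfaces on the inside port, one per VLAN
interface ethernet1 vlan10 logical
interface ethernet1 vlan20 logical
!
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif vlan10 vlan10 security90
nameif vlan20 vlan20 security80
!
! outside address on the public subnet, inside addresses reuse
! the gateway addresses the hosts already point at
ip address outside 203.0.113.2 255.255.255.248
ip address inside 10.0.1.1 255.255.255.0
ip address vlan10 10.0.10.1 255.255.255.0
ip address vlan20 10.0.20.1 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
```

Untagged frames on ethernet1 still land on the switch trunk's native VLAN, so the native VLAN should not be one of the production networks.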

Hi,

I spoke to Cisco support; it's possible to use the PIX w/o a VLAN setup (part of the tech article at http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/bafwcfg.htm#1113411):

"By default, with no VLANs configured, the PIX Firewall sends untagged packets to any directly connected switch. If an untagged packet is received by a switch on a trunk port, the switch forwards the packet on the native VLAN assigned for that trunk port. By default, switches assign VLAN 1 to the native VLAN."

I'm just wondering, in that case, how many IP addresses can I set up on the PIX's Ethernet interface?

Anthony,

For security reasons, you should not use VLAN 1; this one is normally reserved for switch management purposes only. Also, this doesn't solve the issue of joining your 12 VLANs.

Koaps is proposing another solution which looks fine. Read his post.

Regards

Ben

koaps
Level 1

How about getting a cheap 1605 and using it as your gateway router, leaving the entire setup in place and just changing the route statement on your current router.

Then put the 1605 and the PIX in front of your network.

That would require the least amount of work. I would suggest getting a 2600 and using CBAC, since application layer filtering is love against viruses.
