Cisco Support Community

New Member

minimum requirement to create a DMZ

Hi, if I would like to create a DMZ by using PIX,

is the minimum requirement a PIX-515R plus one 1-FE card?

Can I create a DMZ by using PIX 501 ?

New Member

Re: minimum requirement to create a DMZ

A DMZ requires a 3rd Ethernet port if you want to do it on the same device. The 501 and 506 have an inside and an outside - that's it. The 515R is the first level to support 3 IFs on the same device. Now I suppose you could use two 501s or two 506s and have one do the internal and one do the DMZ, but that would create more headache in creating extra ACLs and such. It is technically possible though. A DMZ by definition is a semi-public network that is separate from your internal LAN.

New Member

Re: minimum requirement to create a DMZ

I am interested in something similar. I have a Microsoft ISA server, and was going to use that as the internal firewall, and have the 501 as the external. The 501 would also have a public webserver attached to its switch. The only traffic allowed in would be http and smtp, both of which would be directed to the ISA server. The ISA server would not allow anything in except a mail relay to an internal server. That would essentially provide the DMZ capability I would need, would it not? I only have 1 IP, so I need to NAT my DMZ server anyway (which is what I am doing now with ISA). I believe this would give me better protection.

Also, can you see any problems setting up a VPN connection originating at the internet, to an internal VPN server? Could I set up a tunnel between the internal server and the 501? Then I would authenticate at the 501 and have a path to the inside? Am I on the right track here?