
minimum requirement to create a DMZ

ayue
Level 1

Hi, if I would like to create a DMZ by using PIX,

is the minimum requirement a PIX-515R plus one 1-FE card?

Can I create a DMZ by using a PIX 501?

2 Replies

elehman
Level 1

A DMZ requires a 3rd Ethernet port if you want to do it on the same device. The 501 and 506 have an inside and an outside - that's it. The 515R is the first level to support 3 IFs on the same device. Now I suppose you could use two 501s or two 506s and have one do the internal and one do the DMZ, but that would create more headache in creating extra ACLs and such. It is technically possible though. A DMZ by definition is a semi-public network that is separate from your internal LAN.

I am interested in something similar. I have Microsoft ISA server, and was going to use that as the internal firewall, and have the 501 as the external. The 501 would also have a public webserver attached to its switch. The only traffic allowed in would be HTTP and SMTP, both of which would be directed to the ISA server. The ISA server would not allow anything in except a mail relay to an internal server. That would essentially provide the DMZ capability I would need, would it not? I only have 1 IP, so I need to NAT my DMZ server anyway (which is what I am doing now with ISA). I believe this would give me better protection.

Also, can you see any problems setting up a VPN connection originating at the internet, to an internal VPN server? Could I set up a tunnel between the internal server and the 501? Then I would authenticate at the 501 and have a path to the inside? Am I on the right track here?

Thanks

Tony