We have a Pix 525 failover on our Internet gateway, and "management" wants to configure our existing Border Manager 3.7 servers to provide proxy, caching and content filtering with authentication behind the PIX.
The questions are
1. Where to install the BM servers, inside or DMZ.
Hi, we did something similar but BM was behind FW-1. I agree with your management that BM can provide proxy, caching, filtering & authentication VERY well. I would caution that the BM servers better have plenty of RAM and disk space. You should have a separate cache volume. DO NOT have your cache directory on SYS!
That aside... our BM was on the inside of the FW. Put two NICs in the BM server, one for "private" and one for "public." The BM's "public" interface will be downstream from one of the PIX's "inside" interfaces. Have your clients' browsers point to the BM's "private" IP address for proxy.
It doesn't matter which device provides NAT, Proxy, or protocol/packet filtering. Decide which is simplest, be consistent, and don't double up. If the BM provides the above services, which I recommend, simply have PIX pass ALL traffic coming from the BM's public IP address to the outside interface.
Here's a security tip in regard to configuring BM's packet filtering. Most of the usual protocols (HTTP, HTTPS, SMTP, etc.) are configured by default, but if you have a unique one, you'll need to configure it manually. Define the packet (give it a name and port address) and include the packet in an outbound rule. Here's the tip.... Most admins don't think to define the "return," so be sure to define a corresponding inbound rule and be sure to restrict the inbound port number to 1024-65535. This should prevent any hackers from "spoofing" ports.
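The outbound/return-rule tip in the reply above is a property of any stateless packet filter, not just BorderManager. The following is an added illustration (not BorderManager or PIX syntax, and not code from either poster) that models a first-match, default-deny filter and walks through three rule sets: the outbound rule alone, the outbound rule plus an unrestricted return rule, and the outbound rule plus a return rule restricted to ephemeral ports 1024-65535. The custom "appproto" service on TCP/5555, the rule names and the sample packets are all constructed for the example.

```python
"""Stateless packet-filter model for the BorderManager outbound/return-rule
tip.  Added illustration only: rule names, the constructed 'appproto' service
on TCP/5555 and the sample packets are assumptions, not BM or PIX syntax."""
from dataclasses import dataclass
from typing import List, Tuple

EPHEMERAL = (1024, 65535)   # client-side source ports a legitimate reply lands on
ANY = (0, 65535)            # the "unrestricted" port range an unwary admin might use


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str             # "out" (private -> public) or "in" (public -> private)
    proto: str                 # "tcp" or "udp"
    src_ports: Tuple[int, int]
    dst_ports: Tuple[int, int]
    action: str = "allow"      # stateless filter rules either allow or deny


@dataclass(frozen=True)
class Packet:
    direction: str
    proto: str
    src_port: int
    dst_port: int


def in_range(port: int, rng: Tuple[int, int]) -> bool:
    lo, hi = rng
    return lo <= port <= hi


def filter_packet(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins.  A stateless filter keeps no connection
    table, so a packet that matches nothing hits the implicit default deny."""
    for r in rules:
        if (r.direction == pkt.direction and r.proto == pkt.proto
                and in_range(pkt.src_port, r.src_ports)
                and in_range(pkt.dst_port, r.dst_ports)):
            return r.action
    return "deny"


# Constructed custom service: "appproto" listens on TCP/5555 on the remote server.
APPPROTO_PORT = 5555

# What most admins write: only the outbound side of the custom protocol.
OUTBOUND_ONLY = [
    Rule("appproto-out", "out", "tcp", EPHEMERAL, (APPPROTO_PORT, APPPROTO_PORT)),
]

# A return rule with no destination-port restriction: replies work, but so
# does anything an attacker sends with source port 5555.
RETURN_UNRESTRICTED = OUTBOUND_ONLY + [
    Rule("appproto-return-any", "in", "tcp", (APPPROTO_PORT, APPPROTO_PORT), ANY),
]

# The tip from the post: the return rule may only land on ports 1024-65535.
RETURN_RESTRICTED = OUTBOUND_ONLY + [
    Rule("appproto-return", "in", "tcp", (APPPROTO_PORT, APPPROTO_PORT), EPHEMERAL),
]


def session_result(rules: List[Rule]) -> Tuple[str, str]:
    """Simulate one client request (ephemeral port 40000 -> 5555) and the
    server's reply (5555 -> 40000); returns (request verdict, reply verdict)."""
    request = Packet("out", "tcp", 40000, APPPROTO_PORT)
    reply = Packet("in", "tcp", APPPROTO_PORT, 40000)
    return filter_packet(rules, request), filter_packet(rules, reply)


def spoofed_probe(rules: List[Rule]) -> str:
    """Attacker sets source port 5555 so the packet looks like return traffic
    but aims it at telnet (23) on the inside; the 1024-65535 restriction on the
    inbound rule is what stops it."""
    probe = Packet("in", "tcp", APPPROTO_PORT, 23)
    return filter_packet(rules, probe)


if __name__ == "__main__":
    print("outbound only      :", session_result(OUTBOUND_ONLY))
    print("return unrestricted:", session_result(RETURN_UNRESTRICTED),
          "probe:", spoofed_probe(RETURN_UNRESTRICTED))
    print("return restricted  :", session_result(RETURN_RESTRICTED),
          "probe:", spoofed_probe(RETURN_RESTRICTED))
```

With only the outbound rule the request leaves but the reply is dropped, so the application simply fails. Opening the return direction to any port makes it work but also admits an attacker who sets source port 5555. Restricting the return rule's destination to 1024-65535 keeps the session working while the probe against port 23 hits the default deny, which is exactly the distinction the reply above is drawing.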