PIX 501 related

otnj2ee · ‎10-11-2005

I would like to use the PIX 501 firewall for the following purposes, but not so sure if it can handle them:

1) support 3 interfaces: inside, outside, and a DMZ?

2) Remotely configure/maintain the firewall using command-line interface (CLI) via VPN?

3) What is the difference of Telnet over IPSec Versus VPN? Is this Telnet safe?

4) What is the console port for? and what is "out of band through a console port"?

and finally,

5) If this firewall is connected via a ADSL modem to the internet (supported by a ISP)and its IP address is dynamic. Now I want to connect two computers to the firewall, one to the DMZ, and another to the inside interface (both of these two computers' IP are private IP). When this LAN configuration is done, can both the computers access the internet?

(I know I can have one computer connected to the ADSL's modem and access the internet. I wonder with this firewall, if I can have two computers access the internet, without using a router?)

Thanks

Scott

spremkumar · ‎10-13-2005

hi

1.To have DMZ support as per the data sheet available its 515E which supports the same.

On the same H/W you can scale upto 6 Fastethernet ports at the max.

2.You will have to use SSH for accessing a PIX firewall from outside interface and you need to allow the necessary access in the configurations.

From the inside local lan behind the inside interface you can have simple telnet access enabled with the reqd configs in the box.

3.if you want to ensure some kinda security for your telnet access do check out for SSH and diasble telnet access to your box or else block them using necessary ACL on the linevty configs.

4.Console port basically reqd to monitor the boot process or to recover your box if it gets hanged up while booting.

it normally goes into ROMMON to recover the box out of that you need to console onto the box coz the interfaces wont be active/valid during that period.

The interfaces comes active only when the active config is loaded on the box during the startup process.

Out of band management is basically accessing your equipment via normal PSTN line instead of normal telnet or ssh.

if theres some probs with the connectivity or some other probs you can very well login via the OOB setup which you do with normal dialup modem and the reqd config usually under aux interfaces to accept the same.

5.The local lan can acess the internet provided you have proper natting enabled on the firewall but if you want to have some kinda access from publi network to these servers it wont be possible since the ip assigned by your SP is dynamic in nature which will keep on changing based on the availability.

regds

arunsing · ‎10-14-2005

1. Pix 501 just has two interfaces and is not a modular device. If you want to create an inside , outside and dmz you could use either of the two options.

a. Get 515 R which has three physical interfaces.

b. Get 506 which though has two interfaces but you can create a logical interface using vlan.

2. You can use ssh from outside or inside to remotely administer the pix.

command is

ssh

3. Would suggest you to use ssh

4. Cisco routers and certain switches support out-of-band connectivity with use of a modem that connects to the AUX port or console port. This can be used in case of disaster recovery.

5. we can pat the two IPs to use the outside interface ip address. the command will be.

nat (inside) 1 0 0

nat (dmz) 1 0 0

global (outside) 1 interface

Arun

arunsingh1234@yahoo.com