The first good thing you are doing is placing the server in the DMZ. This is the place where, ideally, servers to be accessed by public networks should be placed.
Next, what is the current CPU/memory usage on the PIX? As you have a PIX-525, this is quite a heavy-duty PIX and should be able to handle heavy traffic. But again, I would like to know the numbers.
As you mentioned port-forward, could you clarify on this? Is it that from outside only a few ports should be accessible? Does this server have a public IP of its own, or will it use the PIX's IP address?
Generally, when you allow access to, let's say, a webserver through the PIX on port 80 (TCP), you make it available on port 80 (TCP), and it is also open to attacks on port 80 (TCP). If the ACL on outside is tight enough, attackers can attack only on port 80 (TCP). The PIX by itself cannot do attack detection or anything like that; however, an IDS/IPS device can be very effective if you need to protect this server from attacks.
In rare cases, even if the server on the DMZ is compromised, access to internal servers (servers on the inside interface) will not be open as long as the ACL on the DMZ interface denies access to internal networks. And ideally, it should.
We have a PIX 525 pair in active/standby right now. Each has 256MB of memory and they are not being utilized very heavily today. We have on average 30 concurrent VPN connections, plus the PIX is our firewall for our company's internet access.
We are worried about the throughput when we bring our new software system online. We will have 200Mb of bandwidth out of our data center to our offices and up to 100Mb of bandwidth outbound to the internet. If we put all our applications on the DMZ, that is very close to the PIX rated throughput of 330. If we put only a few of the systems on the DMZ, then the servers will not be able to communicate with each other at 1Gb speeds because of the PIX limitations.
As for port forwarding, the application will only need 2 open ports: SSL and another TCP port.
As for the servers, they will all have public IPs assigned to them (either physically assigned in a port-forward setup or through NAT in a DMZ setup).
My major concern with port forwarding is that if one of the servers is compromised, then the entire inside network becomes vulnerable.
Even if we put them on the DMZ, I am still going to need to allow access from the inside to the DMZ for internal users. Is it possible to do this securely?
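The two points raised in this thread (a DMZ interface ACL that denies the DMZ hosts any path to the inside network, and inside users reaching the DMZ application only on the ports it actually needs) can be expressed in a single PIX configuration. The fragment below is an added illustration, not configuration posted by either participant. It assumes PIX 7.x `extended` ACL syntax, constructed addresses (203.0.113.0/24 public, 10.0.0.0/24 inside, 192.168.10.0/24 DMZ), one static NAT per application server, TCP 443 for the SSL port, and TCP 8443 as a placeholder for the second, unnamed application port.

```text
! Added example, assumed PIX 7.x syntax; all addresses and port 8443 are
! constructed placeholders, not values from this thread.
interface Ethernet0
 nameif outside
 security-level 0
 ip address 203.0.113.1 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface Ethernet2
 nameif dmz
 security-level 50
 ip address 192.168.10.1 255.255.255.0
!
! One public IP per DMZ application server (the "NAT in a DMZ setup" case)
static (dmz,outside) 203.0.113.10 192.168.10.10 netmask 255.255.255.255
!
! Outside -> DMZ: only the two application ports reach the server;
! everything else is dropped and logged
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 443
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 8443
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! DMZ -> elsewhere: a compromised DMZ host gets no path into the inside
! network. The explicit deny comes first; any outbound need the application
! has (here an assumed HTTPS update path) is listed after it.
access-list DMZ_OUT extended deny ip any 10.0.0.0 255.255.255.0 log
access-list DMZ_OUT extended permit tcp any any eq 443
access-list DMZ_OUT extended deny ip any any log
access-group DMZ_OUT in interface dmz
!
! Inside -> DMZ: applying an ACL on the inside interface replaces the default
! "higher security level may reach lower" behaviour, so internal users reach
! the application only on its two ports, while their internet access stays open.
access-list INSIDE_OUT extended permit tcp 10.0.0.0 255.255.255.0 host 192.168.10.10 eq 443
access-list INSIDE_OUT extended permit tcp 10.0.0.0 255.255.255.0 host 192.168.10.10 eq 8443
access-list INSIDE_OUT extended deny ip 10.0.0.0 255.255.255.0 192.168.10.0 255.255.255.0 log
access-list INSIDE_OUT extended permit ip 10.0.0.0 255.255.255.0 any
access-group INSIDE_OUT in interface inside
```

Because the PIX is stateful, replies to connections that these ACLs permit are allowed automatically; the DMZ_OUT list only governs connections the DMZ servers themselves initiate, which is exactly the traffic a compromised host would generate. The `log` keyword on the deny entries is what makes an attempt by a DMZ host to reach the inside network visible in syslog, which is worth watching even if you never deploy a separate IDS/IPS. Servers that must talk to each other at line rate can share the same DMZ segment so that traffic never crosses the PIX, while the ACLs above still bound what leaves that segment.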