Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Protecting router having 2 ISP conn & 4 intranet conn with PIX Firewall

I have cisco 2610 router with channelized E1 and ISDN BRI cards for internet and intranet connectivity.currently,ISDN BRI is used for internet dialup connectivity (no dedicated public IP) and four 256k intranet circuits through channalized E1.Through dynamic NAT in the router,internal users are accessing internet.Now we want to have 64k internet leased line (with 8 dedicated public IPs) through the remaining available bandwidth of E1 link apart from the internet ISDN dialup connection as well as to implement PIX 515 (2 ports) firewall.The requirement is

1.The 64k internet leased line should be used by a single system (IP)

2.The remaining users should use the isdn dialup connection to access internet.

3.Apart from the internet ,internal users should be able to access intranet networks.

Local LAN is a flat network with 192.9.200.0 IP n/w

Is it possible to allow both ISP traffic as well as the intranet traffic through the PIX firewall outside interface.Is there any prctical difficulties or securtiy issues ?

Is it possible to implement the PIX 515 firewall with the above polices ?

or by having public IPs for the ISDN internet dialup,can we implement the above polices?

or what is the best way to implement the firewall in the above scenario?

Pls help me on this problem

3 REPLIES
New Member

Re: Protecting router having 2 ISP conn & 4 intranet conn with P

Hi,

where do you want to place the pix? Because the PIX does NOT have any ISDN BRI or E1 interfaces, but only Ethernet interfaces, what would you like to protect? If you are able to configure your router like described above and you want to firewall that internet connections why don't you use the firewall feature pack for your 2610?

You ca place a 515 between Intranet and 2610, doing nat 0 and forwarding every packet to the router.

Regards Norbert

New Member

Re: Protecting router having 2 ISP conn & 4 intranet conn with P

Hi Norbert

The firewall should be placed between thr 2610 router and the local LAN.

The connectivity is like this:

LAN-----PIX firewall(2 ports)-----2610 Router--------Internet links (2) & intranet links(4)

All the internet and intranet links are terminated in the same 2610 router.

One ISP is connected through E1 link and it should be used by only one lcal LAN system.The other ISP is connected through ISDN dilaup (no dedicated IP) and it should be used by the remaining local LAN users.Aprt from this the intranet traffic should be allowed through the firewall without translation (bothway).

The point to be noted that all the traffic between router and Local LAN should br directed only through the outside i/f to inside i/f of the firewall.In this scenario,how do i route the specific traffic to one ISP , remaining traffic to second ISP? (looking like policy based routing if we use only router)

Currently ISP1 (thr E1) has dedicated public IPs but the ISDN dialup does not have.

Apart from this the intranet traffic should be allowed thr firewall.And which network ip should be assigned to the outside i/f of the firewall and lan port of the router since two ISPs are involved.Is the pix implementation in this scenarion a workable solution or the internet link should be protected separately with firewall?

Please suggest some workaround for this issue

Regards

Gobi

New Member

Re: Protecting router having 2 ISP conn & 4 intranet conn with P

Hi Gobi,

thanks for the informations. I guess you can do it in that way, you mentioned. Define a new Private IP-Network on PIX outside and Router interface. Define your PIX-Rules for Internet and Intranet traffic. Define the routing entries on the pix and don't let the pix nat the traffic from inside to outside. On the router you also have to set your routing entries correctly for access of the LAN. Then you need some route-maps to direct the traffic to the interface, you want to have them forwarded. Nat/Pat on the interfaces and I think it would be done.

So, define your policies on the PIX and let the router do the rest.

Hope this helps

Norbert

124
Views
0
Helpful
3
Replies
CreatePlease login to create content