04-21-2003 03:49 AM - edited 03-09-2019 02:58 AM
I currently support (2) PIX 515's for our corporate firewalling requirements.
We are in the process of establishing our own ISP network. We have selected the PIX 525 running in failover configuration to protect the ISP server farms.
I have been told that setting up an ISP firewall is very different than for corporate purposes. For starters we have global addresses on the inside and obviously the outside. I have also been told you do NOT typically use NAT on an ISP firewall.
I am looking for a basic ISP firewall setup. Any assistance would be greatly appreciated.
04-25-2003 09:24 AM
I don't think there's any restriction on using NAT in an ISP network, if you don't have enough IP addresses you can very well use private IP addresses for your LAN and NAT them.
The PIX in an ISP network is to protect your own infrastructure like your LAN, web servers, radius servers, mail servers. This is in no way different from a PIX used for a corporate purpose. Maybe the ports that you might open will differ based upon the services you run.
04-27-2003 04:15 AM
Setting up your firewall for an ISP or any firewall is a design call. But the challenges are the same as long as you understand the fundamentals of the PIX.
If you do not have an IP address shortage, your static statements could be mapped differently, like static(inside, DMZ) 145.24.34.0 145.24.34.0 255.255.255.0
You might have to pay more attention to your access-list to control both inbound and outbound traffic, where necessary.
You can use NAT statements when you expect traffic to only originate from one direction.
Arrange your access-list in a descending order of what access-list will be used the most.
If you need additional help, let me know...
Ade
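Added example (not part of the thread, and not Cisco tooling): ordering access-list entries by use, as the last reply suggests, can change policy if a permit is moved across a deny. This sketch sorts by hit count only within runs of consecutive entries that share an action, which leaves the first-match result unchanged. The sample lines are constructed, and the `show access-list` output format they imitate is an assumption.

```python
import re
from itertools import groupby

# Constructed sample in the style of PIX `show access-list` output (assumed format).
SAMPLE = """\
access-list acl_out line 1 permit tcp any host 192.0.2.25 eq smtp (hitcnt=1200)
access-list acl_out line 2 permit tcp any host 192.0.2.80 eq www (hitcnt=98000)
access-list acl_out line 3 permit udp any host 192.0.2.53 eq domain (hitcnt=45000)
access-list acl_out line 4 deny ip any 192.0.2.0 255.255.255.0 (hitcnt=300)
access-list acl_out line 5 permit icmp any any echo-reply (hitcnt=10)
access-list acl_out line 6 permit tcp any host 198.51.100.5 eq 443 (hitcnt=700)
"""

ENTRY = re.compile(
    r"^access-list (?P<name>\S+) line \d+ (?P<action>permit|deny) "
    r"(?P<rule>.+?) \(hitcnt=(?P<hits>\d+)\)$"
)

def parse(text):
    """Return (name, action, rule, hits) tuples in configured order."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.append((m["name"], m["action"], m["rule"], int(m["hits"])))
    return entries

def reorder(entries):
    """Sort by hit count, descending, inside each run of consecutive entries
    that share an ACL name and action. An entry never crosses an entry with
    the opposite action, so every packet still gets the same verdict."""
    out = []
    for _, run in groupby(entries, key=lambda e: e[:2]):
        out.extend(sorted(run, key=lambda e: -e[3]))
    return out

def render(entries):
    """Emit configuration lines (no line numbers or counters)."""
    return [f"access-list {n} {a} {r}" for n, a, r, _ in entries]

if __name__ == "__main__":
    print("\n".join(render(reorder(parse(SAMPLE)))))
```

In the sample, the busiest web entry moves to the top of the first permit run, while the deny stays in fourth position and the two permits after it are only reordered among themselves.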