Cisco Support Community

New Member

Setting up an ISP Firewall

I currently support (2) PIX 515's for our corporate firewalling requirements.

We are in the process of establishing our own ISP network. We have selected the PIX 525 running in failover configuration to protect the ISP server farms.

I have been told that setting up an ISP firewall is very different than for corporate purposes. For starters we have global addresses on the inside and obviously the outside. I have also been told you do NOT typically use NAT on an ISP firewall.

I am looking for a basic ISP firewall setup. Any assistance would be greatly appreciated.


Re: Setting up an ISP Firewall

I don't think there's any restriction on using NAT in an ISP network. If you don't have enough IP addresses, you can very well use private IP addresses for your LAN and NAT them.

The PIX in an ISP network is there to protect your own infrastructure, like your LAN, web servers, RADIUS servers and mail servers. This is in no way different from a PIX used for a corporate purpose. Maybe the ports that you open will differ based upon the services you run.

New Member

Re: Setting up an ISP Firewall

Setting up your firewall for an ISP, or any firewall, is a design call. But the challenges are the same as long as you understand the fundamentals of the PIX.

If you do not have an IP address shortage, your static statements could be mapped differently, like static(inside, DMZ).

You might have to pay more attention to your access-list to control both inbound and outbound traffic, where necessary.

You can use NAT statements when you expect traffic to only originate from one direction.

Arrange your access-list in descending order of which access-list entries will be used the most.

If you need additional help, let me know...
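
The following PIX 6.x-style fragment is an added illustration of the no-NAT setup discussed in this thread; it was not posted by any participant. The 192.0.2.0/24 block, the two server addresses and the ACL name `outside_in` are constructed placeholders standing in for a publicly routed server-farm network.

```cisco
: Constructed example: 192.0.2.0/24 stands in for the globally routed
: server-farm block behind the inside interface.
:
: Identity statics: each server keeps its own global address on both
: sides of the firewall (no translation). A static is required for any
: host that must accept connections initiated from the outside.
static (inside,outside) 192.0.2.10 192.0.2.10 netmask 255.255.255.255
static (inside,outside) 192.0.2.25 192.0.2.25 netmask 255.255.255.255
:
: Identity NAT for the rest of the block: addresses are left untranslated,
: but only connections that originate on the inside are permitted.
nat (inside) 0 192.0.2.0 255.255.255.0
:
: Inbound ACL. Entries are evaluated top-down and the first match wins,
: so the busiest service is listed first. Reorder only where a broader
: entry cannot shadow a more specific one.
access-list outside_in permit tcp any host 192.0.2.10 eq www
access-list outside_in permit tcp any host 192.0.2.25 eq smtp
: The final deny is implicit; writing it out gives it a hit counter
: in "show access-list".
access-list outside_in deny ip any any
access-group outside_in in interface outside
```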

