Cisco Support Community
Web, DNS, Proxy etc Servers on 4-Port Ethernet Card on 515E

Hi,

I am configuring a PIX 515E firewall with a 4-Port Ethernet Card. We would have our Web, Proxy, DNS etc. servers on the 4-Port Ethernet Card.

Our public address block is x.x.x.x/26.

I can think of two ways to do this but am unable to decide if one is better than the other:

1. Have the servers and PIX 4-Port interfaces configured with private IP addresses and then have static NAT entries in the PIX mapping each private IP address to an address from x.x.x.x.

2. Further subdivide our public address space into subnets and then configure public addresses directly on the servers and PIX 4-Port interfaces.

Of course in this case I would end up wasting some of my public IP addresses (the ones assigned to PIX interfaces plus 2 per subnet).

However, as far as I know, I would still have to use the "static" command to map each server's public address to itself?

My question is

Is there any advantage in choosing between any of these scenarios ? E.g. a performance gain or something ?

I am concerned about the performance of the proxy server.

Would there be any performance issue with having the proxy server connected to the 4-Port Card on the PIX, i.e. behind the PIX, or

connected outside the PIX, i.e. just protected by the perimeter router and configured directly with a public IP address, i.e. without going through address translation on the PIX?

I am thinking that

DNS, Web and Mail servers should be protected by the PIX, as all these need access from outside and the PIX can perform protocol inspection for all of them.

However, a proxy server doesn't need to be accessed from outside, so it can be protected using a stateful IOS firewall on the perimeter router. However, if there are no performance issues while using it behind the PIX, I would still like to do that.

We do have a VPN 3000 concentrator also, any idea where it should be placed ? Behind the PIX or Not ?

3 REPLIES

Re: Web, DNS, Proxy etc Servers on 4-Port Ethernet Card on 515E

Hi,

a few answers to your questions:

+ "However, as far as I know, I would still have to use the "static" command to map each server's public address to itself?"

-> CORRECT

+ Is there any advantage in choosing between any of these scenarios ? E.g. a performance gain or something ?

-> Choose the private addresses for two reasons:

- the real IP addresses of the servers are not exposed

- you don't have to change anything on the servers if your public address range changes (e.g. if you decide to use another internet provider)

+"We do have a VPN 3000 concentrator also, any idea where it should be placed ? Behind the PIX or Not ?"

-> Place it next to the firewall. Connect the external interface of the VPN 3000 to the internet and, if possible, the internal interface of the VPN 3000 to one of the DMZ interfaces (or to the inside network if no DMZ interface is available). If you use a DMZ interface, the decrypted data appears on the DMZ interface and you can inspect the traffic while it goes through the firewall to the internal network.

+ "I am thinking that DNS, Web and Mail servers should be protected by the PIX, as all these need access from outside and the PIX can perform protocol inspection for all of them."

-> CORRECT

+ "However, a proxy server doesn't need to be accessed from outside, so it can be protected using a stateful IOS firewall on the perimeter router. However, if there are no performance issues while using it behind the PIX, I would still like to do that."

-> In general the PIX is faster than a stateful IOS firewall, so there shouldn't be a performance issue. But this depends of course on the number of users. I can't give you a clear answer to this question. If you look at the specs of the 515E you find a cleartext throughput of 188 Mbps.

I hope I was able to solve some of your questions?

Kind Regards,

Tom
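
The configuration below is an added example, not part of the thread or Cisco's documentation. It shows what Tom's recommendation (option 1, private addresses plus one static per published server) looks like in PIX 6.3-style syntax, with option 2's identity static shown at the end for comparison. Everything in it is assumed: the documentation block 203.0.113.0/26 stands in for x.x.x.x/26, ethernet2 on the 4-port card is the server DMZ, the servers live in 192.168.10.0/24, and the ACL and interface names are hypothetical.

```cisco
! Added example (not from the thread). Assumed: PIX 6.3 syntax, public
! block 203.0.113.0/26 in place of x.x.x.x/26, ethernet2 of the 4-port
! card as the DMZ, private server addresses in 192.168.10.0/24.

! Interfaces: inside is security100, outside is security0, the DMZ sits
! between so the PIX inspects traffic in both directions.
interface ethernet2 100full
nameif ethernet2 dmz security50
ip address outside 203.0.113.2 255.255.255.192
ip address inside 10.1.1.1 255.255.255.0
ip address dmz 192.168.10.1 255.255.255.0

! Option 1: the servers keep private addresses and each published server
! gets one static. Outside clients talk to 203.0.113.10; the PIX rewrites
! the destination to 192.168.10.10 (web), .11 (dns), .12 (mail).
static (dmz,outside) 203.0.113.10 192.168.10.10 netmask 255.255.255.255
static (dmz,outside) 203.0.113.11 192.168.10.11 netmask 255.255.255.255
static (dmz,outside) 203.0.113.12 192.168.10.12 netmask 255.255.255.255

! A static only creates the translation; inbound traffic is still denied
! until an ACL permits it. Open only the published ports. The proxy gets
! no static and no ACL entry, so it is unreachable from outside.
access-list outside_in permit tcp any host 203.0.113.10 eq www
access-list outside_in permit tcp any host 203.0.113.10 eq 443
access-list outside_in permit udp any host 203.0.113.11 eq domain
access-list outside_in permit tcp any host 203.0.113.12 eq smtp
access-group outside_in in interface outside

! Outbound from the DMZ (the proxy fetching pages, mail relaying out):
! the whole DMZ shares one PAT address from the public block.
nat (dmz) 1 192.168.10.0 255.255.255.0
global (outside) 1 203.0.113.62

! Inside users reach the proxy by its private address. Inside -> DMZ is
! higher -> lower security, so it is allowed by default but still needs a
! translation; an identity static keeps the real inside addresses visible
! in the proxy logs.
static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0

! Protocol inspection the question relies on (PIX 6.3 "fixup"). The DNS
! fixup also caps reply length, which drops oversized responses.
fixup protocol http 80
fixup protocol smtp 25
fixup protocol dns maximum-length 512

! Option 2 for comparison: public addresses on the servers themselves.
! The /26 is split (here 203.0.113.32/27 for the DMZ), the DMZ interface
! consumes a public address, and each server still needs a static, now
! mapping its address to itself (an identity static). The ACL is the same.
! ip address dmz 203.0.113.33 255.255.255.224
! static (dmz,outside) 203.0.113.34 203.0.113.34 netmask 255.255.255.255
```

With option 1, changing providers means editing the three `static` lines, the `global` and the outside `ip address`; the servers and the DMZ interface keep their addresses. Either way, the `access-group` on the outside interface, not the `static`, is what decides which of the published addresses and ports are reachable, so check it with `show access-list outside_in` rather than assuming a missing static is enough to hide the proxy.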


Re: Web, DNS, Proxy etc Servers on 4-Port Ethernet Card on 515E

Thank you Tom. These were all very helpful suggestions.

Regards, Naman

Re: Web, DNS, Proxy etc Servers on 4-Port Ethernet Card on 515E

You're welcome!!

Regards,

Tom
