Here's the deal. I have a Linksys firewall that connects to my cable modem. Behind that I have a wireless AP. Behind that AP I have a 1720 router with some ACLs acting as a secondary firewall, thus creating some sort of DMZ. Problem is... I have a web server and Exchange server that I don't want to put in the DMZ. I want to keep them behind the 1720. The Linksys firewall can only NAT to the DMZ network. If I turn on NAT on the 1720 and make static NAT entries on the 1720 for mail and such, then on the Linksys make NAT entries for mail and web pointing to the 1720 DMZ interface, will that work?
Sure, I've actually done this w/ 2 PIX 506Es and it does work just fine. Bottom line, an inexpensive workaround to not having to dump 4k+ on a 515E. The config does create a mock screened subnet or DMZ. Not really any tricks to it, just use statics, NAT & global on the internal PIX which destinate onto the "DMZ" private addresses. On the external firewall, use 1-1 NAT (or whatever it's called) for the "DMZ" PIX static mappings to the actual public IPs:
10.0.0.1 <--> 192.168.0.1 <--> public IP
Only drawbacks I can think of are performance related - w/ ingress/egress filtering on both units, an extra network hop, two layers of nested NAT, two layers of IPSec overhead, & two layers of nested static mappings, the LAN users will notice a performance hit.
Also, the rulebase configs can get dicey. I configured VPN access to both, but on the external unit, you will need to open ports like 50/esp, 500/udp, to the internal Pix. Also, egress filtering on the external Pix I haven't gotten quite right yet w/o unexpectedly denying access to someone.
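Worked example of the nested-NAT layout on the asker's 1720 (Cisco IOS rather than the PIX the reply used). This is an added illustration, not config from either poster: the addressing (10.0.0.0/24 inside, 192.168.0.0/24 DMZ, 192.168.0.2 on the 1720), the interface names, the server hosts and the published ports are all assumptions chosen for the example. The Linksys would then forward TCP 25, 80 and 443 from the public address to 192.168.0.2, the 1720's DMZ-side address, and the 1720 forwards them on to the real servers.

```cisco
! --- Hypothetical 1720 configuration (example, not the poster's) ---
! DMZ-facing interface: the side the Linksys and the wireless AP sit on.
interface FastEthernet0
 description DMZ side, towards the wireless AP and the Linksys
 ip address 192.168.0.2 255.255.255.0
 ip nat outside
 ip access-group DMZ-IN in
!
! Inside LAN with the Exchange and web servers.
interface Ethernet0
 description Inside LAN (assumed addressing)
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
!
! Second layer of static NAT: the Linksys sends the published ports to
! 192.168.0.2; the 1720 maps each port to the real inside server.
! 10.0.0.10 = assumed Exchange host, 10.0.0.11 = assumed web host.
ip nat inside source static tcp 10.0.0.10 25  192.168.0.2 25  extendable
ip nat inside source static tcp 10.0.0.11 80  192.168.0.2 80  extendable
ip nat inside source static tcp 10.0.0.11 443 192.168.0.2 443 extendable
!
! Outbound LAN traffic is PAT'd behind the DMZ-side address, so the
! Linksys only ever sees 192.168.0.2 (the "two layers of nested NAT").
ip access-list standard LAN-HOSTS
 permit 10.0.0.0 0.0.0.255
ip nat inside source list LAN-HOSTS interface FastEthernet0 overload
!
! Ingress ACL on the DMZ side. IOS evaluates an inbound ACL before the
! outside-to-inside translation, so it matches on 192.168.0.2, not on
! the real server addresses. Only the published services get in;
! return traffic for LAN-initiated TCP sessions is allowed by
! 'established'; everything else from the DMZ (and so from the Internet,
! should the Linksys or the AP be compromised) is dropped and logged.
ip access-list extended DMZ-IN
 permit tcp any host 192.168.0.2 eq 25
 permit tcp any host 192.168.0.2 eq 80
 permit tcp any host 192.168.0.2 eq 443
 permit tcp any host 192.168.0.2 established
 permit udp any eq 53 host 192.168.0.2
 deny   ip any any log
```

Two things to check once it is in place: `show ip nat translations` on the 1720 should show the three static entries plus dynamic PAT entries for LAN hosts, and `show access-lists DMZ-IN` should show the deny line incrementing for anything the Linksys forwards that is not one of the three published ports. The `established` and DNS-reply lines are the stateless stand-in for the PIX's connection tracking; a stateful inspection feature on the router would let you drop them, which is the egress/return-traffic tuning the reply above says is the fiddly part.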