3550 -> PIX 515E -> 2950

Jan
09-13-2004
We are a small ISP and would like to use Pix for firewalling our
colocation customers.

We have 3550 switches where a VLAN for each customer
is defined and 2950 switches where customer equipment is
connected. Is it possible to place Pix 515E between them?
It must pass the VLAN trunking.

3550 VLAN 10 -> PIX 515E -> 2950 VLAN 10

I would like to use 2 security zones on the PIX. One for
Unix machines and one for Windows machines. Remote
management should be done with VPN connection to
the 515E.




Walter Roberson
09-13-2004
In article <4145c017$0$767$(E-Mail Removed) >,
Jan <(E-Mail Removed)> wrote:
:We are a small ISP and would like to use Pix for firewalling our
:colocation customers.

:We have 3550 switches where a VLAN for each customer
:is defined and 2950 switches where customer equipment is
:connected. Is it possible to place Pix 515E between them?
:It must pass the VLAN trunking.

:3550 VLAN 10 -> PIX 515E -> 2950 VLAN 10

Well, sort of, but more No than Yes.

In order to handle VLANs on the PIX, you need to define "logical"
interfaces -- one logical interface per VLAN per physical interface.
So you could define a logical interface on the outside of the 515E
that was in VLAN 10, and you could define a logical interface on
the inside of the 515E that was in VLAN 10, and the net result would
be VLAN 10 flowing through the 515E... but only if the routings/ACLs
on the 515E were such that it wasn't possible to route incoming
VLAN 10 to outgoing VLAN 20.

You cannot define a port-based VLAN on the PIX, only IP range based VLANs,
so the VLAN gets stripped off, the packet gets routed according to
the internal routing tables [which can NOT be parameterized by VLAN],
and the appropriate outgoing VLAN gets slapped on to the packet as it
leaves the physical interface. You can, I am sure, see all kinds
of difficulties in using this for what you wanted to do. And
if the desired IP range for VLAN 10 overlaps with the desired
IP range for outgoing VLAN 20, then you are SOL, as the IP ranges
for interfaces may not overlap.

In -some- circumstances, you could get around some of these problems
through clever use of policy nat and reverse nat, but I think it should
be clear by now that the 515E was really not designed for what you would
like to do. There's also the small problem that even with the
Unrestricted license, the 515E can handle a total of only 10 interfaces
[up to 6 physical, up to 6 logical, total between them not to exceed 10.]


If you have the right kind of 3550's (e.g., 3550G series) then you might
find it easier to put the desired filters in at the 3550 level. But that's
just filters, not a true firewall.


I have heard that PIX 7.0 might support pass-through filters; it
probably still wouldn't handle enough on a 515E for your situation
though.

If you have more than ~15 customers, then you run out of room to
do the above kinds of configuration on PIX models; if you really want
to stick with the PIX security model, you would then have to go
for a 650x or 720xVXR series with a FWSM -- which is certainly a
fast module, but it is very expensive!!


I am not experienced in network design, but it sounds to me as if
perhaps you are trying to put the firewall at the wrong point in
the topology. If the customers are already separated into VLANs, and
the VLANs are not supposed to talk to each other, then unless you
don't trust the VLAN implementation not to "leak" VLANs into each
other, then the firewall would most naturally go at the public
interface for each VLAN -- the point at which the protected innards
meets the public WANs.
--
"No one has the right to destroy another person's belief by
demanding empirical evidence." -- Ann Landers
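The points in the reply above (one logical interface per VLAN per physical port, routing by destination IP only with no regard to the ingress VLAN, no overlapping IP ranges, and the 6/6/10 interface ceiling) can be checked against a proposed design with a small model. This is an added toy model written for this page; it is not PIX configuration and not Cisco code. The interface names, ports, VLAN numbers and IP ranges are constructed sample values, and the ACL is reduced to a set of permitted (ingress, egress) interface pairs.

```python
"""Toy model of a routed firewall carrying tagged VLANs (constructed example).

Models the behaviour described in the thread: forwarding is by destination
IP only, so the ingress VLAN plays no part, and only an ACL stops a packet
that arrived on VLAN 10 from being routed out VLAN 20.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from itertools import combinations
from typing import Optional

# Interface ceiling quoted in the thread for a 515E with the Unrestricted license
MAX_PHYSICAL, MAX_LOGICAL, MAX_TOTAL = 6, 6, 10


@dataclass(frozen=True)
class Interface:
    name: str
    port: str                   # physical port, e.g. "ethernet0" (assumed naming)
    subnet: IPv4Network         # the one IP range bound to this interface
    vlan: Optional[int] = None  # None = physical (untagged), int = logical (802.1Q)


@dataclass
class Firewall:
    interfaces: list = field(default_factory=list)
    # (ingress name, egress name) pairs the ACLs permit; everything else is denied
    permitted: set = field(default_factory=set)

    def validate(self) -> list:
        """Return the planning problems the thread says a PIX design cannot have."""
        problems = []
        physical = [i for i in self.interfaces if i.vlan is None]
        logical = [i for i in self.interfaces if i.vlan is not None]
        if len(physical) > MAX_PHYSICAL:
            problems.append(f"{len(physical)} physical interfaces > {MAX_PHYSICAL}")
        if len(logical) > MAX_LOGICAL:
            problems.append(f"{len(logical)} logical interfaces > {MAX_LOGICAL}")
        if len(self.interfaces) > MAX_TOTAL:
            problems.append(f"{len(self.interfaces)} interfaces total > {MAX_TOTAL}")
        # IP ranges bound to different interfaces may not overlap
        for a, b in combinations(self.interfaces, 2):
            if a.subnet.overlaps(b.subnet):
                problems.append(f"overlap: {a.name} {a.subnet} and {b.name} {b.subnet}")
        return problems

    def egress_for(self, dst: IPv4Address) -> Optional[Interface]:
        """Longest-prefix match on the destination only; ingress VLAN is not consulted."""
        candidates = [i for i in self.interfaces if dst in i.subnet]
        return max(candidates, key=lambda i: i.subnet.prefixlen, default=None)

    def forward(self, ingress: str, dst: str) -> tuple:
        """Decide what happens to a packet entering on `ingress` bound for `dst`."""
        egress = self.egress_for(IPv4Address(dst))
        if egress is None:
            return ("DROP", "no route")
        if (ingress, egress.name) not in self.permitted:
            return ("DROP", f"ACL denies {ingress} -> {egress.name}")
        return ("FORWARD", egress.name)


def build_example() -> Firewall:
    """Constructed two-customer plan: VLAN 10 and VLAN 20 on both sides of the PIX."""
    fw = Firewall()
    fw.interfaces = [
        Interface("outside", "ethernet0", IPv4Network("203.0.113.0/24")),
        Interface("out_vlan10", "ethernet0", IPv4Network("172.16.10.0/24"), vlan=10),
        Interface("out_vlan20", "ethernet0", IPv4Network("172.16.20.0/24"), vlan=20),
        Interface("inside", "ethernet1", IPv4Network("192.168.0.0/24")),
        Interface("in_vlan10", "ethernet1", IPv4Network("10.10.0.0/24"), vlan=10),
        Interface("in_vlan20", "ethernet1", IPv4Network("10.20.0.0/24"), vlan=20),
    ]
    # ACLs pin each customer's VLAN to itself, so VLAN 10 can never reach VLAN 20
    for v in (10, 20):
        fw.permitted.add((f"out_vlan{v}", f"in_vlan{v}"))
        fw.permitted.add((f"in_vlan{v}", f"out_vlan{v}"))
    return fw


def overlapping_example() -> Firewall:
    """What the original post asked for: the same IP range on VLAN 10 on both sides."""
    fw = build_example()
    fw.interfaces = [
        Interface(i.name, i.port, IPv4Network("172.16.10.0/24"), i.vlan)
        if i.name == "in_vlan10" else i
        for i in fw.interfaces
    ]
    return fw


if __name__ == "__main__":
    fw = build_example()
    print("problems:", fw.validate() or "none")
    print(fw.forward("out_vlan10", "10.10.0.5"))   # same customer: forwarded
    print(fw.forward("out_vlan10", "10.20.0.5"))   # routed toward VLAN 20, ACL drops it
    print("overlap plan:", overlapping_example().validate())
```

The second `forward` call is the point of the reply: the route lookup happily selects the VLAN 20 interface for a packet that came in on VLAN 10, and only the ACL pair list stops it. Removing the ACL check would let the VLAN cross over silently, which is why the filters, not the VLAN tags, carry the isolation in this design.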