Velocity Reviews - Computer Hardware Reviews



A Tale of Two PIXes

 
 
Dustin
      11-17-2005
Alright, I will lay this out as clearly as possible. Currently, we
have a T1 at our main location, and it is connected to a 2600 router.
That router is connected to a PIX 515 that has a DMZ off of one
interface. From the inside interface, the PIX attaches to our 6509
switch. The 6509 is really the workhorse of our network, and performs
routing, as we have about 15 other switches off of it, and VLANs.

At our COLO facility, we have a 10MB ethernet handoff for Internet
access (it is throttled to 4MB, however). This is attached to a PIX
515E, and there is no DMZ. The inside interface attaches to an HP
switch. In order to link our COLO to our main site, we have a 100MB
ethernet handoff to the HP switch, and at the other end, another 100MB
ethernet handoff to our 6509. Instead of just using it as a flat
ethernet network, we have isolated that 100MB link with VLANs, but it
is not trunking (for instance, there are no VLANs shared across the
100MB link).

So, the intent is to start using the 4MB link for all of our Internet
traffic, as our T1 is getting maxed out at peak hours. Later, we may
try to utilize both. But to start out, we got all devices at the COLO
working through the 4MB connection. These devices could also
communicate with all the devices on our main site, all VLANs, including
the DMZ devices.

We configured the PIX 515E with static mappings for all resources that
the PIX 515 was providing, but obviously, with new IPs, as it is a
different block. I tested the PIX 515E to make sure it was forwarding
traffic. This worked well. So, the plan was to change the default
route on the 6509 from pointing to the PIX 515, and have it point to
the HP Switch at the COLO. Then, we would change the PIX 515 default
route from the 2600 to the 6509. Given that the inside interface of
the PIX has a higher security level than the DMZ interface, I figured
this would allow the traffic to pass just fine.

Showtime. I get in early and change the default route on the 6509.
Devices on the inside are not working. It turns out, NAT was not
established on the PIX 515E. No big deal to fix. Besides, all devices
on the main network that had static mappings worked, and we could gain
access to them from the outside with the new IPs from the 4MB link. So
that all seems fine. However, no devices on the DMZ were accessible.
Again, this DMZ is on the far side of the equation, and is not really
setup as a DMZ, but that is not something that can be addressed at this
time.

The crux of the issue is, I need for the resources in the DMZ on the
PIX 515 to be accessible from the Internet connection that is across
our "ethernet MAN" and connected by the PIX 515E. The routing seems to
work fine for everything else, so I am not sure that is an issue. The
rules in the PIX also seem fine. Is it possible to A) have the default
route of the PIX 515 go through the inside interface (I cannot see why
not), and B) to have the DMZ accessible via the inside interface
(again, I cannot see why not)? I guess I am really just asking for some
opinions on what may be limiting those resources. I am having a mental
block. The ACL rules seem fine on the PIX 515E, and surely traffic
can traverse easily from a security100 interface to a security10
interface. I know that I can get from the PIX 515E at the COLO network
to the DMZ devices.

Here is an ASCII diagram (better with fixed font):

                  _______________
                _/               \_
              __/                   \__
             /                         \
            |         Internet          |
            |                           |
             \__                     __/
                \_                 _/
                  \_______________/
                  /               \
                 /                 \
                /                   \
               /_                   _\
              /                       \
           A /                         \ B
        ____/____                    ___\____
       |__2600___|                  |__PIX___|
        ____|____  Inside            ___|_____  Inside
       |___PIX___|---               |HP_Switch|
    DMZ    |_C_____ |                  D   E  |
       |Cisco_Switch| |                       |
                     _|_______________________|_
                    |                           |
                    |                           |
                    |                           |
                    |           6509            |
                    |                           |
                    |                           |
                    |___________________________|

 
 
 
 
 
Vincent C Jones
 
      11-17-2005
In article <(E-Mail Removed) .com>,
Dustin <(E-Mail Removed)> wrote:
>Alright, I will lay this out as clearly as possible. Currently, we
>have a T1 at our main location, and it is connected to a 2600 router.
>[...]


I suspect your problems are a natural side effect of the rules set up
originally for outside access to your DMZ. As originally configured
(before adding the link to your COLO), the only traffic which should
be allowed into the DMZ from the inside interface should be from
inside IP addresses. Any other source addresses would be spoofed
and should be rejected.

If I were you (and I'm not, and this is free advice so you can take
it for what you paid for it), I would drop back five and reevaluate
exactly what I am trying to accomplish. Most COLO facilities I've
worked with are logically outside and DMZ, not outside and inside
(despite what the ports are labeled). Taking a piecemeal, hack
at a time approach to firewall setup is virtually guaranteed to
introduce flaws in the protection provided. Define your security
policies (what access is allowed from inside to outside, outside
to inside, outside to DMZ, DMZ to inside, etc.) and look at where
the firewalls belong and where the interconnects belong.

Only you can determine the proper tradeoffs between security and
performance and cost (hint, you only get to choose two out of three),
so take any blanket recommendations you get with a grain of salt,
including this one.

Good luck and have fun!
--
Vincent C Jones, Consultant          Expert advice and a helping hand
Networking Unlimited, Inc.           for those who want to manage and
Tenafly, NJ  Phone: 201 568-7810     control their networking destiny
http://www.networkingunlimited.com
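Vincent's reading of the problem, and the two-step plan in Dustin's post, written out as an added configuration example. This is not configuration from the thread or from either poster; it assumes PIX 6.x syntax (the thread never states a version) and every address in it is constructed: 10.1.0.0/16 for the main-site VLANs behind the 6509 (with the 6509 at 10.1.0.254 toward the PIX), 10.2.0.0/16 for the COLO LAN, 192.0.2.0/24 for the DMZ with a web server at 192.0.2.10. The first inside list is the anti-spoofing policy Vincent describes; the second is the minimal change that lets Internet-sourced traffic arriving through the 6509 reach a published DMZ host.

```cisco
! Added example, not configuration from the thread. PIX 515 at the main
! site, PIX 6.x syntax (assumed). Addresses are constructed:
!   10.1.0.0/16  main-site VLANs behind the 6509, 6509 = 10.1.0.254
!   10.2.0.0/16  COLO LAN behind the PIX 515E
!   192.0.2.0/24 DMZ, with a web server at 192.0.2.10
!
! Security levels as described in the post
nameif ethernet0 outside security0
nameif ethernet1 inside  security100
nameif ethernet2 dmz     security10
ip address inside 10.1.0.1  255.255.255.0
ip address dmz    192.0.2.1 255.255.255.0
!
! Step 2 of the plan: default route out the inside interface.
! The PIX accepts this; question A in the post is not the problem.
route inside 0.0.0.0 0.0.0.0 10.1.0.254 1
!
! No translation between the private sides: DMZ hosts keep their real
! addresses toward inside, and private sources are exempt from NAT.
static (dmz,inside) 192.0.2.0 192.0.2.0 netmask 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.0.0.0 192.0.2.0 255.255.255.0
nat (inside) 0 access-list nonat
!
! --- Original inside policy: the anti-spoofing rule Vincent describes ---
! Only private sources are expected on "inside". An Internet client that
! now arrives through the 6509 matches nothing but the final deny.
access-list inside_in permit ip 10.0.0.0 255.0.0.0 192.0.2.0 255.255.255.0
access-list inside_in permit ip 10.0.0.0 255.0.0.0 any
access-list inside_in deny   ip any any
access-group inside_in in interface inside
!
! --- Minimal change that makes the COLO path work (assumed fix) ---
! Two things are needed on a 6.x PIX: an ACL permit for the new sources,
! and a translation (here a NAT exemption) for them on the (inside,dmz)
! pair; without the second the PIX drops the packet and logs
! "No translation group found". Note what this really is: an
! outside-to-DMZ policy on an interface the PIX still trusts at level 100.
access-list nonat permit ip any 192.0.2.0 255.255.255.0
access-list inside_dmz_in permit tcp any host 192.0.2.10 eq www
access-list inside_dmz_in permit tcp any host 192.0.2.10 eq https
access-list inside_dmz_in permit ip 10.0.0.0 255.0.0.0 any
access-list inside_dmz_in deny   ip any any
access-group inside_dmz_in in interface inside
```

Which of the two causes is biting can be read off the box: `show access-list inside_in` shows per-line hit counts on 6.3, and `show xlate` shows whether a translation was ever built for the Internet source. The revised list is exactly the hack-at-a-time change Vincent warns about: it works, but the inside interface is now carrying untrusted sources, which is his point about treating the COLO link as outside/DMZ rather than as inside.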
 
 
 
 
 
Lutz Donnerhacke
 
      11-17-2005
* Dustin wrote:
> The crux of the issue is, I need for the resources in the DMZ on the
> PIX 515 to be accessible from the Internet connection that is across
> out "etherne MAN" and connected by the PIX 515E.


You need active-active failover to enable asr-routing.
 
 
Dustin
 
      11-17-2005
That is not exactly what I am looking to do, but thanks. We will
probably consider it at a later time.

 
 
 
 