«

Hi Guys,

I am trying to re-design a network for the company I work for but dont
quite have the right idea's, so I hope you guys can help me out. Ok...
The network currently consists of a single PIX 515 and the ISP border
router, I have been asked to enable the network to be ready for a
global MPLS network and to connect various internal subnet's together -
there are 2 distinct networks currently. I understand that I need a
layer 3 device somewhere to do the routing. I was going to use a Cisco
layer 3 switch, as all interconnects are either FE@100mbps or some type
of RJ-45 presented MPLS WAN link, on the internal LAN sitting between
the LAN and the PIX.

I have just realised that the PIX has various entries for different
internal hosts allowing certain ports that would quite clearly not work
if I put that switch on the inside between it and the internal hosts. I
was planning on leaving the internal IP address scheme as is, and
re-designing from the switches external interface outwards, therefore
altering the PIX's internal IP address.



What a mess, I hope that makes.

Thanks in advance

Himura

Hi,

"Himura" <> wrote in message
news: oups.com...
> Hi Guys,
>
> I am trying to re-design a network for the company I work for but dont
> quite have the right idea's, so I hope you guys can help me out. Ok...
> The network currently consists of a single PIX 515 and the ISP border
> router, I have been asked to enable the network to be ready for a
> global MPLS network and to connect various internal subnet's together -
> there are 2 distinct networks currently. I understand that I need a
> layer 3 device somewhere to do the routing. I was going to use a Cisco
> layer 3 switch, as all interconnects are either FE@100mbps or some type
> of RJ-45 presented MPLS WAN link, on the internal LAN sitting between
> the LAN and the PIX.
>

will you have direct links between your networks and enable MPLS on your own
network (why?) or will your provider make MPLS VPN for interconnecting your
networks through their MPLS cloud? In later case the only thing you need to
be concerned with is how routing will be done. Think of providers MPLS cloud
as a single router where all your networks are connected to. So you will
need to make routing between your networks via this single "virtual" router
of the provider (yes, even there are many routers on the provider network
you won't see them). Most of the work will actually be done by the provider
and will be transparent for you.

> I have just realised that the PIX has various entries for different
> internal hosts allowing certain ports that would quite clearly not work
> if I put that switch on the inside between it and the internal hosts. I
> was planning on leaving the internal IP address scheme as is, and
> re-designing from the switches external interface outwards, therefore
> altering the PIX's internal IP address.
>
It's rather difficult to visualize your current and future networks based
just on the description. Do you have a network diagram (in ASCII format)?

By the way, if it's your provider who will make MPLS VPN for you, what's
name of it?

Kind regards,
iLya

Sorry about the confusing first post. The MPLS is coming in to link
offices which are located all around the world. It is most probably
going to be connected to this office through its own router, but that
router will need to connect to the internal LAN through the internal
router.

The other links from that internal router are,
1. to another network in the same office that now need to see each
other.
2. Another PIX for more DMZ connections
3. The existing PIX for internet connectivity and VPN.

The issue I think I will face is when I remove the exisiting PIX from
being the default gateway on the LAN. The port mapping on the PIX will
no longer work as all internal LAN traffic will go through the internal
router, therefore appearing to come from 1 ip address. Is that correct?

Also forgot to mention, im very ordinary with complex network issues. I
only have a CCNA.

Thanks Again

"Himura" <> wrote in message
news: oups.com...
> Sorry about the confusing first post. The MPLS is coming in to link
> offices which are located all around the world. It is most probably
> going to be connected to this office through its own router, but that
> router will need to connect to the internal LAN through the internal
> router.
>
> The other links from that internal router are,
> 1. to another network in the same office that now need to see each
> other.
> 2. Another PIX for more DMZ connections
> 3. The existing PIX for internet connectivity and VPN.
>
There are few options how Internet connectivity provided for VPN - it can be
directly availble to every site, or only to the main site, or it could be
shared or dedicated Internet gateway at the provider premises. So exact
configuration will pretty much depend on what you provider offers. Number of
PIX'es and routers is not really an issue, only off-site connectivity is
affected.

> The issue I think I will face is when I remove the exisiting PIX from
> being the default gateway on the LAN. The port mapping on the PIX will
> no longer work as all internal LAN traffic will go through the internal
> router, therefore appearing to come from 1 ip address. Is that correct?
>
A network diagram would be really helpful. If traffic will no longer go
through PIX then obviously it doesn't matter how PIX is configred and you
have to transfer functionality to your router (if required). Why would
traffic appears from 1 IP?

Kind regards,
iLya

OK this is the network as is.



LAN A -----PIX -----Internet
|
|
LAN B -----PIX-----Internet



Proposed new network.

MPLS Router
| 2x
LAN A -----L3 Switch-----PIX -----Internet
|
|
LAN B -----PIX-----Internet

"Himura" <> wrote in message
news: ups.com...
> OK this is the network as is.
>
>
>
> LAN A -----PIX -----Internet
> |
> |
> LAN B -----PIX-----Internet
>
>
>
> Proposed new network.
>
> MPLS Router
> | 2x
> LAN A -----L3 Switch-----PIX -----Internet
> |
> |
> LAN B -----PIX-----Internet
>

What is connecting LAN A and B? If there is no routers between PIX'es and
LAN A/B, I'd suggest you to connect MPLS router(s) to a DMZ interface of
PIX'es instead, and run OSPF or RIP between MPLS router and PIX'es (unless
you want to put static route for every network that should be available over
MPLS), while having default route on PIX'es pointing towards the router from
your internet provider. This way your users will still have only one default
gateway (master address of the PIX), therefore no configuration changes for
them. On the pix you will also keep all your existing NAT and firewall
rules. Something like following will do:

LAN_A -+--PIX--+------[MPLS_Router]------>[MPLS]---<other_sites>
| |
| |
| outside
| |
inside |
| |
| |
LAN_B -+--PIX--+------[Inet_Router]------>Internet

You can run two VLAN's on [inside] interface of the firewalls, so both
firewalls will be available in each VLAN for redundancy.

Kind regards,
iLya

That is 2 x PIX, only 1 L3 Switch.

LAN A needs to use LAN B internet connection, but no direct access to
LAN B.

Main issue is putting in a router between LAN A and its PIX, and the
result that will have of the rules that currently exist on that PIX in
term of port mapping. Currently PIX is defualt gateway, that will
change to Router on LAN A, so the PIX will now only see the router
instead of the hosts on LAN A.

Cheers

"Himura" <> wrote in message
news: oups.com...
> LAN A needs to use LAN B internet connection, but no direct access to
> LAN B.
>
> Main issue is putting in a router between LAN A and its PIX, and the
> result that will have of the rules that currently exist on that PIX in
> term of port mapping. Currently PIX is defualt gateway, that will
> change to Router on LAN A, so the PIX will now only see the router
> instead of the hosts on LAN A.
>

Don't put a router between LAN A and PIX, just split PIX physical "inside"
interface into VLAN's.

Kind regards,
iLya

Ahh I see. Didn't know that was possible. Makes alot more sense now.

OK so next issue....The existing PIX has all its 6 interfaces occupied.
We need more DMZ interfaces so were thinking of getting another PIX
515. With no router between the LAN and PIX how would we connect the
second PIX?