Velocity Reviews - Computer Hardware Reviews

PIX Routing

RG
12-08-2009
My topology is as follows:

Cisco modem router (external IP: xxx.xxx.xxx.248, internal IP:
xxx.xxx.xxx.249)
||
||                  Subnet 255.255.255.248
V
Cisco PIX 501
||
||
V
Mail server

This mail server is currently NATed where the static command says all
connections on port 25 for IP xxx.xxx.xxx.252 go to 192.168.1.10.
Also, an appropriate access-list has been set up.

I would like to change the mail server IP to xxx.xxx.xxx.252, and have
the PIX 501 route port 25 requests to this mail server. Does this mean I
have to use up two more static IPs, an IP for the PIX's external interface
and an IP for the PIX's internal interface? Or if you have a different
way to do it, I would appreciate it if you could let me know.


Thanks in advance
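The port-25 static translation plus access-list arrangement described in the post above, written out as an added PIX 6.x configuration example (this is not RG's configuration; the interface names "inside"/"outside" and the ACL name are assumed, while xxx.xxx.xxx.252 and 192.168.1.10 are the addresses from the thread):

```cisco
! Added example, not the poster's config. Assumed interface names: inside, outside.
! Port static: TCP/25 arriving at the public address xxx.xxx.xxx.252 is
! translated to the mail server's private address 192.168.1.10. This is a
! translation entry, not a route, which is why the server keeps 192.168.1.10.
! The PIX answers ARP for the static's global address on the outside
! interface, so the entry consumes no extra address for interfaces.
static (inside,outside) tcp xxx.xxx.xxx.252 smtp 192.168.1.10 smtp netmask 255.255.255.255

! Permit only SMTP to that one public address from the outside; anything
! else is dropped by the implicit deny at the end of the list. Avoid
! "permit ip any host ..." here, which would expose every port the static covers.
access-list outside_access_in permit tcp any host xxx.xxx.xxx.252 eq smtp
access-group outside_access_in in interface outside
```

After applying, `show xlate` lists the static translation and `show access-list` shows per-line hit counts, which is the quickest way to confirm that inbound mail is hitting the translation and not a broader rule.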
 

Techno_Guy
12-09-2009
On Dec 8, 4:17 pm, RG <(E-Mail Removed)> wrote:
> My topology is as follows:
>
> Cisco modem router (external IP: xxx.xxx.xxx.248, internal IP:
> xxx.xxx.xxx.249)
> ||
> ||                  Subnet 255.255.255.248
> V
> Cisco PIX 501
> ||
> ||
> V
> Mail server
>
> This mail server is currently NATed where the static command says all
> connections on port 25 for IP xxx.xxx.xxx.252 go to 192.168.1.10.
> Also, an appropriate access-list has been set up.
>
> I would like to change the mail server IP to xxx.xxx.xxx.252, and have
> the PIX 501 route port 25 requests to this mail server. Does this mean I
> have to use up two more static IPs, an IP for the PIX's external interface
> and an IP for the PIX's internal interface? Or if you have a different
> way to do it, I would appreciate it if you could let me know.
>
> Thanks in advance


You lost me...

Let me just summarize to make sure I understand.
1 You want to change the IP address of the mail server
2 What are you doing with the old IP of the current email server?

The PIX is not routing port 25 traffic, it is translating.

Is the outside interface of the pix currently running a public address
or a private address?
 

RG
12-09-2009
On Dec 9, 9:38 am, Techno_Guy <(E-Mail Removed)> wrote:
> On Dec 8, 4:17 pm, RG <(E-Mail Removed)> wrote:
> > My topology is as follows:
> >
> > Cisco modem router (external IP: xxx.xxx.xxx.248, internal IP:
> > xxx.xxx.xxx.249)
> > ||
> > ||                  Subnet 255.255.255.248
> > V
> > Cisco PIX 501
> > ||
> > ||
> > V
> > Mail server
> >
> > This mail server is currently NATed where the static command says all
> > connections on port 25 for IP xxx.xxx.xxx.252 go to 192.168.1.10.
> > Also, an appropriate access-list has been set up.
> >
> > I would like to change the mail server IP to xxx.xxx.xxx.252, and have
> > the PIX 501 route port 25 requests to this mail server. Does this mean I
> > have to use up two more static IPs, an IP for the PIX's external interface
> > and an IP for the PIX's internal interface? Or if you have a different
> > way to do it, I would appreciate it if you could let me know.
> >
> > Thanks in advance
>
> You lost me...
>
> Let me just summarize to make sure I understand.
> 1 You want to change the IP address of the mail server

I would like to change the IP address of the mail server from an internal
IP address to a public IP address.

> 2 What are you doing with the old IP of the current email server?
>
> The PIX is not routing port 25 traffic, it is translating.


If I am not mistaken, there is something called a "transparent" firewall
configuration where you do away with NAT and only do access-list filtering.


> Is the outside interface of the pix currently running a public address
> or a private address?

The outside interface is running on a public address.

Thanks for your help


 

Doug McIntyre
12-09-2009
RG <(E-Mail Removed)> writes:
> I would like to change the IP address of the mail server from an internal
> IP address to a public IP address.


Not on a PIX501 you can't. They are pure NAT boxes, nothing but NAT.
Even if you routed down public IPs through them, and put your internal
interface on public IPs, they'd still be doing NAT internally.

> If I am not mistaken, there is something called a "transparent" firewall
> configuration where you do away with NAT and only do access-list filtering.


The 501 doesn't support transparent mode. ASAs running new enough
code can do transparent mode, but not the 501. With PCI-DSS requiring a
NAT-mode firewall with private IPs anyway, and in transparent mode you
need to have enough public IPs for all your systems, it's not too
popular an option. Other boxes do it better, having been around
a lot longer supporting it, such as the Netscreen/Juniper or FortiGates.

> > Is the outside interface of the pix currently running a public address
> > or a private address?

> The outside interface is running on a public address.


Which is where it'll have to stay on a 501.

 

RG
12-09-2009
On Dec 9, 11:03 am, Doug McIntyre <(E-Mail Removed)> wrote:
> RG <(E-Mail Removed)> writes:
> > I would like to change the IP address of the mail server from an internal
> > IP address to a public IP address.
>
> Not on a PIX501 you can't. They are pure NAT boxes, nothing but NAT.
> Even if you routed down public IPs through them, and put your internal
> interface on public IPs, they'd still be doing NAT internally.
>
> > If I am not mistaken, there is something called a "transparent" firewall
> > configuration where you do away with NAT and only do access-list filtering.
>
> The 501 doesn't support transparent mode. ASAs running new enough
> code can do transparent mode, but not the 501. With PCI-DSS requiring a
> NAT-mode firewall with private IPs anyway, and in transparent mode you
> need to have enough public IPs for all your systems, it's not too
> popular an option. Other boxes do it better, having been around
> a lot longer supporting it, such as the Netscreen/Juniper or FortiGates.
>
> > > Is the outside interface of the pix currently running a public address
> > > or a private address?
>
> > The outside interface is running on a public address.
>
> Which is where it'll have to stay on a 501.



For purposes of a transparent firewall, which one would you recommend
more, Netscreen/Juniper or FortiGates?

I found the Cisco PIX 501 a very decent and solid firewall. It is
highly configurable and doesn't seem to break.
Would you say the same about Netscreen/Juniper or FortiGates when used
in transparent mode?
Also, are Netscreen/Juniper or FortiGates SIP aware?

Thanks again
 

Doug McIntyre
12-09-2009
RG <(E-Mail Removed)> writes:
> For purposes of a transparent firewall, which one would you recommend
> more, Netscreen/Juniper or FortiGates?


I haven't used the new Juniper SRXs, so I can't say how stable they
are. With Juniper's reputation, and past experience with the Netscreen
and SSG boxes, they should be solid.

I've been using FortiGate for all my deployments in the past 3 years.
I'd say they are the way to go, very solid and dependable. Huge range
of products, so it may be hard to choose what you need; if you are
talking about a 501, though, a 50B is plenty for your needs.
The bigger ones might be nicer if you need more ports/zones for your network.

> I found the Cisco PIX 501 a very decent and solid firewall. It is
> highly configurable and doesn't seem to break.
> Would you say the same about Netscreen/Juniper or FortiGates when used
> in transparent mode?


Definitely. Worlds apart from Sonicwall and the others in their class.
Juniper and Fortinet make good products (like Cisco).

> Also, are Netscreen/Juniper or FortiGates SIP aware?


Yep. SIP and H.232 are fully supported. You do have to configure
things specifically to recognize these protocols, so make sure to read
up on the technotes.
 

alexd
12-10-2009
Meanwhile, at the comp.dcom.sys.cisco Job Justification Hearings, Doug
McIntyre chose the tried and tested strategy of:

> RG <(E-Mail Removed)> writes:
> > Would you say the same about Netscreen/Juniper or FortiGates when used
> > in transparent mode?
>
> Definitely. Worlds apart from Sonicwall and the others in their class.
> Juniper and Fortinet make good products (like Cisco).


I regularly see you recommend Juniper here. Could you suggest an
introductory guide to SSG that would make sense to someone who was familiar
with IOS, ASA and SonicOS?

--
<http://ale.cx/> (AIM:troffasky) ((E-Mail Removed))
19:23:02 up 12 days, 23:14, 7 users, load average: 0.04, 0.13, 0.11
Plant food is a made up drug

 

Doug McIntyre
12-10-2009
alexd <(E-Mail Removed)> writes:
> I regularly see you recommend Juniper here. Could you suggest an
> introductory guide to SSG that would make sense to someone who was familiar
> with IOS, ASA and SonicOS?


Hmm, I've probably been pushing Fortigate more often lately, having
deployed them a lot more in the last few years than Juniper firewall
setups (although I did plenty of those in the past as well, as well as
PIX deployments). Plenty of transparent mode setups on either of the
Juniper or Fortigate setups, although not too many lately.

The SSGs are all EOL'd, replaced by the SRXs, which are vastly
different boxes. The SSG was just another version of the Netscreen products.
The SRX is when they converted everything over to JunOSse.

I don't know of any high-level comparisons without going and getting a
book for the Juniper/Netscreen ones. There are a few good ones on
Netscreen Firewalls, but a couple I've read had some good high point
overviews of Juniper vs. Cisco.

BUT what I usually go for is going direct to the source documentation,
which all 3 companies have fully online, open to the public.

Like any computer documentation, each company has its own "style" and
layout, and it does take a bit of thinking to get used to their style
of doing things.

I.e. if you did want to start with the older, EOL'd SSG boxes, the
Fundamentals of the Netscreen Concepts and Examples manual is where to start.

http://www.juniper.net/techpubs/soft...ndamentals.pdf

Just go up one level to the directory URL for the rest of the documentation in
that series, but the Fundamentals would be a good start.

The SRX documentation is here.
http://www.juniper.net/techpubs/soft...0.0/index.html

There's not really a good starting point with the SRX. Having other
JunOS experience helps a lot. I have some M series routers that I
manage, but not any SRXs...

FortiNet's documentation starts here.

http://docs.fortinet.com/fgt.html

They probably have the most complete WebGUI interface; you can do 99%
of what you need totally within the GUI without going to the CLI.
The Admin guide isn't quite as detailed as others, but should at least
show you the concepts of what it is capable of. Deeper understanding
of it all only comes after having used them for some time and deploying
specific solutions.
 

Andrey Tarasov
12-11-2009
Doug McIntyre wrote:
> alexd <(E-Mail Removed)> writes:
> > I regularly see you recommend Juniper here. Could you suggest an
> > introductory guide to SSG that would make sense to someone who was familiar
> > with IOS, ASA and SonicOS?
>
> The SSGs are all EOL'd, replaced by the SRXs, which are vastly
> different boxes. The SSG was just another version of the Netscreen products.
> The SRX is when they converted everything over to JunOSse.



That's not completely correct. SSG5, 20, 320M/350M/520M and 550M are
still being sold. The last four (the M ones) can also be converted into J-series
routers and run JUNOS-ES, which would make them SRX-like.

The best way to approach SRX training (along with EX switches and J-series
routers) is to sign up for the FastTrack program -

https://learningportal.juniper.net/j...rack_home.aspx

Regards,
Andrey.
 

RG
12-13-2009
Is $300 a lot to pay for a new 50B?

Thanks,
"Doug McIntyre" <(E-Mail Removed)> wrote in message
news:4b1fddca$0$33859$(E-Mail Removed). net...
> RG <(E-Mail Removed)> writes:
> > For purposes of a transparent firewall, which one would you recommend
> > more, Netscreen/Juniper or FortiGates?
>
> I haven't used the new Juniper SRXs, so I can't say how stable they
> are. With Juniper's reputation, and past experience with the Netscreen
> and SSG boxes, they should be solid.
>
> I've been using FortiGate for all my deployments in the past 3 years.
> I'd say they are the way to go, very solid and dependable. Huge range
> of products, so it may be hard to choose what you need; if you are
> talking about a 501, though, a 50B is plenty for your needs.
> The bigger ones might be nicer if you need more ports/zones for your
> network.
>
> > I found the Cisco PIX 501 a very decent and solid firewall. It is
> > highly configurable and doesn't seem to break.
> > Would you say the same about Netscreen/Juniper or FortiGates when used
> > in transparent mode?
>
> Definitely. Worlds apart from Sonicwall and the others in their class.
> Juniper and Fortinet make good products (like Cisco).
>
> > Also, are Netscreen/Juniper or FortiGates SIP aware?
>
> Yep. SIP and H.232 are fully supported. You do have to configure
> things specifically to recognize these protocols, so make sure to read
> up on the technotes.


 