3550 -> PIX 515E -> 2950

Discussion in 'Cisco' started by Jan, Sep 13, 2004.

  1. Jan

    Jan Guest

    We are small ISP and would like to use Pix for firewalling our
    colocation customers.

    We have 3550 switches where a VLAN for each customer
    is defined and 2950 switches where customer equipment is
    connected. Is it possible to place Pix 515E between them?
    It must pass the VLAN trunking.

    3550 VLAN 10 -> PIX 515E -> 2950 VLAN 10

    I would like to use 2 security zones on the PIX. One for
    Unix machines and one for Windows machines. Remote
    management should be done with VPN connection to
    the 515E.
     
    Jan, Sep 13, 2004
    #1

  2. In article <4145c017$0$767$>,
    Jan <> wrote:
    :We are small ISP and would like to use Pix for firewalling our
    :colocation customers.

    :We have 3550 switches where a VLAN for each customer
    :is defined and 2950 switches where customer equipment is
    :connected. Is it possible to place Pix 515E between them?
    :It must pass the VLAN trunking.

    :3550 VLAN 10 -> PIX 515E -> 2950 VLAN 10

    Well, sort of, but more No than Yes.

    In order to handle VLANs on the PIX, you need to define "logical"
    interfaces -- one logical interface per VLAN per physical interface.
    So you could define a logical interface on the outside of the 515E
    that was in VLAN 10, and you could define a logical interface on
    the inside of the 515E that was in VLAN 10, and the net result would
    be VLAN 10 flowing through the 515E... but only if the routings/ACLs
    on the 515E were such that it wasn't possible to route incoming
    VLAN 10 to outgoing VLAN 20.

    You cannot define a port-based VLAN on the PIX, only IP range based VLANs,
    so the VLAN gets stripped off, the packet gets routed according to
    the internal routing tables [which can NOT be parameterized by VLAN],
    and the appropriate outgoing VLAN gets slapped on to the packet as it
    leaves the physical interface. You can, I am sure, see all kinds
    of difficulties in using this for what you wanted to do. And
    if the desired IP range for VLAN 10 overlaps with the desired
    IP range for outgoing VLAN 20, then you are SOL, as the IP ranges
    for interfaces may not overlap.

    In -some- circumstances, you could get around some of these problems
    through clever use of policy nat and reverse nat, but I think it should
    be clear by now that the 515E was really not designed for what you would
    like to do. There's also the small problem that even with the
    Unrestricted license, the 515E can handle a total of only 10 interfaces
    [up to 6 physical, up to 6 logical, total between them not to exceed 10.]


    If you have the right kind of 3550's (e.g., 3550G series) then you might
    find it easier to put the desired filters in at the 3550 level. But that's
    just filters, not a true firewall.


    I have heard that PIX 7.0 might support pass-through filters; it
    probably still wouldn't handle enough on a 515E for your situation
    though.

    If you have more than ~15 customers, then you run out of room to
    do the above kinds of configuration on PIX models; if you really want
    to stick with the PIX security model, you would then have to go
    for a 650x or 720xVXR series with a FWSM -- which is certainly a
    fast module, but it is very expensive!!


    I am not experienced in network design, but it sounds to me as if
    perhaps you are trying to put the firewall at the wrong point in
    the topology. If the customers are already separated into VLANs, and
    the VLANs are not supposed to talk to each other, then unless you
    don't trust the VLAN implementation not to "leak" VLANs into each
    other, then the firewall would most naturally go at the public
    interface for each VLAN -- the point at which the protected innards
    meets the public WANs.
    --
    "No one has the right to destroy another person's belief by
    demanding empirical evidence." -- Ann Landers
     
    Walter Roberson, Sep 13, 2004
    #2
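The logical-interface arrangement Walter describes, written out as an added example in PIX OS 6.3 syntax (this is illustrative configuration, not anything either poster supplied). It assumes two colocation customers on VLANs 10 and 20, RFC 5737 documentation addresses, and one published host per customer (198.51.100.10 and 203.0.113.10 are invented for the example). Note the design consequence the reply points at: the PIX has a single routing table and a single default route, so the outside link is one untagged routed subnet rather than a per-customer trunk; the customer VLANs exist only on the 2950 side.

```cisco
! PIX 515E, PIX OS 6.3 (added example; not configuration from the thread).
! ethernet0 = single routed link to the 3550, untagged.
! ethernet1 = 802.1Q trunk to the 2950; one logical interface per customer VLAN.
interface ethernet0 100full
interface ethernet1 100full
interface ethernet1 vlan10 logical
interface ethernet1 vlan20 logical

! Same security level on both customer interfaces: PIX 6.3 never forwards
! between same-security interfaces, so customers are isolated before any ACL.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif vlan10 cust10 security50
nameif vlan20 cust20 security50

! Addresses are RFC 5737 documentation ranges chosen for this example.
! 'inside' is the trunk's native VLAN; it carries no customer and is addressed
! only so the physical interface is valid.
ip address outside 192.0.2.2 255.255.255.252
ip address inside 10.0.0.1 255.255.255.0
ip address cust10 198.51.100.1 255.255.255.0
ip address cust20 203.0.113.1 255.255.255.0

! One routing table and one default route for the whole box: every customer's
! outbound traffic leaves via 'outside' regardless of which VLAN it arrived on.
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1

! Customers keep their public prefixes: identity statics (no translation) so
! inbound connections from 'outside' can be admitted by the ACL below.
static (cust10,outside) 198.51.100.0 198.51.100.0 netmask 255.255.255.0
static (cust20,outside) 203.0.113.0 203.0.113.0 netmask 255.255.255.0

! From the Internet: only the services each customer publishes (hosts assumed).
! Every PIX ACL ends in an implicit deny.
access-list outside_in permit tcp any host 198.51.100.10 eq 22
access-list outside_in permit tcp any host 198.51.100.10 eq 80
access-list outside_in permit tcp any host 203.0.113.10 eq 3389
access-group outside_in in interface outside

! From each customer VLAN: nothing to the other customer or to the firewall's
! own networks, and only the customer's own prefix as source (anti-spoofing).
access-list cust10_in deny ip any 203.0.113.0 255.255.255.0
access-list cust10_in deny ip any 10.0.0.0 255.255.255.0
access-list cust10_in deny ip any 192.0.2.0 255.255.255.252
access-list cust10_in permit ip 198.51.100.0 255.255.255.0 any
access-group cust10_in in interface cust10

access-list cust20_in deny ip any 198.51.100.0 255.255.255.0
access-list cust20_in deny ip any 10.0.0.0 255.255.255.0
access-list cust20_in deny ip any 192.0.2.0 255.255.255.252
access-list cust20_in permit ip 203.0.113.0 255.255.255.0 any
access-group cust20_in in interface cust20
```

Check it with `show interface` (the logical interfaces are listed under their physical port with their VLAN ID) and `show access-list cust10_in`, whose hit counts should climb on the deny lines when a customer 10 host tries to reach 203.0.113.0/24. Each additional customer costs one more logical interface, which is where the ten-interface ceiling the reply quotes for the 515E starts to bite; the same-security trick also means two customers can never be allowed to talk, even deliberately, without changing their security levels and adding explicit statics.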
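The alternative Walter raises, filtering on the 3550 itself, as an added example in Catalyst 3550 IOS syntax (not configuration from the thread). It assumes an EMI image with `ip routing` enabled so the customer SVI is the customer's default gateway, the same invented customer prefix 198.51.100.0/24 and host 198.51.100.10, and that router ACLs on this image accept the `established` keyword (an assumption about the switch's software; check it on the actual image before relying on it).

```cisco
! Catalyst 3550, router ACLs on a customer SVI (added example; not from the thread).
! These are stateless filters: the switch checks each packet against the list and
! keeps no connection table.
ip routing
!
ip access-list extended CUST10-IN
 remark Only customer 10's own prefix may source traffic on VLAN 10 (anti-spoofing)
 permit ip 198.51.100.0 0.0.0.255 any
 deny   ip any any
!
ip access-list extended CUST10-OUT
 remark Toward customer 10: published services plus replies to outbound connections
 permit tcp any host 198.51.100.10 eq 22
 permit tcp any host 198.51.100.10 eq 80
 remark 'established' only matches packets with ACK or RST set; it is a flag check,
 remark not a tracked session, which is all the "state" a router ACL has
 permit tcp any 198.51.100.0 0.0.0.255 established
 permit icmp any 198.51.100.0 0.0.0.255 echo-reply
 deny   ip any any
!
interface Vlan10
 description customer 10 (gateway for 198.51.100.0/24)
 ip address 198.51.100.1 255.255.255.0
 ip access-group CUST10-IN in
 ip access-group CUST10-OUT out
```

The `established` line is the concrete meaning of "just filters, not a true firewall": any packet with the ACK bit set passes toward the customer whether or not a connection exists, so a scanner sending ACK probes sees the whole prefix, and nothing here inspects the payload or tracks TCP sequence numbers. Verify placement with `show ip access-lists CUST10-OUT` (match counters) and `show ip interface vlan 10`, which reports which lists are applied in each direction.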
