A Tale of Two PIXes

Discussion in 'Cisco' started by Dustin, Nov 17, 2005.

  1. Dustin

    Dustin Guest

    Alright, I will lay this out as clearly as possible. Currently, we
    have a T1 at our main location, and it is connected to a 2600 router.
    That router is connected to a PIX 515 that has a DMZ off of one
    interface. From the inside interface, the PIX attaches to our 6509
    switch. The 6509 is really the workhorse of our network, and performs
    routing, as we have about 15 other switches off of it, and VLANs.

    At our COLO facility, we have a 10MB ethernet handoff for Internet
    access (it is throttled to 4MB, however). This is attached to a PIX
    515E, and there is no DMZ. The inside interface attaches to an HP
    switch. In order to link our COLO to our main site, we have a 100MB
    ethernet handoff to the HP switch, and at the other end, another 100MB
    ethernet handoff to our 6509. Instead of just using it as a flat
    ethernet network, we have isolated that 100MB link with VLANs, but it
    is not trunking (for instance, there are no VLANs shared across the
    100MB link).

    So, the intent is to start using the 4MB link for all of Internet
    traffic, as our T1 is getting maxed out at peak hours. Later, we may
    try to utilize both. But to start out, we got all devices at the COLO
    working through the 4MB connection. These devices could also
    communicate with all the devices on our main site, all VLANs, including
    the DMZ devices.

    We configured the PIX 515E with static mappings for all resources that
    the PIX 515 was providing, but obviously, with new IPs, as it is a
    different block. I tested the PIX 515E to make sure it was forwarding
    traffic. This worked well. So, the plan was to change the default
    route on the 6509 from pointing to the PIX 515, and have it point to
    the HP Switch at the COLO. Then, we would change the PIX 515 default
    route from the 2600 to the 6509. Given that the inside interface of
    the PIX has a higher security level than the DMZ interface, I figured
    this would allow the traffic to pass just fine.

    Showtime. I get in early and change the default route on the 6509.
    Devices on the inside are not working. It turns out, NAT was not
    established on the PIX 515E. No big deal to fix. Besides, all devices
    on the main network that had static mappings worked, and we could gain
    access to them from the outside with the new IPs from the 4MB link. So
    that all seems fine. However, no devices on the DMZ were accessible.
    Again, this DMZ is on the far side of the equation, and is not really
    set up as a DMZ, but that is not something that can be addressed at this
    time.

    The crux of the issue is, I need for the resources in the DMZ on the
    PIX 515 to be accessible from the Internet connection that is across
    our "Ethernet MAN" and connected by the PIX 515E. The routing seems to
    work fine for everything else, so I am not sure that is an issue. The
    rules in the PIX also seem fine. Is it possible to A) have the default
    route of the PIX 515 go through the inside interface (I cannot see why
    not), and B) to have the DMZ accessible via the inside interface
    (again, I cannot see why not)? I guess I am really just asking some
    opinions of what may be limiting those resources. I am having a mental
    block. The rules/ACLs seem fine on the PIX 515E, and surely traffic
    can traverse easily from a security100 interface to a security10
    interface. I know that I can get from the PIX 515E at the COLO network
    to the DMZ devices.

    Here is an ASCII diagram (better with fixed font):

    [ASCII diagram whose spacing was lost in extraction. It shows the
    Internet with two links: A to the 2600 router and B to the PIX 515E.
    Under the 2600 sits the main-site PIX, with its Inside side marked and
    a DMZ leading to a Cisco switch; under the PIX 515E sits the HP switch,
    also with its Inside side marked. Links labelled C, D and E run down
    to the 6509 at the bottom.]

    Dustin, Nov 17, 2005
    #1

  2. In article <>,
    Dustin <> wrote:
    >Alright, I will lay this out as clearly as possible. Currently, we
    >have a T1 at our main location, and it is connected to a 2600 router.
    >That router is connected to a PIX 515 that has a DMZ off of one
    >interface. From the inside interface, the PIX attaches to our 6509
    >switch. The 6509 is really the workhorse of our network, and performs
    >routing, as we have about 15 other switches off of it, and VLANs.
    >
    >At our COLO facility, we have a 10MB ethernet handoff for Internet
    >access (it is throttled to 4MB, however). This is attached to a PIX
    >515E, and there is no DMZ. The inside interface attaches to an HP
    >switch. In order to link our COLO to our main site, we have a 100MB
    >ethernet handoff to the HP switch, and at the other end, another 100MB
    >ethernet handoff to our 6509. Instead of just using it as a flat
    >ethernet network, we have isolated that 100MB link with VLANs, but it
    >is not trunking (for instance, there are no VLANs shared across the
    >100MB link).
    >
    >So, the intent is to start using the 4MB link for all of Internet
    >traffic, as our T1 is getting maxed out at peak hours. Later, we may
    >try to utilize both. But to start out, we got all devices at the COLO
    >working through the 4MB connection. These devices could also
    >communicate with all the devices on our main site, all VLANs, including
    >the DMZ devices.
    >
    >We configured the PIX 515E with static mappings for all resources that
    >the PIX 515 was providing, but obviously, with new IPs, as it is a
    >different block. I tested the PIX 515E to make sure it was forwarding
    >traffic. This worked well. So, the plan was to change the default
    >route on the 6509 from pointing to the PIX 515, and have it point to
    >the HP Switch at the COLO. Then, we would change the PIX 515 default
    >route from the 2600 to the 6509. Given that the inside interface of
    >the PIX has a higher security level than the DMZ interface, I figured
    >this would allow the traffic to pass just fine.
    >
    >Showtime. I get in early and change the default route on the 6509.
    >Devices on the inside are not working. It turns out, NAT was not
    >established on the PIX 515E. No big deal to fix. Besides, all devices
    >on the main network that had static mappings worked, and we could gain
    >access to them from the outside with the new IPs from the 4MB link. So
    >that all seems fine. However, no devices on the DMZ were accessible.
    >Again, this DMZ is on the far side of the equation, and is not really
    >set up as a DMZ, but that is not something that can be addressed at this
    >time.
    >
    >The crux of the issue is, I need for the resources in the DMZ on the
    >PIX 515 to be accessible from the Internet connection that is across
    >our "Ethernet MAN" and connected by the PIX 515E. The routing seems to
    >work fine for everything else, so I am not sure that is an issue. The
    >rules in the PIX also seem fine. Is it possible to A) have the default
    >route of the PIX 515 go through the inside interface (I cannot see why
    >not), and B) to have the DMZ accessible via the inside interface
    >(again, I cannot see why not)? I guess I am really just asking some
    >opinions of what may be limiting those resources. I am having a mental
    >block. The rules/ACLs seem fine on the PIX 515E, and surely traffic
    >can traverse easily from a security100 interface to a security10
    >interface. I know that I can get from the PIX 515E at the COLO network
    >to the DMZ devices.
    >
    >Here is an ASCII diagram (better with fixed font):
    >
    > [ASCII diagram whose spacing was lost in extraction. It shows the
    > Internet with two links: A to the 2600 router and B to the PIX 515E.
    > Under the 2600 sits the main-site PIX, with its Inside side marked and
    > a DMZ leading to a Cisco switch; under the PIX 515E sits the HP switch,
    > also with its Inside side marked. Links labelled C, D and E run down
    > to the 6509 at the bottom.]
    >


    I suspect your problems are a natural side effect of the rules set up
    originally for outside access to your DMZ. As originally configured
    (before adding the link to your COLO), the only traffic which should
    be allowed into the DMZ from the inside interface should be from
    inside IP addresses. Any other source addresses would be spoofed
    and should be rejected.

    If I were you (and I'm not, and this is free advice so you can take
    it for what you paid for it), I would drop back five and reevaluate
    exactly what I am trying to accomplish. Most COLO facilities I've
    worked with are logically outside and DMZ, not outside and inside
    (despite what the ports are labeled). Taking a piecemeal, hack
    at a time approach to firewall setup is virtually guaranteed to
    introduce flaws in the protection provided. Define your security
    policies (what access is allowed from inside to outside, outside
    to inside, outside to DMZ, DMZ to inside, etc.) and look at where
    the firewalls belong and where the interconnects belong.

    Only you can determine the proper tradeoffs between security and
    performance and cost (hint, you only get to choose two out of three),
    so take any blanket recommendations you get with a grain of salt,
    including this one.

    Good luck and have fun!
    --
    Vincent C Jones, Consultant
    Networking Unlimited, Inc.
    Tenafly, NJ Phone: 201 568-7810
    http://www.networkingunlimited.com
    Expert advice and a helping hand for those who want to manage and
    control their networking destiny

    Vincent C Jones, Nov 17, 2005
    #2
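    Vincent's diagnosis as an illustrative PIX 6.x configuration for the
    main-site PIX 515 after the cut-over (added here; it is not from the
    thread and not the poster's real config). All addresses are constructed,
    and the route, NAT-exemption and inside ACL statements are assumed
    examples of the rules he describes.

```cisco
! Constructed example of the main-site PIX 515 after the default route
! was moved to the inside. Not the poster's configuration.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security10
! Constructed addresses: outside toward the 2600, inside toward the 6509.
ip address outside 203.0.113.2 255.255.255.252
ip address inside 10.1.1.1 255.255.255.0
ip address dmz 192.168.10.1 255.255.255.0
! Default route now points at the 6509 on the inside, not at the 2600.
route inside 0.0.0.0 0.0.0.0 10.1.1.254 1
! Internal networks reach the DMZ without translation.
access-list no_nat permit ip 10.0.0.0 255.0.0.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list no_nat
! Anti-spoofing rule that was correct before the COLO link existed:
! only internal source addresses may enter via the inside interface.
access-list inside_in permit ip 10.0.0.0 255.0.0.0 any
access-list inside_in deny ip any any
access-group inside_in in interface inside
! Effect: a packet from an Internet client (e.g. 198.51.100.7, constructed)
! that the COLO PIX 515E un-translates and the 6509 forwards toward the DMZ
! host 192.168.10.50 now enters on inside, matches the deny line, and is
! dropped; the PIX logs it as a 106023 access-group deny. Loosening
! inside_in to "any" would pass it but removes the spoofing protection
! Vincent refers to, which is why he recommends revisiting the design.
```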

  3. * Dustin wrote:
    > The crux of the issue is, I need for the resources in the DMZ on the
    > PIX 515 to be accessible from the Internet connection that is across
    > out "etherne MAN" and connected by the PIX 515E.


    You need active-active failover to enable asr-routing.
     
    Lutz Donnerhacke, Nov 17, 2005
    #3
  4. Dustin

    Dustin Guest

    That is not exactly what I am looking to do, but thanks. We will
    probably consider it at a later time.
     
    Dustin, Nov 17, 2005
    #4
