Pix as ipsec endpoint only?

Discussion in 'Cisco' started by Marv, Apr 27, 2005.

  1. Marv

    Marv Guest

    Hello,

    Because of the way our Quest PRN network is setup and the fact that
    there is already a firewall in place on Quest's side, I was wondering
    if there is a way to configure the Pix just as an ipsec endpoint
    without all traffic passing through it? Could just one ethernet port
    be used with an internal IP address?

    Thanks.
    Marv, Apr 27, 2005
    #1

  2. In article <>,
    Marv <> wrote:
    :Because of the way our Quest PRN network is setup and the fact that
    :there is already a firewall in place on Quest's side, I was wondering
    :if there is a way to configure the Pix just as an ipsec endpoint
    :without all traffic passing through it? Could just one ethernet port
    :be used with an internal IP address?

    Yes, as long as the outer firewall allows the necessary ports or
    protocols through. See

    http://groups.google.ca/groups?selm=d43qv4$63t$
    --
    Warning: potentially contains traces of nuts.
    Walter Roberson, Apr 27, 2005
    #2

  3. Marv

    Marv Guest

    On 27 Apr 2005 17:18:14 GMT, -cnrc.gc.ca (Walter
    Roberson) wrote:

    >In article <>,
    >Marv <> wrote:
    >:Because of the way our Quest PRN network is setup and the fact that
    >:there is already a firewall in place on Quest's side, I was wondering
    >:if there is a way to configure the Pix just as an ipsec endpoint
    >:without all traffic passing through it? Could just one ethernet port
    >:be used with an internal IP address?
    >
    >Yes, as long as the outer firewall allows the necessary ports or
    >protocols through. See
    >
    >http://groups.google.ca/groups?selm=d43qv4$63t$

    Thanks for the response.

    Allowing the ports inbound will not be a problem.

    Do I need to connect both ports of the Pix to an internal switch? Or
    can I just connect one with an internal IP address?

    Thanks.
    Marv, Apr 27, 2005
    #3
  4. In article <>,
    Marv <> wrote:
    |>In article <>,
    |>Marv <> wrote:
    |>:if there is a way to configure the Pix just as an ipsec endpoint
    |>:without all traffic passing through it? Could just one ethernet port
    |>:be used with an internal IP address?

    |Do I need to connect both ports of the Pix to an internal switch? Or
    |can I just connect one with an internal IP address?

    "Both ports" would tend to imply that you have a PIX 506 or 506E,
    as the other models either have more ports or are able to have more
    ports.

    Your reference to IPSec implies you are running PIX 6 -- PIX 5
    used a proprietary Private Link protocol. And that in turn implies
    that you are not running a PIX 510 or PIX Classic -- but that you
    are running a 500 series PIX.

    If you are using any of the 500 series PIX models that support PIX 6,
    *other than* the PIX 501, then if you run a new enough PIX 6.3
    version, you can get away with using just one physical port,
    provided that that one port can be connected through an 802.1Q trunk
    to a router. In such a situation, you can create "logical interfaces"
    on your PIX, each of which corresponds to a VLAN (with the base
    physical interface corresponding to the untagged native VLAN.)

    If you cannot or would prefer not to go the logical interface route,
    then unless you upgrade to PIX 7.0 (not available on the 501 or
    506/506E or 520), you will need to connect both the inside and
    outside interfaces to something.


    Note: I may have misunderstood your phrase "without all the
    traffic passing through it." The PIX is not able to just decapsulate
    packets and return them out the same physical interface: traffic
    to the PIX always goes through the usual logic sequence. PIX 6 with
    logical interfaces still has all of the Security Level, no traffic-
    bouncing logic. PIX 7 allows a number of these restrictions to be
    overridden -- for example, PIX 7 allows "transparent" firewalling
    with the inside and outside being in the same IP address space.
    --
    "Never install telephone wiring during a lightning storm." -- Linksys
    Walter Roberson, Apr 27, 2005
    #4
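    The single-port arrangement Walter describes, written out as an added
    example that is not part of the thread: a PIX 6.3 (any 500-series model
    other than the 501) with only ethernet1 cabled, carrying the untagged
    native VLAN as "inside" and an 802.1Q-tagged VLAN as a logical "outside",
    trunked to a router subinterface. All addresses, VLAN IDs, the peer and
    the pre-shared key are placeholders, and the router's IOS is assumed to
    support 802.1Q subinterfaces.

```cisco
! --- PIX 6.3 side (constructed addressing; ethernet1 is the only cabled port) ---
interface ethernet1 100full
! tagged VLAN 10 on the same wire becomes a logical interface; the untagged
! native VLAN stays on the physical interface and is named "inside"
interface ethernet1 vlan10 logical
nameif ethernet1 inside security100
nameif vlan10 outside security0
ip address inside 192.168.0.2 255.255.255.0
ip address outside 203.0.113.2 255.255.255.252
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
! IPsec terminates on the logical outside interface. Decapsulated packets still
! pass the normal outside->inside security-level checks before leaving ethernet1;
! the PIX never bounces them straight back out.
access-list VPN permit ip 192.168.0.0 255.255.255.0 10.20.0.0 255.255.255.0
nat (inside) 0 access-list VPN
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map PEER 10 ipsec-isakmp
crypto map PEER 10 match address VPN
crypto map PEER 10 set peer 198.51.100.1
crypto map PEER 10 set transform-set ESP-3DES-SHA
crypto map PEER interface outside
isakmp enable outside
isakmp key PLACEHOLDER-PSK address 198.51.100.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
! Hosts keep the existing router as default gateway; only the remote subnet
! needs a route to the PIX inside address (on the hosts or on the router):
!   ip route 10.20.0.0 255.255.255.0 192.168.0.2

! --- Router side (IOS, constructed): 802.1Q trunk toward the PIX ---
interface FastEthernet0
 no ip address
interface FastEthernet0.1
 encapsulation dot1Q 1 native
 ip address 192.168.0.1 255.255.255.0
interface FastEthernet0.10
 encapsulation dot1Q 10
 ip address 203.0.113.1 255.255.255.252
```

    The outer firewall still has to pass UDP/500 and ESP (IP protocol 50) to
    203.0.113.2, and because the router owns the trunk, this only works where
    that router's configuration is under your control.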
  5. Marv

    Marv Guest

    On 27 Apr 2005 19:11:20 GMT, -cnrc.gc.ca (Walter
    Roberson) wrote:

    >In article <>,
    >Marv <> wrote:
    >|>In article <>,
    >|>Marv <> wrote:
    >|>:if there is a way to configure the Pix just as an ipsec endpoint
    >|>:without all traffic passing through it? Could just one ethernet port
    >|>:be used with an internal IP address?
    >
    >|Do I need to connect both ports of the Pix to an internal switch? Or
    >|can I just connect one with an internal IP address?
    >
    >"Both ports" would tend to imply that you have a PIX 506 or 506E,
    >as the other models either have more ports or are able to have more
    >ports.
    >
    >Your reference to IPSec implies you are running PIX 6 -- PIX 5
    >used a proprietary Private Link protocol. And that in turn implies
    >that you are not running a PIX 510 or PIX Classic -- but that you
    >are running a 500 series PIX.
    >
    >If you are using any of the 500 series PIX models that support PIX 6,
    >*other than* the PIX 501, then if you run a new enough PIX 6.3
    >version, you can get away with using just one physical port,
    >provided that that one port can be connected through an 802.1Q trunk
    >to a router. In such a situation, you can create "logical interfaces"
    >on your PIX, each of which corresponds to a VLAN (with the base
    >physical interface corresponding to the untagged native VLAN.)
    >
    >If you cannot or would prefer not to go the logical interface route,
    >then unless you upgrade to PIX 7.0 (not available on the 501 or
    >506/506E or 520), you will need to connect both the inside and
    >outside interfaces to something.
    >
    >
    >Note: I may have misunderstood your phrase "without all the
    >traffic passing through it." The PIX is not able to just decapsulate
    >packets and return them out the same physical interface: traffic
    >to the PIX always goes through the usual logic sequence. PIX 6 with
    >logical interfaces still has all of the Security Level, no traffic-
    >bouncing logic. PIX 7 allows a number of these restrictions to be
    >overridden -- for example, PIX 7 allows "transparent" firewalling
    >with the inside and outside being in the same IP address space.
    The model I will be using is a Pix 501, so I'm assuming I will have to
    connect both interfaces to the same switch?

    The current gateway at the location is a Quest managed Cisco 1720. The
    internal interface on the 1720 is 192.168.0.1.

    What would be the best approach in this scenario?

    Thanks.
    Marv, Apr 28, 2005
    #5