PIX Routing

Discussion in 'Cisco' started by RG, Dec 8, 2009.

  1. RG

    RG Guest

    My topology is as follows:

    Cisco modem router ( external ip: xxx.xxx.xxx.248, internal ip:
    xxx.xxx.xxx.249)
    ||
    || Subnet 255.255.255.248
    V
    Cisco pix 501
    ||
    ||
    V
    Mail server

    This mail server is currently NATed: the static command says all
    connections on port 25 for IP xxx.xxx.xxx.252 go to 192.168.1.10.
    Also, the appropriate access-list has been set up.

    I would like to change the mail server IP to xxx.xxx.xxx.252, and have
    the PIX 501 route port 25 requests to this mail server. Does this mean I
    have to use up 2 more static IPs, an IP for the PIX's external interface
    and an IP for the PIX's internal interface? Or if you have a different
    way to do it, I would appreciate it if you could let me know.


    Thanks in advance
    RG, Dec 8, 2009
    #1
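    As an added illustration of the setup RG describes, and not configuration posted by anyone in the thread, here is a PIX 6.x configuration that implements a static port translation for SMTP together with the access-list that permits it. The interface addresses follow the thread's xxx.xxx.xxx redaction and are placeholders; the access-list name and the inside subnet are assumed.

```cisco
! Added example (PIX 6.x syntax), not from the thread. Placeholder addresses:
! the PIX outside address sits in the /29 handed out by the modem router,
! and xxx.xxx.xxx.249 (the router's inside address) is the default gateway.
ip address outside xxx.xxx.xxx.250 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.249 1

! Outbound: everything from inside is translated to the outside interface address.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

! Inbound: tcp/25 arriving for xxx.xxx.xxx.252 is translated to 192.168.1.10:25.
! This is translation, not routing: the PIX rewrites the destination address,
! and the translation exists only for that one port.
static (inside,outside) tcp xxx.xxx.xxx.252 smtp 192.168.1.10 smtp netmask 255.255.255.255 0 0

! Only SMTP to the translated address is allowed in from outside; the
! access-list's implicit deny drops every other inbound connection.
access-list outside_access_in permit tcp any host xxx.xxx.xxx.252 eq smtp
access-group outside_access_in in interface outside
```

    The point the later replies make is visible in the static line: the public address exists on the PIX only as a translation slot, so removing NAT and giving the mail server the public address directly is not something this configuration model expresses.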

  2. Techno_Guy

    Techno_Guy Guest

    On Dec 8, 4:17 pm, RG <> wrote:
    > My topology is as follows:
    >
    > Cisco modem router  ( external ip: xxx.xxx.xxx.248, internal ip:
    > xxx.xxx.xxx.249)
    > ||
    > ||                  Subnet 255.255.255.248
    > V
    > Cisco pix 501
    > ||
    > ||
    > V
    > Mail server
    >
    > This mail server is currently NATed where  static command says all
    > connections on port 25 for ip xxx.xxx.xxx.252 go to 192.168.1.10.
    > Also, appropriate access-list has been setup.
    >
    > I would like to change the mailserver ip to  xxx.xxx.xxx.252, and have
    > pix 501 route port 25 requests to this mail server.  Does this mean I
    > have to use up 2 more static ip's, an ip for pix's external interface
    > and an ip for pix's internal interface?  Or if you have a different
    > way to do it, I would appreciate if you could let me know.
    >
    > Thanks in advance


    You lost me...

    Let me just summarize to make sure I understand.
    1. You want to change the IP address of the mail server.
    2. What are you doing with the old IP of the current email server?

    The pix is not routing port 25 traffic, it is translating.

    Is the outside interface of the pix currently running a public address
    or a private address?
    Techno_Guy, Dec 9, 2009
    #2

  3. RG

    RG Guest

    On Dec 9, 9:38 am, Techno_Guy <> wrote:
    > On Dec 8, 4:17 pm, RG <> wrote:
    >
    > > My topology is as follows:

    >
    > > Cisco modem router  ( external ip: xxx.xxx.xxx.248, internal ip:
    > > xxx.xxx.xxx.249)
    > > ||
    > > ||                  Subnet 255.255.255.248
    > > V
    > > Cisco pix 501
    > > ||
    > > ||
    > > V
    > > Mail server

    >
    > > This mail server is currently NATed where  static command says all
    > > connections on port 25 for ip xxx.xxx.xxx.252 go to 192.168.1.10.
    > > Also, appropriate access-list has been setup.

    >
    > > I would like to change the mailserver ip to  xxx.xxx.xxx.252, and have
    > > pix 501 route port 25 requests to this mail server.  Does this mean I
    > > have to use up 2 more static ip's, an ip for pix's external interface
    > > and an ip for pix's internal interface?  Or if you have a different
    > > way to do it, I would appreciate if you could let me know.

    >
    > > Thanks in advance

    >
    > You lost me...
    >
    > Let just summarize to make sure I understand.
    > 1 You want to change the ip address of the mail server


    I would like to change the IP address of the mail server from an internal
    IP address to a public IP address.

    >  2 What are you doing with the old ip of the current email server?
    >
    > The pix is not routing port 25 traffic, it is translating.


    If I am not mistaken, there is something called "transparent" firewall
    configuration where you do away with NAT and only do access-list
    filtering.


    >
    > Is the outside interface of the pix currently running a public address
    > or a private address?


    The outside interface is running on a public address.

    Thanks for your help
    RG, Dec 9, 2009
    #3
  4. RG <> writes:
    > I would like to change the ip address of mail server from internal
    >ip adress to public ip address.


    Not on a PIX501 you can't. They are pure NAT boxes, nothing but NAT.
    Even if you routed down public IPs through them, and put your internal
    interface on public IPs, they'd still be doing NAT internally.

    >If I am not mistaken, there is something called "transparent" firewall
    >configuration where you are doing away with NAT and only do access-
    >list filtering.


    The 501 doesn't support transparent mode. ASAs running new enough
    code can do transparent mode, but not the 501. With PCI-DSS requiring a
    NAT-mode firewall with private IPs anyway, and transparent mode needing
    enough public IPs for all your systems, it's not too popular an option.
    Other boxes do it better, having been around a lot longer supporting it,
    such as the Netscreen/Juniper or FortiGates.

    >> Is the outside interface of the pix currently running a public address
    >> or a private address?


    >The outside interface is running on public address.


    Which is where it'll have to stay on a 501.
    Doug McIntyre, Dec 9, 2009
    #4
  5. RG

    RG Guest

    On Dec 9, 11:03 am, Doug McIntyre <> wrote:
    > RG <> writes:
    > >  I would like to change the ip address of mail server from internal
    > >ip adress to public ip address.

    >
    > Not on a PIX501 you can't. They are pure NAT boxes, nothing but NAT.
    > Even if you routed down public IPs through them, and put your internal
    > interface on public IPs, they'd still be doing NAT internally.
    >
    > >If I am not mistaken, there is something called "transparent" firewall
    > >configuration where you are doing away with NAT and only  do access-
    > >list filtering.

    >
    > The 501 doesn't support transparent mode. The ASA's running new enough
    > code can do Transparent mode, but not the 501. With PCI-DSS requiring
    > NAT mode firewall with private IPs anyway, and in transparent mode you
    > need to have enough public IPs for all your systems, its not too
    > popular of an option. Other boxes do it better, having been around
    > alot longer supporting it, such as the Netscreen/Juniper or FortiGates.
    >
    > >> Is the outside interface of the pix currently running a public address
    > >> or a private address?

    > >The outside interface is running on public address.

    >
    > Which is where it'll have to stay on a 501.



    For purposes of a transparent firewall, which one would you recommend
    more, Netscreen/Juniper or FortiGates?

    I found the Cisco PIX 501 a very decent and solid firewall. It is
    highly configurable and doesn't seem to break.
    Would you say the same about Netscreen/Juniper or FortiGates when used
    in transparent mode?
    Also, are Netscreen/Juniper or FortiGates SIP aware?

    Thanks again
    RG, Dec 9, 2009
    #5
  6. RG <> writes:
    >For purposes of transparent firewall, which one would you recommend
    >more Netscreen/Juniper or FortiGates?


    I haven't used the new Juniper SRX's, so I can't say how stable they
    are. With Juniper's reputation, and past experience with the Netscreen
    and SSG boxes, they should be solid.

    I've been using FortiGate for all my deployments in the past 3 years.
    I'd say they are the way to go, very solid and dependable. Huge range
    of products, so it may be hard to choose what you need, if you are
    talking about a 501, though, a 50B is plenty for your needs.
    The bigger ones might be nicer if you need more ports/zones for your network.

    >I found that cisco pix 501 very descent and solid firewall. It is
    >highly configurable and doesn't seem to break.
    >Would you say the same about Netscreen/Juniper or FortiGates when used
    >in transparent mode?


    Definitely. Worlds apart from Sonicwall and the others in their class.
    Juniper and Fortinet make good products (like Cisco).

    >Also, is Netscreen/Juniper or FortiGates sip aware?


    Yep. SIP and H.232 are fully supported. You do have to configure
    things specifically to recognize these protocols, so make sure to read
    up on the technotes.
    Doug McIntyre, Dec 9, 2009
    #6
  7. alexd

    alexd Guest

    Meanwhile, at the comp.dcom.sys.cisco Job Justification Hearings, Doug
    McIntyre chose the tried and tested strategy of:

    > RG <> writes:


    >>Would you say the same about Netscreen/Juniper or FortiGates when used
    >>in transparent mode?


    > Definately. World apart from Sonicwall and the others in their class.
    > Junpier and Fortinet make good products (like cisco).


    I regularly see you recommend Juniper here. Could you suggest an
    introductory guide to SSG that would make sense to someone who was familiar
    with IOS, ASA and SonicOS?

    --
    <http://ale.cx/> (AIM:troffasky) ()
    19:23:02 up 12 days, 23:14, 7 users, load average: 0.04, 0.13, 0.11
    Plant food is a made up drug
    alexd, Dec 10, 2009
    #7
  8. alexd <> writes:
    >I regularly see you recommend Juniper here. Could you suggest an
    >introductory guide to SSG that would make sense to someone who was familiar
    >with IOS, ASA and SonicOS?


    Hmm, I've probably been pushing Fortigate more often lately, having
    deployed them a lot more in the last few years than Juniper firewall
    setups (although I did plenty of those in the past as well, as well as
    PIX deployments). Plenty of transparent mode setups on either the
    Juniper or Fortigate boxes, although not too many lately.

    The SSG's are all EOL'd, replaced by the SRX's, which are vastly
    different boxes. The SSG was just another version of the Netscreen products.
    The SRX is when they converted everything over to JunOSse.

    I don't know of any high-level comparisons without going and getting a
    book for the Juniper/Netscreen ones. There are a few good ones on
    Netscreen Firewalls, but a couple I've read had some good high point
    overviews of Juniper vs. Cisco.

    BUT what I usually go for is going direct to the source documentation,
    which all 3 companies have fully online, open to the public.

    Like any computer documentation, each company has its own "style" and
    layout, and it does take a bit of thinking to get used to their style
    of doing things.

    I.e. if you did want to start with the older, EOL'd SSG boxes, the
    Fundamentals volume of the Netscreen Concepts and Examples manual is where to start.

    http://www.juniper.net/techpubs/software/screenos/screenos6.3.0/630_ce_fundamentals.pdf

    Just go up one level to the directory URL for the rest of the documentation in
    that series, but the fundamentals would be a good start.

    The SRX documentation is here.
    http://www.juniper.net/techpubs/software/junos-srx/junos-srx10.0/index.html

    There's not really a good starting point with the SRX. Having other
    JunOS experience helps a lot. I have some M series routers that I
    manage, but not any SRXs...

    FortiNet's documentation starts here.

    http://docs.fortinet.com/fgt.html

    They probably have the most complete web GUI; you can do 99%
    of what you need totally within the GUI without going to the CLI.
    The admin guide isn't quite as detailed as others, but should at least
    show you the concepts of what it is capable of. Deeper understanding
    of it all only comes after having used them for some time and deploying
    specific solutions.
    Doug McIntyre, Dec 10, 2009
    #8
  9. Doug McIntyre wrote:
    > alexd <> writes:
    >> I regularly see you recommend Juniper here. Could you suggest an
    >> introductory guide to SSG that would make sense to someone who was familiar
    >> with IOS, ASA and SonicOS?

    >


    > The SSG's are all EOL'd, replaced the SRX's, which are vastly
    > different boxes. The SSG was just another version of the Netscreen products.
    > The SRX is when they converted everything over to JunOSse.



    That's not completely correct. The SSG5, 20, 320M/350M/520M and 550M are
    still being sold. The last four (the M ones) can also be converted into J-series
    routers and run JUNOS-ES, which would make them SRX-like.

    Best way to approach SRX training (along with EX switches and J-series
    routers) is to sign up for FastTrack program -

    https://learningportal.juniper.net/juniper/user_fasttrack_home.aspx

    Regards,
    Andrey.
    Andrey Tarasov, Dec 11, 2009
    #9
  10. RG

    RG Guest

    Is $300 a lot to pay for new 50b?

    Thanks,
    "Doug McIntyre" <> wrote in message
    news:4b1fddca$0$33859$...
    > RG <> writes:
    >>For purposes of transparent firewall, which one would you recommend
    >>more Netscreen/Juniper or FortiGates?

    >
    > I haven't used the new Juniper SRX's, so I can't say how stable they
    > are. With Juniper's reputation, and past experience with the Netscreen
    > and SSG boxes, they should be solid.
    >
    > I've been using FortiGate for all my deployments in the past 3 years.
    > I'd say they are the way to go, very solid and dependable. Huge range
    > of products, so it may be hard to choose what you need, if you are
    > talking about a 501, though, a 50B is plenty for your needs.
    > The bigger ones might be nicer if you need more ports/zones for your
    > network.
    >
    >>I found that cisco pix 501 very descent and solid firewall. It is
    >>highly configurable and doesn't seem to break.
    >>Would you say the same about Netscreen/Juniper or FortiGates when used
    >>in transparent mode?

    >
    > Definately. World apart from Sonicwall and the others in their class.
    > Junpier and Fortinet make good products (like cisco).
    >
    >>Also, is Netscreen/Juniper or FortiGates sip aware?

    >
    > Yep. SIP and H.232 are fully supported. You do have to configure
    > things specificly to recognize these protocols, so make sure to read
    > up on the technotes.
    RG, Dec 13, 2009
    #10
  11. "RG" <> writes:
    >Is $300 a lot to pay for new 50b?


    No, that would be about the best street price for the unbundled version
    (i.e. it doesn't come with the IPS/AV/filtering update & maintenance subscriptions).

    The 50B, unlike the PIX501, can push wirespeed in almost all cases
    (maybe not so much if you turn on tons of webfilter regexes and the like).
    Doug McIntyre, Dec 14, 2009
    #11
  12. RG

    RG Guest

    Which version of Netscreen would you say is comparable to the 501?

    Thanks
    "Doug McIntyre" <> wrote in message
    news:4b1fca37$0$33860$...
    > RG <> writes:
    >> I would like to change the ip address of mail server from internal
    >>ip adress to public ip address.

    >
    > Not on a PIX501 you can't. They are pure NAT boxes, nothing but NAT.
    > Even if you routed down public IPs through them, and put your internal
    > interface on public IPs, they'd still be doing NAT internally.
    >
    >>If I am not mistaken, there is something called "transparent" firewall
    >>configuration where you are doing away with NAT and only do access-
    >>list filtering.

    >
    > The 501 doesn't support transparent mode. The ASA's running new enough
    > code can do Transparent mode, but not the 501. With PCI-DSS requiring
    > NAT mode firewall with private IPs anyway, and in transparent mode you
    > need to have enough public IPs for all your systems, its not too
    > popular of an option. Other boxes do it better, having been around
    > alot longer supporting it, such as the Netscreen/Juniper or FortiGates.
    >
    >>> Is the outside interface of the pix currently running a public address
    >>> or a private address?

    >
    >>The outside interface is running on public address.

    >
    > Which is where it'll have to stay on a 501.
    >
    RG, Dec 25, 2009
    #12
  13. "RG" <> writes:
    >which version of netscreen would you say is comperable to 501?


    The smallest/oldest Netscreen boxes would be a step up over the 501.
    (Granted, that's the smallest tiny Cisco PIX model as well.)

    The PIX line is fairly underpowered compared to everybody else. Cisco
    rested on not improving it for some time. The ASAs make up for it somewhat.

    I don't know if you are asking about current models, or old ones you'd
    find on eBay though?

    I'd look for newer boxes compared to older boxes though. Unlike Cisco
    which didn't really do much to make new models in the PIX line,
    Netscreen cycled through 3-4 generations, and Juniper has done 2
    hardware cycles beyond that.

    If you are looking for old used hardware, something like a
    Netscreen 5GT was quite a popular model: 75Mbps throughput, 20Mbps VPN.
    And you'd expect to get 75Mbps throughput, unlike a PIX 501 with its
    rated 60Mbps on a good day. Should be less than $100 used.
    I see some pretty funny fantasy prices on eBay for old gear nowadays though.
    (Yeah, let's see, we'll get new street price for hardware that is 10
    years old, and EOL'd 5 years ago.)

    But as I stated earlier, a Fortigate 50B would do linespeed filtering.
    Doug McIntyre, Dec 25, 2009
    #13
  14. RG

    RG Guest

    So, I bought myself a Fortigate 50B on eBay. Little did I know they have
    no password. Would you know how to hardware reset it?

    Thanks in advance
    "Doug McIntyre" <> wrote in message
    news:4b2177ca$0$47486$...
    > alexd <> writes:
    >>I regularly see you recommend Juniper here. Could you suggest an
    >>introductory guide to SSG that would make sense to someone who was
    >>familiar
    >>with IOS, ASA and SonicOS?

    >
    > Hmm, I've probably been pushing Fortigate more often lately, having
    > deployed them alot more in the last few years than Juniper firewall
    > setups (although I did plenty of those in the past as well, as well as
    > PIX deployements). Plenty of Transparent mode setups on either of the
    > Juniper or Fortigate setups, although not too many lately.
    >
    > The SSG's are all EOL'd, replaced the SRX's, which are vastly
    > different boxes. The SSG was just another version of the Netscreen
    > products.
    > The SRX is when they converted everything over to JunOSse.
    >
    > I don't know of any high-level comparisons without going and getting a
    > book for the Juniper/Netscreen ones. There are a few good ones on
    > Netscreen Firewalls, but a couple I've read had some good high point
    > overviews of Juniper vs. Cisco.
    >
    > BUT what I usually go for is going direct to the source documentation,
    > which all 3 companies have fully online, open to the public.
    >
    > Like any computer documentation, each company has its own "style" and
    > layout, and it does take a bit of thinking to get used to their style
    > of doing things.
    >
    > Ie. if you did want to start with the older, EOL'd SSG boxes, the
    > Fundementals of the Netscreen Concepts and Examples manual is where to
    > start.
    >
    > http://www.juniper.net/techpubs/software/screenos/screenos6.3.0/630_ce_fundamentals.pdf
    >
    > Just go up one level to the directory URL for the rest of the
    > documentation in
    > that series, but the fundementals would be a good start.
    >
    > The SRX documentation is here.
    > http://www.juniper.net/techpubs/software/junos-srx/junos-srx10.0/index.html
    >
    > There's not really a good starting point with the SRX. Having other
    > JunOS experience helps alot. I have some M series routers that I
    > manage, but not any SRXs...
    >
    > FortiNet's documentation starts here.
    >
    > http://docs.fortinet.com/fgt.html
    >
    > They probably have the most complete WebGUI interface, you can do 99%
    > of what you need to totally within the GUI without going to the CLI.
    > The Admin guide isn't quite as detailed as others, but should at least
    > show you the concepts of what it is capable of. Deeper understanding
    > of all only comes after having used them for sometime and deploying
    > specific solutions.
    RG, Feb 9, 2010
    #14
  15. "RG" <> writes:
    >So, I bought myself fortigate 50b from on ebay. Little did I know they have
    >no password. Would you know hardware resest it?


    To password-recover a Fortinet, console in (it uses the same pinout as
    Cisco, Juniper, Sun, etc.).

    Login as 'maintainer'. The password is 'bcpb' followed by the full serial
    # of the box, matching case (i.e. FGT in upper case, and any hardware
    rev letter).

    And then, to make sure the config is totally cleared out, run

    execute factoryreset

    from the CLI.
    Doug McIntyre, Feb 9, 2010
    #15
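    A defender's footnote to the recovery procedure above, added here and not part of the thread: the maintainer login is a physical-access recovery path, so anyone who can reach the console port and read the serial number off the chassis label can wipe the configuration. Once a unit is deployed, FortiOS lets the account be switched off from the CLI; the setting below is a real FortiOS option, but whether the firmware on a given box exposes it is assumed here and should be checked against the CLI reference for the version in use.

```text
# Added example, not from the thread. Disables the console-only 'maintainer'
# recovery login so that a lost password can no longer be reset from the
# console; keep a tested copy of the admin credentials and a config backup
# before doing this, since it closes the recovery path described above.
config system global
    set admin-maintainer disable
end
```

    The trade-off is the one the thread itself illustrates: with the account disabled, a second-hand box that arrives with an unknown password has no supported way back in, so this belongs at the end of deployment rather than before the first login.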
  16. RG

    RG Guest

    Thanks for your time.

    I am at a loss.

    This is what I have done...

    1. I connected the DB9 end to my computer and the RJ45 end to the Fortigate.
    2. Through a terminal session I got a user name prompt.
    3. I entered maintainer for the user name.
    4. I entered bcpbFGT50B3G07518259 for the password.
    5. The response was that it didn't like the credentials.

    Perhaps you can see a problem with a password or username.


    "Doug McIntyre" <> wrote in message
    news:4b70eb60$0$33859$...
    > "RG" <> writes:
    >>So, I bought myself fortigate 50b from on ebay. Little did I know they
    >>have
    >>no password. Would you know hardware resest it?

    >
    > To password recovery a Fortinet, console in (uses same pinout as
    > Cisco, Juniper, Sun, etc).
    >
    > Login as 'maintainer'. Password of 'bcpb' followed by the full serial
    > # of the box, matching case (ie. FGT in upper case, and any hardware
    > rev letter)
    >
    > And then to make sure the config is totally cleared out
    >
    > execute factoryreset
    >
    > from the CLI.
    >
    >
    RG, Feb 9, 2010
    #16
  17. "RG" <> writes:
    >Thanks for your time.


    >I am at a loss.


    >This is what I have done...


    >1. I connected dc9pin to my computer and rj45 end to fortigate
    >2. Through termina session I got user name prompt
    >3. I entered maintainer for user name.
    >4. I entered bcpbFGT50B3G07518259 for password
    >5. The response was it didn't like the credentials.


    >Perhaps you can see a problem with a password or username.



    That should do it.

    There is a time limit; maybe make sure to have the password in the
    paste buffer ready to send in?

    Otherwise, make sure you don't typo it, sometimes delete/backspace
    messes up things even if the characters get rubbed out on the screen.
    Doug McIntyre, Feb 9, 2010
    #17
  18. RG

    RG Guest

    OK, now it worked for me. I don't know why, but I had to reboot the device while
    in session and then it worked for me. Thanks for the help.


    "Doug McIntyre" <> wrote in message
    news:4b7108b1$0$637$...
    > "RG" <> writes:
    >>Thanks for your time.

    >
    >>I am at a loss.

    >
    >>This is what I have done...

    >
    >>1. I connected dc9pin to my computer and rj45 end to fortigate
    >>2. Through termina session I got user name prompt
    >>3. I entered maintainer for user name.
    >>4. I entered bcpbFGT50B3G07518259 for password
    >>5. The response was it didn't like the credentials.

    >
    >>Perhaps you can see a problem with a password or username.

    >
    >
    > That should do it.
    >
    > There is a timelimit, maybe make sure to have the password in the
    > paste buffer ready to send in?
    >
    > Otherwise, make sure you don't typo it, sometimes delete/backspace
    > messes up things even if the characters get rubbed out on the screen.
    >
    RG, Feb 9, 2010
    #18
  19. RG

    RG Guest

    This fortigate is pretty impressive. It looks like it is much better put
    together than pix.

    "Doug McIntyre" <> wrote in message
    news:4b1fddca$0$33859$...
    > RG <> writes:
    >>For purposes of transparent firewall, which one would you recommend
    >>more Netscreen/Juniper or FortiGates?

    >
    > I haven't used the new Juniper SRX's, so I can't say how stable they
    > are. With Juniper's reputation, and past experience with the Netscreen
    > and SSG boxes, they should be solid.
    >
    > I've been using FortiGate for all my deployments in the past 3 years.
    > I'd say they are the way to go, very solid and dependable. Huge range
    > of products, so it may be hard to choose what you need, if you are
    > talking about a 501, though, a 50B is plenty for your needs.
    > The bigger ones might be nicer if you need more ports/zones for your
    > network.
    >
    >>I found that cisco pix 501 very descent and solid firewall. It is
    >>highly configurable and doesn't seem to break.
    >>Would you say the same about Netscreen/Juniper or FortiGates when used
    >>in transparent mode?

    >
    > Definately. World apart from Sonicwall and the others in their class.
    > Junpier and Fortinet make good products (like cisco).
    >
    >>Also, is Netscreen/Juniper or FortiGates sip aware?

    >
    > Yep. SIP and H.232 are fully supported. You do have to configure
    > things specificly to recognize these protocols, so make sure to read
    > up on the technotes.
    RG, Feb 10, 2010
    #19
  20. "RG" <> writes:
    >This fortigate is pretty impressive. It looks like it is much better put
    >together than pix.


    Yep, pretty nice overall I think.

    I like that they support a huge range of features, the GUI is quite
    usable on every desktop, only having to bop out to the CLI for a few
    advanced things, they don't have licensing limitations (although you
    have to subscribe to AV definition updates, but they are all like
    that), and are rock solid. Code updates seem to be only for new
    features and minor bug fixes rather than any security issues. They support
    pretty much wirespeed for most setups.

    I'm going through my list of managed boxes to find the longest uptime.
    Hmm, I think the uptime counters roll over after a time, but the system log
    messages show only two reboots in 5 years on one of my oldest boxes.
    Doug McIntyre, Feb 10, 2010
    #20
