Secure a wireless LAN with a PIX 501?

Discussion in 'Cisco' started by adam.jacobs, Mar 11, 2006.

  1. adam.jacobs

    adam.jacobs Guest

    Hi there,

    Being the paranoid IT person I am (i.e. understanding how easy it is to
    rip down the security in wireless encryption), I want to create an
    additional network, which we'll call "insecure", and give this access to
    the internet via my Cisco PIX 501. However, I do not want this network
    to have access to my wired LAN, which we'll call "secure".

    I am using a Netgear router for my wireless access and so far I have
    done the following:

    -----------     -----------
    |   www   | --- | pix 501 | ------|
    -----------     -----------       |- (Secure LAN)
                                      |- (Insecure LAN)

                    -----------
                    | Netgear | WAN - (Insecure LAN)
                    ----------- LAN -

    My question therefore is: how can I isolate communication between the
    insecure and secure networks, just allowing clients to access the
    internet, i.e. the pix interface only?

    Your help would be greatly appreciated!

    Many thanks,

    adam.jacobs, Mar 11, 2006

  2. Your diagram shows both networks as being on the same side of
    the PIX 501. In that situation, you cannot prevent the two
    networks from communicating, not unless you can put restrictions
    on the gateway between them (the Netgear in your case).

    I gather that 'www' represents the Internet in the diagram.

    If someone in the wireless LAN addresses a packet to 192.168.10.*
    then the Netgear is going to see that network in its routing table,
    and will ARP on the outside interface for the target address.
    That ARP *will* get through to the target IP: although you have
    the Netgear plugged in to the 501, the four LAN ports on the 501
    act as a switch, especially as it is the same subnet being requested.

    But in your configuration, you cannot use different subnets for the
    two LANs, because although you can add a 'route inside' on the PIX
    for the second subnet, the PIX needs to be able to ARP the
    destination, and the ARP would not be listened to by the Netgear
    if the Netgear is in a different subnet. You could -try- setting
    the next-hop address to be the interface itself: the ARP might then
    go out "raw" onto the switchports, and the Netgear -might-
    pay attention to it (depends on the IP stack.)

    It is not possible to configure the PIX 501 to filter packets
    between the four switch ports.

    Does your Netgear router happen to be one of the ones that is Linux
    Walter Roberson, Mar 14, 2006
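Walter's point that the isolation can only be enforced on the gateway between the two networks, worked through as an added example that is not part of the thread: a small Python model of a first-match forwarding policy for the Netgear, with assumed addressing (192.168.10.0/24 for the secure wired LAN, taken from the 192.168.10.* in the reply, and a hypothetical 192.168.20.0/24 for the wireless clients behind the Netgear). It also models why no such policy can help when both hosts sit in the same subnet on the PIX 501's switched ports, and renders the policy as iptables commands on the assumption that the Netgear runs a Linux firewall, which the thread's last sentence leaves open.

```python
"""Added example (not code from the thread): a model of the forwarding
policy the reply says must live on the gateway between the two LANs,
i.e. the Netgear, because the PIX 501 cannot filter between its own
switch ports.  Addressing is assumed: secure wired LAN 192.168.10.0/24,
wireless clients behind the Netgear in 192.168.20.0/24."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

SECURE_LAN = ip_network("192.168.10.0/24")    # assumed, from the reply's 192.168.10.*
INSECURE_LAN = ip_network("192.168.20.0/24")  # assumed, wireless side of the Netgear
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    src: IPv4Network
    dst: IPv4Network
    action: str      # "ACCEPT" or "DROP"
    comment: str


# First-match semantics, as in an iptables chain: the DROP towards the
# secure LAN must precede the catch-all ACCEPT, or it never fires.
ISOLATION_POLICY = [
    Rule(INSECURE_LAN, SECURE_LAN, "DROP", "no wireless -> wired LAN"),
    Rule(INSECURE_LAN, ANY, "ACCEPT", "wireless -> Internet only"),
]
DEFAULT_ACTION = "DROP"


def gateway_in_path(src: str, dst: str) -> bool:
    """A forwarding policy only applies if the packet crosses a router.
    Two hosts in the same subnet on the same switched segment (the PIX
    501's four LAN ports) talk directly after ARP, so no rule on any
    gateway can stop them; that is the reply's first point."""
    s, d = ip_address(src), ip_address(dst)
    return not any(s in n and d in n for n in (SECURE_LAN, INSECURE_LAN))


def decide(src: str, dst: str, policy=ISOLATION_POLICY) -> str:
    """Verdict for one packet: switched directly if no gateway is in the
    path, otherwise the first matching rule on the gateway decides."""
    if not gateway_in_path(src, dst):
        return "ACCEPT"   # never reaches the gateway; delivered by the switch
    s, d = ip_address(src), ip_address(dst)
    for rule in policy:
        if s in rule.src and d in rule.dst:
            return rule.action
    return DEFAULT_ACTION


def to_iptables(policy=ISOLATION_POLICY, chain="FORWARD") -> list[str]:
    """Render the ordered policy as iptables commands; -A appends, so the
    list order is the evaluation order.  Assumes a Linux firewall on the
    Netgear, which the thread does not confirm."""
    lines = [f"iptables -P {chain} {DEFAULT_ACTION}"]
    for r in policy:
        lines.append(f"iptables -A {chain} -s {r.src} -d {r.dst} -j {r.action}")
    return lines


if __name__ == "__main__":
    samples = [("192.168.20.5", "192.168.10.7"),   # wireless -> wired LAN
               ("192.168.20.5", "203.0.113.9"),    # wireless -> Internet (TEST-NET-3)
               ("192.168.10.3", "192.168.10.7")]   # wired -> wired, same segment
    for src, dst in samples:
        print(f"{src} -> {dst}: {decide(src, dst)} "
              f"(gateway in path: {gateway_in_path(src, dst)})")
    # Ordering pitfall: with the catch-all ACCEPT first, the DROP is dead.
    print("reversed order:",
          decide("192.168.20.5", "192.168.10.7", list(reversed(ISOLATION_POLICY))))
    print("\n".join(to_iptables()))
```

Running it shows the wireless-to-wired packet dropped only when the DROP rule precedes the catch-all, and the wired-to-wired packet accepted regardless of policy because it never crosses a gateway, which is exactly why the reply says the PIX 501's switch ports cannot be used for this separation.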
