Two firewall on same subnet/switch

Discussion in 'Cisco' started by Paul, Oct 13, 2004.

  1. Paul

    Paul Guest

    I have a fiber connection that terminates on a Cisco 3550 switch and
    from there I need to figure out how to connect two separate Cisco 515e
    firewalls to the Internet connection. The issue is each 515e will
    protect separate networks owned by different companies.

    Overview:
    The ISP hosts the router interface off-site and the fiber connection
    is terminated by the ISP on a Cisco 3550 switch at our location (fiber
    to Ethernet). We have a block of public IPs that must be shared between
    the two organizations, but neither organization wants to be behind the
    other's firewall, so we come to a situation that both 515e firewalls
    would have their public "outside" interface on the same subnet plugged
    into the same switch. Would this work? Would I need to place a three
    port router (like a Cisco 2500) between the ISP switch (Internet),
    firewall one, and firewall two, or could two Cisco firewalls exist
    externally on the same subnet and function correctly to protect
    completely separate networks behind them? Each organization has its
    own email system behind the firewall also, so there will be some
    traffic moving in and out of both networks. I know the correct thing
    would be to place a router, but the budget is really, really tight and
    that is the main reason they are sharing the Internet connection.
    Thanks for advice.
     
    Paul, Oct 13, 2004
    #1

  2. :The ISP hosts the router interface off-site and the fiber connection
    :is terminated by the ISP on a Cisco 3550 Switch at our location.(Fiber
    :to ethernet) We have a block of public IPs that must be shared between
    :the two organizations but neither organization wants to be behind the
    :others firewall so we come to a situation that both 515e firewalls
    :would have their public "outside" interface on the same subnet plugged
    :into the same switch. Would this work?

    This is not a problem if you can rely on proxy-arp, but if for some
    reason you cannot use proxy-arp then you are going to run into
    some difficulties.

    :Would I need to place a three
    :port router(like a Cisco 2500) between the ISP switch (internet),
    :firewall one, and firewall two, or Could two Cisco Firewalls exist
    :externally on the same subnet and function correctly to protect
    :completely seperate networks behind them.

    If you can use proxy-arp then no problem: the two PIXes will respond
    on behalf of the IP's that are static'd or nat'd for that particular
    PIX and will ignore the packets in the same subnet that are not
    routed to the PIX.

    If you cannot use proxy arp, then you would probably need a small
    router; if the address allocation between the two organizations is such
    that you can subnet and route the subnets to the appropriate pix, then
    it's still fairly simple (if you have the router.) If you cannot use
    proxy arp and the addresses do not divide cleanly, then you could
    use policy based routing if the router happened to support that, but
    you could also just toss a set of static host routes on the router
    that routed each IP to the appropriate PIX that will handle it.


    :Each organization has its
    :own email system behind the firewall also. So there will be some
    :traffic moving in and out of both networks.

    Is there traffic -between- the two organizations, that would have to
    go out one pix and into the other pix? Such as if one organization
    emailed to the other? If there is such traffic, then that has to be
    taken into account in the configuration. If each side is using
    RFC1918 private addressing internally and are not using the -same-
    private address ranges, then there should not be any problem with
    traffic between the two sites. If, though, either or both sites
    want to use their public IPs internally, or somehow the two sites
    end up using the same private IP range, then configuring for traffic
    between the two sites gets more esoteric. On the other hand, because
    the PIX does not allow the inside and outside interfaces to be in the
    same subnet, then if the two organizations want to use public IPs
    internally then you would need to either use an outside router [that
    used private IP space to communicate with the PIXes, with the PIX
    set to use the private IP space on its outside interface] or else you need
    to use a router inside each of the LANs that wants to use public
    addresses internally.

    :I know the correct thing
    :would be to place a router but the budget is really really tight and
    :that is the main reason they are sharing the internet connection.

    You mention that you have fibre, but you didn't happen to mention the
    nominal bandwidth of the fibre. If the fibre is running in the range
    of 1-3 megabits per second full duplex, then you could very likely get a
    very inexpensive router such as from Linksys, D-Link, or Netgear
    and have it handle the load. If, though, you are into the 5-10 megabits
    per second range, then you would want to check the pps (packets per
    second) rating on the low end routers, as they would not necessarily
    be able to sustain ~10 megabits/s full duplex in the worst case scenario.
    [For example, the Cisco 17xx router series cannot; the 2621 and 26xxXM
    models can, but even the 3660 (highest model in the 16xx/17xx/26xx/36xx
    line) cannot sustain 100 megabits/s full duplex in the worst case scenario.]
     
    Walter Roberson, Oct 13, 2004
    #2
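    Added illustration of the two arrangements Walter describes (example
    configuration written for this page, not posted by either participant,
    and using PIX 6.x / IOS syntax). Every address is an assumption: the
    RFC 5737 documentation block 203.0.113.0/24 stands in for the shared
    public block with the ISP gateway at 203.0.113.1, company A uses
    10.1.0.0/16 inside and company B 10.2.0.0/16. Lines starting with "!"
    are annotations, not commands to paste.

```text
! ---- Case 1: both PIXes on the ISP switch, relying on PIX proxy-ARP ----
! Company A PIX: outside on the public subnet, its own global/static addresses.
ip address outside 203.0.113.2 255.255.255.0
ip address inside 10.1.0.1 255.255.0.0
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
nat (inside) 1 10.1.0.0 255.255.0.0 0 0
global (outside) 1 203.0.113.3
static (inside,outside) 203.0.113.10 10.1.0.25 netmask 255.255.255.255 0 0
access-list inbound_a permit tcp any host 203.0.113.10 eq smtp
access-group inbound_a in interface outside
! Company B PIX mirrors this with outside 203.0.113.4, global 203.0.113.5 and
! static 203.0.113.20 -> 10.2.0.25. No address appears on both boxes.
! Each PIX answers ARP only for addresses named in its own global/static
! statements, so the ISP router's ARP for 203.0.113.10 is answered by PIX A
! and 203.0.113.20 by PIX B; other traffic on the subnet is ignored.
! Check: from the ISP router (or any host on the subnet) the ARP table should
! show 203.0.113.10 with PIX A's outside MAC and 203.0.113.20 with PIX B's.
! If "sysopt noproxyarp outside" is set, those entries never appear and
! case 2 is required.

! ---- Case 2: no proxy-ARP, a small IOS router between switch and PIXes ----
! Router: Ethernet0 faces the ISP subnet, Ethernet1/2 face the PIXes over
! private /30s so the PIX outside interfaces are not on the public subnet.
interface Ethernet0
 ip address 203.0.113.2 255.255.255.0
 ip proxy-arp
interface Ethernet1
 ip address 192.168.255.1 255.255.255.252
interface Ethernet2
 ip address 192.168.255.5 255.255.255.252
ip route 0.0.0.0 0.0.0.0 203.0.113.1
! Host routes send each public address to the PIX that owns it. Because the
! /32 routes point out Ethernet1/2, the router answers the ISP's ARP for
! those addresses on Ethernet0 (IOS proxy-ARP replies for destinations it
! reaches via another interface). Non-contiguous allocations are fine; a
! cleanly divisible block could use one summary route per PIX instead.
ip route 203.0.113.10 255.255.255.255 192.168.255.2
ip route 203.0.113.11 255.255.255.255 192.168.255.2
ip route 203.0.113.20 255.255.255.255 192.168.255.6
ip route 203.0.113.21 255.255.255.255 192.168.255.6
! Company A PIX: outside now lives on the private /30; the public addresses
! are still used in global/static and need not be on-link.
ip address outside 192.168.255.2 255.255.255.252
ip address inside 10.1.0.1 255.255.0.0
route outside 0.0.0.0 0.0.0.0 192.168.255.1 1
nat (inside) 1 10.1.0.0 255.255.0.0 0 0
global (outside) 1 203.0.113.11
static (inside,outside) 203.0.113.10 10.1.0.25 netmask 255.255.255.255 0 0
! Check: "show ip route 203.0.113.10" on the router must resolve to
! 192.168.255.2, and an ARP request for 203.0.113.10 on the ISP subnet must
! be answered with the router's Ethernet0 MAC.
```

    In case 2 mail between the two companies leaves PIX A, is routed by the
    2500 straight back into PIX B via the host routes, and never touches the
    ISP; that is the path Walter says must be allowed for in each PIX's
    access lists.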
