Implementing a PIX in a VLAN scenario


This topic contains 4 replies, has 4 voices, and was last updated by  bdesmond-mvp 11 years, 10 months ago.


  • ryancole
    Member
    #118415

    Hi,

    I wonder if someone can help me come up with a solution that I have been trying to figure out for a while now. In a few days' time I am going to have access to my own dedicated full rack in a datacenter near me. I currently have colocated servers but I do not manage any of the routing/IP addressing/VLANs; that is all done by another company that owns a number of racks in the same datacenter.

    Basically my goal when I have the rack is to have multiple VLANs, routed by a 2621 series router, with each individual VLAN firewalled by a PIX 515. I also have a 2950 for switching.

    I have set up a few lab scenarios in my workshop and have been able to set up the router and switch to route between the VLANs and understand and can program this as I require.

    Where I am stuck now is how to ‘add’ the PIX to the scenario. Does it come before the router? Does it come between the router and the switch? My guess is that the hardware is arranged in the following order:

    FIREWALL
    |
    |
    ROUTER
    |
    |
    SWITCH

    If this is correct, how do I need to program the PIX to firewall each individual VLAN?

    I understand that this is a big question without a yes/no answer. If anyone can help point me in the right direction to solving this situation it would be most appreciated. My Cisco, networking and IP addressing knowledge is good, so feel free to post any configs or anything else that will make the question easier to answer.

    Many thanks


    ahmer_sahab
    Member
    #286025

    Re: Implementing a PIX in a VLAN scenario

    Well, you can arrange it in many ways you like.
    What I recommend is that you use this way:

    Router
    |
    |
    Firewall


    Internet
    |
    |
    Switch


    theterranaut
    Member
    #285851

    Re: Implementing a PIX in a VLAN scenario

    Hi Ryan,

    When you say that each VLAN will be firewalled by a PIX, do you mean a separate PIX? Or is this going to be a single unit? Perhaps
    a better question to ask is: what do you want to achieve in terms of
    traffic separation? E.g., would you want server1 on vlan1 to be able to
    talk SMTP to server2 on vlan2, etc.?

    Bear in mind that a PIX (later versions of FOS) will run VLANs on an interface
    (negating the need for a router), which it still views as a logical interface, and you can then create the rules that govern traffic between them. As I think I noted to an
    earlier poster, you are then restricted by the 100Mb TCP throughput of the 515.
    Might be enough?

    regards,
    theterranaut


    bdesmond-mvp
    Member
    #291249

    Re: Implementing a PIX in a VLAN scenario

    Presumably you’ve got Pix OS 7.X on the pix or else this stuff won’t help.

    You want either the router or the PIX here – not both. Trunk the port to the PIX on the 2950:

    ! 2950 port facing the PIX: carry only the VLANs the PIX terminates
    int fa0/1
     descr to pix e1
     sw mode trunk
     sw trunk allowed vlan 2,3,4
     speed 100
     duplex full
     no shut

    Then on the PIX, subinterface your e1 interface:

    ! Physical trunk port: no nameif/IP, all traffic lives on the tagged subinterfaces
    interface Ethernet1
     speed 100
     duplex full
     no nameif
     security-level 0
     no ip address
    !
    ! One subinterface per VLAN; the security-level sets the default trust ordering
    interface Ethernet1.2
     description vlan2
     vlan 2
     nameif Inside
     security-level 100
     ip address 10.1.2.1 255.255.255.0
    !
    interface Ethernet1.3
     description vlan3
     vlan 3
     nameif vlan3
     security-level 30
     ip address 10.1.3.1 255.255.255.0
    !
    interface Ethernet1.4
     description vlan4
     vlan 4
     nameif vlan4
     security-level 40
     ip address 10.1.4.1 255.255.255.0

    Make your e0 the Internet connection:

    interface Ethernet0
     description internet
     nameif Outside
     security-level 0
     ip address 4.4.4.3 255.255.255.252

    Something like that should work. If you’ve got multiple internet connections the 2600 in front of the pix running bgp will be helpful.
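    The two things a practitioner would want to verify in the layout above are that the VLANs allowed on the 2950 trunk match the subinterfaces the PIX actually terminates (a VLAN trunked but not terminated is a dark segment, a VLAN terminated but not trunked is a silent outage), and which inter-VLAN flows the PIX permits by default before any access-list is applied. The script below is an added example, not code from this thread or from Cisco; it embeds the switch and PIX configuration posted above as a constructed sample, parses them with a small hand-written parser (an assumption: it understands only the handful of commands used here, not full IOS or PIX OS syntax), and applies the PIX 7.x default rule that, with no ACL on an interface, traffic may originate from a higher security-level interface towards a lower one, while lower-to-higher and same-level traffic is denied unless `same-security-traffic permit inter-interface` is configured.

```python
import re

# Constructed sample: the 2950 trunk port and PIX interfaces from the thread,
# embedded inline so the checks run offline.
SWITCH_CONFIG = """
int fa0/1
 descr to pix e1
 sw mode trunk
 sw trunk allowed vlan 2,3,4
 speed 100
 duplex full
 no shut
"""

PIX_CONFIG = """
interface Ethernet1
 no nameif
 security-level 0
 no ip address
!
interface Ethernet1.2
 vlan 2
 nameif Inside
 security-level 100
 ip address 10.1.2.1 255.255.255.0
!
interface Ethernet1.3
 vlan 3
 nameif vlan3
 security-level 30
 ip address 10.1.3.1 255.255.255.0
!
interface Ethernet1.4
 vlan 4
 nameif vlan4
 security-level 40
 ip address 10.1.4.1 255.255.255.0
!
interface Ethernet0
 nameif Outside
 security-level 0
 ip address 4.4.4.3 255.255.255.252
"""


def parse_pix_interfaces(config):
    """Return {interface: {"vlan", "nameif", "security_level"}} for each
    'interface' stanza. Only the commands used in the thread are understood."""
    interfaces = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = {"vlan": None, "nameif": None, "security_level": None}
            continue
        if current is None:
            continue
        m = re.match(r"vlan (\d+)$", line)
        if m:
            interfaces[current]["vlan"] = int(m.group(1))
        elif line.startswith("nameif "):
            interfaces[current]["nameif"] = line.split(None, 1)[1]
        elif line.startswith("security-level "):
            interfaces[current]["security_level"] = int(line.split()[1])
    return interfaces


def parse_trunk_allowed_vlans(config):
    """Expand 'sw[itchport] trunk allowed vlan 2,3,10-12' into a set of VLAN ids."""
    m = re.search(r"sw(?:itchport)? trunk allowed vlan ([\d,\-]+)", config)
    if not m:
        return set()
    vlans = set()
    for part in m.group(1).split(","):
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-"))
            vlans.update(range(lo, hi + 1))
        else:
            vlans.add(int(part))
    return vlans


def check_trunk_matches_pix(switch_config, pix_config):
    """VLANs present on one side but not the other; both lists empty means consistent."""
    allowed = parse_trunk_allowed_vlans(switch_config)
    pix_vlans = {d["vlan"] for d in parse_pix_interfaces(pix_config).values()
                 if d["vlan"] is not None}
    return {"trunk_only": sorted(allowed - pix_vlans),
            "pix_only": sorted(pix_vlans - allowed)}


def default_permitted_flows(pix_config):
    """Map (src_nameif, dst_nameif) -> True if the PIX lets src initiate traffic to
    dst with no ACL applied, i.e. only when src has the strictly higher security-level."""
    levels = {d["nameif"]: d["security_level"]
              for d in parse_pix_interfaces(pix_config).values() if d["nameif"]}
    return {(src, dst): s > t
            for src, s in levels.items() for dst, t in levels.items() if src != dst}


if __name__ == "__main__":
    print("trunk/PIX VLAN mismatch:", check_trunk_matches_pix(SWITCH_CONFIG, PIX_CONFIG))
    for (src, dst), ok in sorted(default_permitted_flows(PIX_CONFIG).items()):
        print(f"{src:>8} -> {dst:<8} {'permit' if ok else 'deny'} (default, no ACL)")
```

    Run as-is the mismatch report is empty and the flow table shows, for example, Inside (100) reaching every other interface while Outside (0) reaches none of them, and vlan3 (30) unable to initiate to vlan4 (40). Adding a VLAN to the trunk's allowed list without a matching PIX subinterface shows up in `trunk_only`, which is the drift check worth running whenever either device is changed.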


    ryancole
    Member
    #290265

    Re: Implementing a PIX in a VLAN scenario

    Brian,

    Thanks for your reply, this makes perfect sense. If only I could have worked this out myself!

    What I have done is run the feed from the datacenter into my switch and then run one switchport into the Cisco router and another port into the PIX. This way I can now have 2 separate VLANs on the switch, one firewalled and the other not.

    thanks again
