Can I use a Cisco PIX501 and 2610 for multiple DMZ's (No PIX515)

By AlexMTech ·
I have a question about how I should setup/configure the following scenario. I have a small office with a cable connection using a single public IP address. This would be easy if I had a Cisco PIX 515 with a few DMZ ports but at the moment that is not an option. Behind the internet connection I need to have (4) separate networks for the following: (1) Inside LAN, (2) Wireless LAN, (3) LAB Environment, (4) Web/Email Server. I want to allow VPN access from outside that would give certain people access to the Inside LAN and/or the Lab Environment. I need to setup a wireless network that would provide only access to the internet and nothing else. And I need the Web/Email server to be available on the web for their respective services etc.

Currently I have a PIX 501 in place that sits between the internet and the Inside LAN. I have it configured to accept VPN remote access to the Inside LAN. The Web/Email Server is currently not available from the outside of the firewall (unless you VPN in), only the Inside LAN can access them. The wireless network is not set up. The Lab Environment is also in place but is currently accessible through a Cisco 2511 (interface currently on Inside LAN) that has been setup as a terminal server connected to the other devices.

I was hoping someone can tell me if this is possible using a PIX 501, Catalyst 2950 Layer 2 48-port switch and a Cisco 2610 with the NM-4E (4 port ethernet network module). My thought was something like this:

Modem --- PIX 501 --- 2610 --+-- (Inside VLAN)
                             +-- (Lab Environment)
                             +-- (Web/Mail Server)
                             +-- (Wireless Internet)

The Cisco 2610's single onboard ethernet interface would connect to the "Inside" PIX interface. The 4 port ethernet network module would give me the E1 - E4 interfaces on the router. Each of these interfaces would be connected to a separate block of ports on the 48 port switch that will be split into different VLAN's. The Cisco 2610 would also have an IOS image providing an IOS firewall feature set which would protect traffic between the VLAN's since the router will be routing the traffic between them. Remote clients would be able to VPN into the PIX and based on their credentials they would gain access to one or more of the VLAN's. Since I didn't get to choose the original equipment I guess what I am trying to do here is use the router and switch to create separate DMZ's similar to a PIX 515. Since the PIX 515 is way out of the budget I am hoping this will work.

Can anyone confirm whether or not this will work? Comments and suggestions are welcomed.


All Answers

Yes, that would work

by djdawson In reply to Can I use a Cisco PIX501 ...

You could certainly do that, but if you have the firewall
feature in the router you don't really need the PIX at all,
since you could do everything in the router. The IOS
firewall feature *is* a real firewall, though it won't have
the performance of a PIX (even a 501). However, since
you'd be using the router firewall feature anyway, that's a

This config would be a bit complex, but only because of
the number of different interfaces involved. If you have
"SDM" in the router (the Java-based GUI management
interface in the newer routers), you could use that to build
your firewall policies, though I prefer a manual approach
since SDM sometimes does some unusual things (the
2610 might be too old or not have enough flash to run

The key with IOS firewall (Cisco calls it "CBAC") is to
remember that you need to "inspect" the first packet of
any session you want the firewall to filter in a stateful way,
and that you use access-lists to implement your security
policy. In effect, the inspect feature is like a really smart
"established" keyword from the access-list syntax. I find
it easier to develop a security policy on an interface-pair
basis. For example, figure out what traffic is required in
both directions for every possible pair of interfaces. If
you'll only be using traffic that CBAC supports and can
track the state of then you only need to consider the first
packet of each session, since CBAC will recognize the
return traffic and permit it. With five different interfaces
this will be quite a list of interface pairs, but my guess is
some of those pairs won't have any traffic between them,
which will make things a bit easier (but it'll still not be a
pushover config).

HTH - Good luck!!!
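To make the interface-pair approach above concrete, here is an added example of what the CBAC portion of the 2610 config could look like for the layout in the question. It is not from either poster and was not taken from a running router. Everything in it is an assumption: the interface names (Ethernet0/0 for the onboard port toward the PIX, Ethernet1/0 to 1/3 for the NM-4E), the subnets, the server address 192.168.30.10, and the VPN client pool 192.168.100.0/24 handed out by the PIX. Only the two interfaces with the clearest policy (wireless and the web/mail DMZ) get access-lists; the Inside/Lab pairs are left for the reader to work out the way the answer describes.

```cisco
! Added example, not the thread's own config. Assumed layout:
!   Ethernet0/0  onboard port, to PIX 501 inside  (192.168.1.0/24, PIX = .1)
!   Ethernet1/0  Inside LAN VLAN                  (192.168.10.0/24)
!   Ethernet1/1  Lab VLAN                         (192.168.20.0/24)
!   Ethernet1/2  Web/Mail server VLAN             (192.168.30.0/24, server .10)
!   Ethernet1/3  Wireless VLAN                    (192.168.40.0/24)
!
! The inspect rule is the stateful part: the first packet of a session is
! inspected on the interface it enters, and CBAC then opens a temporary entry
! in the access-list the return traffic would otherwise hit.
ip inspect name INSPECT-ALL tcp
ip inspect name INSPECT-ALL udp
!
! Wireless: internet only. Source must be the wireless subnet (anti-spoofing),
! nothing toward the other internal networks, and the drops are logged so
! policy violations show up in syslog.
ip access-list extended WIFI-IN
 remark DHCP requests to the router itself
 permit udp any eq bootpc any eq bootps
 deny   ip 192.168.40.0 0.0.0.255 192.168.10.0 0.0.0.255 log
 deny   ip 192.168.40.0 0.0.0.255 192.168.20.0 0.0.0.255 log
 deny   ip 192.168.40.0 0.0.0.255 192.168.30.0 0.0.0.255 log
 deny   ip 192.168.40.0 0.0.0.255 192.168.1.0 0.0.0.255 log
 permit ip 192.168.40.0 0.0.0.255 any
 deny   ip any any log
!
! DMZ: the server only answers sessions (opened by inspection elsewhere) and
! may start SMTP and DNS outbound; it never starts a session into the LANs.
ip access-list extended DMZ-IN
 deny   ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255 log
 deny   ip 192.168.30.0 0.0.0.255 192.168.20.0 0.0.0.255 log
 deny   ip 192.168.30.0 0.0.0.255 192.168.40.0 0.0.0.255 log
 permit tcp host 192.168.30.10 any eq smtp
 permit udp host 192.168.30.10 any eq domain
 deny   ip any any log
!
! From the PIX side: only the published services (PIX static NAT to .30.10)
! and the VPN pool into Inside/Lab. CBAC return entries land ahead of these.
ip access-list extended OUTSIDE-IN
 permit tcp any host 192.168.30.10 eq www
 permit tcp any host 192.168.30.10 eq smtp
 remark assumed VPN client pool assigned by the PIX
 permit ip 192.168.100.0 0.0.0.255 192.168.10.0 0.0.0.255
 permit ip 192.168.100.0 0.0.0.255 192.168.20.0 0.0.0.255
 deny   ip any any log
!
interface Ethernet0/0
 description To PIX 501 inside
 ip address 192.168.1.2 255.255.255.0
 ip access-group OUTSIDE-IN in
 ip inspect INSPECT-ALL in
!
interface Ethernet1/0
 description Inside LAN VLAN (no ACL yet; inspect so replies get back in)
 ip address 192.168.10.1 255.255.255.0
 ip inspect INSPECT-ALL in
!
interface Ethernet1/1
 description Lab VLAN (no ACL yet; inspect so replies get back in)
 ip address 192.168.20.1 255.255.255.0
 ip inspect INSPECT-ALL in
!
interface Ethernet1/2
 description Web/Mail DMZ VLAN
 ip address 192.168.30.1 255.255.255.0
 ip access-group DMZ-IN in
 ip inspect INSPECT-ALL in
!
interface Ethernet1/3
 description Wireless VLAN, internet only
 ip address 192.168.40.1 255.255.255.0
 ip access-group WIFI-IN in
 ip inspect INSPECT-ALL in
!
ip route 0.0.0.0 0.0.0.0 192.168.1.1
```

The pattern to check for each interface pair is the one the answer gives: the side that starts the session needs both a permit in its inbound access-list and an inspect statement, and the side that only ever replies needs neither, because CBAC adds the return entry. A quick way to confirm the policy is behaving is to open a session from the wireless VLAN toward an Inside LAN host and watch for the logged deny, then `show ip inspect sessions` from a permitted session to see the dynamic entry CBAC created.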

