A Tale of Two PIXes

Alright, I will lay this out as clearly as possible. Currently, we have a T1 at our main location, and it is connected to a 2600 router. That router is connected to a PIX 515 that has a DMZ off of one interface. From the inside interface, the PIX attaches to our 6509 switch. The 6509 is really the workhorse of our network, and performs routing, as we have about 15 other switches off of it, and VLANs.

At our COLO facility, we have a 10MB ethernet handoff for Internet access (it is throttled to 4MB, however). This is attached to a PIX 515E, and there is no DMZ. The inside interface attaches to an HP switch. In order to link our COLO to our main site, we have a 100MB ethernet handoff to the HP switch, and at the other end, another 100MB ethernet handoff to our 6509. Instead of just using it as a flat ethernet network, we have isolated that 100MB link with VLANs, but it is not trunking (for instance, there are no VLANs shared across the 100MB link).

So, the intent is to start using the 4MB link for all of our Internet traffic, as our T1 is getting maxed out at peak hours. Later, we may try to utilize both. But to start out, we got all devices at the COLO working through the 4MB connection. These devices could also communicate with all the devices on our main site, all VLANs, including the DMZ devices.

We configured the PIX 515E with static mappings for all resources that the PIX 515 was providing, but obviously, with new IPs, as it is a different block. I tested the PIX 515E to make sure it was forwarding traffic. This worked well. So, the plan was to change the default route on the 6509 from pointing to the PIX 515, and have it point to the HP Switch at the COLO. Then, we would change the PIX 515 default route from the 2600 to the 6509. Given that the inside interface of the PIX has a higher security level than the DMZ interface, I figured this would allow the traffic to pass just fine.

Showtime. I get in early and change the default route on the 6509. Devices on the inside are not working. It turns out, NAT was not established on the PIX 515E. No big deal to fix. Besides, all devices on the main network that had static mappings worked, and we could gain access to them from the outside with the new IPs from the 4MB link. So that all seems fine. However, no devices on the DMZ were accessible. Again, this DMZ is on the far side of the equation, and is not really set up as a DMZ, but that is not something that can be addressed at this time.

The crux of the issue is, I need for the resources in the DMZ on the PIX 515 to be accessible from the Internet connection that is across our "ethernet MAN" and connected by the PIX 515E. The routing seems to work fine for everything else, so I am not sure that is an issue. The rules in the PIX also seem fine. Is it possible to A) have the default route of the PIX 515 go through the inside interface (I can not see why not), and B) have the DMZ accessible via the inside interface (again, I can not see why not)? I guess I am really just asking for some opinions on what may be limiting those resources. I am having a mental block. The rules/ACLs seem fine on the PIX 515E, and surely traffic can traverse easily from a security 100 interface to a security 10 interface. I know that I can get from the PIX 515E at the COLO network to the DMZ devices.

Here is an ASCII diagram (better with fixed font):

[ASCII diagram garbled in extraction. Legible labels, in order: Internet, A, B, 2600, PIX, Inside, PIX, HP_Switch, DMZ, C, D, E, Cisco_Switch, 6509.]

Dustin

I suspect your problems are a natural side effect of the rules set up originally for outside access to your DMZ. As originally configured (before adding the link to your COLO), the only traffic which should be allowed into the DMZ from the inside interface should be from inside IP addresses. Any other source addresses would be spoofed and should be rejected.

If I were you (and I'm not, and this is free advice so you can take it for what you paid for it): most COLO facilities I've worked with are logically outside and DMZ, not outside and inside (despite what the ports are labeled). I would drop back five and reevaluate exactly what I am trying to accomplish. Taking a piecemeal, hack-at-a-time approach to firewall setup is virtually guaranteed to introduce flaws in the protection provided. Define your security policies (what access is allowed from inside to outside, outside to inside, outside to DMZ, DMZ to inside, etc.) and look at where the firewalls belong and where the interconnects belong.

Only you can determine the proper tradeoffs between security and performance and cost (hint, you only get to choose two out of three), so take any blanket recommendations you get with a grain of salt, including this one.

Good luck and have fun!

Vincent C Jones
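As an added illustration of the mechanism Vincent describes (this is not code from the thread; the addresses, ACL entries and the small rule evaluator are constructed for the example): a model of a PIX 515 where the ACL applied to the inside interface only permits inside source addresses, so Internet-sourced traffic that now arrives on inside via the COLO link is dropped on its way to the DMZ, even though inside (security 100) to DMZ (security 10) would be allowed by security level alone.

```python
import ipaddress

# Constructed addressing for illustration only, not the poster's real blocks.
INSIDE_NET = ipaddress.ip_network("10.0.0.0/8")    # main-site inside VLANs
DMZ_NET = ipaddress.ip_network("192.0.2.0/24")     # DMZ off the PIX 515
ANY = ipaddress.ip_network("0.0.0.0/0")

# Security levels named in the thread: inside 100, DMZ 10; outside is 0.
SECURITY = {"outside": 0, "dmz": 10, "inside": 100}

# Inbound ACL per interface: (action, source net, destination net, dest port or None).
# First match wins; an applied ACL ends with an implicit deny. The inside ACL only
# permits inside source addresses (the anti-spoofing rule Vincent refers to); the
# outside ACL publishes one DMZ service (HTTP). The DMZ interface has no ACL.
ACLS = {
    "inside": [("permit", INSIDE_NET, ANY, None)],
    "outside": [("permit", ANY, DMZ_NET, 80)],
}

def egress_for(dst):
    """Minimal routing lookup: which PIX interface owns the destination."""
    dst = ipaddress.ip_address(dst)
    if dst in DMZ_NET:
        return "dmz"
    if dst in INSIDE_NET:
        return "inside"
    return "outside"

def evaluate(ingress, src, dst, dport):
    """Return (verdict, reason) for a packet entering the PIX on `ingress`."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    egress = egress_for(dst)
    if ingress in ACLS:
        for action, src_net, dst_net, port in ACLS[ingress]:
            if src in src_net and dst in dst_net and port in (None, dport):
                return action, f"{ingress} ACL entry matched"
        return "deny", f"no {ingress} ACL entry matched (implicit deny)"
    # No ACL applied: PIX default allows higher-to-lower security level only.
    if SECURITY[ingress] > SECURITY[egress]:
        return "permit", f"{ingress}({SECURITY[ingress]}) > {egress}({SECURITY[egress]})"
    return "deny", f"{ingress}({SECURITY[ingress]}) <= {egress}({SECURITY[egress]})"

if __name__ == "__main__":
    client, dmz_web = "203.0.113.7", "192.0.2.10"
    # Before the change: the Internet client reaches the DMZ web host via outside.
    print("outside->dmz", evaluate("outside", client, dmz_web, 80))
    # After the change: the same client arrives on inside via the COLO link.
    print("inside->dmz ", evaluate("inside", client, dmz_web, 80))
    # A genuine inside host still reaches the DMZ.
    print("inside host ", evaluate("inside", "10.1.2.3", dmz_web, 80))
```

The point to take from the run is that once an ACL is applied to an interface it governs that interface's inbound traffic, so the security-level comparison the question relies on never comes into play for the inside interface.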

You need active-active failover to enable asr-routing.

Lutz Donnerhacke

That is not exactly what I am looking to do, but thanks. We will probably consider it at a later time.

Dustin
