Pix as ipsec endpoint only?

Hello,

Because of the way our Quest PRN network is set up and the fact that there is already a firewall in place on Quest's side, I was wondering if there is a way to configure the Pix just as an ipsec endpoint without all traffic passing through it? Could just one ethernet port be used with an internal IP address?

Thanks.

Reply to
Marv

In article , Marv wrote:
:Because of the way our Quest PRN network is set up and the fact that
:there is already a firewall in place on Quest's side, I was wondering
:if there is a way to configure the Pix just as an ipsec endpoint
:without all traffic passing through it? Could just one ethernet port
:be used with an internal IP address?

Yes, as long as the outer firewall allows the necessary ports or protocols through. See

Reply to
Walter Roberson

Thanks for the response.

Allowing the ports inbound will not be a problem.

Do I need to connect both ports of the Pix to an internal switch? Or can I just connect one with an internal IP address?

Thanks.

Reply to
Marv

In article , Marv wrote:
|>In article ,
|>Marv wrote:
|>:if there is a way to configure the Pix just as an ipsec endpoint
|>:without all traffic passing through it? Could just one ethernet port
|>:be used with an internal IP address?

|Do I need to connect both ports of the Pix to an internal switch? Or
|can I just connect one with an internal IP address?

"Both ports" would tend to imply that you have a PIX 506 or 506E, as the other models either have more ports or are able to have more ports.

Your reference to IPSec implies you are running PIX 6 -- PIX 5 used a proprietary Private Link protocol. And that in turn implies that you are not running a PIX 510 or PIX Classic -- but that you are running a 500 series PIX.

If you are using any of the 500 series PIX models that support PIX 6, *other than* the PIX 501, then if you run a new enough PIX 6.3 version, you can get away with using just one physical port, provided that that one port can be connected through an 802.1Q trunk to a router. In such a situation, you can create "logical interfaces" on your PIX, each of which corresponds to a VLAN (with the base physical interface corresponding to the untagged native VLAN.)

If you cannot or would prefer not to go the logical interface route, then unless you upgrade to PIX 7.0 (not available on the 501 or 506/506E or 520), you will need to connect both the inside and outside interfaces to something.

Note: I may have misunderstood your phrase "without all the traffic passing through it." The PIX is not able to just decapsulate packets and return them out the same physical interface: traffic to the PIX always goes through the usual logic sequence. PIX 6 with logical interfaces still has all of the Security Level, no traffic-bouncing logic. PIX 7 allows a number of these restrictions to be overridden -- for example, PIX 7 allows "transparent" firewalling with the inside and outside being in the same IP address space.

Reply to
Walter Roberson
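An added configuration sketch (not part of Walter's post, and not taken from any Quest or Cisco document) of the single-port arrangement he describes on a PIX 6.3 model other than the 501: the one cabled port is an 802.1Q trunk, its untagged native VLAN becomes the outside interface, a tagged logical VLAN becomes the inside interface, and the IPsec crypto map is bound to the outside interface. Every address, VLAN ID, name and the peer address is a placeholder, and the second port is assumed to be left unused (its default "inside" nameif must be renamed first so the name can be reused).

```text
! --- one cabled port (ethernet0) on an 802.1Q trunk to the switch/router ---
interface ethernet0 100full
! untagged native VLAN 10 on ethernet0 acts as the outside interface
interface ethernet0 vlan10 physical
! tagged VLAN 20 on ethernet0 is a logical interface for the inside LAN
interface ethernet0 vlan20 logical
! ethernet1 is not connected; rename it away from "inside" and shut it down
interface ethernet1 shutdown
nameif ethernet1 unused security10
nameif ethernet0 outside security0
nameif vlan20 inside security100

! placeholder addresses (192.168.0.0/24 is the LAN mentioned in the thread)
ip address outside 198.51.100.2 255.255.255.0
ip address inside 192.168.0.2 255.255.255.0
route outside 0.0.0.0 0.0.0.0 198.51.100.1 1

! --- IPsec: only the LAN <-> remote-subnet traffic is "interesting" ---
access-list TO_REMOTE permit ip 192.168.0.0 255.255.255.0 10.10.0.0 255.255.255.0
! do not NAT the tunnelled traffic (PIX 6 needs a nat statement to pass it)
nat (inside) 0 access-list TO_REMOTE
! decrypted traffic bypasses the outside interface ACL, so TO_REMOTE is the gate
sysopt connection permit-ipsec

crypto ipsec transform-set REMOTE-TS esp-3des esp-sha-hmac
crypto map REMOTE-MAP 10 ipsec-isakmp
crypto map REMOTE-MAP 10 match address TO_REMOTE
crypto map REMOTE-MAP 10 set peer 203.0.113.1
crypto map REMOTE-MAP 10 set transform-set REMOTE-TS
crypto map REMOTE-MAP interface outside

isakmp enable outside
isakmp key <PRE-SHARED-KEY-PLACEHOLDER> address 203.0.113.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
```

Two points follow from the thread. First, the outer firewall has to pass IKE (UDP/500) and ESP (IP protocol 50) to the PIX's outside address, plus UDP/4500 if NAT traversal is involved; those are the "necessary ports or protocols" in the earlier reply. Second, because the PIX will not bounce decrypted packets back out the interface they arrived on, traffic for the remote subnet has to reach the PIX's inside address: either the LAN hosts or the existing gateway need a route for 10.10.0.0/24 via 192.168.0.2 in this sketch. The 3DES/SHA-1/group 2 parameters reflect the PIX 6 era; on equipment that supports it, AES and SHA-2 are the appropriate choices, and the pre-shared key should be long and unique to this peer.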

The model I will be using is a Pix 501, so I'm assuming I will have to connect both interfaces to the same switch?

The current gateway at the location is a Quest managed Cisco 1720. The internal interface on the 1720 is 192.168.0.1.

What would be the best approach in this scenario?

Thanks.

Reply to
Marv
