In article , Marv wrote:
>> In article , Marv wrote:
>>> if there is a way to configure the Pix just as an ipsec endpoint
>>> without all traffic passing through it? Could just one ethernet port
>>> be used with an internal IP address?
> Do I need to connect both ports of the Pix to an internal switch? Or
> can I just connect one with an internal IP address?
"Both ports" would tend to imply that you have a PIX 506 or 506E, as the other models either have more ports or are able to have more ports.
Your reference to IPSec implies you are running PIX 6 -- PIX 5 used a proprietary Private Link protocol. And that in turn implies that you are not running a PIX 510 or PIX Classic -- but that you are running a 500 series PIX.
If you are using any of the 500 series PIX models that support PIX 6, *other than* the PIX 501, then if you run a new enough PIX 6.3 version, you can get away with using just one physical port, provided that that one port can be connected through an 802.1Q trunk to a router. In such a situation, you can create "logical interfaces" on your PIX, each of which corresponds to a VLAN (with the base physical interface corresponding to the untagged native VLAN.)
If you cannot or would prefer not to go the logical interface route, then unless you upgrade to PIX 7.0 (not available on the 501 or 506/506E or 520), you will need to connect both the inside and outside interfaces to something.
Note: I may have misunderstood your phrase "without all the traffic passing through it." The PIX is not able to just decapsulate packets and return them out the same physical interface: traffic to the PIX always goes through the usual logic sequence. PIX 6 with logical interfaces still has all of the Security Level, no traffic-bouncing logic. PIX 7 allows a number of these restrictions to be overridden -- for example, PIX 7 allows "transparent" firewalling with the inside and outside being in the same IP address space.
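To make the "one physical port plus logical interfaces" arrangement from the reply above concrete, here is an added configuration example; it is not from the thread or from Cisco documentation quoted here. It assumes a PIX 6.3 model with at least two physical ports (a PIX 515E is assumed), that `ethernet0` is the only cabled port, that VLAN 10 (untagged native) is used for outside and VLAN 20 (tagged) for inside, and that the far end is a Catalyst IOS switch port on `FastEthernet0/1`; the VLAN IDs, interface names and 192.0.2.0/24 and 192.168.1.0/24 addresses are all made up for the example.

```cisco
! ===== PIX 6.3 side (assumed PIX 515E, ethernet0 is the only connected port) =====
interface ethernet0 100full
! VLAN 10 is the untagged native VLAN on the physical port: this is "outside".
interface ethernet0 vlan10 physical
! VLAN 20 arrives tagged on the same port as a logical interface: this is "inside".
interface ethernet0 vlan20 logical
! The unused second port is shut down so nothing can be plugged into it later.
interface ethernet1 100full shutdown
!
! Security levels still apply: inside (100) to outside (0) follows the normal
! PIX rules; outside to inside needs explicit static/conduit or access-list entries.
nameif ethernet0 outside security0
nameif vlan20 inside security100
!
ip address outside 192.0.2.2 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1

! ===== Switch side (assumed Catalyst IOS, port facing PIX ethernet0) =====
interface FastEthernet0/1
 description 802.1Q trunk to PIX ethernet0 (native=outside VLAN 10, tagged inside VLAN 20)
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10,20
 switchport mode trunk
```

The check that matters on the far end is that VLAN 10 and VLAN 20 stay separate layer-2 segments all the way to the Internet-facing router and the LAN respectively: if the trunking device has a routed interface in both VLANs, traffic can cross between them without ever entering the PIX, and the firewall (and its IPSec policy) is bypassed. Restricting the trunk to exactly the two VLANs with `switchport trunk allowed vlan` and keeping the native VLAN explicit also avoids the untagged-frame ambiguity that otherwise lets frames land on the wrong side.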