PIX and DMZ

The fact that you are using a PIX is a good start.

Reply to
Munpe Q

I use a PIX 515e and am trying to configure something like this:

LAN ---- PIX -------- CISCO_ROUTER ----(internet)
          |
         dmz
      WEB_SERWER (local ip 192.168.101.2) (public ip *.*.*.167)

I made a mistake, and I can't connect to the public IP of WEB_SERWER, *.*.*.167, from the LAN or from the internet.

nameif ethernet0 WAN security0
nameif ethernet1 LAN security99
nameif ethernet2 DMZ security50
access-list outside_in permit tcp any host *.*.*.167 eq www
access-list outside_in permit icmp any any
ip address WAN *.*.*.166 255.255.255.224
ip address LAN 192.168.0.165 255.255.255.0
ip address DMZ 192.168.101.1 255.255.255.252
global (DMZ) 1 *.*.*.168 netmask 255.255.255.224
nat (LAN) 1 192.168.0.0 255.255.255.0 0 0
alias (LAN) *.*.*.167 192.168.101.2 255.255.255.255
static (DMZ,WAN) *.*.*.167 192.168.101.2 netmask 255.255.255.255 0 0
access-group outside_in in interface WAN
route WAN 0.0.0.0 0.0.0.0 *.*.*.169 1

What is wrong?

Reply to
Tomi

Actually, and it didn't come across when I posted, I'd rather see a PIX as a door stop than a freakin' firewall. It amazes me how many people don't perform due diligence when implementing a firewall solution and automagically pimp out Cisco and then wonder why they have non-stop difficulty implementing them. Security has to be strong but doesn't need to be impossible to implement.

So to Tomi, take that thing and use it to prop up your monitor or something.

Reply to
Munpe Q

Swearing by Cisco may be well and fine, but PIX isn't an in-house Cisco product; it was originally made and sold by another company that Cisco bought. Its core design still betrays its non-Cisco origins.

Regards,

Reply to
Arthur Hagen

You are not trying to suggest a better piece of kit than the PIX, are you? I swear by Cisco kit.

Reply to
K

The config is good on PIX... check whether you have the ports open on your router... Rgds,

Kamal

Reply to
kamalarora10

Take a look around, look at DI on Netscreen, and IDS on a Sonicwall, even better, get a demo of them in action. You'll never look at a PIX again. PIX performance, functionality, and security levels are crap for today's market. A PIX501 for example is nothing better than your average crappy off-the-shelf SPI Firewall/Router that sells for $30.

Reply to
Mark S

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.