topic Re: Getting Started with PIX 506 in Network Security

Getting Started with PIX 506

srberg5219 — Mon, 11 Mar 2019 09:50:05 GMT

First of all, thank you for remembering when you first started with PIX appliances...

I recently purchased a pre-owned PIX 506 running software version 5.1(2). I am currently unable to upgrade this software since I do not have the apprpriate 'service contract', so I am stuck with this software version.

Although I did receive the manual 'Configuration Guide for the Cisco PIX Firewall Version 5.1', I am a bit lost with this firewall.

My network:

ADSL Router (ISP Provided) =>PIX=>Switch=>Network

Subnet: 192.168.254.0/24

Netmask: 255.255.255.0

Static External IP assigned by ISP:74.41.202.106

Questions:

1) The 'inside' interface should be a LAN assigned IP? (Ex. 192.168.254.3)

2) What should the 'outside' interface be set to?

Re: Getting Started with PIX 506

vitripat — Wed, 21 Mar 2007 15:34:34 GMT

Questions:

1) The 'inside' interface should be a LAN assigned IP? (Ex. 192.168.254.3)

- Yes, inside interface should be in 192.168.254.0/24 subnet. You can choose any free IP and make it as the gateway for the internal network.

2) What should the 'outside' interface be set to?

- "Static External IP assigned by ISP:74.41.202.106", as this is the IP given to you by your ISP, this should be on the outside interface of PIX. However, they must have also provided the subnet mask and the gateway IP. Please use the subnet mask while configuring IP address on outside interface, and use the gateway_IP as such:

route outside 0 0 gateway_ip

With this command in, PIX will know where to route traffic for internet.

Hope that helps.

Regards,

Vibhor.

Re: Getting Started with PIX 506

huynhkhay — Wed, 21 Mar 2007 15:36:08 GMT

Hi,

1) correct

2) If 74.41.202.106 is the ADSL router address, you should set the "outside" interface to an address in the same subnet of your ADSL Router. And your default gateway on your PIX will be the ADSL Router.

Hope it helps

Re: Getting Started with PIX 506

srberg5219 — Wed, 21 Mar 2007 16:10:44 GMT

Here is my subnet structure:

Router LAN IP: 192.168.254.1

* 74.41.202.106 IP is the static IP I lease from my ISP for access to my web servers/email servers FROM the internet.

So I should set the following:

1) Inside Interface IP: 192.168.254.2

2) Outside Interface IP: 192.168.254.3

3) PIX Gateway IP:192.168.254.1 (since this is the LAN IP of the router)

My gartitude ahead of time...

Re: Getting Started with PIX 506

vitripat — Wed, 21 Mar 2007 16:20:34 GMT

So I should set the following:

1) Inside Interface IP: 192.168.254.2

- Yes.

2) Outside Interface IP: 192.168.254.3

- No. The outside interface and inside interface cannot be in same subnet. You should use 74.41.202.106 on the outside interface of PIX and connect the outside interface to the ADSL modem.

3) PIX Gateway IP:192.168.254.1 (since this is the LAN IP of the router)

- Not sure where is this router placed. Is your ISP terminating currently on this router? What type of connection do you have .. PPPoE/PPPoA/DSL etc?

Also, it seems that you already have a network setup with ISP terminating on the router and internal network connected to the 192.168.254.1 interface. Now you are trying to place a PIX in between. Let me know if this is the situation.

Regards,

Vibhor.

Re: Getting Started with PIX 506

acomiskey — Wed, 21 Mar 2007 16:23:01 GMT

diagram is in his first post. it appears to be adsl router not modem. I assume 74.41.202.106 is the address on outside of router so he cannot make this pix outside.

Re: Getting Started with PIX 506

srberg5219 — Wed, 21 Mar 2007 16:29:41 GMT

This firewall is being integrated into an existing network where the router's IP (192.168.254.1) was set as the 'Default Gateway' on workstations and servers (Windows based) and as the 'forwarding' address in Windows DNS.

Physically, here is my layout before PIX:

===Internet===

===Router=== (LAN IP of 192.168.254.1)

===Switch=== (unmanaged)

===Network=== (Web/Email servers-IPs set)

I am placing my PIX AFTER the router:

===Internet===

===Router=== (LAN IP of 192.168.254.1)

===PIX 506===

===Switch=== (unmanaged)

===Network=== (Web/Email servers-IPs set)

**Connection type is PPPoA

Re: Getting Started with PIX 506

srberg5219 — Wed, 21 Mar 2007 16:30:31 GMT

acomiskey is correct...

Re: Getting Started with PIX 506

vitripat — Wed, 21 Mar 2007 16:36:20 GMT

Thanks for the updates. However, in this scenario, we will have some major changes ..

As I mentioned earlier, outside and inside interfaces of PIX cannot be in same subnet, thus, if we place PIX in between, we will have to change the network addressing on whole internal network.

LAN IP of router will remain 192.168.254.1, which will also be the gateway IP of the PIX. You can assigne PIX outside interface any free IP in the same subnet. Now we need to give inside interface a totally new subnet and whole of your internal network will also be in the same new subnet as of PIX's inside interface. Let me know if this suits you.

Regards,

Vibhor.

Re: Getting Started with PIX 506

srberg5219 — Wed, 21 Mar 2007 16:46:13 GMT

So if I understand correctly, this will be my setup:

1)Router IP: 192.168.254.1

2)PIX OUTSIDE interface: 192.168.254.2

3)PIX INSIDE Interface AND whole internal network: New subnet of 192.168.253.0/24.(or whatever new subnet I want to assign)

Re: Getting Started with PIX 506

acomiskey — Wed, 21 Mar 2007 18:29:43 GMT

If it were me, I would ditch the dsl router, get a dsl modem, assign 74.41.202.106 to the outside of pix, 192.168.254.1 to inside and be done with it. Then you won't have to change anything on the inside. Unless of course, you need an outside router. And it may have been easier to just change the transport network between the outside router and pix, rather than change your inside network.

Re: Getting Started with PIX 506

srberg5219 — Wed, 21 Mar 2007 20:16:06 GMT

My gratitude for everyone's time...