https://community.cisco.com/t5/network-security/how-to-get-pix-515-put-between-router-and-switch-design-issue/m-p/199804#M629440 <HTML><HEAD></HEAD><BODY><P>how able getting a cheap 1605 and using it as your gateway router and leave the entire setup inplace and just change the route statement on your current router.</P><P></P><P>then put the 1605 and the PIX infront of your network.</P><P></P><P>that would require the least amount of work. I would suggest getting a 2600 and using the CBAC since application layer filtering is love against virus's</P></BODY></HTML> Sun, 31 Aug 2003 19:09:05 GMT koaps 2003-08-31T19:09:05Z https://community.cisco.com/t5/network-security/how-to-get-pix-515-put-between-router-and-switch-design-issue/m-p/199802#M629438 <P>Hello there,</P><P></P><P>It's more question of design, so I'd really appreciate any ideas. Basically we have a leased line connection, it's connected thru serial interface to 1721 router. There are 12 VLANs (subinterfaces) setup on internal router's ethernet interface and there is a HP layer2/3 switch connected to the router, which maintain all those VLANs. We have decided to put a firewall (PIX 515E) between a router and a switch - now the main question: how to implement it, and preferably, save existing VLANs. We have a small range of static IPs, but they are for serial router's interface only - the internal interface has non-routable IP range. </P><P>Is it possible to use the same IP address on both PIX's interfaces ? Or is there any other way to go ?</P><P></P><P>Thanks,</P><P>Alexander </P> Fri, 21 Feb 2020 06:57:45 GMT https://community.cisco.com/t5/network-security/how-to-get-pix-515-put-between-router-and-switch-design-issue/m-p/199802#M629438 anthony.barlow 2020-02-21T06:57:45Z https://community.cisco.com/t5/network-security/how-to-get-pix-515-put-between-router-and-switch-design-issue/m-p/199803#M629439 <HTML><HEAD></HEAD><BODY><P>You don't talk about inter-VLAN routing. Here, i suppose you don't do it with the 1721.</P><P></P><P>One way to do what you are looking for is:</P><P>1- All 12 VLANs can be terminated into the PIX instead of 1721.</P><P>2- Then the PIX inside's IP addresses should be those actually assigned to 1721's e0 (including subinterface). That way, you don't have to reconfigure internal host's default gateway.</P><P>3- Now you need a new subnet between the PIX and the router.</P><P></P><P>This design doesn't consider any public server, if any, that should be move in the DMZ.</P><P></P><P>Regards</P><P></P><P>Ben</P><P></P></BODY></HTML> Sat, 30 Aug 2003 21:11:18 GMT https://community.cisco.com/t5/network-security/how-to-get-pix-515-put-between-router-and-switch-design-issue/m-p/199803#M629439 bdube 2003-08-30T21:11:18Z https://community.cisco.com/t5/network-security/how-to-get-pix-515-put-between-router-and-switch-design-issue/m-p/199804#M629440 <HTML><HEAD></HEAD><BODY><P>how able getting a cheap 1605 and using it as your gateway router and leave the entire setup inplace and just change the route statement on your current router.</P><P></P><P>then put the 1605 and the PIX infront of your network.</P><P></P><P>that would require the least amount of work. I would suggest getting a 2600 and using the CBAC since application layer filtering is love against virus's</P></BODY></HTML> Sun, 31 Aug 2003 19:09:05 GMT https://community.cisco.com/t5/network-security/how-to-get-pix-515-put-between-router-and-switch-design-issue/m-p/199804#M629440 koaps 2003-08-31T19:09:05Z https://community.cisco.com/t5/network-security/how-to-get-pix-515-put-between-router-and-switch-design-issue/m-p/199805#M629441 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>thanks for answer,</P><P>what would you tell me about </P><P>"ip unnumbered" for Serial0 interface ? That way, I'd move routable network behind the router and in front of the PIX.</P><P>Another question - in order to use existing VLANs - do i just need a number of different IP addresses to set up on PIX's internal Ethernet interface? How many can i set up for 515E at all (maximum) ?</P><P></P><P>Thanks.</P></BODY></HTML> Mon, 01 Sep 2003 22:26:30 GMT https://community.cisco.com/t5/network-security/how-to-get-pix-515-put-between-router-and-switch-design-issue/m-p/199805#M629441 anthony.barlow 2003-09-01T22:26:30Z https://community.cisco.com/t5/network-security/how-to-get-pix-515-put-between-router-and-switch-design-issue/m-p/199806#M629442 <HTML><HEAD></HEAD><BODY><P>The ip unnumbered config looks perfect.</P><P></P><P>Yes, you just need a number of different IP addresses, one for each VLAN, to set up on PIX's internal interface.</P><P></P><P>But, there is a problem with the number of VLANs and the PIX model you have, the maximum described by Cisco is 8 VLANs.</P><P></P><P>Can you decrease this number of VLANs by cascading some nets behind others?</P><P></P><P>Ben</P><P></P></BODY></HTML> Tue, 02 Sep 2003 01:40:34 GMT https://community.cisco.com/t5/network-security/how-to-get-pix-515-put-between-router-and-switch-design-issue/m-p/199806#M629442 bdube 2003-09-02T01:40:34Z https://community.cisco.com/t5/network-security/how-to-get-pix-515-put-between-router-and-switch-design-issue/m-p/199807#M629443 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>I spoke to Cisco support, it's possible to use PIX w/o VLAN setup, (part of tech article of </P><P><A class="jive-link-custom" href="http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/bafwcfg.htm#1113411" target="_blank">http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/bafwcfg.htm#1113411</A> </P><P>)</P><P></P><P>By default, with no VLANs configured, the PIX Firewall sends untagged</P><P>packets to any directly connected switch. If an untagged packet is received</P><P>by a switch on a trunk port, the switch forwards the packet on the native</P><P>VLAN assigned for that trunk port. By default, switches assign VLAN 1 to the</P><P>native VLAN.</P><P></P><P>I'm just wondering, in that case - how many IP addresses I can set up on PIX's ethernet interface ?</P><P></P><P></P></BODY></HTML> Wed, 03 Sep 2003 08:21:32 GMT https://community.cisco.com/t5/network-security/how-to-get-pix-515-put-between-router-and-switch-design-issue/m-p/199807#M629443 anthony.barlow 2003-09-03T08:21:32Z https://community.cisco.com/t5/network-security/how-to-get-pix-515-put-between-router-and-switch-design-issue/m-p/199808#M629444 <HTML><HEAD></HEAD><BODY><P>Anthony,</P><P></P><P>For security reason, you should not use VLAN 1, this one is normally reserved for switch management purpose only. Also, this doesn't solve the issue to join your 12 VLANs.</P><P></P><P>Koaps is proposing another solution who looks fine. Read his post.</P><P></P><P>Regards</P><P></P><P>Ben</P><P></P></BODY></HTML> Wed, 03 Sep 2003 13:18:00 GMT https://community.cisco.com/t5/network-security/how-to-get-pix-515-put-between-router-and-switch-design-issue/m-p/199808#M629444 bdube 2003-09-03T13:18:00Z