01-22-2003 02:27 PM - edited 02-20-2020 10:30 PM
Hello-
Have a client that does not want to spring for a 515, so I'm trying to figure a way to connect the two 506s they already have to provide DMZ functionality. Does anyone know if a nested PIX config would work with two layers of NAT? Would static mappings to hosts behind the 2nd PIX be effective? And lastly, I'm guessing that VPN would work to both units if ACLs on the first allowed VPN traffic to reach the 2nd?
Thank you,
Jonathan
01-22-2003 02:48 PM
Hi
If I'm reading it right you mean having a setup like:
(Internet)---[Pix1]---(dmz)---[Pix2]---(Internal LAN)
This setup would work fine with 2 layers of NAT, although statically mapping an internal LAN address to a 'DMZ' address on Pix2 and then to a public address on Pix1 basically would provide no more security than not bothering with Pix2 at all, so I can't see it really being worth doing. Any host that needs a static mapping to an Internet address really should remain in the DMZ area and not the internal LAN. Also, if you are intending to use an IPsec-based VPN tunnel on Pix2 it wouldn't work, as the packets will be discarded after they have been subjected to NAT on Pix1.
Hope that helps
Kev
01-23-2003 04:00 PM
Appreciate the info, thank you.
I agree, and we are not planning on statically mapping servers behind Pix#2; I was simply curious if it could work.
Re IPsec, couldn't one avoid your concern by using NAT 0 with appropriate ACLs on Pix#1?
Thanks,
Jonathan
01-26-2003 02:46 PM
I think 2 506s in line would work great for a DMZ. If you put the servers between the two PIXs then it would in essence be a DMZ; just map static addresses to the servers and you still have the security of the inner 506. As for a VPN session you could do two things:
1. Terminate the VPN on the outer PIX and have the inner PIX access-list allow through all private IP addresses assigned by the outer PIX for VPN access.
2. Or you could statically forward the packets through the first PIX and have the second one terminate the VPN.
Basically, whatever you do, have the VPN traffic avoid NAT... I would probably choose the second choice, as that would have the VPN terminate on the inner PIX just as if there was only one PIX.
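A concrete version of the second option, as an added example that is not from any of the posters: Pix1 (the outer 506, inside interface facing the DMZ segment) gives Pix2 a fixed one-to-one public address and admits only IKE and ESP to it, so the tunnel endpoint is never PATed; Pix2 terminates the tunnel and exempts the tunnelled LAN traffic from its own NAT with nat 0. All addresses, names, the remote peer and the key are constructed placeholders, and PIX 6.x syntax is assumed.

```cisco
! --- Pix1 (outer 506): inside = DMZ 192.168.10.0/24, Pix2 sits at 192.168.10.2 ---
! Constructed placeholder addresses (RFC 5737 public, RFC 1918 private)
ip address outside 203.0.113.1 255.255.255.0
ip address inside 192.168.10.1 255.255.255.0
! Ordinary PAT for DMZ hosts going out
global (outside) 1 interface
nat (inside) 1 192.168.10.0 255.255.255.0
! Fixed 1:1 mapping so the inner PIX always appears as 203.0.113.10 (no port rewriting)
static (inside,outside) 203.0.113.10 192.168.10.2 netmask 255.255.255.255
! From the Internet, only IKE (UDP/500) and ESP may reach the mapped address
access-list outside_in permit udp any host 203.0.113.10 eq isakmp
access-list outside_in permit esp any host 203.0.113.10
access-group outside_in in interface outside

! --- Pix2 (inner 506): outside = DMZ side, inside = LAN 10.1.1.0/24 ---
ip address outside 192.168.10.2 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.168.10.1 1
! LAN <-> remote site (10.2.2.0/24) must not be translated; everything else is PATed
access-list nonat permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list nonat
global (outside) 1 interface
nat (inside) 1 10.1.1.0 255.255.255.0
! IPsec tunnel to the remote peer (constructed address 198.51.100.5); the same
! ACL selects the interesting traffic, so NAT exemption and the tunnel always agree
sysopt connection permit-ipsec
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map vpnmap 10 ipsec-isakmp
crypto map vpnmap 10 match address nonat
crypto map vpnmap 10 set peer 198.51.100.5
crypto map vpnmap 10 set transform-set strong
crypto map vpnmap interface outside
isakmp enable outside
isakmp key REPLACE-WITH-PRE-SHARED-KEY address 198.51.100.5 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
```

The remote peer is configured with 203.0.113.10 as its peer address; because the static is 1:1 and ESP does not protect the outer IP header, the translation on Pix1 does not break the tunnel the way a PAT would.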