Firewall Replacement IBM AIX to CISCO pix/FWSM

reggae3227
Level 1

In our network we currently have 4 external unsecure networks that customers use to access our internal secure network. Currently, we use 4 IBM AIX Secureway firewalls to filter the traffic. This means upgrading and managing 4 separate firewalls which allow basically the same access, with some variations, to our internal network. The IBM AIX SECUREWAY product is going out of support by IBM and we are researching the possibilities of replacing the 4 AIX firewalls with 4 pix boxes as a one-to-one replacement. I have a problem with the one-to-one replacement, again due to the management of 4 separate pix boxes.

I was thinking of using a 6506 catalyst switch with the FWSM/VPN modules to achieve connectivity/filtering between the 4 external unsecure networks and our internal secure and DMZ networks, and have the management of the firewall all in one box. Has anyone implemented this type of setup, using 4 outside unsecure vlans filtering through to an internal secure network via another 6509 cat switch using the FWSM, and how does it compare to managing multiple pix boxes?

3 Replies

johnkelley
Level 1

Operationally, I think you will find challenges in managing the policies depending on your size. Allowing connectivity between interfaces can be tricky even though they have disabled ASA for the most part. I think you should look into the possibility of using contexts instead of using one firewall to do all of it. Just a thought. And the FWSM context design is brand new with very little field time, so users beware.

And if you are not familiar with the idea of contexts: it is essentially one FWSM with multiple virtual firewalls. So one piece of hardware, 4 virtual devices and 4 different change domains, bla blah blah..

I am familiar with the multiple contexts concept but only from reading the config guide. Do you have multiple contexts installed in a production environment? I wouldn't want the outside vlans to have connectivity to each other, but I do need inside networks to have connectivity to all of the outside vlans. Isn't the FWSM code based off the PIX concepts, only to get the full IPSEC functionality you need to add the IPSEC VPN module along with the FWSM?

There are subtle differences for those who are very familiar with the PIX. For example, the lower-to-higher security interface (ASA) model is configurable. You can turn it on or off; when it's off, traffic on any interface that doesn't have an ACL is automatically denied. You need to create ACLs to allow communication from one interface to another, more like a router. Not too sure about the VPN capabilities on the FWSM; we don't use that function. We do not use multiple contexts as of yet, but we are looking into it.
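As an added illustration of the explicit-ACL model described above (this is not configuration from the thread or from Cisco documentation), here is a single-context FWSM layout in assumed 3.x-style syntax with constructed addresses: customer VLANs (two of the four shown) can reach only one DMZ service, cannot reach each other, and the inside network needs its own ACL before it can reach anything.

```cisco
! Assumed FWSM 3.x syntax, single context; all addresses are constructed examples.
! Routed with no address translation so the example stays about filtering.
no nat-control
! Secure side
interface Vlan10
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
interface Vlan20
 nameif dmz
 security-level 50
 ip address 10.2.2.1 255.255.255.0
! Two of the four customer (unsecure) VLANs; customers 3 and 4 follow the same pattern
interface Vlan101
 nameif cust1
 security-level 0
 ip address 192.0.2.1 255.255.255.0
interface Vlan102
 nameif cust2
 security-level 0
 ip address 198.51.100.1 255.255.255.0
! Customer interfaces: only the published DMZ service is reachable. Anything else,
! including the other customer VLANs, hits the explicit deny and is logged for review.
access-list CUST1_IN extended permit tcp 192.0.2.0 255.255.255.0 host 10.2.2.10 eq 443
access-list CUST1_IN extended deny ip any any log
access-group CUST1_IN in interface cust1
access-list CUST2_IN extended permit tcp 198.51.100.0 255.255.255.0 host 10.2.2.10 eq 443
access-list CUST2_IN extended deny ip any any log
access-group CUST2_IN in interface cust2
! Inside: unlike the PIX default, higher-to-lower traffic is not permitted implicitly,
! so the inside interface needs an ACL before it can reach the DMZ or any customer VLAN.
access-list INSIDE_OUT extended permit ip 10.1.1.0 255.255.255.0 any
access-group INSIDE_OUT in interface inside
! DMZ: return traffic for customer sessions is handled statefully, so the DMZ host only
! needs an ACL for connections it originates itself, here a constructed database port.
access-list DMZ_OUT extended permit tcp host 10.2.2.10 host 10.1.1.50 eq 1433
access-list DMZ_OUT extended deny ip any any log
access-group DMZ_OUT in interface dmz
```

The same customer ACLs carry over unchanged if each customer VLAN is later moved into its own context, which is one way to get the separate change domains mentioned in the first reply.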
