07-29-2004 03:18 AM - edited 02-20-2020 11:32 PM
Facts:
One LAN (10.73.21.0/255.255.255.128)
Gateway: 10.73.21.1
No NAT wanted.
60 computers on LAN.
Wanted net example config:
PC01 (10.73.21.45) -->
PIX inside (10.73.21.5) -->
PIX Outside (10.73.21.7) -->
Router (10.73.21.1) -->
MAN -->
Internet
Q:
Is it possible to use the PIX 501 as a firewall without NAT in stealth mode? I don't want to translate any addresses. I've discovered that it's impossible to set two IP addresses from the same subnet on both inside and outside interface on the PIX, so what can I do?
Any solution that helps without configuring NAT on the PIX is all right.
So very thankful for all help I can get!
Anders Bjurstrom
07-29-2004 06:20 AM
The PIX cannot run at Layer 2 and be completely transparent, if that is what you are getting at.
The closest I have been able to get the PIX to being transparent and do what you are trying to accomplish is by issuing a
nat (inside) 0 0 0
And simply routing between the subnets of the PIX. So your PIX outside interface would be 10.73.21.7/24 and the inside would be 10.73.22.1/24 with your clients encompassing the rest of that class C. Of course, you could subnet that however you'd like.
To aid in your stealthing, you'll need to turn off ICMP at the interface, and disable any services (SSH, Telnet, SNMP, etc) which are reachable on the PIX or limit them to the administrative IP addresses on the network.
It's possible to make the PIX pretty stealthy, but things will be a lot better with 7.0 when the PIX can run in L2 transparent mode.
Hope this helps you.
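The layout this reply describes, written out as a PIX 6.3 configuration. This is an added illustration, not something posted in the thread. The interface names, the admin workstation 10.73.22.10, the domain name and the router being IOS are assumptions; everything else comes from the reply above.

```cisco
: PIX 501, 6.3 syntax. Outside 10.73.21.7/24 faces the router, inside 10.73.22.1/24 faces the PCs.
hostname pix501
domain-name example.local
nameif ethernet0 outside security0
nameif ethernet1 inside security100
interface ethernet0 10baset
interface ethernet1 100full
ip address outside 10.73.21.7 255.255.255.0
ip address inside 10.73.22.1 255.255.255.0
: identity NAT: inside hosts leave with their own addresses (long form of "nat (inside) 0 0 0")
nat (inside) 0 0.0.0.0 0.0.0.0
: default route toward the LAN router and the MAN
route outside 0.0.0.0 0.0.0.0 10.73.21.1 1
: the PIX neither answers nor announces itself via ICMP on the outside;
: on the inside only the assumed admin host may ping it
icmp deny any outside
icmp permit host 10.73.22.10 255.255.255.255 inside
icmp deny any inside
: management: SSH from the assumed admin host only, nothing else listening
ca generate rsa key 1024
ca save all
ssh 10.73.22.10 255.255.255.255 inside
ssh timeout 5
: no "telnet ..." and no "snmp-server host ..." lines, so telnet and SNMP accept no one
no http server enable
```

Two checks before relying on this: the router at 10.73.21.1 needs a route back to the new inside subnet (on IOS, assuming that is what the router runs: `ip route 10.73.22.0 255.255.255.0 10.73.21.7`), and every PC has to move to 10.73.22.x with 10.73.22.1 as its default gateway, which is the part "simply routing between the subnets" costs you compared to a truly transparent box.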
07-29-2004 06:36 AM
All good info here. I just wanted to throw one other little tidbit of information to let you guys know that the PIX 501 and 506/506E will not be supported initially by PIX 7.0 code. They will be included in a follow on release (7.1) which will be released shortly after the initial 7.0 launch. So transparent firewalling will not be in the PIX 501's (as is being used in this case) for at least a little while.
Scott
07-29-2004 11:26 AM
Interesting information. I guess it's probably because of the hardware differences or CPU optimization differences between platforms. Typically releases have been a one-platform-type thing from 6 up.
07-29-2004 11:16 PM
Thanks for the info!
Do you have any idea of when we can expect v. 7.1 to be released?
Regards,
Anders
07-30-2004 06:19 AM
No timeframe set for the 7.1 release (7.0 hasn't even hit the streets yet) but it would be safe to assume 7.1 will not be ready until the Spring of '05.
Scott
07-29-2004 09:22 AM
Bummer.
So is the 6.3.3 or 6.3.4 code on the 501/506e units going to interact well with a 515 running 7.0 and serving as the VPN head-end? Or should we wait for 7.1?
07-29-2004 11:55 AM
IPSec is IPSec, so the version on the PIX should not matter. You should be fine with the scenario above.
Scott
07-29-2004 11:29 PM
Thank you very much!
Unfortunately, this was the answer I was afraid of. Why is it that so few (or even none) manufacturers have firewalls that feature transparent mode on devices for about 50-100 users and cost around $400-500? 3Com had one before (OfficeConnect Internet Firewall DMZ), but you can't buy that one anymore. They have the OfficeConnect Internet Firewall 25, but it's only for 25 connections. I've looked into Cisco, 3Com, D-Link, Netscreen, NetGear etc., but no one has a firewall that supports L2 transparent mode for a reasonable price.
Well, I just have to wait for the release of v. 7.1 then. Thank you all for your answers!
Regards,
Anders Bjurstrom
08-03-2004 06:24 AM
I think all netscreens support l2 firewalling. IOS does too.
08-06-2004 04:48 AM
Just a thought - could the "transparent firewall" operation not be achieved by implementing a proxy-arp type setup? i.e. the pcs are in 10.73.21.0/24, but the 4 Pix firewall interfaces are laid out in /25 blocks. outside could be 10.73.21.62/24, dmz1 could be 10.73.21.126, dmz2 could be 10.73.21.190 and inside could be 10.73.21.254. All of the equipment is configured with routing and mask as if the PIX wasn't there. The PIX would proxy-arp as needed to knit the 4 subnets together. Comments?
08-06-2004 04:58 AM
hmmm, on further investigation, proxy-arp implementation on the PIX may not implement proxy-arp as defined in RFC 1027.
The limit of the proxy-arp functionality may be to "ARP requests directed at the PIX Firewall's interface IP addresses as well as to ARP requests for any static or global address defined on the PIX Firewall interface (which are proxy ARP requests)".
This would make sense in light of the known vulnerabilities of proxy-arp. If anyone knows different, let me know.