Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
485
Views
5
Helpful
2
Replies

PIX as a transparent (bridging) firewall?

Go to solution
cscott
Level 1
Level 1

‎03-13-2004 10:15 AM - edited ‎02-20-2020 11:17 PM

I'm currently doing a school project that involves the use of a PIX firewall between the ISP and the edge router of the network. The purpose is to make the network as secure as possible using only the PIX. Ideally, I'd like it if an attacker could not even see the PIX was there. This got me thinking about whether the PIX can act as a transparent firewall, that is, not have any IP addresses assigned to the interfaces nor do any routing, simply inspect/forward traffic between the inside/outside interface. Otherwise I am going to have to create a small /30 between the ISP and the PIX's outside, and the edge router and the PIX's inside and route between them.

If I have to do the latter, can you give me any advice on how to make the PIX more secure? Here is my config:

interface ethernet0 10full

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password x encrypted

passwd x encrypted

hostname pixfirewall

domain-name pix.local

fixup protocol dns maximum-length 512

no fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

access-list 100 permit icmp any any echo-reply

pager lines 24

mtu outside 1500

mtu inside 1500

ip address outside 10.0.0.1 255.255.255.252

ip address inside 10.0.0.5 255.255.255.252

ip verify reverse-path interface outside

ip verify reverse-path interface inside

ip audit name AttackPolicy attack action alarm drop reset

ip audit name InfoPolicy info action alarm drop reset

ip audit interface outside InfoPolicy

ip audit interface outside AttackPolicy

ip audit interface inside InfoPolicy

ip audit interface inside AttackPolicy

ip audit signature 2000 disable

ip audit signature 2004 disable

no pdm history enable

arp timeout 14400

nat (inside) 0 0.0.0.0 0.0.0.0 0 0

access-group 100 in interface outside

route outside 0.0.0.0 0.0.0.0 10.0.0.2 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

telnet timeout 5

ssh timeout 5

console timeout 5

terminal width 80

Any help is appreciated! Thanks!

Chris

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
gfullage
Cisco Employee
Cisco Employee

‎03-14-2004 12:12 PM

The PIX can't currently act as a Layer 2 firewall, this functionality will be in the next major release of code due out later this year. For the moment you'll need a small subnet in between the ISP and the PIX.

If you don't want people to see the PIX then first thing is to make sure it doesn't respond to pings. Use the "icmp" command for that (http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/gl.htm#wp1026574). Make sure you allow ICMP unreachables to the outside interface though so Path MTU Discovery can work properly (http://www.cisco.com/warp/public/105/38.shtml#pmtud_fail).

Other than that it looks fine, pretty standard.

View solution in original post

2 Replies 2

Go to solution
gfullage
Cisco Employee
Cisco Employee

‎03-14-2004 12:12 PM

The PIX can't currently act as a Layer 2 firewall, this functionality will be in the next major release of code due out later this year. For the moment you'll need a small subnet in between the ISP and the PIX.

If you don't want people to see the PIX then first thing is to make sure it doesn't respond to pings. Use the "icmp" command for that (http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/gl.htm#wp1026574). Make sure you allow ICMP unreachables to the outside interface though so Path MTU Discovery can work properly (http://www.cisco.com/warp/public/105/38.shtml#pmtud_fail).

Other than that it looks fine, pretty standard.

Go to solution
hugodrax
Level 1
Level 1
In response to gfullage

‎03-29-2004 11:35 PM

Will the PIX NG software :) Require Vlan configuration for both ends or is it going to be a drop in transparent bridging type L2 ??

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card