Using PIX without firewall features.

jet.pak (Level 1)

I need to install a PIX firewall to create a VPN tunnel from one site to another. However, the site currently has a SonicWall firewall appliance in place already. I was thinking about just using the PIX as a gateway on one end of the VPN tunnel and not having it act as a firewall. Does anyone know if this is possible? Is there a way to disable the firewall features on a PIX? Thanks.

4 Replies

dougz (Level 1)

To disable the firewall protection on a PIX, you would have to do this:

access-list inbound permit ip any any

access-group inbound in interface outside

That would effectively open the flood gates. The real question is do you really want to do this?

I would first consider a few options/issues:

1. How many public IP addresses do I have? If you have more than one available, could you run the PIX with another available IP address and have whichever device that is acting as the default gateway route traffic destined for the remote VPN endpoint to the PIX?

2. If you only have one available public IP address, can you replace the SonicWall with the PIX? Even a PIX 501 with a 10-user license has a throughput of 3 Mbps (approx. 2 T-1s) when using 3DES encryption. The point being that the available bandwidth would more than cover even small offices while providing a secure tunnel.

3. It sounds like what you want to do is to create a tunnel not from network edge to network edge but from inside network to inside network. Will the SonicWall (plus whatever is at the remote end) handle this? Remember that there are NAT issues to resolve and the proper ports must be opened at least at the far end.

Just some things to think about.

Doug Zitzelsberger

dougz@lebanon-utilities.com

I forgot the nat and global statements. A wide open config should look more like this:

nat (inside) 1 0.0.0.0 0.0.0.0

global (outside) 1 interface

access-list inbound permit ip any any

access-group inbound in interface outside

Just wanted to clarify.

Doug.

This is only wide open from inside to outside.

To open from outside to inside you need to configure statics to go along with the ACL.

For example if you are using 10.0.0.0/24 on your inside interface then this is what your static would look like.

static (inside,outside) 10.0.0.0 10.0.0.0 netmask 255.255.255.0

Daniel
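An added example, not posted by anyone in this thread: a PIX 6.x configuration that keeps the PIX as the site-to-site VPN endpoint while leaving the wide-open inbound policy out. Addresses are assumptions: the local LAN 10.0.0.0/24 from Daniel's post, a remote LAN of 192.168.1.0/24, a remote peer at 203.0.113.2, and PIX interface addresses from the documentation ranges. Lines beginning with `!` are annotations for the reader, not PIX commands.

```text
! Left out on purpose (the "wide open" lines posted above). Applied together
! they expose every inside host to the whole Internet, not just to the VPN peer:
!   access-list inbound permit ip any any
!   access-group inbound in interface outside
!   static (inside,outside) 10.0.0.0 10.0.0.0 netmask 255.255.255.0
! With no access-group on outside, the PIX default applies: unsolicited
! inbound through-traffic is dropped.

! Interfaces and default route (assumed addresses)
ip address outside 198.51.100.1 255.255.255.0
ip address inside 10.0.0.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 198.51.100.254 1

! PAT for ordinary Internet-bound traffic from the LAN (as posted above);
! only needed if the PIX is also the LAN's default gateway
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

! The NAT issue from Doug's point 3: LAN-to-LAN traffic must not be
! translated before it enters the tunnel, so nat 0 exempts exactly that traffic
access-list nonat permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list nonat

! Admit decrypted IPsec traffic without a separate inbound ACL entry
sysopt connection permit-ipsec

! IKE phase 1 with 3DES (the cipher Doug's throughput figure refers to);
! the key is a placeholder to be replaced before use
isakmp enable outside
isakmp key REPLACE-WITH-PRESHARED-KEY address 203.0.113.2 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! IPsec phase 2: the same nonat list selects what gets encrypted
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map vpnmap 10 ipsec-isakmp
crypto map vpnmap 10 match address nonat
crypto map vpnmap 10 set peer 203.0.113.2
crypto map vpnmap 10 set transform-set strong
crypto map vpnmap interface outside
```

The practical difference from the posted "wide open" config is that nothing on the Internet can initiate a connection to 10.0.0.0/24 through the PIX; only traffic arriving inside the tunnel from 192.168.1.0/24 reaches the LAN. For Doug's option 1, where the PIX sits beside the SonicWall on its own public address, the device acting as the LAN's default gateway still needs a route for 192.168.1.0/24 pointing at the PIX inside address, and the `nat (inside) 1` / `global` pair can be dropped if the PIX never carries ordinary Internet traffic.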

Doug, thanks for the reply. In a perfect world, I'd like to replace the SonicWall appliance with the PIX. However, the SonicWall is handling voice traffic. I'm not sure if I can completely do away with it. I have no experience with the SonicWall unit. My client is very reluctant to remove it as well. Hence, the reason to change the role of the PIX. I'm pretty sure my client has several public addresses, so your first option is something I'll have to investigate further. There will certainly be NAT issues to resolve. Perhaps I can disable the firewall features of the SonicWall instead. Maybe that's a better solution? This way the PIX can be the VPN gateway and be a firewall. I don't know if this scenario would be any easier, but I'm considering it. Thanks again for your input.
