Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
559
Views
0
Helpful
3
Replies

is it proper to deploy the PIX535 like this?

yucheng.zhao
Level 1
Level 1

‎06-08-2001 07:36 AM - edited ‎03-08-2019 08:20 PM

hi folks, i have a problem deploying our PIX firewall. the following is our network topology:

(internet Bbone)--(GSR)--(6009)--(Alteon L4 switch)--(4009)--(PIX535&WEB/Email Servers)

[note: Alteon L4 switch is for load balance among servers.]

As far as i know, PIX is usually put between a router and a switch. but in this case, the PIX is not directly connected to the router, rather, ALL of the interfaces of the PIX are connected to the Cat4009 only, there are VLANs presented on the Cat4009. the servers, like the PIX, are also connected the Cat4009 via different VLANs.

my question is: Does the PIX still work in this case? i mean, it seems like all the inbround traffics from the internet can first reach the Email/web servers without the protection of the firewall, because the firewall's position makes it impossible to block any traffic from the outside network. the firewall only works when the servers respond to the inbound traffic, because the PIX can check the returned packets sent by servers.

is this topology all right for a network which need high security? or it doesn't work at all? is there a better solution?

any help will be greatly appreciated, thanx in advance.

Labels:
0 Helpful
3 Replies 3

thisisshanky
Level 11
Level 11

‎06-08-2001 08:32 AM

hi,

this network will not have enough security bcoz the firewall has to be placed between the internet and u r internal lan. a better design would be to put the pix after the l4 switch and put the servers in the DMZ of the PIX and the 4009 for the internal lan.

4009 shud be connected to inside interface of the PIX and the L4 switch shud be connected to outside interface of the switch.

with regards,

shanky

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus
0 Helpful

thisisshanky
Level 11
Level 11

‎06-08-2001 08:38 AM

hey i got a much better solution

email /web servers

|

|

Alteon L4 switch ( for load balancing)

|

| (DMZ)

|

|

|

pix-----4009---internal lan

|

|

|

|

6009

|

|

GSR

|

|

Internet BB

with regards

shanky

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus
0 Helpful

yucheng.zhao
Level 1
Level 1
In response to thisisshanky

‎06-11-2001 04:37 AM

Hi, shanky,

Thanx for your advice, it's really helpful, guess what? we are now considering redesigning the network topology, hehehe ...

Regards,

y.c.zhao :)

0 Helpful
Customers Also Viewed These Support Documents