07-23-2003 09:45 AM - edited 03-09-2019 04:10 AM
Hi folks,
Here's the deal. I have a Linksys firewall that connects to my cable modem. Behind that I have a wireless AP. Behind that AP I have a 1720 router with some ACLs acting as a secondary firewall, thus creating some sort of DMZ. Problem is... I have a web server and an Exchange server that I don't want to put in the DMZ. I want to keep them behind the 1720. The Linksys firewall can only NAT to the DMZ network. If I turn on NAT on the 1720 and make static NAT entries on the 1720 for mail and such, then on the Linksys make NAT entries for mail and web that point to the 1720 DMZ interface, will that work?
If so, any pointers?
Many thanks
07-29-2003 11:41 AM
I think this should work. I haven't been able to locate a document to illustrate it though.
07-29-2003 11:46 AM
Thanks for responding. I know it will work. I saw an illustration of it on some web site... lost it though. If I find it, I'll point you to it. I might end up using something like Microsoft's ISA server.
Thanks
07-29-2003 01:49 PM
Sure, I've actually done this w/ 2 Pix 506E's and it does work just fine. Bottom line, an inexpensive workaround to not having to dump 4k+ on a 515E. The config does create a mock screened subnet or DMZ. Not really any tricks to it, just use statics, NAT & global on the internal Pix which destinate onto the "DMZ" private addresses. On the external firewall, use 1-1 NAT (or whatever it's called) for the "DMZ" Pix static mappings to the actual public IP's:
pix linksys
10.0.0.1 <--> 192.168.0.1 <--> public IP
Only drawbacks I can think of are performance related - w/ ingress/egress filtering on both units, an extra network hop, two layers of nested NAT, two layers of IPSec overhead, & two layers of nested static mappings, the LAN users will notice a performance hit.
Also, the rulebase configs can get dicey. I configured VPN access to both, but on the external unit, you will need to open ports like 50/esp and 500/udp to the internal Pix. Also, I haven't gotten egress filtering on the external Pix quite right yet w/o unexpectedly denying access to someone.
Best of luck.
-Jonathan
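For the original poster's 1720, the inner NAT layer that Jonathan describes looks roughly like the following IOS fragment. This is an added example, not config from either poster; the 192.168.0.1 and 10.0.0.1 addresses come from the diagram above, while the interface names, the 10.0.0.10 (Exchange) and 10.0.0.11 (web) server addresses and the ACL numbers are assumptions.

```cisco
! Added example (not from the thread): Cisco 1720 behind the Linksys,
! providing the second NAT layer described above.
! 192.168.0.1 = 1720 "DMZ"-side address, 10.0.0.1 = 1720 inside address.
! Assumed: FastEthernet0 faces the DMZ/Linksys, FastEthernet1 faces the
! inside LAN, Exchange is 10.0.0.10, the web server is 10.0.0.11.
!
interface FastEthernet0
 description DMZ side, toward the Linksys
 ip address 192.168.0.1 255.255.255.0
 ip nat outside
 ip access-group 101 in
!
interface FastEthernet1
 description Inside LAN (servers and users)
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
!
! Static port mappings: the Linksys forwards public:25 and public:80 to
! 192.168.0.1, and the 1720 forwards them on to the real servers.
ip nat inside source static tcp 10.0.0.10 25 192.168.0.1 25
ip nat inside source static tcp 10.0.0.11 80 192.168.0.1 80
!
! Outbound LAN traffic is PAT'd behind the 1720's DMZ-side address.
ip nat inside source list 1 interface FastEthernet0 overload
access-list 1 permit 10.0.0.0 0.0.0.255
!
! Inbound filter on the DMZ side. IOS evaluates the inbound ACL before
! the outside-to-inside translation, so the ACL must match on
! 192.168.0.1, not on the 10.0.0.x server addresses.
access-list 101 permit tcp any host 192.168.0.1 eq smtp
access-list 101 permit tcp any host 192.168.0.1 eq www
access-list 101 permit tcp any host 192.168.0.1 established
! UDP replies (e.g. DNS for LAN users) need their own permit lines;
! the log keyword on the final deny shows what is being dropped.
access-list 101 deny ip any any log
```

The Linksys side is the 1-to-1 forwarding Jonathan mentions: public IP ports 25 and 80 to 192.168.0.1, so each inbound connection is translated twice before it reaches the server.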