Getting started with cisco

shainex
Level 1

I need some advice. I am in charge of a network of about 100 computers. They are just connected by about 20 hubs. We have 6 DSL connections to the internet that are fairly evenly distributed among the 100 computers. The DSL has become so unreliable that we have had to order a T1. Once the T1 is running we will do away with the DSL lines. The ISP that is bringing in the T1 has suggested a 2620 router with a CSU/DSU module already in it, a Cisco firewall, and a Cisco switch to get started. I already have the router, but have not yet ordered the switch or firewall. We need to be able to support a webserver and two separate LANs that should not be able to see each other at all. Our ISP says they will give us 16 IP addresses with our new T1. I have a little experience with a PIX 501 and I have read the Todd Lammle book, CCNA. Any advice would be appreciated, especially about what equipment to buy.

5 Replies

amit-singh
Level 8

Hi,

Why do you need 16 public IP addresses? Only 1 or at most 3 IP addresses can do it for you. Use 1 public IP on the router and set up NAT. You can also have 2 IP addresses on the router and 1 on your PIX and let the PIX do the NATting. I have used the PIX 501 and it's a very handy product.

By default it comes with 3 interfaces:

1. Outside, with security 100
2. Inside, with security 0, and
3. DMZ interface, with security 50

Now, the PIX rule says that you have to do a translation when any traffic is going from inside to outside. Anything coming from a higher security zone to a lower security zone, i.e. outside to inside, will be dropped. You have to specifically use access-lists and some static statements to allow the access. The same rule goes for the traffic from DMZ to inside.

Please check this link; it will clear all your doubts.

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/63qsg/index.htm

HTH,

-amit singh

Mr. Amit,

I think you need to check out the security level settings, because the security level for the inside interface should always be 100 and the security level of the outside interface should always be 0. Otherwise you are violating the rules of ASA.

regards

Sudhi

paddyxdoyle
Level 6

Hi,

Is your web server accessible from the outside?

If so, I would go for something bigger than a 501, as your web server should ideally be on its own physical interface hanging off the PIX (DMZ). This way, when external users access your web server they are not entering your internal network, as the firewall only permits them to the DMZ net.

If I had a bit of a budget I would have a 3750 switch with copper or fibre gigabit capabilities as the core/distribution switch, providing layer 3 routing and a location for your servers and the connection to the WAN.

Depending on the location of your 100 PCs, you could have 3550 switches as the access switches located on each floor, connecting back to your 3750 using fibre or copper; or, if all your structured cabling terminates in a single location, you could build a stack of 3750s and have one big switch cluster.

If you have more of a budget you could build your network around dual 3750 switches in the core/distribution for resilience and have your access layer switches and servers dual-connected to your 3750s.

The 3750s are wire speed, so you should notice major improvements over your current set-up; plus, as they are layer three switches, you can create 2 VLANs for each of your networks and provide access-list filtering on each VLAN interface to separate the two networks.

HTH

Paddy

Do you think a PIX 506 would be more what I would be looking for? Yes, our webserver needs to be accessible from outside. I think the 3750 is out of my price range. I was thinking more along the lines of a 2950, or possibly the 3550.

The 506 still only supports 2 interfaces; if you can stretch to a 515 then you can have up to 6 interfaces and build a DMZ for your web server.

If you can't go for the 3750 switches, another option would be to have 2950s at the edge providing your access layer and a 3560 EMI providing the distribution/core layer.

Having a layer 3 distribution/core layer will make your architecture much more scalable; otherwise you will have to use your 2620 router for all inter-VLAN routing.

I'm not sure of your architecture, but if the switches are all in the same comms room you could use 1000BaseT copper GBICs on your 2950s and uplink them to a Cisco Catalyst 3560G-24TS with 24 Ethernet 10/100/1000 ports and 4 SFP ports. If you need to scale the distribution/core up in the future then you could use the fibre ports to connect to another 3560G-24TS switch.

HTH

Paddy