Skip to main content

Pix 506e and DMZ

More
17 years 10 months ago #19262 by Okie
Pix 506e and DMZ was created by Okie
I need to put an FTP server in a DMZ using a Pix 506e. Can someone point me to some configuration examples. The 506e has only 2 physical interfaces so the DMZ will have to be on a vlan, but most examples I have seen were written for Pix's with additional physical interfaces. I am having trouble wrapping my feeble mind around the concept. Thanks.
More
17 years 9 months ago #19716 by danherbon
Replied by danherbon on topic Re: Pix 506e and DMZ
I'm looking for the same information. I am trying to move a test webserver into the DMZ on a 506E as well.
More
17 years 9 months ago #19720 by Smurf
Replied by Smurf on topic Re: Pix 506e and DMZ
Sorry but i have not tried this before. Appart from setting this up using two firewalls and creating a DMZ between them, the only other thing is to configure it using 802.1q trunk to send over two VLAN's to a VLAN Switch.

This way you can segment the traffic into two VLAN's and route the traffic in this manor using virtual interfaces. sorry i have not tried this config though, maybe someone else can advise on the steps

I have pulled this off Cisco's site which supports my idea

"VLAN-based virtual interfaces:

· Provides increased flexibility when defining security policies and eases overall integration into switched network environments by supporting the creation of logical interfaces based on IEEE 802.1q VLAN tags, and the creation of security policies based on these virtual interfaces
· Supports multiple virtual interfaces on a single physical interface through VLAN trunking, with support for multiple VLAN trunks per Cisco PIX Security Appliance
· Supports up to 2 VLANs on a Cisco PIX 506E Security Appliance, providing a low-cost DMZ-enabled security solution that enables businesses to securely host Web servers, e-mail servers, and other services with the Internet or extranet environments"


Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
More
17 years 8 months ago #20100 by danherbon
Replied by danherbon on topic Re: Pix 506e and DMZ
With the help of d_jabsd, this is what we came up with. I did some preliminary testing over the weekend and everything seemed to function. hopefully i'll be able to test more and roll it out live.

1. PIX506E going into Port19 on the 2950. Port 19 has been setup as a Trunk Link.

2. I then created two VLANs on the 2950. VLAN 10, 192.168.1.0, where my workstation is and VLAN 20, 10.10.100.0, where my test web server is.

3. On the PIX, I had two interfaces listed. Inside and Outside. Inside is was set to 192.168.1.1. I assigned VLAN ID of 10 to this interface to coincide with VLAN 10 on the 2950.

4. Then I created another interface on the PIX named DMZ with a parent of ethernet1. security level of 50, ip of 10.10.100.1. i assigned it to VLAN ID of 20.

From there I ran out of time. but everything seemed to function. hopefully later this week I'll be able ot play around more with the ACLs and statics to get it fully working.
Time to create page: 0.127 seconds