
DMZ with 506E

Status
Not open for further replies.

caswcu

Technical User
Feb 16, 2005
93
US
Currently we have our dsl modem going into a PIX 506E.

We just purchased a new piece of software/server for our business. The server is required to sit in a DMZ. The 506E with IOS 6.2 cannot do a DMZ. To update to the latest IOS it seems to be around $700.

I believe I have two options

dsl->cisco 801->506e
|
|>DMZ

or replace the 506e with something else.

What should I do?

Thanks
 
Consider getting a 515E UR. It is the least expensive PIX that has all features and allows growth. Most networks are going with multiple DMZs even in ROBOs.

 
Get a cheap hub and place between the 506 and a router.

--internet----PIX---hub---Router---LAN

The PIX will handle most of the firewalling and pass both the "poor man's DMZ" traffic AND the normal LAN traffic. The router will have an access list that prevents DMZ traffic from entering the LAN unless it is allowed to pass. If you are clever, you can set up a NAT pool of addresses on the PIX and run static NATs to the hosts on the DMZ to further tighten it down. Same applies for the router, NAT on the LAN side so the "DMZ" looks to have a local address on the LAN.

There are more than a few ways to do this, I did it for 4 years till I got around to putting in a firewall with a DMZ. If you have a choice, there are several Linux based firewalls that support true DMZs. Astaro, Smoothwall, Gibraltar all work well and are commercial products with 800 number support. For free, a favorite is m0nowall running on a WRAP board which is good for about 15Mbps of throughput. On a normal PC chassis, there is more throughput due to the beefier CPUs.

MikeS

Home of the book "Network Security Using Linux"
 
Shouldn't it be...

Internet -- Router -- Hub(Switch) -- PIX -- LAN

Either way, that would make the most sense. It would allow the machine full access to the net without worrying about the firewall issues with the PIX.

Computer/Network Technician
CCNA
 
LloydSev: your way is what I was originally thinking! The computer that needed to sit on the DMZ would attach to the Router right? I won't be getting a switch until needed!
 
Well if your router has a built in switch, then yeah you could do that.

Computer/Network Technician
CCNA
 
try sub-interfaces w/802.1Q encapsulation

you can use a switch and configure different vlans for the DMZ and Inside network. You can keep the subnets from communicating with ACLs
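Putting the router access list MikeS describes and the 802.1Q sub-interface/VLAN suggestion above together, here is an added example (not from any poster in this thread) of an IOS router configuration that replaces the hub with VLANs on a switch. It is a router configuration, not a PIX one; the VLAN numbers, addresses and interface names are all assumed.

```cisco
! Constructed example: IOS router-on-a-stick for "Internet--PIX--switch--Router--LAN".
! VLAN 10 = DMZ, VLAN 20 = inside LAN, VLAN 30 = transit link to the PIX inside
! interface (assumed 192.168.30.2). DMZ and LAN hosts use this router as gateway.
interface FastEthernet0/0
 description 802.1Q trunk to the switch
 no ip address
!
interface FastEthernet0/0.10
 description DMZ (VLAN 10)
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
 ip access-group DMZ-IN in
!
interface FastEthernet0/0.20
 description Inside LAN (VLAN 20)
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0
!
interface FastEthernet0/0.30
 description Transit to PIX inside interface (VLAN 30)
 encapsulation dot1Q 30
 ip address 192.168.30.1 255.255.255.0
!
! Default route toward the PIX. The PIX needs static routes back to
! 192.168.10.0/24 and 192.168.20.0/24 via 192.168.30.1.
ip route 0.0.0.0 0.0.0.0 192.168.30.2
!
! Filter applied to packets entering the router FROM the DMZ VLAN.
! This ACL is stateless: "established" only checks TCP ACK/RST flags,
! so the PIX remains the stateful firewall for Internet-facing traffic.
ip access-list extended DMZ-IN
 remark Replies to TCP sessions that LAN hosts opened toward DMZ servers
 permit tcp 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255 established
 remark DMZ hosts may not initiate anything into the LAN; log hits for review
 deny   ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255 log
 remark DMZ hosts may reach the Internet through the PIX
 permit ip 192.168.10.0 0.0.0.255 any
 remark Anything not sourced from the DMZ subnet on this VLAN is spoofed; drop it
 deny   ip any any log
```

Any LAN-to-DMZ management access still flows freely (nothing is filtered inbound on the LAN sub-interface), while a compromised DMZ host only shows up as logged denies on the router.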
 
Sub Interfaces on the 506e???

Computer/Network Technician
CCNA
 