Firewall & Router DMZ Setup 1

[Barkmull]

I am pretty new to this, so please bear with me if I ask stupid questions. I have a Cisco 515E PIX Firewall and a Linksys router. The linksys router does PPPOE to connect to the internet. (I am planning to replace the Linksys with a Cisco 1605 sometime in the future). I want to create a DMZ with the Linksys and the 515E. The physical configuration will look like this:

WAN
Linksys
Switch
Cisco 515E
LAN

I want to use 10.0.0.1 for the inside interface of the Linksys and 10.0.0.2 for the outside interface of the Cisco 515E. The outside address of the Linksys is 209.147.x.x and the inside address of the Cisco 515E is 192.168.11.2. Here are my qusetions:

1. Should I use the DMZ Host feature on the Linksys to avoid double NAT? Am I reducing security by doing this?
2. Should the "route (outside) 0.0.0.0 0.0.0.0" statement point to 10.0.0.1 or 209.147.x.x?
3. Should my access-lists permit traffic from 10.0.0.1 or 209.147.x.x?

Any other pointers would be greatly appreciated.

Sorry for the long post, but I am just learning this stuff.

Thanks!

 

[SWFLHosting]

hey bark,

I just replaced my linksys AP/router with a 2611


old setup:
cable modem {DHCP IP} <-> Linksys (BEFW11S4) {NAT PRIV} <-> switch & hub

new setup:
cable modem {DHCP IP} <--> Cisco 2611 {NAT 10.0.1.x} <--> switch (HP 4000M)

I am now trying to write an A-L for the 2611 ... *rolling eyes .. no fun*


For Your setup,
1. I'd make the PIX the DMZ host - but my question ... why run a switch before the PIX ? are you planning on having workstations outside of the PIX protected network & just certain machines such as servers behind it?!

2. If you are running the LInksys AP|router, it NATs already for you, and gives you a private IP ... in that case you'd point the zero route to the IP of the EXTERNAL PIX nic - which would still be private.

3. 10.x.y.z

 

[Barkmull]

Hi SWFLHosting,

Thank you very much for your input.

The reason I want to have a switch is so I can put a web server and possible an IDS sniffer there. I want to have the option of putting servers in the DMZ.

I am also planning to replace the Linksys router with a 1605 (can't afford a 2611...=P) and do PPPOE with it. If I do that It will look like this

DSL Modem <-> 1605 <-> Switch <-> PIX 515E <-> LAN

I guess this setup will not chang anything, I just have to look up how to make the 1605 a DMZ host.

Thanks again for the post!

 

[SWFLHosting]

Bark,

If you have a Linksys and will keep it in, the DMZ option should be located under ADVANCED ...

If you take the Linksys out of the chain, your 1605 will take the PUBLIC IP address yoru ISP gives to you.

Your current setup:

External IP | device | Internal
--------------------------------------------
{pvc #/#} | DSL modem | 209.147.x.x
209.147.x.x | LinkSys | 10.0.0.1 (*1)*NAT
10.0.0.1-.254 | switch | 10.0.0.1-.254 (*2)
10.0.0.133 | Cisco515E | 10.1.2.x-y 2nd NATing
10.1.2.1-.254 | LAN | 10.1.2.1-.254 (*3)





(*1) Here you would set your DMZ node to 10.0.0.133
(*2) @ this level you would place your webserver with 10.0.0.x IP's
(*3) Here you would run your *workstaions|playstation*



--marco

 

[SWFLHosting]

Or the 2nd of your versions w/ the 1605


External IP | device | Internal
--------------------------------------------
{pvc #/#} | DSL modem | 209.147.x.x
209.147.x.x | Cisco1605 | 10.0.0.1 (*1)*NAT
10.0.0.1-.127 | switch | 10.0.0.1-.127 (*2)
10.0.0.128 | Cisco515E | 10.0.0.128-.254
10.0.0.128-.254 | LAN | 10.0.0.128-.254 (*3)



(*1) Here you would NAT & create 1 static route to 10.0.0.128
*2) @ this level you would place your webserver(s) | sniffers with 10.0.0.1-.127 IP's
(*3) Here you would run your *workstaions|playstation* 10.0.0.128-.254