
Switch for 6 interface PIX in Stateful failover

Jun 1, 2002
Howdy,

I need to start setting up some solid DMZ nets off my 6 interface PIX firewall, which is connected to another 6 interface PIX using stateful failover. e2 is being used for stateful, of course, connected to e2 on the secondary PIX. e3, e4 and e5 are not being used but are connected via crossover and shut down. Now it's time for me to get e3 up and start using it, which I have never done before. I am a newb with this part of the PIX.
So here is information I need help with:
1. What kind of switch should I get? There would be about 4 systems on e3, Mail, Peoplesoft web, FTP and IIS.
2. How do I connect the cables from the pix e3 to the switch then to the switch and back into e3 of the secondary?
3. Any other information you think I should know?

I have looked on Cisco's site. I have an account with them, so if you find something you think might be interesting please feel free to give URLs that can only be accessed if you have an account with CCO. Please keep in mind that this is a 6 interface 515 running version 5.3(1) using stateful failover, and information for other setups just doesn't cut it, although I wish it would!

Thanks a bunch
 
HI.

Here are some tips:

* Since you already have enough interfaces, I suggest that you use e4 and maybe e5 also. Install the mail server in a dedicated interface, and if applicable also use different interfaces to separate other servers, like FTP.
This separation will give you better control and security.
You can configure all DMZ interfaces with the same ASA security level, like 50. This will cause the PIX not to allow any traffic between DMZ interfaces unless it is specified in an access-list.

* It's a good idea to upgrade to latest pix OS.
This is not directly related to the number of interfaces, but will give you more fixes, features and options, like PDM.

Bye
Yizhar Hurwitz
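As an added example (not configuration from this thread or from either poster), here is what bringing up e3 and e4 as two separate DMZs looks like in PIX 5.3 syntax. The interface names, security level 50, the access-list name and the addresses (documentation ranges) are all chosen for illustration; lines starting with ":" are annotations rather than commands. Because both DMZs sit at the same security level, the PIX passes nothing between them, which gives the isolation the mail, web and FTP hosts are meant to have. The `failover ip address` lines are the part people forget on a failover pair: every active interface needs a standby address, or the secondary reports that interface as failed.

```cisco
: Added example in PIX 5.3 syntax, not from the thread. Addresses and
: names are illustrative.
: Two DMZs at the same security level: no traffic flows between them.
nameif ethernet3 dmz1 security50
nameif ethernet4 dmz2 security50
: Hard-set speed/duplex and match the switch port, to avoid a mismatch.
interface ethernet3 100full
interface ethernet4 100full
ip address dmz1 192.0.2.1 255.255.255.0
ip address dmz2 198.51.100.1 255.255.255.0
: Stateful failover: give the secondary unit a standby address on each
: new interface, otherwise it will report the interface as failed.
failover ip address dmz1 192.0.2.2
failover ip address dmz2 198.51.100.2
: Publish the mail server from dmz1 and permit only SMTP inbound.
static (dmz1,outside) 203.0.113.25 192.0.2.25 netmask 255.255.255.255
access-list from_outside permit tcp any host 203.0.113.25 eq smtp
access-group from_outside in interface outside
```

Inbound access to each DMZ host is then limited to exactly what the access-list names; anything not listed, including traffic from one DMZ to the other, is dropped by the PIX.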
 
Thanks for the tips. I was considering the same thing with the interfaces.

As for the Finesse OS, well, for me to change it's just too much trouble... trust me. It's political rather than technical... =/

Still trying to figure how I need/want the hardware set up. Stateful makes things a little odd as well as the number of interfaces.
 
A couple of things:

First, interfaces with the same security level on the PIX firewall cannot communicate with each other. It's normally recommended that every interface have a unique security level. However, if you specifically want DMZs to NEVER communicate with each other, then you want to give them the same security level.

Also, as posted on a previous thread in the forum, you should do the following. This will help prevent any weird issues with the Pix failover.

- Enable portfast on all ports on the switch that connects directly to the PIX Firewall.
- Turn off trunking on all ports on the switch that connects directly to the PIX Firewall.
- Turn off port channeling on all ports on the switch that connects directly to the PIX Firewall.
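To tie the cabling question together with the three switch-port settings above, here is an added example of the switch side (not from the thread or from Cisco). It assumes a Catalyst running IOS; the VLAN number and port numbers are chosen for illustration. Each PIX interface gets its own VLAN, and the primary's e3, the secondary's e3 and the DMZ hosts all plug into access ports in that VLAN, which is how a failover pair keeps both units on the same segment. The PIX-facing ports get portfast, no trunk negotiation and no channel membership, as the post recommends, plus a hard-set speed/duplex to match the PIX.

```cisco
! Added example, Catalyst IOS syntax, not from the thread. VLAN and port
! numbers are illustrative.
! One VLAN per PIX interface; here VLAN 30 carries the dmz1 segment.
vlan 30
 name dmz1
!
! Primary PIX e3
interface FastEthernet0/1
 description primary PIX e3 (dmz1)
 switchport mode access
 switchport access vlan 30
 switchport nonegotiate
 no channel-group
 speed 100
 duplex full
 spanning-tree portfast
!
! Secondary PIX e3: same VLAN, same settings, so failover is a clean swap.
interface FastEthernet0/2
 description secondary PIX e3 (dmz1 standby)
 switchport mode access
 switchport access vlan 30
 switchport nonegotiate
 no channel-group
 speed 100
 duplex full
 spanning-tree portfast
!
! DMZ hosts go in the same VLAN; repeat per server.
interface FastEthernet0/3
 description mail server (dmz1)
 switchport mode access
 switchport access vlan 30
 spanning-tree portfast
```

With this layout the cabling is simply PIX primary e3 to Fa0/1, PIX secondary e3 to Fa0/2, and the servers to the remaining VLAN 30 ports; the `show interfaces status` and `show spanning-tree interface` output on the switch confirm the ports came up as non-trunking access ports in forwarding state.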
 