Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Chriss Miller on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Which router should I go with

Status
Not open for further replies.
kmcferrin

kmcferrin

MIS
Joined
Jul 14, 2003
Messages
2,938
Location
US
I need to set up several companies in my building to have access to part of my network. I want to make sure that however I connect them that I will be able to control which of their systems get access to my internal network. The amount of data being exchanged will be significant, so I would like to do something at ethernet speeds, but I'm not sure which solution would be best.

My first thought is to get a PIX 501, make my network the inside interface, hang a switch off the outside interface, NAT my internal boxes to the outside address (using a class C private address), and then let them plug into the external switch as a sort of DMZ/buffer zone.

However, I'm not sure if I would run into problems with the way the PIX is designed to be used. So my next thought is to use one of my spare 1721 routers in a similar config. I've seen 4-port 10/100 switch WICs for the 1721, but not a single ethernet WIC. Not sure that makes a big difference. But then my question is, how much effort is it going to be to secure the router so that I can restrict traffic coming in and out?

I guess my basic question is, how would you go about connecting a relatively untrusted network to your network via ethernet?
 
Sort by date Sort by votes
I'd probably firewall it as you originally thought with a switch on the outside of the firewall to connect them all.

If they don't need to speak to each other, maybe put each switchport into its own VLAN as well. If some of them do need to speak with each other, perhaps consider a layer 3 switch instead and use ACL's on the switch to control who can talk to who.

Hope this helps
 
Upvote 0 Downvote
Just a thought, I was doing some more digging and brainstorming on this topic and I discovered that Cisco sells a PIX 515E with 6 interfaces. I assume I could also use one of these, assign one interface (or more) to be my internal and then have the remainder as separate external interfaces for multiple different external networks to connect to me, right? In that case it would be a snap to make sure that they don't pass traffic to each other, unless at some point they wanted to do so.

Does that make sense?
 
Upvote 0 Downvote
It does make sense yes.

As I recall though you can only have one inside and one outside interface. All the other interfaces become DMZ interfaces (less trusted then the inside interface but more trusted than the outside interface). I don't think this is a problem though - just a difference in terminology.

But yes I can't see why you can't terminate numerous networks on a fully-loaded PIX like you've described. The PIX will certainly allow granular and controlled access between each interface installed.
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Blackybear
  • Locked
  • Question Question
Cisco RV042G router
Replies
0
Views
321
Blackybear
Blackybear
CPM86
  • Locked
  • Question Question
Cisco isr 4331 with IOS and sip busy fail over to 2nd sip number on pbx?
Replies
0
Views
559
CPM86
CPM86
jobsp90
  • Locked
  • Question Question
I have a issue in my office hospital network regarding using IPPBX software.
Replies
2
Views
525
DavetheChef
DavetheChef
WinstonCH
  • Locked
  • Helpful tip Helpful tip
What is wrong with the diagram, there are people who will help to fix it? How do i do the configurat
Replies
1
Views
897
BIS
BIS
B
  • Locked
  • Question Question
Cisco IP phone 7841 8851 unable to forward all to external number
Replies
0
Views
403
badwolf1686
B

Part and Inventory Search

Sponsor

Back
Top