Murat,
My comment is don't do this. It violates a very fundamental
principle of network security, "keep your untrusted and your trusted
networks physically separated". There should also be no way for
an untrusted network to bypass your firewall, which there is in this
design.
There are lots of issues with this setup, but the most basic is that
you would need to bring untrusted traffic into the router, forward it
to the PIX, have the PIX forward it back to the same router and then
to the remote sites. Depending on how many LAN interfaces your
router has, you could probably make this happen, but it's just not a
good idea.
If for any reason something in your configuration isn't set up
correctly, packets from the Internet could reach other remote sites
on your FR network without going through the firewall. In a good
perimeter design, this should not be possible.
I realize that this was probably set up this way to save money, but
how much money would it cost the company to have their entire
network compromised?
If cost is the primary concern, save the money on the PIX, use a
cheaper FW solution and get a separate physical line for your
Internet connection and a separate router.
HTH,
Kent
On 29 Mar 2001, at 10:19, Murat Kirmaci wrote:
> Hello Everybody,
> I would like to learn if I have got a Cisco router connected to a frame
> relay network, and over this frame relay network there are connections
> to their remote offices and another PVC to the INTERNET (not a
> separate leased line); in addition to this, I also have to insert a PIX
> firewall into this structure.
>
> I would be pleased to get your comments about this type of networks.
> Should I do NAT in the router? If yes, then how will I insert the PIX?
>
>
> Murat KIRMACI
>
> _________________________________
> FAQ, list archives, and subscription info:
> http://www.groupstudy.com/list/cisco.html Report misconduct and
> Nondisclosure violations to [EMAIL PROTECTED]