Re: PIX Design Considerations [7:48979]

2002-07-17 Thread Richard Tufaro

Why don't people get the notion that a Firewall is essentially a router.
PIX = Firewall = Router... Firewall = Router. It ROUTES

 Jeffrey Reed  07/16 8:19 PM 
I'm still pretty green with PIX in general and was talking today about
introducing a PIX into an existing network. The customer has a router (not
controlled by them) that has three public class C subnets defined. They are
not using VLANs, so the router has an interface and two sub-interfaces going
into a switched network. We want to put the PIX in between the outside
router and the LAN. I know this group has said several times the PIX is not
a router. Do I need to have another router between the PIX and the LAN to
perform routing between subnets? I assume the PIX will not facilitate
routing between the internal subnets. Can you define multiple interfaces on
the internal interface of the PIX if we didn't need to route between the
internal VLANs?

Any suggestions would be appreciated!

Jeffrey Reed
Classic Networking, Inc.
Cell 717-805-5536
Office 717-737-8586
FAX 717-737-0290




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=49014t=48979
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



RE: PIX Design Considerations [7:48979]

2002-07-17 Thread Jeffrey Reed

Richard, I used Nokia appliances running CheckPoint in a previous life and
it truly was a real router with a firewall application running on it. Very
capable of many different configuration options. I purchased a 501 PIX to
start playing with in the lab and a damn customer borrowed it and is now
asking me questions. I thought I heard on this board that the PIX is not a
router, hence my design question. I'm hoping I can get a better
understanding... Thanks!!


Jeffrey Reed
Classic Networking, Inc.
Cell 717-805-5536
Office 717-737-8586
FAX 717-737-0290






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=49015t=48979



RE: PIX Design Considerations [7:48979]

2002-07-17 Thread Robertson, Douglas

I am not sure I would class a PIX as a router in the true sense of the word.
Yes, it does route traffic from interface to interface, but would I use it as
a router? NO. It only supports ONE routing protocol, RIP, and that does not
constitute a good router in my eyes.

Now to the question. Just reading the description (I may be
misunderstanding the topology a bit), it sounds like you have one router
Ethernet interface with subinterfaces, with separate subnets going to a
switch. I do not see how the switches are not running VLANs; the interface must
have ISL or 802.1q. Or you don't have subinterfaces but secondary addresses.
The PIX does not support subinterfaces or secondary addressing on any
interface, so in this case you would require a router.

Doug





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=49023t=48979



RE: PIX Design Considerations [7:48979]

2002-07-17 Thread Ciaron Gogarty

Hi Richard,

The simple answer to your question is yes, you need a separate router
outside the PIX. Leave your internal router alone and just add a default
route pointing at the PIX interface.

He doesn't necessarily have to be using VLANs: as long as all the subnets it
is routing for are on the same LAN segment, the router just routes between
IP networks on the same wire.

The router you add to the scenario would be on the outside of the PIX, and
would usually be connected to the Internet via a serial line, or possibly
another untrusted network. This router then becomes the default route for
the PIX itself.

You need to add a "route inside" command on the PIX to route to the other
subnets hanging off your internal router.

You are correct, the PIX performs some routing functions but is not a fully
functional router, so you can't have things like secondary IPs on a PIX
interface; therefore you need a device behind the PIX that can route between
your internal networks.

  outside router -- PIX -- internal router -- ip segment
                                           |- second ip segment
                                           |- third ip segment


hope this helps,

C





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=49025t=48979



RE: PIX Design Considerations [7:48979]

2002-07-17 Thread Robertson, Douglas

This is actually a little off topic now, but it raised a question for me: how
do you add subinterfaces to an Ethernet interface without enabling ISL/802.1q?
From my experience the router does not permit this and requires that you
first enable ISL/802.1q. If you have ISL/802.1q you must have VLANs, unless
you are using secondary addresses and not subinterfaces.

Doug
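Added example, not configuration from the thread, from Cisco documentation or from any poster: a constructed PIX 6.x and IOS configuration for the design Ciaron describes (outside router as the PIX's default route, "route inside" entries for the subnets behind the internal router, internal router defaulting to the PIX), together with the two ways Doug contrasts for putting several subnets on one router Ethernet interface (secondary addresses on one wire versus 802.1Q subinterfaces). Hostnames, interface names and every address are assumptions: the thread's public class C networks are replaced by private 10.1.x.0/24 placeholders and the outside link by an RFC 5737 documentation range.

```text
! ===== PIX (6.x syntax). Constructed example; all addresses are placeholders =====
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 198.51.100.2 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
!
! Default route: anything the PIX does not know goes to the outside router.
route outside 0.0.0.0 0.0.0.0 198.51.100.1 1
!
! The PIX cannot carry secondary addresses or subinterfaces, so the second
! and third subnets are reached through the internal router, which sits on
! the same inside wire as the PIX (10.1.1.2). These are the "route inside"
! entries Ciaron refers to; without them, return traffic for those subnets
! would follow the default route back out the outside interface.
route inside 10.1.2.0 255.255.255.0 10.1.1.2 1
route inside 10.1.3.0 255.255.255.0 10.1.1.2 1
!
! Translation and access policy are outside the scope of the thread; nat 0
! here only means "no address translation for these inside networks".
nat (inside) 0 10.1.0.0 255.255.0.0

! ===== Internal router (IOS), option A: secondary addresses, no VLANs =====
! All three subnets share one LAN segment; the router routes between them
! on the same wire, which is the no-VLAN case Ciaron describes.
hostname inside-rtr
interface FastEthernet0/0
 ip address 10.1.1.2 255.255.255.0
 ip address 10.1.2.1 255.255.255.0 secondary
 ip address 10.1.3.1 255.255.255.0 secondary
! Everything that is not a local subnet goes to the PIX inside address.
ip route 0.0.0.0 0.0.0.0 10.1.1.1

! ===== Internal router (IOS), option B: 802.1Q subinterfaces =====
! This is the case Doug raises: subinterfaces on an Ethernet interface need
! dot1Q (or ISL) encapsulation, so the switch port must be a trunk and each
! subnet becomes a VLAN. The PIX inside port goes on an access port in
! VLAN 10, because (per Ciaron) the PIX cannot terminate a trunk.
interface FastEthernet0/0
 no ip address
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip address 10.1.1.2 255.255.255.0
interface FastEthernet0/0.20
 encapsulation dot1Q 20
 ip address 10.1.2.1 255.255.255.0
interface FastEthernet0/0.30
 encapsulation dot1Q 30
 ip address 10.1.3.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 10.1.1.1

! ===== Outside router (ISP-managed in the thread) =====
! Once the three subnets move behind the PIX, the outside router needs a
! route to them via the PIX outside address instead of hosting them on
! its own (sub)interfaces.
ip route 10.1.1.0 255.255.255.0 198.51.100.2
ip route 10.1.2.0 255.255.255.0 198.51.100.2
ip route 10.1.3.0 255.255.255.0 198.51.100.2
```

In either option the PIX only sees traffic that crosses it: packets between 10.1.2.0/24 and 10.1.3.0/24 are forwarded by the internal router and are never inspected by the firewall, so any policy between the internal subnets has to live on that router, or each subnet has to be given its own PIX interface (the multi-interface layout Jeffrey asked about). In option A the three subnets also share one broadcast domain, so the separation between them is purely logical; option B at least keeps them in distinct VLANs.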





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=49027t=48979



RE: PIX Design Considerations [7:48979]

2002-07-17 Thread Jeffrey Reed

Can you do a dot1q trunk into a PIX?


Jeffrey Reed
Classic Networking, Inc.
Cell 717-805-5536
Office 717-737-8586
FAX 717-737-0290


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 17, 2002 10:43 AM
To: [EMAIL PROTECTED]
Subject: FW: PIX Design Considerations [7:48979]

I would say place an internal router behind the PIX so you can route
your internal network, or VLANs; that's the way we design it here.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=49026t=48979



RE: PIX Design Considerations [7:48979]

2002-07-17 Thread Jeffrey Reed

Sorry, I meant secondary interfaces... but you answered the question.
Thanks!!


Jeffrey Reed
Classic Networking, Inc.
Cell 717-805-5536
Office 717-737-8586
FAX 717-737-0290






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=49029t=48979



RE: PIX Design Considerations [7:48979]

2002-07-17 Thread Ciaron Gogarty

Not yet, hopefully soon.  The only Firewall hardware platform that I'm aware
of that supports it is the Nokia with Checkpoint.





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=49033t=48979