[c-nsp] PIX and C5RSM

mikus der.mikus at gmail.com
Sun Mar 27 14:56:38 EST 2005


I don't think the c5k rsm will be able to handle these duties for
you...  If I understand your description correctly, vlan 10/20 are the
host nets, and 11/21 are transits to get to the pix.  You want both
host networks to reach each other and outside via the pix.

Ideal way to do this would be to have a single router do VRF's for each
of the host networks, essentially VRF-Lite where it's only doing
virtual routers, and not full mpls/bgp.  What this will give you is
each host network having a separate routing table (no directly
connected routes between the protected lans), and either static route
or do something like ospf with the pix.  I do something similar at
home with a 2621 running 12.2T with a global network simply for access
to a management vlan, and two vrf's for "user networks" (PIX inside)
and "server networks" (PIX DMZ).  I have an etherswitch module in
there trunked to the pix and doing SVI's for the gateways for those
vrf-forwarded lans, each with an ospf vrf instance adjacent to the pix
learning a default for those stubs via a /30 transit net.  All host L3
is done by the 2621 and always routes through the pix for next-hop
default.

I mostly use this for lab here because I'm cheap and it's only my
house lan, but works well for tiered architectures like you're trying
to accomplish.  You might be able to force traffic with PBR to go
next-hop via the pix, as I've done this ages ago for a customer before
the advent of VRF's where certain interfaces needed to override
directly connected routes to get to a firewall, but this gets messy
and there are security concerns if some traffic isn't caught by the
PBR.

If your network is production, I would recommend obviously a bit more
robust hardware than I use, but just about any low-end gear can handle
this, even a 2600 or 3550 with EMI images.  Most Cisco gear with
enough ram, flash, and current versions of IOS support VRF's these
days.  I don't think you can even get into 12.0 with RSM's, so that
will bork that idea.  My suggestion would be to separate out the L3
functionality into something newer and more capable and try the
vrf-lite approach.

As for pix mailing lists, try Cisco's NetPro discussion forums:

http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=Firewalling&CommCmd=MB%3Fcmd%3Ddisplay_messages%26mode%3Dnew%26location%3D.ee6e1fa

-mb


On Sat, 26 Mar 2005 19:46:07 -0600, Sean Granger
<sgranger at randfinancial.com> wrote:
> Scenario =
> 
> PIX with 3 interfaces: Inside, Outside and DMZ.
> 
> 2 VLAN-Ints on C5RSM:
> VLAN10 - Inside gateway, redirection for the segment.
> VLAN11 - Connects to PIX Inside interface.
> 
> Everything is working as should be expected.
> In order for Inside hosts to reach the Outside or DMZ, they are forced through the PIX.
> And vice versa. Standard issue stuff.
> 
> There is another standalone router [a seriously underutilized 7204VXR(!!)] in the DMZ segment ...
> Used for? You guessed it, redirection (have to love the PIX).
> This is an utter waste of (nice) routing equipment and I'd like to change it.
> 
> Problem:
> 
> The simplest explanation of how I'd like to redesign it would be as follows:
> 
> 2 MORE VLAN-Ints on C5RSM:
> VLAN 20 - DMZ gateway, redirection for the segment.
> VLAN 21 - Connects to PIX DMZ Interface.
> 
> However, if I bring the segment facing the protected hosts into the C5RSM, it will always prefer the directly connected route and switch across the VLANs.
> 
> Traffic between the VLANs 10 and 20 will never be firewalled and the PIX will only be used to/from the Outside. Bad, bad, bad.
> 
> Thus, I'm looking for some novel ideas on how to FORCE the traffic through the PIX.
> I can't think of any way to effectively change the connected route's cost.
> This doesn't seem like an overly complicated setup (I doubt people are wasting routers for PIX installs and/or using host route entries) and I feel like I'm just missing something in the visualization process.
> 
> Any advice greatly appreciated.
> 
> Regards,
> Sean
> 
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
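Worked config for the VRF-Lite layout described in the reply above (two host VLANs in separate VRFs, each with a /30 transit to its own PIX interface). This is an added example, not configuration from either poster; the VRF names, RDs, IP addresses and VLAN-to-VRF mapping are constructed assumptions, chosen so that VLAN 10/20 are the host nets and 11/21 are the PIX transits as in the original question.

```ios
! Added example, not from the thread: VRF-Lite on a single IOS router or
! L3 switch so that VLAN10 (inside hosts) and VLAN20 (DMZ hosts) have no
! shared routing table and therefore no connected route to each other.
! All names and addresses below are constructed assumptions.
!
ip vrf INSIDE
 rd 65000:10
!
ip vrf DMZ
 rd 65000:20
!
! Host-facing SVIs, one per VRF. "ip vrf forwarding" must precede the
! address, since IOS clears the interface address when the VRF changes.
interface Vlan10
 description Inside hosts
 ip vrf forwarding INSIDE
 ip address 10.10.0.1 255.255.255.0
!
interface Vlan20
 description DMZ hosts
 ip vrf forwarding DMZ
 ip address 10.20.0.1 255.255.255.0
!
! /30 transits to the PIX inside and DMZ interfaces, each in its own VRF.
interface Vlan11
 description Transit to PIX inside (192.0.2.1)
 ip vrf forwarding INSIDE
 ip address 192.0.2.2 255.255.255.252
!
interface Vlan21
 description Transit to PIX DMZ (192.0.2.5)
 ip vrf forwarding DMZ
 ip address 192.0.2.6 255.255.255.252
!
! Simplest option: one static default per VRF, next-hop the PIX.
ip route vrf INSIDE 0.0.0.0 0.0.0.0 192.0.2.1
ip route vrf DMZ 0.0.0.0 0.0.0.0 192.0.2.5
!
! Alternative from the reply: a per-VRF OSPF instance adjacent to the PIX
! that learns the default from it. "capability vrf-lite" keeps the router
! from applying PE checks (down-bit, domain tag) to routes in the VRF.
! With both present the static (AD 1) wins over OSPF (AD 110).
router ospf 10 vrf INSIDE
 capability vrf-lite
 network 10.10.0.0 0.0.0.255 area 0
 network 192.0.2.0 0.0.0.3 area 0
!
router ospf 20 vrf DMZ
 capability vrf-lite
 network 10.20.0.0 0.0.0.255 area 0
 network 192.0.2.4 0.0.0.3 area 0
```

To check the result, `show ip route vrf INSIDE` should list only 10.10.0.0/24 and 192.0.2.0/30 as connected plus the default via 192.0.2.1, and `show ip route vrf DMZ` should not contain 10.10.0.0/24 at all; `traceroute vrf INSIDE 10.20.0.1` should then show 192.0.2.1 (the PIX) as the first hop rather than a direct hit on the SVI. The PIX still needs its own routes back (10.10.0.0/24 via 192.0.2.2 on inside, 10.20.0.0/24 via 192.0.2.6 on DMZ), either static or learned over OSPF. Unlike the PBR approach the reply warns about, there is no traffic that can "miss" the policy here: a packet for 10.20.0.0/24 arriving in VRF INSIDE has no connected route to fall back on, so the only path is the default through the firewall.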
