PIX is a hardware firewall device. In simple terms, each interface is considered a separate network; PIX does routing as well (inside interface -> inside interface, inside interface -> outside interface & outside interface -> inside interface). You will need to create static and conduit statements to go from low security to high security (these are not dynamic). You will also need to use the global statement for high security to low security.
4.3(2) was barely VPN compatible (no ip local pool command). I believe 4.3(2), which I worked with, could only do PIX <-> PIX VPN with the updated DES license.
You can use NAT and create a 10.0.0.0/8 network, and you will have 16,000,000-some-odd hosts for that network; no need for DHCP on the inside. If you want to do PAT, you'll need more than one IP address, and if you want dedicated web servers inside the PIX you'll need even more dedicated outside IP addresses and set up a 1:1 relationship between outside and inside.
I had a PIX 510 dropped in my lap, because the company didn't want to spend the $20,000 - $40,000 the consultant wanted to install it. It's a fairly complex piece of hardware. If you wish to do Windows networking through the PIX, I wish you the best of luck.
Link on the Cisco web site for PIX v4.3(2) commands:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v43/pix43cfg/pix43cmd.htm
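The asymmetry the reply describes (high-to-low traffic flows dynamically via nat/global, low-to-high traffic needs a static plus an explicit conduit) is easy to get wrong when planning a 1:1 web-server mapping, so here is a small Python model of that decision logic. This is an added, constructed example for illustration, not the author's configuration or Cisco code; the interface names, security levels and the 203.0.113.x / 10.1.1.x addresses are assumed sample values.

```python
"""Toy model of the PIX security-level rules described in the post (constructed
example). Real PIX behaviour has many more details; this captures only the
static/conduit vs. nat/global asymmetry."""
from dataclasses import dataclass, field
from typing import Optional, Tuple


@dataclass
class PixPolicy:
    security: dict                                 # interface -> security level (0..100)
    nat_ifaces: set                                # interfaces carrying a "nat" statement
    global_ifaces: set                             # interfaces with a "global" address pool
    statics: dict = field(default_factory=dict)    # global_ip -> local_ip (1:1 static)
    conduits: list = field(default_factory=list)   # (proto, global_ip, port or "any")

    def decide(self, src_if: str, dst_if: str, dst_ip: str,
               proto: str, port: int) -> Tuple[bool, Optional[str]]:
        """Return (permitted, address the packet is actually delivered to)."""
        s, d = self.security[src_if], self.security[dst_if]
        if s > d:
            # High -> low: built dynamically, as long as the source side has a
            # nat statement and the destination side has a global pool.
            ok = src_if in self.nat_ifaces and dst_if in self.global_ifaces
            return ok, (dst_ip if ok else None)
        if s < d:
            # Low -> high: nothing is dynamic. The destination must be a static
            # global address AND a conduit must explicitly permit the service.
            local = self.statics.get(dst_ip)
            if local is None:
                return False, None
            for c_proto, c_ip, c_port in self.conduits:
                if c_proto == proto and c_ip == dst_ip and c_port in (port, "any"):
                    return True, local
            return False, None
        return False, None   # equal security levels: not forwarded in this model


# Constructed sample policy: one public web server mapped 1:1 to an inside host.
policy = PixPolicy(
    security={"outside": 0, "inside": 100},
    nat_ifaces={"inside"},
    global_ifaces={"outside"},
    statics={"203.0.113.5": "10.1.1.5"},        # sample documentation/private addresses
    conduits=[("tcp", "203.0.113.5", 80)],      # only HTTP is opened to the server
)

if __name__ == "__main__":
    print(policy.decide("inside", "outside", "198.51.100.9", "tcp", 443))  # outbound: allowed
    print(policy.decide("outside", "inside", "203.0.113.5", "tcp", 80))    # inbound HTTP: allowed
    print(policy.decide("outside", "inside", "203.0.113.5", "tcp", 22))    # inbound SSH: no conduit
```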
"Cthulu, CCIE Candidate" wrote:
>
> Hey, Rodgers,
>
> Thanks! Hope you don't mind, you are the only one to respond directly, can
> you answer these?
>
> Why would getting an IP address dynamically assigned to the PIX's outside
> interface be a security risk?
>
> Also, if the PIX can't act as a DHCP server, what the heck is this command
> for:
>
> ip local pool
>
> "The ip local pool command lets you create a pool of local addresses to be
> used for assigning dynamic ip addresses to remote VPN clients. The address
> range of this pool of local addresses must not overlap with any command
> statement that lets you specify an IP address. To delete an address pool,
> use the no ip local pool command. Use the show ip local pool command to view
> usage information about the pool of local addresses."
>
> If I read that correctly, I can run some VPN software on my "remote" computer
> and have it get an IP address from the PIX? (inside interface?)
>
> TIA,
>
> Charles
>
> "Rodgers Moore" <[EMAIL PROTECTED]> wrote in message
> news:8qdh7m$94h$[EMAIL PROTECTED]...
> > Nope. Besides that would be contrary to good security policy.
> >
> > Rodgers Moore
> >
> > "Cthulu, CCIE Candidate" <[EMAIL PROTECTED]> wrote in message
> > news:8qb0n2$cip$[EMAIL PROTECTED]...
> > > Hi, all,
> > >
> > > Sorry for the cutesy subject header. I just got ahold of a Pix firewall; it
> > > was lying in the office and I stumbled over it on my way to the vending
> > > machine to pick up some Oreos. After I ate my Oreos (a little stale, thanks
> > > for asking), I realized that this was a Pix firewall! I am 100% new to the
> > > PIX, but that's irrelevant...
> > >
> > > I immediately put it on our network like this:
> > >
> > > My laptop <-----> Ethernet 1 PIX Firewall Ethernet 0 <-------> Catalyst 2900XL
> > >
> > > Anyways, I am going to learn it, and learn it good. My question is: can I
> > > set up any of the interfaces to dynamically acquire an IP address via DHCP?
> > > I want ethernet 0 to acquire an IP address from our DHCP server.
> > >
> > > If the PIX supports it, I will put a DHCP server on it to service my laptop
> > > on ethernet 1. If it doesn't, I am going to statically assign an IP address
> > > to the laptop and to ethernet 1, and run NAT to translate between
> > > inside/outside addresses.
> > >
> > > What am I trying to accomplish? Nothing, just a learning experience for me.
> > > Time to upgrade the image!
> > >
> > >
> > > TIA,
> > >
> > > Charles
**NOTE: New CCNA/CCDA List has been formed. For more information go to
http://www.groupstudy.com/list/Associates.html
_________________________________
UPDATED Posting Guidelines: http://www.groupstudy.com/list/guide.html
FAQ, list archives, and subscription info: http://www.groupstudy.com
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]