Firewall Wizards mailing list archives

RE: Double firewall setup (long)


From: "Greymagick" <greymagick () gmail com>
Date: Wed, 26 Jan 2005 23:32:24 +0100

Victor Williams said:
Can you give us an indication of why you want/need to do this?


Sigh. As a matter of fact, I did not plan nor design this. This
unusual topology was imposed on me. I suppose the idea was to
isolate several DMZs, and instead of a 4-port NIC card for the
PIX, which would have been the obvious setup, there was another
PIX hanging around from elsewhere that was used instead.

I have the task of getting the show running, that's all. I'm new
to the job and this is the thing that, I suppose, nobody really
wanted to do.

You can disable NAT altogether on the 2nd PIX and just have IP Addresses
pass through as-is with no translation, and Cisco has documentation on
how to do this.

You mean, let the internal PIX do all the NAT? Would that be
common practice? I may be a bit short-sighted here, but I don't
really see what would be gained through this instead of letting
the external PIX do the NAT and the internal one passing the IPs
unchanged. But I might consider that, should it prove easier to
configure. Still, I can't figure out any significant difference.

Why don't you get a 4-port NIC card for each firewall (giving you 4
physical DMZ's instead of one), and put those firewalls into an
Active/Failover setup?

Well, that certainly sounds like a fine idea, and I will try
fighting my way about that in the future. But as of now, I have
to get this running in roughly a week, so there's no time for
alternative topologies now. When it is running, I may go to
the CIO and say "I don't really like this thing and I want to
propose a better way to do it", and she might listen. But currently
this is what I'm stuck with.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

