Re: 2 firewalls 1 Internet connection

From: Walter Roberson (roberson_at_ibd.nrc-cnrc.gc.ca)
Date: 08/29/05


Date: Mon, 29 Aug 2005 18:59:45 +0000 (UTC)

In article <1125338848.331725.139900@f14g2000cwb.googlegroups.com>,
Brian <Brian@amphenolpcd.com> wrote:
:Can I have two firewalls be "equals" behind our Internet access router?

Only if they are configured for "failover" to each other, or they
are configured in such a way that any given transaction is certain
to be processed by only one of the two firewalls.

You cannot configure a PIX running 6.x code to selectively proxy-arp
(at least not based on level 3 or level 4 information),
but you could have an outside router with policy routing that forwarded
packets selectively to the PIX's outside interface IP. To ensure that
replies went back to the PIX, you would either have an inside router
with a suitable policy routing, or else you would configure the PIX
to NAT the incoming -source- IP (normally it would de-NAT the
incoming -destination- IP); then packets would effectively be tagged
as to which of the firewalls they came in on.

Also, on a PIX if you do not static or nat an inside IP, then the PIX
will not proxy-arp for the IP. Thus if you

static (inside,outside) 12.13.14.15 192.168.14.15 netmask 255.255.255.255 0 0
static (inside,outside) 12.13.14.21 192.168.14.21 netmask 255.255.255.255 0 0

then the PIX would proxy arp for 12.13.14.15 and 12.13.14.21, but not
(for example) for 12.13.14.16. Hence, even though the inside interface
might be 12.13.14/24, if you do not static or nat a particular IP, the
PIX will not actively listen for it -- so if your netscreen -did- proxy
arp for the IP, the netscreen would get the traffic.

-- 
   "No one has the right to destroy another person's belief by
   demanding empirical evidence."            -- Ann Landers

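A configuration check in the spirit of the post's point that a transaction must be certain to hit only one of the two firewalls. This is an added example, not code from the thread: it parses PIX 6.x static statements (the plain form quoted above plus the tcp/udp port-static form), derives the outside IPs each PIX would proxy-ARP for, and reports any address claimed by more than one firewall. The configs are constructed and pix-b is a hypothetical second PIX.

```python
import ipaddress
from collections import defaultdict

def parse_static(line):
    """Return (global_ip, netmask) from one PIX 6.x 'static' line, or None.
    Handles 'static (i,o) <gip> <lip> netmask <m>' and the port form
    'static (i,o) tcp <gip> <port> <lip> <port> netmask <m>'."""
    tok = line.split()
    if len(tok) < 6 or tok[0].lower() != "static" or "netmask" not in tok:
        return None
    body = tok[2:]                      # tokens after 'static (inside,outside)'
    gip = body[1] if body[0].lower() in ("tcp", "udp") else body[0]
    return gip, tok[tok.index("netmask") + 1]

def proxy_arp_addresses(config_text):
    """Outside IPs this PIX would proxy-ARP for, per the post's rule: only
    IPs with a static are answered. A non-/32 netmask claims the whole block."""
    claimed = set()
    for line in config_text.splitlines():
        parsed = parse_static(line)
        if parsed is None:
            continue
        try:
            net = ipaddress.IPv4Network(parsed, strict=False)
        except ValueError:              # e.g. 'static ... interface ...'
            continue
        claimed.update(net)
    return claimed

def overlapping_claims(configs):
    """configs: {firewall_name: config_text}. Return {ip: [names]} for each
    outside IP more than one firewall would answer ARP for, i.e. traffic
    not certain to be processed by only one of them."""
    owners = defaultdict(list)
    for name, text in configs.items():
        for ip in proxy_arp_addresses(text):
            owners[ip].append(name)
    return {str(ip): sorted(n) for ip, n in owners.items() if len(n) > 1}

# Constructed sample configs: pix-a carries the two statics from the post,
# pix-b is a hypothetical second PIX that also claims 12.13.14.21 via a port static.
EXAMPLE_CONFIGS = {
    "pix-a": """nameif ethernet0 outside security0
static (inside,outside) 12.13.14.15 192.168.14.15 netmask 255.255.255.255 0 0
static (inside,outside) 12.13.14.21 192.168.14.21 netmask 255.255.255.255 0 0""",
    "pix-b": """static (inside,outside) 12.13.14.16 192.168.14.16 netmask 255.255.255.255 0 0
static (inside,outside) tcp 12.13.14.21 www 192.168.14.22 www netmask 255.255.255.255 0 0""",
}

if __name__ == "__main__":
    print(overlapping_claims(EXAMPLE_CONFIGS))  # {'12.13.14.21': ['pix-a', 'pix-b']}
```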