Changing home network to include PIX 501 and a DMZ

I'll be making these changes later and just want to get some thoughts on my plan.

I want to add a PIX 501 to my network and create a DMZ for servers accessible from the Internet.

Currently my network is: Internet -> Netopia 2247 (SOHO gateway) -> Home LAN.
ADSL2+ Modem, NAT and routing is done on the Netopia.
Home LAN is a single IP network. (192.168.1.0/24)

I want to make this as simple as possible and build from there.

I'm thinking of changing it to this:
Internet -> Netopia -> PIX -> Home LAN

The Netopia has a 4 port switch so I'll have the DMZ come off the Netopia. One of the LAN switch ports of the Netopia will connect to E0 of the PIX. The LAN side of the PIX (E1 - E4) will be the Home LAN.

So in one IP network there'll be the LAN side of the Netopia, the servers and the WAN side of the PIX and in the other IP network there'll be the home LAN.

Thoughts? Cheers.

Image of network.

Find more posts tagged with

Free for TechExams community: Cybersecurity salary guide

Compare cert salaries and plan your next career move

Button

Comments

Turgon

The PIX will only defend your home LAN not the DMZ hosts with this arrangement. Is your broadband provider giving you a single dynamic IP? If so your attempts to have a hosted DMZ may need more thought.

Does the Netopia provide DHCP for your LAN hosts? If so more potential headaches for your design.

ConstantlyLearning

Turgon wrote: »

The PIX will only defend your home LAN not the DMZ hosts with this arrangement. Is your broadband provider giving you a single dynamic IP? If so your attempts to have a hosted DMZ may need more thought.

Ah yeah, I understand that.
The servers in the DMZ are behind the Netopia which provides a firewall and NAT for the DMZ which I assume provides some protection. Havn't done it yet, but will use the Netopia to port forward to the servers.

Yep, dynamic IP assignment from my ISP but that's not an issue as I'm just playing around.

Turgon wrote: »

Does the Netopia provide DHCP for your LAN hosts? If so more potential headaches for your design.

It's more or less up and running now.

What I've done is:

Disabled DHCP on the Netopia.
Configured DHCP on the PIX for the Home LAN.
Configured NAT on the PIX.
Configured a default static route on the PIX to the inside IP of the Netopia.
Configured a static route on the Netopia to the Home LAN network.

Still some things I'm confused about:
I thought that all traffic from the inside of the PIX is allowed outside and creates "established sessions" but I couldn't ping or RDP to a server in the DMZ.

I created an ACL which permits the Home LAN network to RDP to a server in the DMZ and then it worked.

Yet, the Home LAN network could get out onto the web without me having to create an ACL for HTTP or DNS...

EDIT: Something else I'm confused about!
Why is NAT required to be configured on the PIX? I originally just had the static routes configured because I thought if all destinations are known then everything will get delivered. But, communication between networks only works when NAT is configured on the PIX as well...

Here's an image of the network:

Here's the static route on the Netopia:
route 10.10.10.0 255.255.255.0 192.168.1.253

Here's some relavent lines from a show run on the PIX:

interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100

access-list 101 permit tcp 10.10.10.0 255.255.255.0 host 192.168.1.200 eq 3389

ip address outside 192.168.1.253 255.255.255.0
ip address inside 10.10.10.1 255.255.255.0

global (outside) 1 interface
nat (inside) 1 10.10.10.0 255.255.255.0 0 0
route outside 0.0.0.0 0.0.0.0 192.168.1.254 1

dhcpd address 10.10.10.2-10.10.10.10 inside
dhcpd dns 208.67.222.222 208.67.220.220
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside