Changing home network to include PIX 501 and a DMZ

I'll be making these changes later and just want to get some thoughts on my plan.

I want to add a PIX 501 to my network and create a DMZ for servers accessible from the Internet.

Currently my network is: Internet -> Netopia 2247 (SOHO gateway) -> Home LAN.
ADSL2+ Modem, NAT and routing is done on the Netopia.
Home LAN is a single IP network. (192.168.1.0/24)

I want to make this as simple as possible and build from there.

I'm thinking of changing it to this:
Internet -> Netopia -> PIX -> Home LAN

The Netopia has a 4 port switch so I'll have the DMZ come off the Netopia. One of the LAN switch ports of the Netopia will connect to E0 of the PIX. The LAN side of the PIX (E1 - E4) will be the Home LAN.

So in one IP network there'll be the LAN side of the Netopia, the servers and the WAN side of the PIX and in the other IP network there'll be the home LAN.

Thoughts? Cheers.

Image of network: DMZnet.jpg
"There are 3 types of people in this world, those who can count and those who can't"

Comments

  • Turgon (Banned, Posts: 6,308)
    The PIX will only defend your home LAN not the DMZ hosts with this arrangement. Is your broadband provider giving you a single dynamic IP? If so your attempts to have a hosted DMZ may need more thought.

    Does the Netopia provide DHCP for your LAN hosts? If so more potential headaches for your design.
  • Turgon wrote:
    The PIX will only defend your home LAN not the DMZ hosts with this arrangement. Is your broadband provider giving you a single dynamic IP? If so your attempts to have a hosted DMZ may need more thought.

    Ah yeah, I understand that.
    The servers in the DMZ are behind the Netopia, which provides a firewall and NAT for the DMZ, which I assume provides some protection. Haven't done it yet, but will use the Netopia to port forward to the servers.

    Yep, dynamic IP assignment from my ISP but that's not an issue as I'm just playing around.
    Turgon wrote:
    Does the Netopia provide DHCP for your LAN hosts? If so more potential headaches for your design.

    It's more or less up and running now.

    What I've done is:

    Disabled DHCP on the Netopia.
    Configured DHCP on the PIX for the Home LAN.
    Configured NAT on the PIX.
    Configured a default static route on the PIX to the inside IP of the Netopia.
    Configured a static route on the Netopia to the Home LAN network.

    Still some things I'm confused about:
    I thought that all traffic from the inside of the PIX is allowed outside and creates "established sessions" but I couldn't ping or RDP to a server in the DMZ.

    I created an ACL which permits the Home LAN network to RDP to a server in the DMZ and then it worked.

    Yet, the Home LAN network could get out onto the web without me having to create an ACL for HTTP or DNS...

    EDIT: Something else I'm confused about!
    Why is NAT required to be configured on the PIX? I originally just had the static routes configured because I thought if all destinations are known then everything will get delivered. But, communication between networks only works when NAT is configured on the PIX as well...


    Here's an image of the network: DMZnet3.jpg


    Here's the static route on the Netopia:
    route 10.10.10.0 255.255.255.0 192.168.1.253

    Here are some relevant lines from a show run on the PIX:

    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100

    access-list 101 permit tcp 10.10.10.0 255.255.255.0 host 192.168.1.200 eq 3389

    ip address outside 192.168.1.253 255.255.255.0
    ip address inside 10.10.10.1 255.255.255.0

    global (outside) 1 interface
    nat (inside) 1 10.10.10.0 255.255.255.0 0 0
    route outside 0.0.0.0 0.0.0.0 192.168.1.254 1

    dhcpd address 10.10.10.2-10.10.10.10 inside
    dhcpd dns 208.67.222.222 208.67.220.220
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd enable inside
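A toy model of the PIX 6.x forwarding rules the post runs into, added here as an illustration and not code from the thread or from Cisco: it encodes the security-level default (higher-to-lower flows permitted, the reverse not) and the PIX 6.x requirement that every flow crossing interfaces has a translation (nat/global, nat 0 or static), which is why static routes alone did not pass traffic. The Interface/PixPolicy/thread_pix names and the assumption that access-list 101 is applied inbound on the inside interface are mine; the addresses and security levels come from the show run above.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network


@dataclass(frozen=True)
class Interface:
    name: str
    security: int         # from 'nameif ethernet0 outside security0' etc.
    network: IPv4Network  # directly connected subnet


@dataclass
class PixPolicy:
    interfaces: list   # Interface objects
    nat_rules: list    # (ingress ifname, source net): 'nat (inside) 1 ...' paired with a global
    acls: dict         # ifname -> [(src_net, dst_net, tcp port or None)] applied inbound

    def iface_for(self, addr: IPv4Address):
        return next((i for i in self.interfaces if addr in i.network), None)

    def decide(self, src: str, dst: str, port: int) -> str:
        s, d = IPv4Address(src), IPv4Address(dst)
        src_if, dst_if = self.iface_for(s), self.iface_for(d)
        if src_if is None or dst_if is None or src_if == dst_if:
            return "not forwarded by the PIX"
        # Step 1: access policy. An inbound ACL on the ingress interface replaces
        # the default, which permits only higher-to-lower security flows.
        acl = self.acls.get(src_if.name)
        if acl is not None:
            if not any(s in sn and d in dn and p in (None, port) for sn, dn, p in acl):
                return "drop: ACL applied, no match"
        elif src_if.security <= dst_if.security:
            return "drop: lower to higher security needs static + ACL"
        # Step 2: translation. PIX 6.x will not forward a cross-interface flow
        # without a nat/global, nat 0 or static entry, even when routes exist.
        if not any(n == src_if.name and s in net for n, net in self.nat_rules):
            return "drop: no translation for source (nat/global, nat 0 or static)"
        return "permit" + (" via ACL" if acl is not None else " (higher to lower security default)")


def thread_pix(with_nat: bool = True, with_acl: bool = False) -> PixPolicy:
    """PIX from the thread: outside 192.168.1.253/24 (sec 0), inside 10.10.10.1/24 (sec 100)."""
    outside = Interface("outside", 0, IPv4Network("192.168.1.0/24"))
    inside = Interface("inside", 100, IPv4Network("10.10.10.0/24"))
    nat = [("inside", IPv4Network("10.10.10.0/24"))] if with_nat else []
    acls = {}
    if with_acl:  # access-list 101 ... eq 3389, assumed applied inbound on 'inside'
        acls["inside"] = [(IPv4Network("10.10.10.0/24"), IPv4Network("192.168.1.200/32"), 3389)]
    return PixPolicy([outside, inside], nat, acls)
```

Toggling with_nat shows the static-routes-only case from the EDIT question, and with_acl shows how an applied ACL narrows the inside interface to RDP only, so HTTP and DNS would then also need permit entries.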