PIX Routing
RG
Cisco modem router ( external ip: xxx.xxx.xxx.248, internal ip:
xxx.xxx.xxx.249)
||
|| Subnet 255.255.255.248
V
Cisco pix 501
||
||
V
Mail server
This mail server is currently NATed where static command says all
connections on port 25 for ip xxx.xxx.xxx.252 go to 192.168.1.10.
Also, appropriate access-list has been setup.
I would like to change the mailserver ip to xxx.xxx.xxx.252, and have
pix 501 route port 25 requests to this mail server. Does this mean I
have to use up 2 more static ip's, an ip for pix's external interface
and an ip for pix's internal interface? Or if you have a different
way to do it, I would appreciate if you could let me know.
Thanks in advance
Techno_Guy
You lost me...
Let just summarize to make sure I understand.
1 You want to change the ip address of the mail server
2 What are you doing with the old ip of the current email server?
The pix is not routing port 25 traffic, it is translating.
Is the outside interface of the pix currently running a public address
or a private address?
RG
> On Dec 8, 4:17 pm, RG <rgelfa...@gmail.com> wrote:
>
>
>
>
>
> > My topology is as follows:
>
> > Cisco modem router ( external ip: xxx.xxx.xxx.248, internal ip:
> > xxx.xxx.xxx.249)
> > ||
> > || Subnet 255.255.255.248
> > V
> > Cisco pix 501
> > ||
> > ||
> > V
> > Mail server
>
> > This mail server is currently NATed where static command says all
> > connections on port 25 for ip xxx.xxx.xxx.252 go to 192.168.1.10.
> > Also, appropriate access-list has been setup.
>
> > I would like to change the mailserver ip to xxx.xxx.xxx.252, and have
> > pix 501 route port 25 requests to this mail server. Does this mean I
> > have to use up 2 more static ip's, an ip for pix's external interface
> > and an ip for pix's internal interface? Or if you have a different
> > way to do it, I would appreciate if you could let me know.
>
> > Thanks in advance
>
> You lost me...
>
> Let just summarize to make sure I understand.
> 1 You want to change the ip address of the mail server
I would like to change the ip address of mail server from internal
ip adress to public ip address.
> 2 What are you doing with the old ip of the current email server?
>
> The pix is not routing port 25 traffic, it is translating.
If I am not mistaken, there is something called "transparent" firewall
configuration where you are doing away with NAT and only do access-
list filtering.
>
> Is the outside interface of the pix currently running a public address
> or a private address?
The outside interface is running on public address.
Thanks for your help
Doug McIntyre
> I would like to change the ip address of mail server from internal
>ip adress to public ip address.
Not on a PIX501 you can't. They are pure NAT boxes, nothing but NAT.
Even if you routed down public IPs through them, and put your internal
interface on public IPs, they'd still be doing NAT internally.
>If I am not mistaken, there is something called "transparent" firewall
>configuration where you are doing away with NAT and only do access-
>list filtering.
The 501 doesn't support transparent mode. The ASA's running new enough
code can do Transparent mode, but not the 501. With PCI-DSS requiring
NAT mode firewall with private IPs anyway, and in transparent mode you
need to have enough public IPs for all your systems, its not too
popular of an option. Other boxes do it better, having been around
alot longer supporting it, such as the Netscreen/Juniper or FortiGates.
>> Is the outside interface of the pix currently running a public address
>> or a private address?
>The outside interface is running on public address.
Which is where it'll have to stay on a 501.
RG
For purposes of transparent firewall, which one would you recommend
more Netscreen/Juniper or FortiGates?
I found that cisco pix 501 very descent and solid firewall. It is
highly configurable and doesn't seem to break.
Would you say the same about Netscreen/Juniper or FortiGates when used
in transparent mode?
Also, is Netscreen/Juniper or FortiGates sip aware?
Thanks again
Doug McIntyre
>For purposes of transparent firewall, which one would you recommend
>more Netscreen/Juniper or FortiGates?
I haven't used the new Juniper SRX's, so I can't say how stable they
are. With Juniper's reputation, and past experience with the Netscreen
and SSG boxes, they should be solid.
I've been using FortiGate for all my deployments in the past 3 years.
I'd say they are the way to go, very solid and dependable. Huge range
of products, so it may be hard to choose what you need, if you are
talking about a 501, though, a 50B is plenty for your needs.
The bigger ones might be nicer if you need more ports/zones for your network.
>I found that cisco pix 501 very descent and solid firewall. It is
>highly configurable and doesn't seem to break.
>Would you say the same about Netscreen/Juniper or FortiGates when used
>in transparent mode?
Definately. World apart from Sonicwall and the others in their class.
Junpier and Fortinet make good products (like cisco).
>Also, is Netscreen/Juniper or FortiGates sip aware?
Yep. SIP and H.232 are fully supported. You do have to configure
things specificly to recognize these protocols, so make sure to read
up on the technotes.
alexd
McIntyre chose the tried and tested strategy of:
> RG <rgel...@gmail.com> writes:
>>Would you say the same about Netscreen/Juniper or FortiGates when used
>>in transparent mode?
> Definately. World apart from Sonicwall and the others in their class.
> Junpier and Fortinet make good products (like cisco).
I regularly see you recommend Juniper here. Could you suggest an
introductory guide to SSG that would make sense to someone who was familiar
with IOS, ASA and SonicOS?
--
<http://ale.cx/> (AIM:troffasky) (UnSoEs...@ale.cx)
19:23:02 up 12 days, 23:14, 7 users, load average: 0.04, 0.13, 0.11
Plant food is a made up drug
Doug McIntyre
>I regularly see you recommend Juniper here. Could you suggest an
>introductory guide to SSG that would make sense to someone who was familiar
>with IOS, ASA and SonicOS?
Hmm, I've probably been pushing Fortigate more often lately, having
deployed them alot more in the last few years than Juniper firewall
setups (although I did plenty of those in the past as well, as well as
PIX deployements). Plenty of Transparent mode setups on either of the
Juniper or Fortigate setups, although not too many lately.
The SSG's are all EOL'd, replaced the SRX's, which are vastly
different boxes. The SSG was just another version of the Netscreen products.
The SRX is when they converted everything over to JunOSse.
I don't know of any high-level comparisons without going and getting a
book for the Juniper/Netscreen ones. There are a few good ones on
Netscreen Firewalls, but a couple I've read had some good high point
overviews of Juniper vs. Cisco.
BUT what I usually go for is going direct to the source documentation,
which all 3 companies have fully online, open to the public.
Like any computer documentation, each company has its own "style" and
layout, and it does take a bit of thinking to get used to their style
of doing things.
Ie. if you did want to start with the older, EOL'd SSG boxes, the
Fundementals of the Netscreen Concepts and Examples manual is where to start.
http://www.juniper.net/techpubs/software/screenos/screenos6.3.0/630_ce_fundamentals.pdf
Just go up one level to the directory URL for the rest of the documentation in
that series, but the fundementals would be a good start.
The SRX documentation is here.
http://www.juniper.net/techpubs/software/junos-srx/junos-srx10.0/index.html
There's not really a good starting point with the SRX. Having other
JunOS experience helps alot. I have some M series routers that I
manage, but not any SRXs...
FortiNet's documentation starts here.
http://docs.fortinet.com/fgt.html
They probably have the most complete WebGUI interface, you can do 99%
of what you need to totally within the GUI without going to the CLI.
The Admin guide isn't quite as detailed as others, but should at least
show you the concepts of what it is capable of. Deeper understanding
of all only comes after having used them for sometime and deploying
specific solutions.
Andrey Tarasov
> alexd <trof...@hotmail.com> writes:
>> I regularly see you recommend Juniper here. Could you suggest an
>> introductory guide to SSG that would make sense to someone who was familiar
>> with IOS, ASA and SonicOS?
>
> The SSG's are all EOL'd, replaced the SRX's, which are vastly
> different boxes. The SSG was just another version of the Netscreen products.
> The SRX is when they converted everything over to JunOSse.
That's not completely correct. SSG5, 20, 320M/350M/520M and 550M are
still being sold. Last four (M ones) can be also converted into J-series
routers and run JUNOS-ES, which would make them SRX-like.
Best way to approach SRX training (along with EX switches and J-series
routers) is to sign up for FastTrack program -
https://learningportal.juniper.net/juniper/user_fasttrack_home.aspx
Regards,
Andrey.
RG
Thanks,
"Doug McIntyre" <mer...@geeks.org> wrote in message
news:4b1fddca$0$33859$8046...@newsreader.iphouse.net...
Doug McIntyre
>Is $300 a lot to pay for new 50b?
No, that would be about best street price for the unbundled version
(ie. doesn't come with the IPS/AV/filtering update & maintenance subscriptions).
The 50B, unlike the PIX501 can push wirespeed in almost all cases
(maybe not so much if you turn on tons of webfilter regex's and the like).
RG
Thanks
"Doug McIntyre" <mer...@geeks.org> wrote in message
news:4b1fca37$0$33860$8046...@newsreader.iphouse.net...
Doug McIntyre
>which version of netscreen would you say is comperable to 501?
The smallest/oldest Netscreen boxes would be a step up over the 501.
(granted, thats the smallest tiny Cisco PIX model as well).
The PIX line is fairly underpowered compared to everybody else. Cisco
rested on not improving it for sometime. The ASAs make up for it somewhat.
I don't know if you are asking about current models, or old ones you'd
find on eBay though?
I'd look for newer boxes compared to older boxes though. Unlike Cisco
which didn't really do much to make new models in the PIX line,
Netscreen cycled through 3-4 generations, and Juniper has done 2
hardware cycles beyond that.
If you are looking for old used hardware, something like a
Netscreen 5GT was quite a popular model. 75Mbps throughput, 20Mbps VPN.
And you'd expect to get 75Mbps throughput, unlike a PIX 501 with its
rated 60Mbps on a good day. Should be less than $100 used.
I see some pretty funny fantasy prices on eBay for old gear now-a-days though.
(yeah, lets see, we'll get new street price for hardware that is 10
years old, and EOL'd 5 years ago).
But as a I stated earlier, a Fortigate 50B would do linespeed filtering.
RG
no password. Would you know hardware resest it?
Thanks in advance
"Doug McIntyre" <mer...@geeks.org> wrote in message
news:4b2177ca$0$47486$8046...@newsreader.iphouse.net...
Doug McIntyre
>So, I bought myself fortigate 50b from on ebay. Little did I know they have
>no password. Would you know hardware resest it?
To password recovery a Fortinet, console in (uses same pinout as
Cisco, Juniper, Sun, etc).
Login as 'maintainer'. Password of 'bcpb' followed by the full serial
# of the box, matching case (ie. FGT in upper case, and any hardware
rev letter)
And then to make sure the config is totally cleared out
execute factoryreset
from the CLI.
RG
I am at a loss.
This is what I have done...
1. I connected dc9pin to my computer and rj45 end to fortigate
2. Through termina session I got user name prompt
3. I entered maintainer for user name.
4. I entered bcpbFGT50B3G07518259 for password
5. The response was it didn't like the credentials.
Perhaps you can see a problem with a password or username.
"Doug McIntyre" <mer...@geeks.org> wrote in message
news:4b70eb60$0$33859$8046...@newsreader.iphouse.net...
Doug McIntyre
>Thanks for your time.
>I am at a loss.
>This is what I have done...
>1. I connected dc9pin to my computer and rj45 end to fortigate
>2. Through termina session I got user name prompt
>3. I entered maintainer for user name.
>4. I entered bcpbFGT50B3G07518259 for password
>5. The response was it didn't like the credentials.
>Perhaps you can see a problem with a password or username.
That should do it.
There is a timelimit, maybe make sure to have the password in the
paste buffer ready to send in?
Otherwise, make sure you don't typo it, sometimes delete/backspace
messes up things even if the characters get rubbed out on the screen.
RG
in session and it worked for me. Thanks for the help.
"Doug McIntyre" <mer...@geeks.org> wrote in message
news:4b7108b1$0$637$8046...@newsreader.iphouse.net...
RG
together than pix.
"Doug McIntyre" <mer...@geeks.org> wrote in message
news:4b1fddca$0$33859$8046...@newsreader.iphouse.net...
Doug McIntyre
>This fortigate is pretty impressive. It looks like it is much better put
>together than pix.
Yep, pretty nice overall I think.
I like that they support a huge range of features, the GUI is quite
usable on every desktop, only having to bop out to the CLI for a few
advanced things, they don't have licensing limitations (although you
have to subcribe to AV definition updates, but they are all like
that), and are rock solid. Code updates seem to be only for new
features and minor bug fixes than any security issues. They support
pretty much wirespeed for most setups.
I'm going through my list of managed boxes to find the longest uptime.
Hmm, I think the uptime counters roll after a time, but the system log
messages so only two reboots in 5 years on one of my oldest boxes.
RG
to send me?
Thanks in advance