Protect Your PIX

Keep your PIX firewall secure! In part 5 of our series of excerpts from the Cisco Press book, Cisco Secure Internet Security Solutions, you'll learn all about AAA authorization and why two DMZs are better than one.

By Cisco Press

Cisco Secure Internet Security Solutions - Chapter 4
by Andrew Mason, Mark Newcomb

Cisco Secure PIX Firewall - Part 5

Dual DMZ with AAA Authentication
This section introduces AAA authorization and creates two DMZs, focusing on the PIX configuration aspects of AAA. It also introduces a failover PIX and access lists into this configuration.

Figure 4-8 shows how this network is configured. Notice that there are two PIX Firewalls, a primary and a failover. Should the primary PIX fail, the failover PIX takes over all of the duties of the primary PIX. You also have two DMZs, the public DMZ and the accounting DMZ. The accounting DMZ is used by clients on the Internet to access the accounting data for the services.

Figure 4-8: Dual DMZ Configuration


Although a failover cable connects the serial ports of the two firewalls, you also add a hub on the inside interfaces so that both firewalls reach the interior router through a single router interface, saving interfaces on the interior router. You do the same between the outside interfaces of the firewalls and the exterior router. Both PIX Firewalls must have connectivity to both DMZs so that the failover PIX can operate correctly should the primary fail.
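The following is an added example, not the book's configuration, showing how the design just described maps onto a PIX 6.x-style configuration for the primary firewall: four interfaces (outside, inside, and the two DMZs), standby addresses on every interface so the failover unit can reach every segment, a static and access list exposing one accounting server, and AAA authentication and authorization of inbound sessions against a TACACS+ server. All interface names, addresses, the server address and the key are constructed placeholders.

```text
! Added example (not from the book). All addresses are constructed placeholders.
! Interfaces: security levels order the DMZs between inside (100) and outside (0).
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 public security50
nameif ethernet3 accounting security60
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 auto
ip address outside 192.0.2.2 255.255.255.0
ip address inside 10.0.0.1 255.255.255.0
ip address public 10.1.0.1 255.255.255.0
ip address accounting 10.2.0.1 255.255.255.0
! Failover over the serial cable: the standby unit holds these addresses on
! every interface, which is why it must be cabled to both DMZs as well.
failover
failover ip address outside 192.0.2.3
failover ip address inside 10.0.0.2
failover ip address public 10.1.0.2
failover ip address accounting 10.2.0.2
failover poll 15
! Expose one accounting server (placeholder 10.2.0.10) on a public address and
! permit only HTTP to it from the outside; everything else inbound is denied.
static (accounting,outside) 192.0.2.10 10.2.0.10 netmask 255.255.255.255
access-list acct_in permit tcp any host 192.0.2.10 eq www
access-group acct_in in interface outside
! AAA: inbound sessions are authenticated, then authorized, by a TACACS+
! server on the inside network (placeholder host and key).
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host 10.0.0.10 PLACEHOLDER_KEY timeout 5
aaa authentication include any inbound 0 0 0 0 TACACS+
aaa authorization include any inbound 0 0 0 0 TACACS+
```

On the standby unit the same configuration is replicated by the failover mechanism; only the serial failover cable and the `failover` command need to be present there before the primary synchronizes its configuration.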

This article was originally published on Oct 3, 2001