Posted by Walter Roberson on March 13, 2006, 7:59 pm
>Being the paranoid IT person I am (i.e. understanding how easy it is to
>rip down the security in wireless encryption) I want to create an
>additional network we'll call this "insecure" and give this access to
>the internet via my Cisco PIX 501. However I do not want this network
>to have access to my wired LAN we'll call this "secure".
Your diagram shows both networks as being on the same side of
the PIX 501. In that situation, you cannot prevent the two
networks from communicating, not unless you can put restrictions
on the gateway between them (the Netgear in your case).
>I am using a Netgear router for my wireless access and so far I have
>done the following:
> -----------       ------------
> |   www   |  -    | pix 501  | -----|
> -----------       ------------      |- 192.168.10.0 (Secure LAN)
>                                     |
>                                     |- 172.30.10.0 (Insecure LAN)
>
> -------------
> |  Netgear  |  WAN - 192.168.10.3 (Insecure LAN)
> -------------  LAN - 172.16.30.1
I gather that 'www' represents the Internet in the diagram.
If someone in the wireless LAN addresses a packet to 192.168.10.*
then the Netgear is going to see that network in its routing table,
and will ARP on the outside interface for the target address.
That ARP *will* get through to the target IP: although you have
the Netgear plugged in to the 501, the four LAN ports on the 501
act as a switch, especially as it is the same subnet being requested.
But in your configuration, you cannot use different subnets for the
two LANs, because although you can add a 'route inside' on the PIX
for the second subnet, the PIX needs to be able to ARP the
destination, and the ARP would not be listened to by the Netgear
if the Netgear is in a different subnet. You could -try- setting
the next-hop address to be the interface itself: the ARP might then
go out "raw" onto the switchports, and the Netgear -might-
pay attention to it (depends on the IP stack.)
It is not possible to configure the PIX 501 to filter packets
between the four switch ports.
Does your Netgear router happen to be one of the ones that is Linux
based?
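The restriction on the gateway that the reply points to, worked through as an added example (not from the original post, and not Netgear's own firmware configuration): if the Netgear is Linux-based with iptables, a FORWARD rule on it can drop wireless traffic destined for the secure LAN while leaving Internet-bound traffic alone. The interface names br0 (wireless/LAN bridge) and eth0 (WAN port), and the availability of iptables on the box, are assumptions; the 192.168.10.0/24 secure LAN comes from the diagram.

```shell
#!/bin/sh
# Added example, not from the post: iptables FORWARD rules for a Linux-based
# Netgear so that the wireless ("insecure") LAN cannot reach the wired
# ("secure") 192.168.10.0/24 LAN, but can still reach the Internet via the PIX.
# Assumptions: wireless side is bridge br0, WAN port (192.168.10.3) is eth0.
# Default is a dry run that prints the commands; set APPLY=1 to execute them.

SECURE_NET="192.168.10.0/24"
WIFI_IF="br0"
WAN_IF="eth0"

# run: execute the command when APPLY=1, otherwise just print it.
run() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

wifi_isolation_rules() {
    # Drop anything from the wireless side whose destination is in the
    # secure LAN. Internet-bound packets are not matched: their destination
    # is a public address, only the next hop (the PIX) sits in 192.168.10.0/24.
    run iptables -I FORWARD 1 -i "$WIFI_IF" -o "$WAN_IF" -d "$SECURE_NET" -j DROP
    # Everything else leaving the wireless side towards the WAN is allowed.
    run iptables -A FORWARD -i "$WIFI_IF" -o "$WAN_IF" -j ACCEPT
}

# Sanity check on the generated rule set: exactly one DROP rule, placed first.
count_drops() {
    wifi_isolation_rules | grep -c -- '-j DROP'
}

first_rule_is_drop() {
    wifi_isolation_rules | head -n 1 | grep -q -- "-d $SECURE_NET -j DROP"
}
```

This only helps for traffic that the Netgear forwards; as the reply says, the PIX 501 itself cannot filter between its four switch ports, so the Netgear is the only place this rule can live.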