consolidated edge with Cisco Pix

  • Question

  • I'm deploying a consolidated edge scenario with OCS v1. Internal firewall is ISA2006, external is Cisco Pix.

    The Edge server runs 2 interfaces. Access and Conferencing are successfully published from the external NIC with NAT.

    I'm trying to add A/V edge. I found I cannot use the same external NIC, so I've added a 3rd NIC to the edge server.

    1. Any experience publishing A/V through a Cisco Pix? The standard requirement is a public/routable IP.
    If I assign a public IP to a server in a DMZ, what must I configure on the PIX? The outside interface owns an IP on the same subnet that I'm configuring on the Edge A/V server (the only public subnet I have).

    2. How should I configure the routing table on the Edge server? My public addresses are on the same subnet (both NATed and directly assigned).

    Any thoughts?

    I found the Pix can run in 'transparent' mode, which may or may not fit the requirement, but this is an appliance-level mode incompatible with NAT ... which means I'd have to use 2 Pix: one in transparent mode for A/V, another with NAT for the rest of the company....

    Please tell me I don't have to buy a new firewall or move to R2 ... :)

    Thank you.

    -C

    Friday, March 6, 2009 5:32 PM

All replies

  • If the IP you are trying to use for AV is in the same subnet as the PIX public interface then you won't be able to connect it behind the PIX. You would have to put a switch between your internet router and the public interface of the PIX and then plug the AV interface into the switch. This is obviously not recommended because the connection will be insecure. The only other way to accomplish this is to have a routable public DMZ.


    Mark
    Monday, March 9, 2009 2:35 AM
  • What model PIX device do you have?  If you have more than two interfaces the best option is to configure pass-through on a dedicated interface and connect that to a dedicated A/V Edge NIC.  If it's a smaller SMB unit like a Pix 501 then your options are very limited unfortunately.

    Jeff Schertz, PointBridge | MVP | MCITP: Enterprise Messaging | MCTS: OCS
    Monday, March 9, 2009 3:51 PM
    Moderator
  • Thanks Mark.
    Plugging the A/V interface into the Internet is not an option for security reasons here.
    I'm interested in the 'routable public DMZ' you mentioned. I do have 1-2 extra interfaces available on my Pix. Can you give me any guidance on that?
    I do have standard DMZs with NAT and private IPs, but I've never done a DMZ with public IPs that currently belong to the outside interface.

    TIA

    -C
    Monday, March 9, 2009 5:34 PM
  • Thanks Jeff.
    Do you have any details on how to implement pass-through on an interface?
    I do have 1-2 spare interfaces on my Pix, so I can dedicate one to A/V in this case. I just have to understand how.
    Do I have to have 2 different public subnets? I currently have only one, which is in use by the outside Pix interface and by the NATed IP of other services (SIP, webconf, exchange).

    Thank you for any additional clarification

    -C
    Monday, March 9, 2009 6:01 PM
  • Take a look at the third diagram under Supported Configurations in this article:
    http://blogs.pointbridge.com/Blogs/schertz_jeff/Pages/Post.aspx?_ID=33

    You'll need to add an additional interface to your Edge server to host only the A/V Edge role and then configure that adapter with an IP address in a routable subnetwork, then connect it to one of the additional interfaces on the PIX device.  Take a look at the Cisco documentation on how to configure that adapter to simply route and not NAT the traffic on it.  You'll still want to have the firewall filtering all but the required A/V ports.

    Also take a look through the Microsoft Perimeter networking whitepaper linked in that article as well.
    Jeff Schertz, PointBridge | MVP | MCITP: Enterprise Messaging | MCTS: OCS
    Monday, March 9, 2009 6:35 PM
    Moderator
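The routed (non-NAT) A/V DMZ that Jeff describes above, written out as an added configuration example; it is not from the thread or from any vendor documentation. It assumes PIX 7.x / ASA-style syntax, that the ISP routes a second public block to the PIX outside address (the thread's problem is that a single block shared with the outside interface cannot be placed behind the PIX), and the OCS 2007 R1 A/V Edge port set (verify against the port table for your OCS version). All addresses and interface names are placeholders.

```cisco
! Added example, not from the thread. Assumptions (placeholders):
!   existing outside block   203.0.113.0/29, PIX outside address 203.0.113.2
!   new routed public block  198.51.100.0/29, routed by the ISP to 203.0.113.2
!   A/V Edge NIC address     198.51.100.10 (no translation anywhere)
!   A/V Edge ports (OCS 2007 R1): TCP 443, UDP 3478, TCP+UDP 50000-59999
!
! PIX 7.x default: hosts may pass between interfaces without a NAT rule.
no nat-control
!
! Dedicated PIX interface for the A/V Edge segment (spare port on the PIX).
interface Ethernet2
 nameif avdmz
 security-level 50
 ip address 198.51.100.1 255.255.255.248
 no shutdown
!
! Identity static: present the A/V Edge address to the outside unchanged,
! so the PIX routes rather than translates it (and accepts inbound flows to it).
static (avdmz,outside) 198.51.100.10 198.51.100.10 netmask 255.255.255.255
!
! Inbound filter: only the A/V Edge ports may reach the A/V Edge address.
! Everything else to this segment is dropped by the implicit deny.
access-list outside_in extended permit tcp any host 198.51.100.10 eq 443
access-list outside_in extended permit udp any host 198.51.100.10 eq 3478
access-list outside_in extended permit tcp any host 198.51.100.10 range 50000 59999
access-list outside_in extended permit udp any host 198.51.100.10 range 50000 59999
access-group outside_in in interface outside
```

On the Edge server, the A/V NIC takes 198.51.100.10/29 with 198.51.100.1 as its next hop; the NATed Access/Conferencing interface stays on the original block exactly as it is published today.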