Incident response
Intrusion management
Network security
I'm looking for a firewall solution for my network. Right now we have a router that was provided by the ISP, then a firewall (3Com OfficeConnect); after the firewall is the main router (Cisco 2600) that is our gateway and DHCP. Our network is made of several subnets. All (about 90) workstations are XP Pro, with Windows 2000 Server as domain controller and several other servers (2000 Servers and an AIX server). Because of the 3 subnets, I cannot use NAT in the firewall, and I don't know if there is a way to get the DHCP table of the Cisco router. So all traffic through the firewall shows up as one IP in firewall reports. I would like to have reports on web usage. I'm not for policing users, but there are some employees that abuse web usage. I have no way of proving single-user abuse, since all workstations show up as one IP (that is the Cisco router). I have different groups of users. All users have to have email; some have unfiltered access to the web, some limited usage through domain policy enforcement (that is not perfect, since every once in a while I find out that for some reason the policy is not applied and I have to reset the IE limit policy on each workstation). I am looking for a method that can report based on users. My budget is limited to less than $1000. Thanks

Answer Wiki


For your budget, you're best off building a custom BSD- or Linux-platform firewall. The cheapest SonicWall appliance that would work would be about $1200 for the SonicWall 1260.

I'm not sure why you say that you cannot NAT 3 subnets into one address. Cisco routers can run DHCP, but if you're running a Windows domain, you should serve DHCP from the domain.

Most organizations would set up the network similar to the following diagram:
I-net --- Router --- Firewall --- Switch --- Inside Network

Your web server would be in the DMZ, directly off either a screened subnet (2 firewalls with a DMZ in the middle) or directly off an interface in the firewall. That could be NATted if you wanted it to be. Your internal network would connect to another interface on the firewall or to the second firewall's inside interface. There on the inside network would be your three subnets with computers connected to them. You would then have the option of NATting each subnet to a different range or a different IP on the outside of the firewall, or you could NAT everything to the same range or IP on the outside. You would also do your NATting on the firewall itself, not the router. If you NAT on the router, everything will be converted to the inside address of the router and logged as such, bringing up the problem you presented.

Hope this helps,
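To show why the answer above insists on NATting at the firewall rather than the router, here is an added example (not part of the original answer or any vendor's product) that aggregates a constructed, simplified firewall web log per inside host and per subnet. The log format, the three subnet ranges and the router address are assumptions; with router-side NAT every line carries the router's address and the report collapses to a single host, which is exactly the problem in the question. Mapping an inside IP to a person still needs the DHCP lease records or static reservations, which this example does not cover.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample log in a simplified "src= dst= url= bytes=" format
# (not a real vendor format). With NAT done on the firewall, src= is the
# real workstation address, so per-host accounting is possible.
FIREWALL_NAT_LOG = """\
2005-03-01T09:12:01 src=10.1.0.21 dst=203.0.113.10 url=http://example.com/ bytes=18234
2005-03-01T09:12:05 src=10.1.0.21 dst=203.0.113.10 url=http://example.com/video bytes=910221
2005-03-01T09:13:10 src=10.2.0.7 dst=198.51.100.5 url=http://example.net/ bytes=4211
2005-03-01T09:14:44 src=10.3.0.15 dst=198.51.100.9 url=http://example.org/ bytes=120
2005-03-01T09:15:00 src=10.2.0.7 dst=198.51.100.5 url=http://example.net/big bytes=555000
"""

# Same traffic as it would appear if the router did the NAT first: every
# line carries the router's inside address (192.168.0.1, assumed here).
ROUTER_NAT_LOG = re.sub(r"src=\S+", "src=192.168.0.1", FIREWALL_NAT_LOG)

# Hypothetical inside subnets; the question only says there are three.
SUBNETS = {
    ipaddress.ip_network("10.1.0.0/24"): "subnet-A",
    ipaddress.ip_network("10.2.0.0/24"): "subnet-B",
    ipaddress.ip_network("10.3.0.0/24"): "subnet-C",
}

LINE_RE = re.compile(r"src=(\S+) .*?bytes=(\d+)")


def parse(log_text):
    """Yield (source address, byte count) for every well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield ipaddress.ip_address(m.group(1)), int(m.group(2))


def subnet_of(ip):
    """Name the inside subnet an address belongs to, or 'unknown'."""
    return next((name for net, name in SUBNETS.items() if ip in net), "unknown")


def usage_by_host(log_text):
    """Total bytes per source address, e.g. {'10.1.0.21': 928455, ...}."""
    totals = defaultdict(int)
    for ip, nbytes in parse(log_text):
        totals[str(ip)] += nbytes
    return dict(totals)


def usage_by_subnet(log_text):
    """Total bytes per inside subnet, e.g. {'subnet-A': 928455, ...}."""
    totals = defaultdict(int)
    for ip, nbytes in parse(log_text):
        totals[subnet_of(ip)] += nbytes
    return dict(totals)


def top_hosts(log_text, n=3):
    """The n heaviest hosts as (address, bytes), largest first."""
    return sorted(usage_by_host(log_text).items(), key=lambda kv: -kv[1])[:n]
```

Run against `ROUTER_NAT_LOG`, `usage_by_host` returns a single entry for the router and `usage_by_subnet` puts everything under "unknown", so no per-employee report is possible from that vantage point.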

Discuss This Question: 1  Reply

  • Owenmpk
    I have been very happy with the Cisco PIX 501 (but not used with so many users, so check Cisco specs). You can get it with an unlimited connection license for ~$600. Then purchase Cisco support for ~$200 for 3 years. The support is worth it because they can come in and configure it for you, and you learn as they configure.
