CCNP forum, June 2002
pix firewall dmz configuration
haseeb_eng 2002-06-23, 6:59 am
PIX with 3 interfaces: 1st for outside (real IPs), 2nd for inside (fake IPs), 3rd for DMZ. In the DMZ there will be only 1 server, which will work as DNS, mail, web, etc., and I want to put the real IP address on that server (from the range of the same real IP addresses which will be used for the outside interface).
If I put the same real IP on the PIX DMZ interface, will there be a conflict or any other problem between the interfaces or not? If yes, then what could be the solution? If any one of you can give me the configuration for the same scenario, it will be very helpful for me to solve the problem.
I don't have the PIX with me at the moment, otherwise I would have tried it myself. I have to go to the client site and I don't want to do any practice on that, so if you give me the configuration for the same scenario it will be quite helpful for me.
subnet__zero 2002-06-23, 11:05 am
Based on what I'm gathering from you, because you reference a "range" of "real" addresses, I'm assuming that you're doing real NATing and not PATing. If this is true, there are a couple of ways to do what you're asking.
One way is to use the nat 0 command, if your security policy allows it. This allows outside-to-inside (DMZ) access. (Interfaces are always "outside" with respect to another interface if they have a lower security level.) With this you use a registered IP to be accessible to the outside. In your case you would take the address of your bastion (http, dns, mail, etc.) server, put one of your registered IPs on it, and not allow it to be translated. For example purposes, without using anyone's real address, here's how to do nat 0:
pixfirewall (config)#conduit permit tcp host 192.168.1.9 eq www any
pixfirewall (config)#nat (dmz) 0 192.168.1.9 255.255.255.255
This means that 192.168.1.9 won't be translated (the host mask 255.255.255.255 limits the exemption to that one server rather than its whole subnet), and this IP would be the address used for access to the server in the DMZ; your PIX security remains. If you did a "show nat", you would see that this address is not translated.
The 2nd way is:
pixfirewall (config)#nameif ethernet0 outside sec0
pixfirewall (config)#nameif ethernet1 inside sec100
pixfirewall (config)#nameif ethernet2 dmz sec50
pixfirewall (config)#interface ethernet0 auto
pixfirewall (config)#interface ethernet1 auto
pixfirewall (config)#interface ethernet2 auto
pixfirewall (config)#ip address outside 192.168.0.2 255.255.255.0
pixfirewall (config)#ip address inside 10.0.0.1 255.255.255.0
pixfirewall (config)#ip address dmz 172.16.0.1 255.255.255.0
pixfirewall (config)#nat (inside) 1 10.0.0.0 255.255.255.0
pixfirewall (config)#global (outside) 1 192.168.0.15-192.168.0.254 netmask 255.255.255.0
pixfirewall (config)#global (dmz) 1 172.16.0.10-172.16.0.254 netmask 255.255.255.0
pixfirewall (config)#static (dmz,outside) 192.168.0.11 172.16.0.2 netmask 255.255.255.255
pixfirewall (config)#conduit permit tcp host 192.168.0.11 eq www any
(The static carries a host netmask so exactly one address is mapped, and the conduit uses the PIX port literal "www" for TCP 80.)
With this, users on the inside are able to access the outside and the DMZ. Outside users can HTTP to the DMZ server at 172.16.0.2 because of the static mapping.
A 3rd and easier way for you, if you're not familiar with PIX commands, is to use the PDM (PIX Device Manager), which is an easy-to-use GUI that for your purposes would work great. To get an idea about using PDM, check out http://www.cisco.com/warp/public/78...techtips.html#3
HTH