Firewall Wizards mailing list archives
RE: PIX 520 - control traffic between DMZ and inside devices
From: Eye Am <eyeam () optonline net>
Date: Mon, 30 Dec 2002 17:38:30 -0500
Well, I'd like to thank everyone here for their guidance and input. We managed to get everything configured to do what we want. One change that occurred was that we need unlimited access for traffic initiated on the inside interface destined for the DMZ (access shares etc.) BUT we need to limit access for traffic initiated in the DMZ to only certain machines/ports on the inside (i.e. a website accessing an MSSQL server). Here's what we did:

PIX config

access-list 110 permit ip my.PRIVATE.net.0 255.255.255.0 my.DMZ.net.0 255.255.255.0
nat (inside) 0 access-list 110
# Allows unlimited traffic originated in PRIVATE destined for DMZ

access-list dmz_in permit ip my.DMZ.net.0 255.255.255.0 host my.PRIVATE.net.22
# Inside DNS Server
access-list dmz_in permit tcp host my.DMZ.net.37 host my.PRIVATE.net.9 eq 1433
access-list dmz_in permit tcp host my.DMZ.net.61 host my.PRIVATE.net.9 eq 1433
access-list dmz_in permit tcp host my.DMZ.net.60 host my.PRIVATE.net.9 eq 1433
# DMZ device to inside MSSQL server
access-list dmz_in permit icmp any any
# Permit PING
access-group dmz_in in interface DMZ
## Controls traffic initiated by DMZ devices destined for inside

static (inside,DMZ) my.PRIVATE.net.0 my.PRIVATE.net.0 netmask 255.255.255.0 0 0
# Static mapping for entire PRIVATE Class C to DMZ

(This was the part I never saw before - static mapping of the same address space in two interfaces. Loosely equated to Global and NAT I believe.)

MSM Config

conf t
no access-list 101
access-list 101 permit ip my.PRIVATE.net.0 255.255.255.255 my.DMZ.net.0 255.255.255.255
route-map testdmz permit 10
match ip address 101
set ip next-hop my.PRIVATE.net.15
interface Vlan100
ip policy route-map testdmz
# Created gateway for traffic originating on the inside interface destined for the DMZ, in addition to the normal inside default gateway that sends traffic to the outside (Internet) from inside to DMZ.
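As an added illustration (not part of the post above), here is a small Python first-match evaluator for the dmz_in access list, so the intended policy (DMZ hosts may reach only the inside DNS host, port 1433 on the MSSQL host, and ICMP) can be checked against sample flows before the ACL goes on the box. The addresses 10.1.1.0/24 and 192.168.100.0/24 are constructed stand-ins for the post's my.PRIVATE.net and my.DMZ.net placeholders.

```python
import ipaddress

# Constructed stand-ins for the post's placeholder networks (not real addresses).
PRIVATE = ipaddress.ip_network("10.1.1.0/24")      # my.PRIVATE.net.0/24
DMZ = ipaddress.ip_network("192.168.100.0/24")     # my.DMZ.net.0/24

def host(ip):
    """A /32 network for a PIX 'host a.b.c.d' entry."""
    return ipaddress.ip_network(f"{ip}/32")

# The dmz_in ACL from the post, one tuple per ACE, in order:
# (protocol, source net, destination net, destination port). None means any.
DMZ_IN = [
    ("ip",   DMZ,                    host("10.1.1.22"), None),  # inside DNS server (all IP, not only 53)
    ("tcp",  host("192.168.100.37"), host("10.1.1.9"),  1433),  # DMZ device -> inside MSSQL
    ("tcp",  host("192.168.100.61"), host("10.1.1.9"),  1433),
    ("tcp",  host("192.168.100.60"), host("10.1.1.9"),  1433),
    ("icmp", None,                   None,              None),  # permit PING
]

def acl_permits(acl, proto, src, dst, dport=None):
    """First-match evaluation of a PIX ACL; no match falls through to the implicit deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace_proto, ace_src, ace_dst, ace_port in acl:
        if ace_proto != "ip" and ace_proto != proto:
            continue
        if ace_src is not None and src not in ace_src:
            continue
        if ace_dst is not None and dst not in ace_dst:
            continue
        if ace_port is not None and ace_port != dport:
            continue
        return True
    return False

def audit_dmz_in(acl=DMZ_IN):
    """Evaluate the flows the post intends to allow plus a few it should block."""
    flows = {
        "dns":          ("udp",  "192.168.100.37", "10.1.1.22", 53),
        "mssql_37":     ("tcp",  "192.168.100.37", "10.1.1.9",  1433),
        "mssql_99":     ("tcp",  "192.168.100.99", "10.1.1.9",  1433),  # host not listed in the ACL
        "smb_37":       ("tcp",  "192.168.100.37", "10.1.1.9",  445),   # listed host, wrong port
        "dns_host_445": ("tcp",  "192.168.100.37", "10.1.1.22", 445),   # 'permit ip' to the DNS host is broad
        "ping":         ("icmp", "192.168.100.37", "10.1.1.50", None),
    }
    return {name: acl_permits(acl, *flow) for name, flow in flows.items()}

if __name__ == "__main__":
    for name, ok in audit_dmz_in().items():
        print(f"{name:14s} {'permit' if ok else 'deny'}")
```

The dns_host_445 flow is permitted because the first ACE is "permit ip" rather than a UDP/53 rule; tightening it to the DNS ports is the obvious follow-up if the DNS host should not be reachable on anything else.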
_______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- PIX 520 - control traffic between DMZ and inside devices Eye Am (Dec 16)
- RE: PIX 520 - control traffic between DMZ and inside devices Brian A Kee (Dec 16)
- RE: PIX 520 - control traffic between DMZ and inside devices Brian A Kee (Dec 17)
- Re: PIX 520 - control traffic between DMZ and inside devices Eye Am (Dec 17)
- RE: PIX 520 - control traffic between DMZ and inside devices Brian A Kee (Dec 17)
- Re: PIX 520 - control traffic between DMZ and inside devices Luca Berra (Dec 22)
- RE: PIX 520 - control traffic between DMZ and inside devices Brian A Kee (Dec 17)
- RE: PIX 520 - control traffic between DMZ and inside devices Brian A Kee (Dec 16)
- Re: PIX 520 - control traffic between DMZ and inside devices Miha Vitorovic (Dec 17)
- RE: PIX 520 - control traffic between DMZ and inside devices Eye Am (Dec 30)