Firewall Wizards mailing list archives
RE: PIX 520 - control traffic between DMZ and inside devices
From: "Brian A Kee" <bkee () lurhq com>
Date: Mon, 16 Dec 2002 06:53:24 -0500
Remember that with the PIX you must take account of the security level of the interface. If you are going from a lower security level to a higher level, you will need a NAT rule and an ACL (conduit). In this case you could probably use NAT 0 (zero). This will allow traffic to traverse the PIX from the DMZ to the inside. Keep in mind you will still need ACLs (conduits) to allow the specified traffic.

Assuming you have the server statically mapped to an external address:

    static (dmz,outside) <GlobalIP> <LocalIP> netmask <Mask>

you should be able to configure a nat 0 (zero) rule like:

    nat (dmz) 0 <LocalIP> <Mask>

The static should translate all requests from the outside world, while the nat 0 (zero) rule should grab all requests originating from within the internal network. There should be several other ways to do this.

BAK

-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Eye Am
Sent: Monday, December 16, 2002 12:14 PM
To: firewall-wizards () honor icsalabs com
Subject: [fw-wiz] PIX 520 - control traffic between DMZ and inside devices

Being confused right now, I'll try to word this as un-confusing as possible. Scenario as follows:

The pic at http://security.kicks-ass.org:911/DMZ_CONFIG.gif is the basic network configuration I need and will be needed to make any sense out of the following.

PIX 520, three interfaces: inside, outside and DMZ.
Webserver (Win2k Server) in DMZ.
6509 switch with MSM (routing).
Traffic successfully limited to ports 80 and 443 between outside and DMZ in the PIX using NAT/access-list/group.
Default gateway for all DMZ devices is the PIX int E2 "DMZ".
Default gateway for all inside devices is my.PRV.net.14 "6509MSM".
I can successfully ping any DMZ device from the 6509 MSM, so it knows how to get to the DMZ and back.
I cannot ping any inside devices from the PIX "DMZ" interface.
I cannot ping any DMZ devices from any devices on the inside.

Here's my quandary: the webserver also needs to be limited to port 1433, TCP and UDP, to a specific MSSQL server on the inside, and all traffic may flow on all ports to another computer on the inside. How do I control traffic between DMZ and inside devices? Is this do-able within the PIX or do I need to use the MSM (or a combination) to complete this piece?

I've been tearing my hair out trying to get this to happen in the PIX to no avail. Seems no matter what combination of access-lists/groups I install there is no limit to traffic flowing between DMZ and inside.

TYVM
Chuck Genrich
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
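For reference, the restriction Chuck describes (webserver to one MSSQL host on 1433 TCP and UDP, all ports to one other inside host, nothing else from the DMZ into the inside) can be written out in PIX 6.x commands as follows. This is an added example, not taken from either message in the thread: every address, interface number and ACL name is a constructed placeholder, and it assumes a single inside range 10.2.0.0/16 routed through the 6509 MSM at 10.1.1.14.

```cisco
! Constructed example, PIX 6.x syntax. Security levels decide direction:
! inside (100) -> dmz (50) is "outbound", dmz (50) -> inside (100) is "inbound"
! and needs both a translation entry (static) and an ACL on the dmz interface.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50

! Placeholder addresses (RFC 5737 / RFC 1918 ranges)
ip address outside 203.0.113.2 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
ip address dmz 192.0.2.1 255.255.255.0

! Inside subnets sit behind the MSM, so the PIX needs a route to them
route inside 10.2.0.0 255.255.0.0 10.1.1.14 1

! Outside -> DMZ: webserver reachable on 80/443 only (the part that already works)
static (dmz,outside) 203.0.113.10 192.0.2.10 netmask 255.255.255.255
access-list outside_in permit tcp any host 203.0.113.10 eq 80
access-list outside_in permit tcp any host 203.0.113.10 eq 443
access-group outside_in in interface outside

! Identity static: inside addresses are visible to the DMZ unchanged.
! Because statics are bidirectional this also covers inside -> dmz traffic,
! so no separate nat/global pair is needed for that direction.
static (inside,dmz) 10.2.0.0 10.2.0.0 netmask 255.255.0.0

! DMZ -> inside: only what the webserver (192.0.2.10) is allowed to reach.
! 10.2.1.20 = MSSQL server, 10.2.1.30 = the host that may receive all ports.
access-list dmz_in permit tcp host 192.0.2.10 host 10.2.1.20 eq 1433
access-list dmz_in permit udp host 192.0.2.10 host 10.2.1.20 eq 1433
access-list dmz_in permit ip host 192.0.2.10 host 10.2.1.30
! Optional: let inside hosts' pings into the DMZ get their replies back
access-list dmz_in permit icmp 192.0.2.0 255.255.255.0 10.2.0.0 255.255.0.0 echo-reply
! Everything else from the DMZ is dropped by the implicit deny at the end
access-group dmz_in in interface dmz
```

Two points worth checking when applying something like this. First, the ACL has to be bound to the dmz interface: an access-group on inside only filters traffic that inside hosts originate, which is why inside-applied lists appear to put "no limit" on DMZ-to-inside flows. Second, once dmz_in is in place it governs all DMZ-originated traffic, including anything the webserver might try to start toward the outside; replies to outside-initiated HTTP/HTTPS sessions still pass because the PIX matches them against existing connections. The MSM also needs a route for 192.0.2.0/24 and 0.0.0.0/0 pointing at the PIX inside address, which the ping test from the MSM in the thread already confirms. `show access-list` hit counts and `show conn` are the quickest way to confirm which line a given flow is matching.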
Current thread:
- PIX 520 - control traffic between DMZ and inside devices Eye Am (Dec 16)
- RE: PIX 520 - control traffic between DMZ and inside devices Brian A Kee (Dec 16)
- RE: PIX 520 - control traffic between DMZ and inside devices Brian A Kee (Dec 17)
- Re: PIX 520 - control traffic between DMZ and inside devices Eye Am (Dec 17)
- RE: PIX 520 - control traffic between DMZ and inside devices Brian A Kee (Dec 17)
- Re: PIX 520 - control traffic between DMZ and inside devices Luca Berra (Dec 22)
- RE: PIX 520 - control traffic between DMZ and inside devices Brian A Kee (Dec 17)
- RE: PIX 520 - control traffic between DMZ and inside devices Brian A Kee (Dec 16)
- <Possible follow-ups>
- Re: PIX 520 - control traffic between DMZ and inside devices Miha Vitorovic (Dec 17)
- RE: PIX 520 - control traffic between DMZ and inside devices Eye Am (Dec 30)