Firewall Wizards mailing list archives
help...
From: "michael" <madams () humanfactors com>
Date: Mon, 17 Feb 2003 13:04:25 -0600
I have a problem which is actually supposed to be easy--at least according to the Cisco examples--but seems to be giving me fits. I just can't figure out where I'm going wrong. A particular company--being, shall we say, possessed of parsimonious pecuniary policies--will not update one of their old PIX firewalls beyond version 4.2. In itself, that's not really too much of an issue. It has three interfaces, and one of them is now to be designated as a DMZ. (This version of the IOS--although old--does indeed handle more than two interfaces.)

I have set it up according to examples on CCO, and interestingly enough it will work just fine when passing traffic from the outside interface to the DMZ interface. The DMZ is configured for NAT. However, the one thing that has me stumped is why I cannot get it to--through either statics or conduits--communicate with an interface which is of "higher" security level. According to everything I know (which admittedly is not omniscient) this can be done, even though by default a "lower" security level interface does not communicate with a "higher" level unless exceptions are made. There are examples on CCO. But so far it doesn't work. I can ping a host on the DMZ, but the host is not actually responding--the PIX does, because of a static mapping...

Any advice that would be helpful in creating an exception that would allow traffic initiated from the inside interface to the DMZ interface to actually work?

Thanks!
Michael