ACLs and VLANs on a PIX 535

Unanswered Question
Jan 30th, 2009
I'm trying to configure a VLAN on my PIX 535 and apply ACLs that will allow me to restrict anyone on that VLAN to the Internet only and our web servers in the DMZ.

I'm not a security expert, so I don't know the best way to set this up.

The physical connection for the VLAN (coming in from our core switches, Catalyst 6503E) is the same physical connection as the inside (gb-int0) interface.

Could someone please give me an idea of what translation rules and configuration commands I should be using to create the VLAN properly and then have it routing properly and then applying ACLs to block access to the internal network (with maybe the exception of DNS) and DMZ with the exception of the web servers?

Thanks,

-Josh

pstebner10 Fri, 01/30/2009 - 09:47
Let's say that the vlan in question is vlan 10. So you've got, for example,

interface ethernet2.10

vlan 10

nameif restricted (or whatever you want to call it)

security-level 50 (or whatever)


global (outside) 1 interface

nat (restricted) 0 access-list RESTRICTED_NONAT

nat (restricted) 1

The nat 1 statement allows vlan 10 to get PATed at the outside interface, thus allowing internet access, and the nat 0 allows access to whatever is defined in the access-list RESTRICTED_NONAT

So, if you want to allow access to a web server whose address is on port 80 in your DMZ you could use

access-list RESTRICTED_NONAT extended permit tcp host eq 80

You can add more lines to the acl for each additional web server.



pstebner10 Fri, 01/30/2009 - 09:52
Edit: this is assuming that you do not have any specific access-lists applied to your DMZ for internal traffic. If you do, you will need to allow access from your restricted VLAN.

jnudell Tue, 02/03/2009 - 08:52
Hi Paul,

Thanks for the response. It seems these commands are not valid for my PIX 535 version (6.3(5)).

What version of PIX will these commands work on?


pstebner10 Tue, 02/03/2009 - 09:05
This will work on v7.x or 8.x. The only commands there that won't work on 6 are the interface statements. The access lists and nat/global commands are the same.
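
Added example, not part of the thread and not either poster's configuration: a Python model of the policy the original question asks for (DNS on the internal network, port 80 on a DMZ web server, everything else internal or DMZ blocked, Internet allowed), evaluated top-down with first match winning and an implicit deny at the end, so the rule order can be checked before it is written as an access-list. All networks and hosts are constructed assumptions.

```python
import ipaddress

# Constructed addressing (assumptions; the thread gives no addresses)
RESTRICTED = ipaddress.ip_network("192.168.10.0/24")  # the restricted VLAN
INSIDE = ipaddress.ip_network("10.0.0.0/16")          # internal network
DMZ = ipaddress.ip_network("172.16.1.0/24")
DNS = ipaddress.ip_network("10.0.0.53/32")            # internal DNS server
WEB = ipaddress.ip_network("172.16.1.80/32")          # DMZ web server
ANY = ipaddress.ip_network("0.0.0.0/0")

# (action, protocol, destination, port); "ip" and None act as wildcards
POLICY = [
    ("permit", "udp", DNS, 53),
    ("permit", "tcp", DNS, 53),
    ("permit", "tcp", WEB, 80),
    ("deny", "ip", INSIDE, None),
    ("deny", "ip", DMZ, None),
    ("permit", "ip", ANY, None),
]

def evaluate(acl, src, proto, dst, port):
    """Return (action, rule_index) for one flow from the restricted VLAN."""
    if ipaddress.ip_address(src) not in RESTRICTED:
        return ("deny", None)
    d = ipaddress.ip_address(dst)
    for i, (action, r_proto, r_dst, r_port) in enumerate(acl):
        if r_proto not in ("ip", proto) or d not in r_dst:
            continue
        if r_port is not None and r_port != port:
            continue
        return (action, i)          # first match wins
    return ("deny", None)           # implicit deny at the end of the list

def shadowed_rules(acl):
    """Indexes of rules an earlier, broader rule makes unreachable."""
    out = []
    for i, (_, proto, dst, port) in enumerate(acl):
        for _, e_proto, e_dst, e_port in acl[:i]:
            if (e_proto in ("ip", proto) and dst.subnet_of(e_dst)
                    and e_port in (None, port)):
                out.append(i)
                break
    return out

# Same rules with the internal deny moved to the top: DNS is now unreachable
MISORDERED = [POLICY[3]] + POLICY[:3] + POLICY[4:]
```

`shadowed_rules(MISORDERED)` flags the two DNS permits, which is the ordering mistake that silently breaks name resolution for the restricted VLAN.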



