01-30-2009 08:52 AM - edited 03-11-2019 07:44 AM
Hello,
I'm trying to configure a VLAN on my PIX 535 and applying ACLs that will allow me to restrict anyone on that VLAN to the Internet only and our web servers in the DMZ.
I'm not a security expert, so I don't know the best way to set this up.
The physical connection for the VLAN (coming in from our core switches, Catalyst 6503E) is the same physical connection as the inside (gb-int0) interface.
Could someone please give me an idea of what translation rules and configuration commands I should be using to create the VLAN properly and then have it routing properly and then applying ACLs to block access to the internal network (with maybe the exception of DNS) and DMZ with the exception of the web servers?

Thanks,

-Josh
01-30-2009 09:47 AM
Josh-
Let's say that the vlan in question is vlan 10. So you've got, for example,
interface ethernet2.10
 vlan 10
 nameif restricted (or whatever you want to call it)
 security-level 50 (or whatever)
 ip address 10.0.0.1 255.255.255.0
global (outside) 1 interface
nat (restricted) 0 access-list RESTRICTED_NONAT
nat (restricted) 1 10.0.0.0 255.255.255.0
The nat 1 statement allows vlan 10 to get PATed at the outside interface, thus allowing internet access, and the nat 0 allows access to whatever is defined in the access-list RESTRICTED_NONAT
So, if you want to allow access to a web server whose address is 10.0.100.50 on port 80 in your DMZ you could use
access-list RESTRICTED_NONAT extended permit tcp 10.0.0.0 255.255.255.0 host 10.0.100.50 eq 80
You can add more lines to the acl for each additional web server.
HTH,
Paul
01-30-2009 09:52 AM
edit: this is assuming that you do not have any specific access-lists applied to your dmz for internal traffic. If you do, you will need to allow access from your restricted vlan.
02-03-2009 08:52 AM
Hi Paul,
Thanks for the response. It seems these commands are not valid for my PIX 535 version (6.3(5)).
What version of PIX will these commands work on?
-Josh
02-03-2009 09:05 AM
Josh-
This will work on v7.x or 8.x. The only commands there that won't work on 6 are the interface statements. The access lists and nat/global commands are the same.
HTH,
Paul
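The NAT statements above get the restricted VLAN to the Internet and to the web server, but Josh's original question also asked for an ACL that blocks the inside network and the rest of the DMZ while still allowing DNS. The following is an added example (not from Paul's reply or the original thread) of that filtering ACL for PIX/ASA 7.x, applied inbound on the "restricted" interface from Paul's configuration; it assumes an inside network of 10.1.0.0/16, a DMZ of 10.0.100.0/24 and an internal DNS server at 10.1.0.53, none of which appear in the thread.

```cisco
! Added example, not part of the original thread. Assumed addressing:
! inside = 10.1.0.0/16, DMZ = 10.0.100.0/24, internal DNS = 10.1.0.53.
! The restricted VLAN (10.0.0.0/24) and web server (10.0.100.50) are the
! values used in Paul's reply.
!
! Name the protected ranges once so the deny rules stay readable.
object-group network INTERNAL_NETS
 network-object 10.1.0.0 255.255.0.0
object-group network DMZ_NETS
 network-object 10.0.100.0 255.255.255.0
!
! ACLs are evaluated top to bottom and the first match wins, so the
! DNS and web-server exceptions must come before the broad denies.
access-list RESTRICTED_IN extended permit udp 10.0.0.0 255.255.255.0 host 10.1.0.53 eq domain
access-list RESTRICTED_IN extended permit tcp 10.0.0.0 255.255.255.0 host 10.1.0.53 eq domain
access-list RESTRICTED_IN extended permit tcp 10.0.0.0 255.255.255.0 host 10.0.100.50 eq www
access-list RESTRICTED_IN extended permit tcp 10.0.0.0 255.255.255.0 host 10.0.100.50 eq https
! Log the denies so hosts on the VLAN probing inside or DMZ addresses
! show up in syslog instead of failing silently.
access-list RESTRICTED_IN extended deny ip 10.0.0.0 255.255.255.0 object-group INTERNAL_NETS log
access-list RESTRICTED_IN extended deny ip 10.0.0.0 255.255.255.0 object-group DMZ_NETS log
! Whatever remains is the Internet, PATed by "nat (restricted) 1".
access-list RESTRICTED_IN extended permit ip 10.0.0.0 255.255.255.0 any
!
access-group RESTRICTED_IN in interface restricted
!
! The DNS server must also be exempted from NAT: the only global pool
! is on the outside interface, so without this line traffic toward the
! inside interface has no translation and is dropped.
access-list RESTRICTED_NONAT extended permit ip 10.0.0.0 255.255.255.0 host 10.1.0.53
!
! Only needed if the DMZ interface has the same security level as the
! restricted interface (50 in Paul's example).
same-security-traffic permit inter-interface
```

Check the result with `show access-list RESTRICTED_IN` after generating traffic from the VLAN; the hit counts on the deny lines confirm the ordering is doing what you expect.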