Questions on accessing Internal network from DMZ through PIX

Apr 30th, 2002

I have installed a PIX 515. I have a web server on my DMZ that contains our web site and Intranet for Internal users. I would like to set up a web page on our web site that accesses files on our Internal network. How would I go about doing this and what would the security consequences be for allowing this? I am using Windows 2000 with AD on my Internal network and I am using NAT on the PIX.

mklaphek Wed, 05/01/2002 - 06:09

First, I'm assuming that the inside users can currently reach the DMZ web server. What I would do is establish a static translation and point the web server to that static. Next, you simply define an access-list to allow the desired traffic. Then, you apply the access-list to the DMZ interface. Keep in mind that this is for packets inbound to the interface.

As a test method, I would first create the static and then allow all traffic through to make sure that the static is working properly. Then I would apply the filtering desired, and make sure that the traffic can still get through (you may have to issue a "clear xlate" command.)

As far as security, there will always be a tradeoff between security and functionality. The best approach is to layer the security (security at the Internet demarcation, firewall security, etc.)

Hope this helps.
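As an added example (not part of mklaphek's reply, and not taken from any Cisco documentation), here is how the static / access-list / access-group sequence described above looks as a PIX 6.x-style configuration. The interface names, the addresses, the access-list name dmz_in and the assumption that the file access is Windows file sharing on TCP 445 are all constructed for illustration; the comments mark the test step and the tightened final step separately.

```cisco
! Added example: PIX 6.x-style configuration for the steps in the reply above.
! All names and addresses below are constructed assumptions, not from the thread.
!
! Assumed interfaces: inside = 10.1.1.0/24 (security100)
!                     dmz    = 172.16.1.0/24 (security50)
! Assumed hosts:      internal file server 10.1.1.20
!                     DMZ web server       172.16.1.10
! Assumed service:    Windows file sharing over SMB, TCP 445. Use 139 (NetBIOS),
!                     21 (FTP) or 2049 (NFS) instead if that is what the page uses.

! Step 1: static translation. The internal file server is presented on the DMZ
! side as 172.16.1.20; the web server is then pointed at that address.
static (inside,dmz) 172.16.1.20 10.1.1.20 netmask 255.255.255.255

! Step 2, test phase only: permit everything from the DMZ so the static can be
! confirmed. While this line is active the DMZ can reach anything on the inside
! that has a translation, so keep the window short and remove it afterwards.
access-list dmz_in permit ip any any

! Step 2, final: only the web server, only to the file server, only on the one
! TCP port needed. Everything else from the DMZ is dropped by the implicit deny
! at the end of the list, which limits what a compromised web server could reach.
no access-list dmz_in permit ip any any
access-list dmz_in permit tcp host 172.16.1.10 host 172.16.1.20 eq 445

! Step 3: apply the list inbound on the DMZ interface, i.e. to packets entering
! the PIX from the DMZ. Return traffic is handled by the stateful connection table.
access-group dmz_in in interface dmz

! Existing translations can be pinned to the old state; clear them after the change.
clear xlate

! Verification: the static should appear in the xlate table, and the permit line's
! hit count should increase when the web server connects to 172.16.1.20:445.
show xlate
show access-list
```

Checking the hit counter on the permit entry, and confirming that a connection attempt from the web server to any other inside address or port is logged as denied, is the practical test that the access-list is doing what the reply describes.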

JOHN NIKOLATOS Wed, 05/01/2002 - 17:35
I would use the VPN concentrator to accomplish this rather than opening holes in the firewall.

jparrishrsi Wed, 05/01/2002 - 23:54
Would the file access be from an outside connection or would it be a redirect to an internal host from the Intranet site? Where is the client that is needing access to files connecting from? (i.e. outside or inside interface).

My feeling is that if you need to give access to users on the outside of your firewall to files on the inside of your network then you should be using some type of encryption to accomplish this. If it's a connection to a VPN concentrator or a VPN tunnel through your PIX, either one should be able to accomplish this without major concerns in regards to your security policy.

One other question is what type of file access are we talking about? Is it Windows sharing or some other type of access? (i.e. FTP or NFS).

Hope this is helpful...

Jason Parrish
