04-30-2002 09:36 AM - edited 02-20-2020 10:02 PM
I have installed a PIX 515. I have a web server on my DMZ that contains our web site and Intranet for Internal users. I would like to set up a web page on our web site that accesses files on our Internal network. How would I go about doing this and what would the security consequences be for allowing this? I am using Windows 2000 with AD on my Internal network and I am using NAT on the PIX.
05-01-2002 06:09 AM
First, I'm assuming that the inside users can currently reach the DMZ web server. What I would do is establish a static translation and point the web server to that static. Next, you simply define an access-list to allow the desired traffic. Then, you apply the access-list to the DMZ interface. Keep in mind that this is for packets inbound to the interface.
As a test method, I would first create the static and then allow all traffic through to make sure that the static is working properly. Then I would apply the filtering desired, and make sure that the traffic can still get through (you may have to issue a "clear xlate" command.)
As far as security, there will always be a tradeoff between security and functionality. The best approach is to layer the security (security at the Internet demarcation, firewall security, etc.)
Hope this helps.
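A worked PIX 6.x configuration for the static-plus-access-list approach described above, added here as an example and not taken from the post. The interface names (inside, dmz), the addresses (inside file server 10.1.1.10, DMZ web server 192.168.2.50, spare DMZ-side address 192.168.2.10 for the static) and the access-list name are assumptions, and the share is assumed to be reached over direct SMB on TCP 445.

```text
! Added example, not the poster's configuration. Assumes PIX 6.x syntax,
! nameif inside (security100) and nameif dmz (security50),
! inside file server 10.1.1.10, DMZ web server 192.168.2.50,
! and 192.168.2.10 as the DMZ-side address of the static translation.

! 1. Static translation: the inside file server appears on the DMZ as
!    192.168.2.10. The web server's share path should use this address.
static (inside,dmz) 192.168.2.10 10.1.1.10 netmask 255.255.255.255 0 0

! 2. Test step from the post: permit everything from the DMZ to the
!    static first, to confirm the translation itself works.
access-list dmz_in permit ip any host 192.168.2.10
access-group dmz_in in interface dmz
clear xlate

! 3. Once confirmed, replace the test rule with the narrowest rule that
!    fits: only the web server, only SMB (TCP 445), only to the static.
!    Everything else entering the dmz interface hits the implicit deny.
no access-list dmz_in
access-list dmz_in permit tcp host 192.168.2.50 host 192.168.2.10 eq 445
access-group dmz_in in interface dmz
clear xlate

! Verify the translation and the hit counts on the filter
show static
show access-list dmz_in
```

Note that once an access-group is applied to the dmz interface, the implicit permit for the DMZ host's own outbound traffic to lower-security interfaces disappears, so anything the web server must initiate toward the outside (for example DNS) needs its own permit entry in dmz_in. If the Windows 2000 hosts fall back to NetBIOS over TCP rather than direct SMB, TCP 139 would need an equivalent entry.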
05-01-2002 05:35 PM
Jenn,
I would use the VPN concentrator to accomplish this. Not opening holes in the firewall.
05-01-2002 11:54 PM
Jennifer,
Would the file access be from an outside connection or would it be a redirect to an internal host from the Intranet site? Where is the client that is needing access to files connecting from? (i.e. outside or inside interface).
My feeling is that if you need to give access to users on the outside of your firewall to files on the inside of your network then you should be using some type of encryption to accomplish this. If it's a connection to a vpn concentrator or a VPN tunnel through your PIX, either one should be able to accomplish this without major concerns in regards to your security policy.
One other question is what type of file access are we talking about? Is it Windows sharing or some other type of access? (i.e. FTP or NFS).
Hope this is helpful...
Jason Parrish