I am setting up a Pix to replace our current firewall. We have two Class C networks that are used for servers and for DSL customers. These will be internal to the Pix. I see I can use NAT 0 to not translate those networks. To allow access into the servers, do I only need to set up ACLs for the various services? I am a little confused as to the particulars of getting access into these networks.
PIX interfaces have security levels. These levels are numbers in the range 0-100: 100 is the most secure interface, the inside, and 0 is the least secure, the outside. DMZ interfaces are somewhere between 0 and 100. There are two types of access in the PIX:
1) From a higher security level to a lower security level (inside to outside, DMZ to outside)
By default the PIX permits these connections; you only have to configure a translation method. This can be static, with the 'static' command, or dynamic, with the 'nat' and 'global' commands. Or, if you choose not to translate, you can use nat 0.
2) From a lower security level to a higher security level (outside to inside, DMZ to inside)
By default the PIX denies these types of connections, so you have to permit them. You can do this with an access-list or a conduit, and you also need a translation.
There is a very useful document below. Hope this helps.
Nat 0 isn't going to allow connections to be initiated from the outside. You need a static translation for the destination (as well as a permit statement in the ACL applied to the outside interface, specifying the destination public IP and port). Assuming that you want to keep public addresses on all the hosts on the inside of the PIX (which wastes a lot of public addresses, but saves you the work of re-addressing hundreds of hosts), you can do a "net static" for the inside subnets, "translating" them from the inside to the outside, BUT keeping the same IP addresses. Suppose one of your class C networks was 188.8.131.52:
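The approach described in the two replies above (identity statics for the inside subnets plus an inbound ACL on the outside interface), written out as an added PIX 6.x configuration example. This is not configuration from the thread or from Cisco; the interface names, the addresses (documentation ranges 192.0.2.0/24 and 198.51.100.0/24 standing in for the poster's two class C networks, 203.0.113.0/24 for the outside link) and the server hosts are constructed placeholders.

```text
! --- Added example, not from the original thread. Addresses are placeholders. ---
! Interfaces and security levels: inside 100, outside 0
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 203.0.113.2 255.255.255.0
ip address inside 192.0.2.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1

! Identity statics: the servers subnet and the DSL-customer subnet keep their
! public addresses on both sides of the PIX. The static is what lets a
! connection be initiated from the outside; "nat 0" alone would not.
static (inside,outside) 192.0.2.0 192.0.2.0 netmask 255.255.255.0 0 0
static (inside,outside) 198.51.100.0 198.51.100.0 netmask 255.255.255.0 0 0

! Inbound policy, applied to the outside interface. Only the services the
! servers actually expose are opened, per destination host and port.
! (192.0.2.10 = web server, 192.0.2.20 = mail server: constructed values)
access-list outside_in permit tcp any host 192.0.2.10 eq www
access-list outside_in permit tcp any host 192.0.2.10 eq https
access-list outside_in permit tcp any host 192.0.2.20 eq smtp
! Nothing is opened toward the DSL-customer subnet; the static alone does
! not permit inbound traffic without a matching ACL entry.
! Explicit final deny with logging, so blocked attempts show up in syslog.
access-list outside_in deny ip any any log
access-group outside_in in interface outside
```

Outbound (inside to outside) connections from both subnets are permitted by default and use the same identity statics, so no separate `nat`/`global` pair is needed for them. The point to check after applying this is `show xlate` and `show access-list outside_in`: the statics should appear as xlates immediately, and the ACL hit counters show which rules inbound traffic is matching.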