Cisco Support Community

New Member

PIX Firewall Config

Hi,

We have a PIX 515E firewall set up in active/failover mode.

Please refer to the attached diagram.

We have to use the proxy server which is placed in the DMZ as the gateway for inside users' browsing.

In other words, all the internal users will be pointing to the DMZ proxy server for going to the Internet.

As shown in the diagram, we also have two 3750 switches configured in HSRP mode.

Please assist with the PIX config along with the routes required for achieving the task.

Our Internet is ADSL.

We have a single public IP; we want to PAT the entire LAN traffic onto the single public IP on the Internet router as shown in the attached diagram.

Regards

Deepak

2 REPLIES
New Member

Re: PIX Firewall Config

Please refer to the attached PIX config and Internet router config.

The Internet router's internal network is private.

The proxy server placed in the DMZ is statically NATted to the PIX firewall outside interface network.

I don't want the inside network to go directly to the outside world.

Instead I want the internal network to go to the proxy server in the DMZ and through the DMZ to the outside world.

NATting of private to public IP is happening on the Internet router and not on the PIX firewall.

Please suggest.

Gold

Re: PIX Firewall Config

I did post my thought on the other section, and here it is:

PIX by default will permit traffic from a higher security level to a lower security level, e.g. from inside to DMZ. However, nat/global or static is required with v6.x.

Add the command below:

static (inside,dmz) 172.17.37.5 172.17.37.5 netmask 255.255.255.224

I guess all three ACLs are applied for testing purposes only, as permitting ip any any is not a very good security practice.

Assuming all you need is to permit the inside to the DMZ proxy server, from the proxy server to the Internet, and no inbound traffic, then no ACL is required at all.

The reason being all this traffic flows from a higher security level to a lower security level, i.e. from inside to DMZ, then from DMZ to outside.

http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Virtual%20Private%20Networks&topic=Security&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.1dd9b17c/2
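The fragment below is an added example, not configuration from the replier, the original poster or Cisco, showing how the advice in this reply fits together on a PIX 6.x: the identity static from the reply, a static for the proxy toward the outside, and no inside-to-outside translation at all. Only 172.17.37.5 /27 comes from the reply; the interface names, security levels, the proxy's DMZ address, the mapped outside address and the next hop are assumptions marked PLACEHOLDER.

```text
! Added example, not from the original thread. Interface names, security
! levels and every address marked PLACEHOLDER are assumptions.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
!
! inside -> dmz: higher to lower security, permitted by default, but on
! PIX 6.x a translation must exist before a connection is built.
! The identity static from the reply keeps the inside addresses unchanged
! as seen from the dmz (the /27 covers the whole inside subnet).
static (inside,dmz) 172.17.37.5 172.17.37.5 netmask 255.255.255.224
!
! dmz -> outside: the proxy is translated to an address on the outside
! interface network; the Internet router then PATs that to the public IP.
! PLACEHOLDER: 192.0.2.10 = mapped outside address, 10.10.10.5 = proxy in dmz
static (dmz,outside) 192.0.2.10 10.10.10.5 netmask 255.255.255.255
!
! Deliberately no nat/global or static for (inside,outside): with no
! translation an inside host cannot open a flow straight to the outside,
! so "browse only via the proxy" is enforced by the firewall instead of
! relying on client proxy settings.
!
! Default route toward the Internet router. PLACEHOLDER next hop.
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1
!
! No access-list / access-group lines: outside -> dmz and dmz -> inside
! are lower -> higher security and stay denied by default, so only the two
! higher -> lower paths translated above can initiate connections.
```

After this is in place, `show xlate` and `show conn` on the PIX show whether the inside-to-dmz and dmz-to-outside translations and connections are actually being built, and an inside host that tries to bypass the proxy should produce no xlate at all.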
