
PIX Firewall Config

fmatrine
Level 1

Hi,

We have a PIX 515E firewall setup in active/failover mode.

Please refer to the attached diagram.

We have to use the proxy server which is placed in the DMZ as the gateway for inside users' browsing.

In other words, all the internal users will be pointing to the DMZ proxy server for going to the internet.

As shown in the diagram, we also have two 3750 switches configured in HSRP mode.

Please assist with the PIX config along with the routes required for achieving the task.

Our Internet is ADSL.

We have a single public IP; we want to PAT the entire LAN traffic on the single public IP on the Internet router as shown in the diagram attached.

Regards

Deepak

2 Replies

fmatrine
Level 1

Please refer to the attached PIX config and Internet router config.

The Internet router's internal network is private.

The proxy server placed in the DMZ is statically NATed to the PIX firewall outside interface network.

I don't want the inside network to go directly to the outside world.

Instead I want the internal network to go to the proxy server in the DMZ and through the DMZ to the outside world.

NATing of private to public IP is happening on the Internet router and not the PIX firewall.

Please suggest.

I did post my thoughts on the other section, and here they are:

PIX by default will permit traffic from a higher security level to a lower security level, e.g. from inside to DMZ. However, nat/global or static is required with v6.x.

Add the command below:

static (inside,dmz) 172.17.37.5 172.17.37.5 netmask 255.255.255.224

I guess all three ACLs are applied for testing purposes only, as permitting ip any any is not a very good security practice.

Assuming all you need is to permit the inside to the DMZ proxy server, from the proxy server to the internet, and no inbound traffic, then no ACL is required at all.

The reason being all this traffic flows from a higher security level to a lower security level; i.e. from inside to DMZ, then from DMZ to outside.

http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Virtual%20Private%20Networks&topic=Security&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.1dd9b17c/2
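As an added illustration (not part of either poster's config) of the design discussed in this thread, the PIX 6.x excerpt below keeps the identity static from the reply above but replaces "permit ip any any" with ACLs that only let inside hosts reach the DMZ proxy and only let the proxy reach the internet, so the inside network cannot bypass the proxy. It assumes the inside network is 172.17.37.0/27 (taken from the /27 mask in the static above), a proxy listening port of 8080, and the placeholders PROXY_DMZ_IP and PROXY_OUTSIDE_IP for the proxy's DMZ address and its static outside address, none of which appear in the thread.

```text
! Interface security levels: inside(100) > dmz(50) > outside(0)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50

! Identity static from the reply above: lets inside hosts reach the dmz
! on PIX 6.x without translating their addresses (assumed /27 network)
static (inside,dmz) 172.17.37.0 172.17.37.0 netmask 255.255.255.224

! Proxy in the dmz is statically NATed to the outside interface network
! (PROXY_OUTSIDE_IP / PROXY_DMZ_IP are placeholders, not thread values)
static (dmz,outside) PROXY_OUTSIDE_IP PROXY_DMZ_IP netmask 255.255.255.255

! Inside users may only talk to the proxy (assumed port 8080); everything
! else from inside, including direct internet access, is dropped and logged
access-list inside_in permit tcp 172.17.37.0 255.255.255.224 host PROXY_DMZ_IP eq 8080
access-list inside_in deny ip any any log
access-group inside_in in interface inside

! Proxy may reach the internet for web and DNS only; nothing else leaves the dmz
access-list dmz_in permit tcp host PROXY_DMZ_IP any eq www
access-list dmz_in permit tcp host PROXY_DMZ_IP any eq https
access-list dmz_in permit udp host PROXY_DMZ_IP any eq domain
access-list dmz_in deny ip any any log
access-group dmz_in in interface dmz
```

With the "deny ip any any log" lines in place, any inside host trying to go around the proxy shows up in the PIX syslog, which is the easiest way to confirm the policy is actually being enforced.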
