Cisco Support Community
Community Member

Proxy auth

I am setting up a pix failover bundle to protect our internal LAN from an external company. This company will be providing us with services and will need access to 3 servers and 3 ports. I intend to open these up on the outside int of the 515e fw. I have the option to allow them to connect to our internal LAN server IP's, or I could NAT these address's to hide our internal LAN IP's. I dont see to much benefit of changing the dest address's apart from hiding the real address's. Whats best here - should I NAT the address's or should I allow them to connect to the real address's on our internal LAN?

I also wish to use the auth-proxy feature and apply this to the outside interface of the PIX. Normally to allow connections to servers, I would need to open up ports with an acl, but will this still be required if I use auth proxy feature on the outside int. If I leave the outside int blocked for all traffic but user logs on with the auth-proxy feature and downloads there own attributes - will this open up the fw for this user for access to the servers, or do I need to apply an inbound acl to the outside int aswell.



Re: Proxy auth

I think it would be a better option to put the 3 servers which would have to be accessed from outside in the DMZ. The PIX 515e has support for the DMZ. This way you would not compromise on the security of your Internal LAN and also could provide for access to the servers from the outside. Otherwise NAT is a good option. It is not advisable to allow outside users to access the Internal resources without any form of security.

You will have to configure the conduits on the outside for allowing incoming traffic into the PIX even if authproxy is configured.

Community Member

Re: Proxy auth

Hi Oscar

Thanks for your answer ..... The servers are on the internal LAN and I cant shift them to the dmz, so I will allow access from outside to inside with conduits and also configure NAT

THanks for your reply

CreatePlease to create content