I am setting up a PIX failover bundle to protect our internal LAN from an external company. This company will be providing us with services and will need access to 3 servers and 3 ports. I intend to open these up on the outside int of the 515e FW. I have the option to allow them to connect to our internal LAN server IPs, or I could NAT these addresses to hide our internal LAN IPs. I don't see too much benefit in changing the dest addresses apart from hiding the real addresses. What's best here: should I NAT the addresses or should I allow them to connect to the real addresses on our internal LAN?
I also wish to use the auth-proxy feature and apply this to the outside interface of the PIX. Normally, to allow connections to servers, I would need to open up ports with an ACL, but will this still be required if I use the auth-proxy feature on the outside int? If I leave the outside int blocked for all traffic but a user logs on with the auth-proxy feature and downloads their own attributes, will this open up the FW for this user for access to the servers, or do I need to apply an inbound ACL to the outside int as well?
I think it would be a better option to put the 3 servers which would have to be accessed from outside in the DMZ. The PIX 515e has support for the DMZ. This way you would not compromise on the security of your Internal LAN and also could provide for access to the servers from the outside. Otherwise NAT is a good option. It is not advisable to allow outside users to access the Internal resources without any form of security.
You will have to configure the conduits on the outside for allowing incoming traffic into the PIX even if authproxy is configured.
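To make the answer concrete, here is an added configuration example (not from the thread or from Cisco's documentation) that puts the three servers in a DMZ, exposes them through one-to-one static translations, restricts inbound access to the partner's source range with an ACL on the outside interface, and layers cut-through proxy authentication on top. It assumes PIX OS 6.2 or later syntax (`access-list`/`access-group` instead of conduits, `aaa authentication match`), a third interface `ethernet2` used as the DMZ, placeholder RFC 5737 addresses (203.0.113.0/24 as the outside range, 198.51.100.0/24 as the partner's range), a RADIUS server at 10.0.0.20 on the inside, and example ports 443, 22 and 1433; all of these are assumptions, not values from the question.

```cisco
! Added example, not from the thread. PIX 6.2+ syntax assumed.
! Assumed interfaces: ethernet0 outside, ethernet1 inside, ethernet2 dmz.
nameif ethernet2 dmz security50
ip address dmz 192.168.50.1 255.255.255.0

! One-to-one static translations: the partner only ever sees the
! 203.0.113.x addresses; the real DMZ addresses never leave the PIX.
static (dmz,outside) 203.0.113.11 192.168.50.11 netmask 255.255.255.255
static (dmz,outside) 203.0.113.12 192.168.50.12 netmask 255.255.255.255
static (dmz,outside) 203.0.113.13 192.168.50.13 netmask 255.255.255.255

! Inbound ACL on the outside interface: only the partner's source range,
! only the three translated servers, only the three agreed ports.
! On PIX 5.x+ this replaces conduits; cut-through proxy does not open
! anything on its own, so this ACL is still required.
access-list outside_in permit tcp 198.51.100.0 255.255.255.0 host 203.0.113.11 eq 443
access-list outside_in permit tcp 198.51.100.0 255.255.255.0 host 203.0.113.12 eq 22
access-list outside_in permit tcp 198.51.100.0 255.255.255.0 host 203.0.113.13 eq 1433
access-list outside_in deny ip any any
access-group outside_in in interface outside

! Cut-through proxy (the "auth-proxy" from the question): the same flows
! must also be authenticated against RADIUS before the PIX passes them.
! Assumed RADIUS server on the inside; the shared key is a placeholder.
aaa-server PARTNER protocol radius
aaa-server PARTNER (inside) host 10.0.0.20 RADIUS-KEY-PLACEHOLDER timeout 5
access-list AUTH_PARTNER permit tcp 198.51.100.0 255.255.255.0 host 203.0.113.11 eq 443
access-list AUTH_PARTNER permit tcp 198.51.100.0 255.255.255.0 host 203.0.113.12 eq 22
access-list AUTH_PARTNER permit tcp 198.51.100.0 255.255.255.0 host 203.0.113.13 eq 1433
aaa authentication match AUTH_PARTNER outside PARTNER
```

Two points worth checking on a real deployment: the ACL and the `aaa authentication match` list are written against the translated (outside) addresses, because that is what the partner's packets carry when they arrive on the outside interface; and the PIX cut-through proxy can only prompt for credentials inside HTTP, FTP and Telnet sessions, so for a port such as 22 or 1433 the user has to authenticate first through a `virtual telnet` or `virtual http` address before the flow in `AUTH_PARTNER` is permitted. Once it is running, `show uauth` lists the authenticated users and `show access-list` confirms that the hits land on the partner-specific lines rather than the final deny.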