Cisco Support Community
Community Member

Questions on accessing Internal network from DMZ through PIX

I have installed a PIX 515. I have a web server on my DMZ that contains our web site and Intranet for Internal users. I would like to set up a web page on our web site that accesses files on our Internal network. How would I go about doing this and what would the security consequences be for allowing this? I am using Windows 2000 with AD on my Internal network and I am using NAT on the PIX.

3 REPLIES
Community Member

Re: Questions on accessing Internal network from DMZ through PIX

First, I'm assuming that the inside users can currently reach the DMZ web server. What I would do is establish a static translation and point the web server to that static. Next, you simply define an access-list to allow the desired traffic. Then, you apply the access-list to the DMZ interface. Keep in mind that this is for packets inbound to the interface.

As a test method, I would first create the static and then allow all traffic through to make sure that the static is working properly. Then I would apply the filtering desired, and make sure that the traffic can still get through (you may have to issue a "clear xlate" command.)

As far as security, there will always be a tradeoff between security and functionality. The best approach is to layer the security (security at the Internet demarcation, firewall security, etc.)

Hope this helps.
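The procedure in the reply above (static, then a permit-all test, then the real filter on the DMZ interface, then clear xlate) as one worked PIX 6.x configuration. This is an added example, not configuration from the original thread or from the poster's firewall. Every address and name is an assumption: inside 10.1.1.0/24 at security100, dmz 192.168.10.0/24 at security50, an internal file server at 10.1.1.50, the DMZ web server at 192.168.10.20, the mapped address 192.168.10.50 and the ACL name dmz_in.

```text
! Added example (not from the original thread). PIX 6.x syntax.
! Assumed addressing: inside 10.1.1.0/24 (security100),
! dmz 192.168.10.0/24 (security50), internal file server 10.1.1.50,
! DMZ web server 192.168.10.20, ACL name dmz_in.

! 1. Static translation: present the internal file server to the DMZ
!    as 192.168.10.50. The web page on the DMZ server is pointed at this
!    mapped address, never at 10.1.1.50.
static (inside,dmz) 192.168.10.50 10.1.1.50 netmask 255.255.255.255 0 0

! 2. Test step from the reply: permit everything first to confirm the
!    static works, then remove the permit-all line.
access-list dmz_in permit ip any any
access-group dmz_in in interface dmz
clear xlate
! ... confirm from 192.168.10.20 that 192.168.10.50 tcp/445 answers, then:
no access-list dmz_in permit ip any any

! 3. Real filter: only the web server, only to the mapped file server,
!    only SMB (TCP 445, Windows 2000 direct hosting; add TCP 139 only if
!    NetBIOS session service is really needed). The ACL on the DMZ
!    interface matches the mapped (DMZ-side) address, not 10.1.1.50.
access-list dmz_in permit tcp host 192.168.10.20 host 192.168.10.50 eq 445
access-list dmz_in deny ip any 10.1.1.0 255.255.255.0
! Binding an ACL removes the implicit permit from the DMZ to
! lower-security interfaces, so DMZ -> outside must now be explicit.
access-list dmz_in permit ip 192.168.10.0 255.255.255.0 any
access-group dmz_in in interface dmz
clear xlate

! 4. Verification: the static should show in the xlate table, and the
!    hit counts on dmz_in should move only on the permit-445 line.
show xlate
show access-list dmz_in
```

The security point of ordering it this way: the only hole is one source host, one mapped destination, one TCP port. If the web server is compromised, the attacker still gets an SMB path to the file server, so the share it reaches should be a dedicated one accessed with a low-privilege service account, not a domain admin or an account that can log on interactively elsewhere.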

Community Member

Re: Questions on accessing Internal network from DMZ through PIX

Jenn,

I would use the VPN concentrator to accomplish this, rather than opening holes in the firewall.

Community Member

Re: Questions on accessing Internal network from DMZ through PIX

Jennifer,

Would the file access be from an outside connection or would it be a redirect to an internal host from the Intranet site? Where is the client that is needing access to files connecting from? (i.e. outside or inside interface).

My feeling is that if you need to give access to users on the outside of your firewall to files on the inside of your network then you should be using some type of encryption to accomplish this. If it's a connection to a VPN concentrator or a VPN tunnel through your PIX, either one should be able to accomplish this without major concerns in regards to your security policy.

One other question is what type of file access are we talking about? Is it Windows sharing or some other type of access? (i.e. FTP or NFS).

Hope this is helpful...

Jason Parrish

jparrish@rightsys.com
