11-07-2005 09:38 PM
Hi,
We have a PIX 515E firewall set up in active/failover mode.
Please refer to the attached diagram.
We have to use the proxy server which is placed in the DMZ as the gateway for inside users' browsing.
In other words, all the internal users will be pointing to the DMZ proxy server for going to the Internet.
As shown in the diagram, we also have two 3750 switches configured in HSRP mode.
Our Internet is ADSL.
We have a single public IP; we want to PAT the entire LAN traffic onto the single public IP on the Internet router, as shown in the attached diagram.
Please assist with the PIX config along with the routes required for achieving the task.
Regards
Deepak
11-08-2005 07:41 AM
Hi Deepak,
You can create a PAT on the PIX using a single public IP:
global (outside) 2 interface
nat (inside) 2 0.0.0.0 0.0.0.0 0 0
Let me know if you need any clarifications.
Thanks
Brahmam.
11-08-2005 09:27 PM
Hi Brahmam,
Please refer to the attached PIX config and Internet router config.
The Internet router's internal network is private.
The proxy server placed in the DMZ is statically NATted to the PIX firewall's outside interface network.
I don't want the inside network to go directly to the outside world.
Instead I want the internal network to go to the proxy server in the DMZ and through the DMZ to the outside world.
NATting of private to public IP is happening on the Internet router and not the PIX firewall.
Please suggest.....
11-09-2005 03:26 AM
The PIX by default will permit traffic from a higher security level to a lower security level, e.g. from inside to DMZ. However, nat/global or static is required with v6.x.
Add the command below:
static (inside,dmz) 172.17.37.5 172.17.37.5 netmask 255.255.255.224
I guess all three ACLs are applied for testing purposes only, as permitting ip any any is not a very good security practice.
Assuming all you need is to permit the inside to the DMZ proxy server, from the proxy server to the Internet, and no inbound traffic, then no ACL is required at all.
The reason being all this traffic flows from a higher security level to a lower security level, i.e. from inside to DMZ, then from DMZ to outside.
11-09-2005 04:54 AM
Hi Brahmam,
Thanks.
Also:
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (dmz,outside) 192.168.22.11 172.17.37.181 netmask 255.255.255.255 0 0
static (inside,dmz) 172.17.37.5 172.17.37.5 netmask 255.255.255.224
route outside 0.0.0.0 0.0.0.0 <Internet router internal IP> 1
route inside ...... appropriate routes
Routes in the Internet router for the DMZ network.
Please suggest if I am OK with the config.
Internal users will hit the DMZ proxy server en route to the Internet.
NATting will happen on the Internet router.
Regards
Deepak
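Pulling the thread's points together (higher-to-lower security permitted by default, a translation needed for every flow on 6.x, a separate subnet for the DMZ, and no "permit ip any any"), here is an annotated PIX 6.x fragment. It is an added illustration, not Deepak's or Brahmam's config; assumed values are the DMZ subnet 172.17.38.0/27 with the proxy at 172.17.38.11 on TCP 8080, the Internet router at 192.168.22.1, a second internal subnet 172.17.40.0/24 behind the 3750 HSRP virtual IP 172.17.37.2, and the "!" lines are annotations to strip before pasting.

```text
! Assumed addressing: inside 172.17.37.0/27 (from the thread), DMZ moved to
! 172.17.38.0/27 so it no longer overlaps inside, outside 192.168.22.0/24 with the
! Internet router at 192.168.22.1 (assumed). The router PATs 192.168.22.x to the public IP.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 192.168.22.2 255.255.255.0
ip address inside 172.17.37.1 255.255.255.224
ip address dmz 172.17.38.1 255.255.255.224
! PIX 6.x needs a translation for every inside->dmz flow. Identity statics keep the client
! addresses unchanged, so the proxy logs show real inside IPs. One per internal subnet.
static (inside,dmz) 172.17.37.0 172.17.37.0 netmask 255.255.255.224
static (inside,dmz) 172.17.40.0 172.17.40.0 netmask 255.255.255.0
! The proxy is the only DMZ host with a translation toward outside; that alone lets it
! reach the Internet (dmz 50 -> outside 0). Nothing inbound from outside is permitted.
static (dmz,outside) 192.168.22.11 172.17.38.11 netmask 255.255.255.255 0 0
! Deliberately no "nat (inside) 1" / "global (outside) 1": with no translation toward
! outside, inside hosts cannot bypass the proxy even if the ACL below were removed.
! Belt and braces: once an ACL is bound to inside, the implicit high-to-low permit is gone,
! so inside hosts can reach only the proxy port (assumed 8080).
access-list inside_in permit tcp 172.17.37.0 255.255.255.224 host 172.17.38.11 eq 8080
access-list inside_in permit tcp 172.17.40.0 255.255.255.0 host 172.17.38.11 eq 8080
access-list inside_in deny ip any any
access-group inside_in in interface inside
! Default route toward the Internet router; internal subnets behind the 3750 HSRP pair
! are reached via the HSRP virtual IP (assumed 172.17.37.2).
route outside 0.0.0.0 0.0.0.0 192.168.22.1 1
route inside 172.17.40.0 255.255.255.0 172.17.37.2 1
```

The Internet router still needs a route for 192.168.22.11 (the proxy's translated address sits on its own connected 192.168.22.0/24, so normally only the PAT rule is required there), and the DMZ subnet itself never has to be routable from the router because it is only ever seen as 192.168.22.11.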
11-11-2005 04:29 AM
Deepak
As per your PIX config, you used the same class of IP address for both inside and DMZ.... try to change the DMZ IP, since the nature of the PIX is to translate the IPs on interfaces... this should solve your problem.
Cheers
Brahmam
11-11-2005 04:32 AM
Hi
I don't find access-list commands in your PIX...