
This chapter provides network diagrams and the configuration instructions to create them. Configurations covered in this chapter include:

Basic Two Interface Configuration without NAT
Basic Two Interface Configuration with NAT
Two Interface Multiple Server Configuration

Before using this chapter, be sure that you have planned your site's security policy, as described in Chapter 1, and configured the PIX Firewall, as described in Chapter 2. Further information about the commands in the configurations can be found in Chapter 5. Acronyms in the text are defined in Appendix B. If you are starting a configuration, you may want to use the forms provided in Appendix A to help you plan a configuration.

Basic Two Interface Configuration without NAT

When you first add a PIX Firewall to an existing network, it is easiest to implement its use if you do not have to renumber all the inside and outside IP addresses. The configuration in Figure 4-1 illustrates this scenario. Syslog is enabled to facilitate troubleshooting. All external hosts are blocked from initiating connections or sessions on inside hosts. If you use Inter-NIC registered IP addresses, only use those addresses that you own.

Figure 4-1 Two Interface Configuration without NAT

Configuring PIX Firewall for four interfaces requires more attention to detail than other configurations. The most important guidelines to remember are:

Higher to lower - To let users on a higher security level interface access hosts on a lower security interface, use the nat and global commands; for example, to let users on the inside interface access the web server on the dmz2 interface.

Lower to higher - To let users on a lower security level interface access hosts on a higher security interface, use the static and conduit commands; for example, to let users on the dmz1 interface access the Telnet server on the inside interface.

The sections that follow provide more information on these guidelines.

Higher Security Level to Lower Security Level Access

As seen in the figure, the inside interface has a security level of 100 and the dmz2 interface has a security level of 60. The nat command lets users access all hosts on all lower security level interfaces. The global command identifies the interface through which the nat access is permitted.

Lower Security Level to Higher Security Level Access

As seen in the figure, the dmz1 interface has a security level of 40 and the inside interface has a security level of 100. The static command lets users access specifically identified hosts on a single interface. The conduit command identifies the port or ports through which access is permitted.

To let users on each higher security level interface access servers on each lower security level interface, follow these steps:

Step 1 Letting higher security level interface users access a lower security level interface has two components: you use the nat command to specify from where users start connections, and you use the global command to specify to where access is permitted. You associate the nat and global commands together with the NAT ID, which in this example configuration is 1. The nat command lets users start connections from the specified interface to all lower security interfaces; the global command permits access to translated connections from any higher security level interface. All configuration statements are explained in greater detail in Chapter 5. To let users from the inside interface start connections, use:

Once you sketch out your network and map these steps to your IP addresses and servers, the four interface configuration can become a simpler task. The addresses used in this configuration are as follows:

The outside interface: 204.31.17.1, with static global addresses of 204.31.17.5 for the mail server on dmz1, 204.31.17.6 for the web server on dmz2, and 204.31.17.7 for the Telnet server on the inside. A PAT (Port Address Translation) global is provided at 204.31.17.9.

The dmz1 interface: 10.1.1.1, with static global addresses of 10.1.1.6 for the web server on dmz2 and 10.1.1.7 for the Telnet server on the inside.

The dmz2 interface: 10.2.1.1, with a static global address of 10.2.1.7 for the Telnet server on the inside and a pool of global addresses of 10.2.1.10-10.2.1.254.
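The nat, global, static and conduit statements that the four-interface guidelines call for, applied to the global addresses this chapter lists, as an added example rather than the chapter's own configuration listing; the interface security levels and the real server addresses behind the statics are assumptions noted in the comments.

```cisco
! Added example, not the chapter's own listing. Assumed interface names and
! security levels: outside 0, dmz1 40, dmz2 60, inside 100.
! Constructed sample server addresses (the chapter does not give them):
!   inside Telnet server 10.0.0.7, dmz1 mail server 10.1.1.5, dmz2 web server 10.2.1.6
!
! Higher to lower: nat says where connections start, global says where they may
! go. Both carry NAT ID 1, as in the chapter.
nat (inside) 1 0.0.0.0 0.0.0.0
global (dmz2) 1 10.2.1.10-10.2.1.254 netmask 255.255.255.0
global (outside) 1 204.31.17.9 netmask 255.255.255.255
! A single-address global is a PAT global: inside hosts share 204.31.17.9.
! The chapter lists no global pool on dmz1, so inside users cannot reach dmz1
! through NAT ID 1 until one is added there.
!
! Lower to higher: static fixes a one-to-one translation for a single host;
! conduit opens only the needed port on that translated address.
! Telnet server on the inside, reachable from dmz2, dmz1 and outside.
static (inside,dmz2) 10.2.1.7 10.0.0.7 netmask 255.255.255.255 0 0
static (inside,dmz1) 10.1.1.7 10.0.0.7 netmask 255.255.255.255 0 0
static (inside,outside) 204.31.17.7 10.0.0.7 netmask 255.255.255.255 0 0
conduit permit tcp host 10.2.1.7 eq telnet any
conduit permit tcp host 10.1.1.7 eq telnet any
conduit permit tcp host 204.31.17.7 eq telnet any
! Web server on dmz2, reachable from dmz1 and outside.
static (dmz2,dmz1) 10.1.1.6 10.2.1.6 netmask 255.255.255.255 0 0
static (dmz2,outside) 204.31.17.6 10.2.1.6 netmask 255.255.255.255 0 0
conduit permit tcp host 10.1.1.6 eq www any
conduit permit tcp host 204.31.17.6 eq www any
! Mail server on dmz1, reachable from outside.
static (dmz1,outside) 204.31.17.5 10.1.1.5 netmask 255.255.255.255 0 0
conduit permit tcp host 204.31.17.5 eq smtp any
! A static with no matching conduit admits nothing from the lower security
! interface. "any" as the foreign address mirrors the chapter; narrowing it to
! the client networks that actually need Telnet is the tighter choice.
```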