[fw-wiz] PIX 520 - control traffic between DMZ and inside devices
From: Eye Am (eyeam@optonline.net)
Date: 12/16/02
- Next message: Adam Shostack: "Re: [fw-wiz] recent disclosure debates"
- Previous message: Daniel Linder: "Re: [fw-wiz] Stats on how common NAT is?"
- Next in thread: Brian A Kee: "RE: [fw-wiz] PIX 520 - control traffic between DMZ and inside devices"
- Reply: Brian A Kee: "RE: [fw-wiz] PIX 520 - control traffic between DMZ and inside devices"
- Maybe reply: Miha Vitorovic: "Re: [fw-wiz] PIX 520 - control traffic between DMZ and inside devices"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Eye Am" <eyeam@optonline.net> To: <firewall-wizards@honor.icsalabs.com> Date: Mon Dec 16 17:40:18 2002
Being confused right now, I'll try to word this as un-confusing as possible.
Scenario as follows
The pic at http://security.kicks-ass.org:911/DMZ_CONFIG.gif is the basic
network configuration I need and will be needed to make any sense out of the
following.
PIX 520, Three interfaces - inside, Outside and DMZ.
Webserver (Win2kServer) in DMZ.
6509 Switch with MSM (routing)
Traffic successfully limited to ports 80 and 443 between Outside and DMZ in
the PIX using NAT/Access-list/Group
Default gateway for the all DMZ devices is the PIX int E2 "DMZ"
Default gateway for all inside devices is my.PRV.net.14 "6509MSM"
I can successfully ping any DMZ device from the 6509 MSM si it knows how to
get to DMZ and back.
I cannot ping any inside devices from the PIX "DMZ" interface
I cannot ping any DMZ devices from any devices on the inside
Hers's my quandry: The webserver also needs to be limited to port 1433, TCP
and UDP, to a specific MSSQL server on the inside and all traffic may flow
on all ports to another computer on the inside. How do I control traffic
between DMZ and inside devices?
Is this do-able within the PIX or do I need to use MSM (or combination) to
complete this piece?
I've been tearing my hair out trying to get this to happen in the PIX to no
avail.
Seems no matter what combination of access-lists/groups I install there is
no limit to traffic flowing between DMZ and inside.
TYVM
Chuck Genrich
- Next message: Adam Shostack: "Re: [fw-wiz] recent disclosure debates"
- Previous message: Daniel Linder: "Re: [fw-wiz] Stats on how common NAT is?"
- Next in thread: Brian A Kee: "RE: [fw-wiz] PIX 520 - control traffic between DMZ and inside devices"
- Reply: Brian A Kee: "RE: [fw-wiz] PIX 520 - control traffic between DMZ and inside devices"
- Maybe reply: Miha Vitorovic: "Re: [fw-wiz] PIX 520 - control traffic between DMZ and inside devices"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
