Re: [fw-wiz] PIX 520 - control traffic between DMZ and inside devices
From: Luca Berra (bluca@comedia.it)
Date: 12/22/02
- Next message: Kevin Steves: "Re: [fw-wiz] VPN over Wireless (Was Re: "802.1x"?)"
- Previous message: Mikael Olsson: "Re: [fw-wiz] VPN over Wireless (Was Re: "802.1x"?)"
- In reply to: Eye Am: "Re: [fw-wiz] PIX 520 - control traffic between DMZ and inside devices"
- Next in thread: Miha Vitorovic: "Re: [fw-wiz] PIX 520 - control traffic between DMZ and inside devices"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: Luca Berra <bluca@comedia.it> To: Eye Am <eyeam@optonline.net> Date: Sun Dec 22 07:51:00 2002
Eye Am wrote:
> Thanks Brian!
>
> We did use NAT, static xlate from DMZ to inside, and access-lists to limit
> port/machine access from DMZ to inside. Cisco finally helped me figure out
> why I was confused and why it wasn't working as desired. Interestingly they
> had me create static xlates very different than any of the "rules" state on
> any CCO documents I read.
>
> Normally a static statement xlates two different IP addies but they had me
> NAT the same IP address inside and DMZ. Never saw that done and haven't
> found anything on CCO discussing the practice.
This is correct. PIX is based on having security levels on interfaces;
the idea seems to be based on its use as a device dividing a small LAN
from the Internet. The rules it always enforces are:
1) traffic is permitted from more secure to less secure interfaces
unless denied explicitly with outbound/apply commands.
2) traffic is blocked from less secure to more secure interface unless
permitted in a conduit or acl.
3) ip addresses residing on a more secure network are not visible from a
less secured network unless manually exposed (via static or dynamic nat)
4) ip address on a less secure network are directly visible from a more
secure network.
you use the nat and global commands to configure dynamic nat
and you use the static command to configure static nat
to allow a device on a secure network to communicate with another in a
less secure one you must:
DYNAMIC NAT
a) define with 'global (external_interface) a_number ip_or_range' the
address pool used for external (global) ip address(es)
b) associate one or more internal ip with a global pool with the 'nat
(internal interface) a_number ip_address mask' command
if a_number is 0 for the nat command it disables nat on the interface
(does not nat stuff coming from this interface)
STATIC NAT
you use the command 'static (internal_if,external_if) nat_address
real_address'
if nat_address and real_address are the same you are not actually
natting, but you are explicitly exposing the ip address to an outside
interface (thus satisfying point 3).
if you also need to start a communication from the outside you should
add a conduit or acl to satisfy point 2.
hope this clears some confusion on this issue,
regards,
L.
--
Luca Berra -- bluca@comedia.it
    /"\
    \ /     ASCII RIBBON CAMPAIGN
     X        AGAINST HTML MAIL
    / \
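The four points and the "same address on both sides" static that Eye Am describes, put together as one PIX 6.x configuration. This is an added example written for this page, not from the thread or from Cisco documentation; the interface names, addresses and the mail-relay scenario are assumed.

```cisco
! Assumed topology (constructed for this example):
!   inside  security100  10.1.1.0/24     internal mail server 10.1.1.10
!   dmz     security50   192.168.1.0/24  mail relay 192.168.1.5
nameif ethernet1 inside security100
nameif ethernet2 dmz security50

! DYNAMIC NAT (points 1 and 4): inside -> dmz is permitted by default,
! but inside hosts still need a translation on the dmz interface.
! global defines the pool on the less secure interface, nat ties the
! inside subnet to that pool by id 1.
global (dmz) 1 192.168.1.100-192.168.1.200 netmask 255.255.255.0
nat (inside) 1 10.1.1.0 255.255.255.0
! Alternative: id 0 exempts the subnet from translation on this interface
! nat (inside) 0 10.1.1.0 255.255.255.0

! STATIC NAT with identical nat_address and real_address (point 3):
! no translation happens, the host is simply made visible on the dmz side.
! A static for a host takes precedence over the dynamic nat above.
static (inside,dmz) 10.1.1.10 10.1.1.10 netmask 255.255.255.255 0 0

! Point 2: dmz (less secure) -> inside (more secure) still needs explicit
! permission. Only the relay, only TCP/25, only to the exposed address.
access-list dmz_in permit tcp host 192.168.1.5 host 10.1.1.10 eq smtp
access-list dmz_in deny ip any 10.1.1.0 255.255.255.0
! Applying an inbound ACL replaces the default "more secure to less secure"
! permit for this interface, so dmz -> outside must be re-allowed explicitly.
access-list dmz_in permit ip 192.168.1.0 255.255.255.0 any
access-group dmz_in in interface dmz

! Older equivalent of the first ACL line using a conduit
! (global address and port first, then the foreign host):
! conduit permit tcp host 10.1.1.10 eq smtp host 192.168.1.5
```

Check the result with `show xlate` (the identity static appears as a 10.1.1.10 to 10.1.1.10 entry on dmz) and `show access-list dmz_in` (hit counts on the permit line once the relay connects).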