Re: [fw-wiz] Extreme Problem with PIX Config

From: John Dorsey (dorsey_at_colquitt.org)
Date: 05/13/05

    To: Brian Loe <knobdy@stjoelive.com>
    Date: Fri, 13 May 2005 10:13:39 -0500
    
    

    Brian,

    > I've been fighting this problem for two weeks now. What follows is the
    > current config (edited to protect the innocent). If format is maintained,
    > the trouble lines will be bolded. These trouble lines are: access-list nonat
    > permit ip any any; nat (inside) 0 access-list nonat; access-group nonat in
    > interface dmz.
    [lots of deletia]

            Here are a couple of ideas and recommendations that may help.
    First, I don't recommend using the same acl for the "access-group" and
    "nat (interface) 0 ..." purposes; keep those acls separate and things
    are cleaner.

            Second, I recommend applying an acl to every interface with
    "access-group". That way no access is implied by security levels;
    everything's explicit. Your mileage and tastes may vary.

            Third, if you need non-natted access between some pair of
    interfaces (say, inside and DMZ), then write a nonat acl for the
    interface with the higher security level, permitting all ip from the
    higher-security level subnet (source) to the lower-security level subnet
    (destination). Note that it doesn't matter whether the packets and
    connections are sourced from the higher or lower interface... for nat
    purposes the higher security interface is written as source by
    convention.

            So try something like this: (untested) (pardon the long line)

    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 DMZ security4
    ip address outside ip.pub.nt.126 255.255.255.224
    ip address inside 10.100.0.3 255.255.254.0
    ip address DMZ 192.168.1.1 255.255.255.0
    access-list acl_inbound <whatever>
    access-list acl_dmz <whatever>
    access-list acl_inside <whatever>
    access-group acl_inbound in interface outside
    access-group acl_dmz in interface DMZ
    access-group acl_inside in interface inside
    access-list acl_nonat_inside permit ip 10.100.0.0 255.255.254.0 192.168.1.0 255.255.255.0
    nat (inside) 0 access-list acl_nonat_inside

            Traffic that matches acl_nonat_inside (i.e. traffic between
    inside and DMZ) will go un-natted; all other traffic (including Internet
    traffic) will be natted.

    Cheers,
    John

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
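As an added example, not part of John's message and not a Cisco tool: a small Python lint that applies the three recommendations above to a classic PIX config fragment, flagging an ACL shared between "nat (x) 0" and "access-group", a "permit ip any any" NAT exemption, and a nonat source that is not on the nat interface's own subnet. Both sample configs are constructed from lines quoted in the thread.

```python
"""Lint a classic PIX config for the NAT-exemption pitfalls discussed in this thread."""
import ipaddress
from collections import defaultdict

# Constructed samples: the reported trouble lines (one ACL doing double duty,
# with 'any any') and the separated, subnet-scoped layout John recommends.
BAD_CONFIG = """nameif ethernet1 inside security100
ip address inside 10.100.0.3 255.255.254.0
access-list nonat permit ip any any
nat (inside) 0 access-list nonat
access-group nonat in interface dmz"""
GOOD_CONFIG = """ip address inside 10.100.0.3 255.255.254.0
access-list acl_inside permit ip any any
access-group acl_inside in interface inside
access-list acl_nonat_inside permit ip 10.100.0.0 255.255.254.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list acl_nonat_inside"""

def parse(config):
    """Collect ACL entries, interface subnets, access-group and nat 0 bindings."""
    acls, if_nets, groups, nat0 = defaultdict(list), {}, {}, {}
    for line in config.splitlines():
        p = line.split()
        if len(p) > 2 and p[0] == "access-list":
            acls[p[1]].append(p[2:])                 # acl name -> entry token lists
        elif len(p) == 5 and p[:2] == ["ip", "address"]:
            if_nets[p[2]] = ipaddress.ip_network(f"{p[3]}/{p[4]}", strict=False)
        elif len(p) == 5 and p[0] == "access-group":
            groups[p[1]] = p[4]                      # acl name -> interface
        elif len(p) == 5 and p[0] == "nat" and p[2] == "0" and p[3] == "access-list":
            nat0[p[4]] = p[1].strip("()")            # acl name -> interface
    return acls, if_nets, groups, nat0

def lint(config):
    """Return one finding string per violated recommendation (empty if clean)."""
    acls, if_nets, groups, nat0 = parse(config)
    findings = []
    for acl, iface in nat0.items():
        if acl in groups:   # recommendation 1: keep nat 0 and access-group ACLs apart
            findings.append(f"{acl}: shared by nat ({iface}) 0 and access-group on {groups[acl]}")
        for e in acls.get(acl, []):
            if e[:2] != ["permit", "ip"]:
                continue
            if e[2] == "any":   # exempts every flow, Internet traffic included, from NAT
                findings.append(f"{acl}: 'permit ip any any' disables NAT for all traffic")
            elif iface in if_nets:  # recommendation 3: source is the nat interface's subnet
                src = (ipaddress.ip_network(e[3]) if e[2] == "host"
                       else ipaddress.ip_network(f"{e[2]}/{e[3]}", strict=False))
                if not src.subnet_of(if_nets[iface]):
                    findings.append(f"{acl}: source {src} not within {iface} {if_nets[iface]}")
    return findings
```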


