
How can I do This ???

Jan 1, 2001
LY
I have the following configuration:
I have a PIX 515 with 6 interfaces. I put all the servers on the DMZ, all of them with private addresses, and I made static commands and access-lists to access them, and it worked well.
But now I need to put my LAN on another interface which is more secure than the one the servers are connected to.
How can I enable my clients on the LAN to use my servers?
 
HI.

You should add something like

global (dmz) 1 x.x.x.x

so the clients will be able to NAT to the DMZ.

The internal clients should use the internal IP addresses of the servers and not the public addresses.
If this is a problem, there are several solutions, like internal DNS, alias and others.

Bye
Yizhar Hurwitz
 
Thanks for your help,
but is there a security concern if I let my internal clients use the internal IPs?
And how can I solve it by using alias?
Thanks in advance.
 
HI.

I don't think that letting internal clients use internal addresses is a security problem, and anyway this is the best way to do it in terms of IP routing.
The server will not see the clients' addresses and will only be able to reply to, but not initiate access to, internal hosts, and that's the basic idea of a DMZ.

The general design of DMZ should be like this:
* The file and other servers with important data should be in the inside network (or on a separate interface, but not in the publicly accessible DMZ).
* Only servers that need to be accessible from the Internet should be placed in the DMZ, like an SMTP mail relay or FTP. These servers should not hold important company data.
* All servers, internal and DMZ, should be secured at the OS and application levels: patches, configuration, monitoring, etc.

About the alias command, you can read about it on the PIX documentation web site:
But remember that this command is only a solution for clients that use external DNS servers and do not use the correct (internal) IP address of the server.
Using alias isn't more secure than the other solutions (using the internal IP address, using internal DNS mappings, etc.), and the other solutions are also more efficient and logical: why translate a wrong mapping if you can avoid it?

Bye
Yizhar Hurwitz
 
Thanks very much for your answer.
I have another question: what if I want to put my LAN on an interface which is less secure than the DMZ which contains the servers?
How can I enable my clients to access the Internet and also access the servers on the DMZ?
Thanks
 
HI.

I don't understand the goal here, but anyway, to achieve this you need nat and global for access to the Internet, and for access to a server on a higher security level you need a "static" for each server (and an access-list), the same idea as access from the Internet to the servers.

Bye
Yizhar Hurwitz
 
Hi,
let me explain to you what I'm doing:
I put the LAN behind intf3 and the servers (DNS, mail, ...) behind intf2,
where intf3 is less secure than intf2, and I do:
nat (intf3) 1 0 0
global (outside) 1 X.X.X.X
to let my LAN clients access INTERNET
nat (intf2) 2 0 0
global (intf3) 2 192.168.1.150-192.168.1.200
I also add:
static (intf2,intf3) 192.168.1.5 10.0.0.5 netmask 255.255.255.255
where 10.0.0.5 is the private address of the DNS server,
and I do that with all servers.
access-list acl_intf3 permit tcp any host 192.168.1.5 eq 53
.....
access-group acl_intf3 in interface intf3
But that doesn't work for me.
My clients can't browse the Internet.
So what's wrong?
 
Hi,

I believe you need to add access-list entries like these to allow intf3 to have access to the Internet.

Code:
access-list acl_inf3 permit tcp any any eq www
access-list acl_inf3 permit tcp any any eq domain

This will allow the web traffic through the third interface.


sean
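The complete picture from the last three posts (Yizhar's nat/global plus static/access-list explanation, LY's posted configuration, and Sean's access-list fix) in one PIX 6.x configuration, as an added example that is not from any of the posters. It keeps the thread's interface names (intf2 for the servers, intf3 for the LAN), the server address 10.0.0.5, its mapped address 192.168.1.5 and the 192.168.1.150-200 pool; the security levels, the interface addresses and the public address 203.0.113.1 are placeholders assumed for the example. It also adds the UDP DNS lines that Sean's TCP-only entries leave out, and restricts the source to the LAN subnet rather than "any".

```cisco
! Interface names and security levels (assumed values; PIX 6.x syntax).
! intf2 holds the servers and must be more secure than intf3, the LAN.
nameif ethernet2 intf2 security50
nameif ethernet3 intf3 security40
ip address intf2 10.0.0.1 255.255.255.0
ip address intf3 192.168.1.1 255.255.255.0

! LAN -> Internet: nat on the lower-security interface, global on outside.
! 203.0.113.1 stands in for the real public address (assumed).
nat (intf3) 1 0.0.0.0 0.0.0.0
global (outside) 1 203.0.113.1

! Servers -> LAN: only needed for connections the servers *initiate*
! toward the LAN; replies to LAN-initiated connections through the
! static below need no nat/global of their own.
nat (intf2) 2 0.0.0.0 0.0.0.0
global (intf3) 2 192.168.1.150-192.168.1.200

! LAN -> server (lower to higher security): one static per server.
! Syntax: static (real_ifc,mapped_ifc) mapped_ip real_ip netmask ...
! The DNS server 10.0.0.5 is reached from the LAN as 192.168.1.5.
static (intf2,intf3) 192.168.1.5 10.0.0.5 netmask 255.255.255.255 0 0

! Inbound access list on intf3. Once an access-group is bound to the
! interface, everything it does not permit is dropped, which is why
! LY's clients lost Internet access: the LAN's outbound traffic needs
! its own lines, not only the lines for the servers.
! The ACL matches the mapped address (192.168.1.5), as seen on intf3.
access-list acl_intf3 permit udp 192.168.1.0 255.255.255.0 host 192.168.1.5 eq domain
access-list acl_intf3 permit tcp 192.168.1.0 255.255.255.0 host 192.168.1.5 eq domain
access-list acl_intf3 permit tcp 192.168.1.0 255.255.255.0 any eq www
access-list acl_intf3 permit tcp 192.168.1.0 255.255.255.0 any eq 443
access-list acl_intf3 permit udp 192.168.1.0 255.255.255.0 any eq domain
access-group acl_intf3 in interface intf3
```

After applying it, `show xlate` should show a translation for a LAN client on 203.0.113.1 once it browses, and `show conn` should show its DNS connections to 192.168.1.5 being delivered to 10.0.0.5; if the clients still cannot resolve names, check that the UDP domain lines are present, since most client resolvers never use TCP.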
 
Thanks for your help, it works now.
BTW, I noticed some delay in my clients' browsing which didn't exist before.
Also, I noticed that when I'm pinging one of my servers which resides behind the PIX, I get a bigger time than before I put them behind the PIX.
Can this be solved?
Thanks
 