
PIX + DMZ

Status
Not open for further replies.

jdl508

Technical User
Apr 30, 2001
242
US
Ok, here goes.
I am building a network that will consist of 3 DMZs (networks) with a PIX in between each. My question is: if I have DMZ1 (10.1.1.1) and DMZ2 (192.168.1.1), can I get from one to the other with just access lists / conduits, or do I need a router for each network / DMZ? I want (for security reasons) 3 different networks altogether, but I definitely don't want to purchase routers for each inter-network. I thought you could just get between them with something like this (don't mind the syntax):
ANY 192.168.1.122 to 10.1.1.33 eq www
Something like that. Would this work?
Thanks ahead of time
:)
 
Hi.

Yes, you can pass traffic between separate DMZ networks.
But it is not the same as with routers.

You will need to learn the ASA and security level used by the PIX, and the details for the following commands:
nat 0
nat x
global
static
access-list
access-group

Read the PIX documentation and the Cisco web site (you can find samples there).

You can also try using PDM to help you with such configuration.

Bye
Yizhar Hurwitz
 
As Yizhar said, you don't need routers on your DMZs, but be aware of the way that the PIX and ASA work. You assign a security level for your DMZs between 1 and 99. Your outside network (eth0) will have the default security level of 0 and the inside network (eth1) has the default security level of 100 (most secure). The way that the PIX works is that the higher security level network can make connections to the lower security level network. So sec100 can go out to sec0. The only way that a lower interface can connect to a higher interface is if you make exceptions to the ASA rules by applying conduits or access-lists.

With your DMZs you will need to assign security levels to them between 1 and 99. For example, if DMZ1 is sec80 and DMZ2 is sec60, then DMZ1 will be able to connect to DMZ2, but DMZ2 will not be able to connect to DMZ1 without access-lists or conduits. In the same manner, DMZ2 will be able to connect to the outside (sec0), but the outside won't be able to connect to DMZ2 without access-lists or conduits.

Does this make any sense? I'm only on my first coffee of the day!

Chris.
************************
Chris Andrew, CCNA
chrisac@gmx.co.uk
************************
 
First of all, thank you for the advice!
I figured I could do this but just needed a little reassurance. All I will need is an access list no matter what the security level, correct? In other words, if I need to talk to a SQL box on a higher level (i.e. SQL = sec level 10 and web = level 0), I can do this through an access list (of course the SQL box can just talk directly to the web server due to their security levels), and none of this matters with the use of different subnets (i.e. 10.x.x.x and 192.x.x.x)?
Last Q:
My idea was to have a PIX between each DMZ (I know I can buy a PIX with 4 interfaces, but this is how we wanted to do it). I am assuming I will just daisy chain from the switch in DMZ1 to the PIX in DMZ2 and so on? Thanks again
 
Hi.

To get from low to high security, you need both STATIC and ACCESS-LIST.

The daisy chain seems to me like a very bad idea.
How many pix boxes are going to be there?
How many DMZ?
How many firewalls will a user from the inside need to pass to reach the Internet? To reach DMZ1?

I suggest not starting with implementing the chain unless you are sure of what you are going to do and have very solid planning.

Bye
Yizhar Hurwitz
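As an added example (not posted by anyone in this thread), here is what Yizhar's command list and the security-level rule Chris described look like together, for the two DMZs from the original question. The host addresses 192.168.1.122 and 10.1.1.33, the DMZ interface addresses and the security levels 80/60 come from the thread; the Ethernet numbering, netmasks, ACL names, the outside address (a documentation range) and PIX 6.2-or-later syntax (needed for `nat 0 access-list`) are assumptions.

```cisco
! Added example, not from the thread. Interface numbers, netmasks, ACL names
! and the outside address are assumptions; PIX 6.2+ syntax.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz1 security80
nameif ethernet3 dmz2 security60
ip address outside 203.0.113.2 255.255.255.248
ip address inside 172.16.0.1 255.255.255.0
ip address dmz1 10.1.1.1 255.255.255.0
ip address dmz2 192.168.1.1 255.255.255.0

! --- High to low (dmz1 -> dmz2): a translation rule is enough, no ACL needed.
! nat 0 with an ACL exempts dmz1 -> dmz2 traffic from address translation,
! so dmz1 hosts reach 192.168.1.x under their real 10.1.1.x addresses.
access-list dmz1_nonat permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (dmz1) 0 access-list dmz1_nonat

! Internet access for both DMZs: nat id 1 paired with PAT on the outside address.
nat (dmz1) 1 10.1.1.0 255.255.255.0
nat (dmz2) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface

! --- Low to high (dmz2 host -> web server in dmz1): BOTH a static and an ACL.
! Identity static: 10.1.1.33 is reachable from dmz2 under its own address.
static (dmz1,dmz2) 10.1.1.33 10.1.1.33 netmask 255.255.255.255 0 0

! Inbound ACL on dmz2, evaluated top-down, first match wins.
! 1) only 192.168.1.122 may open TCP/80 to 10.1.1.33
access-list dmz2_in permit tcp host 192.168.1.122 host 10.1.1.33 eq www
! 2) nothing else from dmz2 may reach the higher-security dmz1 network
access-list dmz2_in deny ip any 10.1.1.0 255.255.255.0
! 3) keep the default high-to-low behaviour (dmz2 -> outside); once an ACL is
!    bound to the interface, traffic it does not permit is dropped.
access-list dmz2_in permit ip 192.168.1.0 255.255.255.0 any
access-group dmz2_in in interface dmz2
```

Two points worth checking after applying something like this: binding `access-group dmz2_in` replaces the default permit for everything entering dmz2, so the explicit line 3 is what keeps dmz2 -> Internet working; and the static plus ACL only allows dmz2 to open connections toward dmz1, while return packets for connections that dmz1 itself opened toward dmz2 are passed by the stateful ASA without any ACL entry.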
 
There will be 3 PIX boxes total. It would look like this:

Internet router -> pix1 -> dmz1 (switch) -> pix2 -> dmz2 (switch2) -> pix3 -> dmz3 (switch3 - corp network)
So it seems that the user would go through 3 FWs to get to the Internet.
Is that a problem?
I tried to get them to buy into the idea of 1 PIX with multiple interfaces for the DMZs, but they want the extra layer of security with the 3 different PIX boxes (perception).
Why does the daisy chain (for lack of a better term) sound like a bad idea? How else could this be done without 1 PIX with multiple interfaces?
Thanks again
:)
 
Three PIX firewalls for three DMZs?? Sounds stupid to me! Why not just have a PIX (maybe a 515) with a four-port card? Daisy chaining these firewalls will cause a configuration headache for you and make the task far more complicated than it needs to be! For example, if you have a problem getting from the corporate network to the Internet you don't just have one PIX config to figure out, you have three!

If you're the guy who has to implement this then you should have some say in how it's done! Speak your mind!!

Good luck! Let us know what the outcome is!

Chris.
************************
Chris Andrew, CCNA
chrisac@gmx.co.uk
************************
 