
Two PIX in series - 4 networks - Statics/NATing/VPN?


captaintuba (Technical User, GB)
Oct 28, 2003
We've just replaced our outside PIX515UR with a PIX515eUR.

Now we'd like to re-deploy the PIX515UR as an inner firewall to further protect database servers on the publicly accessible DMZ.

i.e. PIX1-OUTSIDE = Internet
PIX1-INSIDE = Corp LAN
PIX1-DMZ1 = web servers
and PIX2-OUTSIDE = DMZ1 = web servers
PIX2-INSIDE = DMZ2 = backend database servers
Code:
Internet---PIX1---DMZ1---PIX2---DMZ2
             |
          INSIDE

I have several areas of the config I'd like to sound out:
1. Static Maps
2. VPNs
3. Access from Corp LAN to DMZ2
4. Access from DMZ2 to Corp LAN

==========
1. Static Maps
To mimic our live site I'd like to move a publicly accessible FTP server from DMZ1 to DMZ2.
The FTP server's IP address is mapped statically, e.g.
Code:
static (dmz1,outside) ISP.ISP.ISP.FTP 192.168.DMZ1.YYY netmask 255.255.255.255 0 0

Should I just modify the static map to point to the new address of the FTP server in DMZ2 and add a route to DMZ2 on PIX1?

Code:
static (dmz1,outside) ISP.ISP.ISP.FTP 192.168.DMZ2.YYY netmask 255.255.255.255 0 0
route dmz1 192.168.DMZ2.0 255.255.255.0 192.168.DMZ1.2 1

or

Leave the config on PIX1 as is and create static maps on PIX2 to map the old DMZ1 address of the FTP server to the new address on DMZ2?
Code:
static (inside,outside) 192.168.DMZ1.FTP 192.168.DMZ2.FTP netmask 255.255.255.255 0 0
=======
2. VPN
There are some site to site VPNs configured and working on PIX1. We want a server on DMZ2 to use one of the VPN tunnels.
Do we NAT the servers outgoing connections so that it appears to come from DMZ1?

or

No-NAT it, include DMZ2 in the outgoing NO-NAT on PIX1 and add the DMZ2 subnet to the remote VPN peers list of accepted networks?
=====
3. Access from Corp LAN to DMZ2
With one PIX, Corp LAN to DMZ1 was easy.
From a high security interface to a lower security interface is an implicit permit.
But now we need to go from DMZ1 to DMZ2 which is low to high.
And the LAN addresses are NATed to DMZ2 addresses.
(note the no-nat access list is for outgoing VPN access)

The relevant code currently looks like this:
Code:
global (dmz1) 1 interface
nat (inside) 0 access-list no_nat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz1) 1 192.168.dmz1.0 255.255.255.0 0 0

With the current config I'm worried that PIX2 can't tell incoming LAN traffic from DMZ1 traffic.

Do I need to NO_NAT LAN to DMZ1 traffic and add the following access list?
Code:
PIX2> access-list outside_access_in permit tcp 192.168.LAN.0 255.255.255.0 any
Then I can tie it down to specific hosts and protocols later.
=========
4. Access from DMZ2 to Corp LAN
Ok so there is an implicit permit from a higher security to lower security interface. So traffic can go freely from DMZ2 to DMZ1 - then I need to add to the access list for traffic going from DMZ1 to LAN1.

The current access list is:
Code:
PIX1> access-list dmz1_access_in permit icmp any any
PIX1> access-list dmz1_access_in permit tcp host 192.168.DMZ1.XXX host 192.168.LAN.ZZZ e

So do I NAT traffic going from DMZ2 to DMZ1?
or
Do I add an access list on PIX1 like this?
Code:
PIX1> access-list dmz1_access_in permit tcp host 192.168.DMZ2.XXX host 192.168.LAN.ZZZ e
======

Sorry the post is so long.
But a few of the issues are interlinked.
I haven't cut the PIX2 config yet - but I have the current PIX1 config I could post if required.

regards
C.T.
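As an added illustration (not the poster's config, and not a confirmed answer for this site), here is one PIX 6.x-style skeleton for the two-firewall layout in points 3 and 4: an identity static on PIX2 so DMZ2 hosts keep their real addresses when reached from DMZ1, a no-NAT entry on PIX1 so LAN traffic arrives at PIX2 with its real source address, and an inbound ACL on PIX2's outside interface that is already restricted to specific hosts and ports rather than "permit tcp 192.168.LAN.0 any". Addresses of the form 192.168.DMZ2.DB, 192.168.LAN.0 and the port 1433 are placeholders chosen for the example; the ACL and object names are assumptions.

```cisco
! ---- PIX1 (assumed additions only; existing statics/VPN lines unchanged) ----
! Route the new DMZ2 subnet via PIX2's outside address on DMZ1 (placeholder .2)
route dmz1 192.168.DMZ2.0 255.255.255.0 192.168.DMZ1.2 1
! Exempt LAN -> DMZ2 from the nat (inside) 1 / global (dmz1) 1 interface PAT,
! so PIX2 sees the real LAN source instead of PIX1's DMZ1 interface address.
! (Assumes no_nat is the list already referenced by "nat (inside) 0 access-list no_nat".)
access-list no_nat permit ip 192.168.LAN.0 255.255.255.0 192.168.DMZ2.0 255.255.255.0
! DMZ1 -> LAN is low-to-high on PIX1, so DMZ2 replies/initiations still need an explicit
! entry here; keep it to one host and one port (placeholder port 1433).
access-list dmz1_access_in permit tcp host 192.168.DMZ2.DB host 192.168.LAN.ZZZ eq 1433

! ---- PIX2 (outside = DMZ1, inside = DMZ2) ----
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 192.168.DMZ1.2 255.255.255.0
ip address inside 192.168.DMZ2.1 255.255.255.0
! Identity static: DMZ2 keeps its real addresses; static is bidirectional, so
! it also satisfies the translation requirement for outbound DMZ2 -> DMZ1 traffic.
static (inside,outside) 192.168.DMZ2.0 192.168.DMZ2.0 netmask 255.255.255.0 0 0
! Inbound from the lower-security outside (DMZ1) is denied unless permitted here.
! Only the web tier and the named LAN host may reach the DB host, on one port.
access-list outside_access_in permit tcp host 192.168.DMZ1.WEB host 192.168.DMZ2.DB eq 1433
access-list outside_access_in permit tcp host 192.168.LAN.ZZZ host 192.168.DMZ2.DB eq 1433
access-group outside_access_in in interface outside
! Everything else goes back to PIX1's DMZ1 interface (placeholder .1)
route outside 0.0.0.0 0.0.0.0 192.168.DMZ1.1 1
```

The check worth doing after applying something like this is `show xlate` and `show conn` on PIX2 while a LAN host connects to the DB host: the connection should show the real LAN source address, not PIX1's DMZ1 interface address. If the PAT address still appears, the no_nat entry on PIX1 is not matching and the host-specific ACL on PIX2 will silently block the traffic.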