Subject: Re: PIX Firewall
From: Grace, Terry (tgrace@THESTAR.CA)
Date: Thu Aug 24 2000 - 15:23:51 CDT


Try this on your PIX:

static (inside,dmz) 192.168.1.x 10.1.1.2 netmask 255.255.255.255 0 0
conduit permit ip host 192.168.1.x any
conduit permit icmp any any

Tighten the conduit up as much as you need (i.e. allow only required ports).
This allows any DMZ host to access any IP port on your web server and all
ICMP.

Hope this helps.

-----Original Message-----
From: Keith Barnard [mailto:Keith@PARADIGMNET.COM]
Sent: Thursday, August 24, 2000 12:48 PM
To: FOCUS-MS@SECURITYFOCUS.COM
Subject: PIX Firewall

I have a real stumper here, at least it is for me. Here is the scenario: I
have a Cisco router connected to the Internet via a T1; this router is
addressed as 207.181.9.1 (these are not the real addresses). The interface is
attached to a PIX 520 (with three cards) and has an outside address of
207.181.9.2. There is a DMZ card at 192.168.1.4. There is an Inside card at
10.1.1.1. On the DMZ there is a Windows 2000 WEB server at 192.168.1.3. The
PIX is translating the outside web address of 207.181.9.5 to the WEB server.
So far so good. We have a developer that wants to access a database server
(address 10.1.1.2) on the inside network from the DMZ. The way I achieved
this was to punch a huge hole at the WEB server (I put another card in the
server and addressed it for the inside network and filtered the card). I
thought I pacified him; now he tells me that he has a Java applet that must
be able to ping the outside WEB address, which can't happen via this
scenario. So, if anybody has any suggestions please let me know.

Thanks in advance for any help
Keith
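The reply above suggests a static plus two conduits and then says to tighten the conduits to only the required ports. The script below is an added example, not part of the thread, that shows what "tightening" means in practice: it parses PIX conduit statements in the form the reply uses (conduit permit <proto> <global> [op port] <foreign> [op port]) and flags the loose patterns (an "ip" permit, an "any" endpoint, a tcp/udp permit with no port). The sample input is constructed from the reply's own lines; the tightened alternative assumes the database listens on TCP 1433, which is a placeholder because the thread never names the database or its port, and keeps the "192.168.1.x" placeholder from the reply.

```python
"""Audit Cisco PIX 'conduit' lines for overly broad permits (added example)."""
from typing import Dict, List, Optional, Tuple

PORT_OPERATORS = {"eq", "lt", "gt", "neq"}

# Constructed sample: the two conduit lines from the reply as posted.
LOOSE_CONDUITS = """\
conduit permit ip host 192.168.1.x any
conduit permit icmp any any
"""

DB_PORT = 1433  # assumption: placeholder port, the thread does not name the DB's port

# Constructed tightened alternative: same static, but only the web server
# (192.168.1.3) may reach the DB's DMZ-side address, and only on DB_PORT.
TIGHT_CONDUITS = f"""\
conduit permit tcp host 192.168.1.x eq {DB_PORT} host 192.168.1.3
conduit permit icmp host 192.168.1.x host 192.168.1.3
"""


def _take_address(tokens: List[str], pos: int) -> Tuple[Tuple[str, str], int]:
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D MASK'."""
    if tokens[pos] == "any":
        return ("0.0.0.0", "0.0.0.0"), pos + 1
    if tokens[pos] == "host":
        return (tokens[pos + 1], "255.255.255.255"), pos + 2
    return (tokens[pos], tokens[pos + 1]), pos + 2


def _take_port(tokens: List[str], pos: int) -> Tuple[Optional[str], int]:
    """Consume an optional 'eq|lt|gt|neq PORT' or 'range LOW HIGH' qualifier."""
    if pos < len(tokens) and tokens[pos] in PORT_OPERATORS:
        return f"{tokens[pos]} {tokens[pos + 1]}", pos + 2
    if pos < len(tokens) and tokens[pos] == "range":
        return f"range {tokens[pos + 1]} {tokens[pos + 2]}", pos + 3
    return None, pos


def parse_conduit(line: str) -> Dict[str, object]:
    """Split a conduit statement into action, protocol, global/foreign sides and ports."""
    tokens = line.split()
    if len(tokens) < 5 or tokens[0] != "conduit" or tokens[1] not in ("permit", "deny"):
        raise ValueError(f"not a conduit statement: {line!r}")
    proto = tokens[2].lower()
    glob, pos = _take_address(tokens, 3)
    gport, pos = _take_port(tokens, pos)
    foreign, pos = _take_address(tokens, pos)
    fport, pos = _take_port(tokens, pos)
    return {
        "action": tokens[1], "proto": proto,
        "global": glob, "global_port": gport,
        "foreign": foreign, "foreign_port": fport,
        "extra": tokens[pos:],  # e.g. an ICMP type keyword
    }


def audit_conduit(line: str) -> List[str]:
    """Return the reasons a permit is broader than the reply's advice allows."""
    rule = parse_conduit(line)
    if rule["action"] != "permit":
        return []
    findings = []
    if rule["proto"] == "ip":
        findings.append("permits every IP protocol; name tcp/udp/icmp instead")
    if rule["global"][1] == "0.0.0.0":
        findings.append("global side is 'any'; pin it to the static's address")
    if rule["foreign"][1] == "0.0.0.0":
        findings.append("foreign side is 'any'; pin it to the DMZ host that needs access")
    if rule["proto"] in ("tcp", "udp") and not (rule["global_port"] or rule["foreign_port"]):
        findings.append("no port restriction on a tcp/udp permit")
    return findings


def audit_config(text: str) -> Dict[str, List[str]]:
    """Map each flagged conduit line to its findings; clean lines are omitted."""
    report: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("conduit"):
            findings = audit_conduit(line)
            if findings:
                report[line] = findings
    return report


if __name__ == "__main__":
    for label, cfg in (("as posted", LOOSE_CONDUITS), ("tightened", TIGHT_CONDUITS)):
        print(f"--- {label} ---")
        for line, findings in audit_config(cfg).items():
            print(line)
            for f in findings:
                print("   ", f)
```

Run against the two samples, the "as posted" pair is flagged on every line while the tightened pair passes; the static line itself is untouched, since it is the conduits, not the translation, that decide what the DMZ may reach.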