Subject: Re: PIX Firewall
From: Matt Beck (Mbeck@GIANTSTEP.COM)
Date: Thu Aug 24 2000 - 14:54:49 CDT
- Next message: Phillip Renouf: "Re: Outlook Web access Question."
- Previous message: Michel van Osenbruggen: "Re: Windows firewalls"
- Maybe in reply to: Keith Barnard: "PIX Firewall"
- Next in thread: Gary Rogers: "Re: PIX Firewall"
- Maybe reply: Matt Beck: "Re: PIX Firewall"
I don't think I fully understand what your developer is looking for, but I
do have a suggestion.
My PIX is configured so that servers in the DMZ are on a higher security
interface than the LAN users. This allows unrestricted access to the LAN
resources by DMZ servers (no broadcast traffic, though). Your web server
can access a database server on the LAN, but the LAN cannot access the web
server (unless, of course, you use conduits and statics to permit it).
This way your DMZ servers have LAN access without straddling the firewall as
you have done with 2 NICs.
Now back to your developer...
Is he trying to ping the "public" web address from the LAN segment or from
the DMZ segment? Since the public web address only exists on the "front" of
the PIX, devices behind the PIX can never ping it. I called Cisco on a
similar need (to ping addresses on the subnet the outside interface resides
on) and with NAT and PAT enabled, it can't be done.
Hope this helps.
Matt
-----Original Message-----
From: Keith Barnard [mailto:Keith@PARADIGMNET.COM]
Sent: Thursday, August 24, 2000 11:48 AM
To: FOCUS-MS@SECURITYFOCUS.COM
Subject: PIX Firewall
I have a real stumper here, at least it is for me. Here is the scenario: I
have a Cisco router connected to the Internet via a T1; this router is
addressed as 207.181.9.1 (these are not the real addresses). The interface is
attached to a PIX 520 (with three cards) and has an outside address of
207.181.9.2. There is a DMZ card at 192.168.1.4. There is an Inside card at
10.1.1.1. On the DMZ there is a Windows 2000 WEB server at 192.168.1.3. The
PIX is translating the outside web address of 207.181.9.5 to the WEB server.
So far so good. We have a developer that wants to access a database server
(address 10.1.1.2) on the inside network from the DMZ. The way I achieved
this was to punch a huge hole at the WEB server (I put another card in the
server, addressed it for the inside network and filtered the card). I
thought I had pacified him; now he tells me that he has a Java applet that must
be able to ping the outside WEB address, which can't happen via this
scenario. So, if anybody has any suggestions, please let me know.
Thanks in advance for any help
Keith
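A worked PIX configuration for the two approaches discussed in this thread, added here as an example; it is not from either poster and is not a capture of their firewalls. Layout A keeps Keith's conventional interface levels and replaces the second NIC in the web server with a static plus a conduit scoped to one host and one port; Layout B is the arrangement Matt describes, with the server segment on a higher security level than the LAN users. The addresses are the ones from the original post; the command syntax is PIX software 5.x; the database port (TCP 1433) and the PAT address 207.181.9.3 are assumptions, since the post gives neither; lines starting with "!" are reader comments, not PIX commands. Note that PIX pins the interface named "inside" to security level 100 and "outside" to 0, so in Layout B the servers sit on "inside" and the users on a third, lower interface.

```text
! ===== Layout A: Keith's layout (outside=0, dmz=50, inside=100) =====
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 207.181.9.2 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
ip address dmz 192.168.1.4 255.255.255.0
! Outbound PAT for inside and DMZ hosts going to the Internet
! (207.181.9.3 is an assumed spare address on the outside subnet)
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 207.181.9.3
! Publish the web server: 207.181.9.5 -> 192.168.1.3, HTTP only
static (dmz,outside) 207.181.9.5 192.168.1.3 netmask 255.255.255.255 0 0
conduit permit tcp host 207.181.9.5 eq www any
! DMZ -> inside database, instead of a second NIC in the web server:
! an identity static makes 10.1.1.2 reachable from the DMZ, and the
! conduit permits only the web server, only to the database port
! (1433 is assumed; use whatever the database actually listens on).
! Everything else from the DMZ toward inside stays blocked.
static (inside,dmz) 10.1.1.2 10.1.1.2 netmask 255.255.255.255 0 0
conduit permit tcp host 10.1.1.2 eq 1433 host 192.168.1.3

! ===== Layout B: servers above users (outside=0, inside=100, users=50) =====
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 users security50
ip address outside 207.181.9.2 255.255.255.0
ip address inside 192.168.1.4 255.255.255.0
ip address users 10.1.1.1 255.255.255.0
! Servers (100) -> users (50) is higher-to-lower, so it is allowed once
! translation is settled; nat 0 sends server traffic through untranslated.
nat (inside) 0 192.168.1.0 255.255.255.0
! Users still PAT out to the Internet
nat (users) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 207.181.9.3
! The web server is published with its own static, so its Internet-bound
! traffic is translated to 207.181.9.5 even though nat 0 is in effect.
static (inside,outside) 207.181.9.5 192.168.1.3 netmask 255.255.255.255 0 0
conduit permit tcp host 207.181.9.5 eq www any
! Users (50) -> servers (100) is lower-to-higher and is blocked by default.
! Open only what the LAN really needs, e.g. HTTP to the web server:
static (inside,users) 192.168.1.3 192.168.1.3 netmask 255.255.255.255 0 0
conduit permit tcp host 192.168.1.3 eq www 10.1.1.0 255.255.255.0
```

Two practical caveats. In Layout A the conduit is the whole control: a `conduit permit ip host 10.1.1.2 any` would reopen the same hole the second NIC created, so keep it to the one source host and one port. In Layout B, `nat (inside) 0` means any server without its own static reaches the Internet with its private address, which will not route back; give every server that needs outbound access a static of its own, or replace `nat 0` with a `nat`/`global` pair on the users interface.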