Subject: Re: [PIX Firewall]
From: Steven Taylor (stillioNETSCAPE.NET)
Date: Thu Aug 24 2000 - 20:19:51 CDT
Good problem. I never like dual-homing DMZ servers because it presents a device that bypasses the firewall, but it's still a nifty idea if you'll be running Veritas NetBackup or other management software on its own isolated network. PIXes are wonderful network devices, and all you have to remember is that you need static and conduit statements when going from lower to higher security interfaces, and use nat and global statements to move from higher to lower [and ok, I also add an ACL to the 'inside' interface to restrict internal traffic]. If you set this up with a cut-through proxy and TACACS+/RADIUS it's really not that insecure to allow the internal traffic you mentioned. As for needing to ping the outside publicly NAT'd address, my recommendation would be to look at the source code for that applet (if it's available) and make the change there. The sticky point is that PIX won't let you send AND receive on the same interface. It would be simple if you could just allow ICMP to the external web/global address, but because it's not traversing interfaces, it won't work. I would recommend that he ping the global address in the 'dmz' from the 'inside' interface; surely his applet asks for the address... ;) I can't think of a [good] reason it needs to ping a CIDR address though.
Please let me know if you need more specifics.
Keith Barnard <KeithPARADIGMNET.COM> wrote:
I have a real stumper here, at least it is for me. Here is the scenario: I have a Cisco router connected to the Internet via a T1; this router is addressed as 18.104.22.168 (these are not the real addresses). The interface is attached to a PIX 520 (with three cards) and has an outside address of 22.214.171.124. There is a DMZ card at 192.168.1.4. There is an Inside card at 10.1.1.1. On the DMZ there is a Windows 2000 web server at 192.168.1.3. The PIX is translating the outside web address of 126.96.36.199 to the web server. So far so good. We have a developer that wants to access a database server (address 10.1.1.2) on the inside network from the DMZ. The way I achieved this was to punch a huge hole at the web server (I put another card in the server and addressed it for the inside network and filtered the card). I thought I had pacified him; now he tells me that he has a Java applet that must be able to ping the outside web address, which can't happen via this scenario. So, if anybody has any suggestions please let me know.
Thanks in advance for any help
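The following is an added example, not part of either message above, showing how Steven's rule of thumb (static + conduit from lower to higher security, nat + global from higher to lower, plus an ACL on the inside interface) would look as a PIX 5.x/6.x configuration for Keith's three-interface layout. It replaces the second NIC in the web server with a single firewall rule for the DMZ-to-database flow, so the firewall sees and logs every DB connection. The interface addresses are the placeholders from Keith's post; the subnet masks, the outside global pool, the database port (1433, assumed to be MS SQL on the Windows box), and the ACL name are assumptions. It does not address the applet's ping of 126.96.36.199 from the DMZ itself, which, as Steven notes, would not traverse interfaces.

```cisco
: Added example configuration (not from the original thread). Addresses are the
: post's placeholders; masks, the global pool, port 1433 and the ACL name are assumed.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 22.214.171.124 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
ip address dmz 192.168.1.4 255.255.255.0
route outside 0.0.0.0 0.0.0.0 18.104.22.168 1

: Higher -> lower security (inside -> outside): nat + global.
nat (inside) 1 10.1.1.0 255.255.255.0 0 0
global (outside) 1 22.214.171.130-22.214.171.140 netmask 255.255.255.0

: inside -> dmz: an identity static keeps inside addresses unchanged on the DMZ
: side (a nat/global pair to a DMZ pool would also work). Statics are matched
: before dynamic nat, so this pair is used for inside,dmz traffic.
static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0 0 0

: Lower -> higher security (outside -> DMZ web server): static + conduit,
: limited to HTTP.
static (dmz,outside) 126.96.36.199 192.168.1.3 netmask 255.255.255.255 0 0
conduit permit tcp host 126.96.36.199 eq www any

: Lower -> higher security (DMZ web server -> inside database): the identity
: static above already exposes 10.1.1.2 on the DMZ side; the conduit restricts
: it to one source host and one port instead of the dual-homed NIC.
conduit permit tcp host 10.1.1.2 eq 1433 host 192.168.1.3

: Steven's suggestion: let inside hosts ping the web server by its DMZ address.
: PIX 5/6 does not track ICMP statefully, so the echo-reply coming back from the
: lower-security DMZ needs its own conduit.
conduit permit icmp 10.1.1.0 255.255.255.0 host 192.168.1.3 echo-reply

: Optional ACL on the 'inside' interface to restrict what internal hosts may
: start (outbound web and the ping above only).
access-list inside_out permit tcp 10.1.1.0 255.255.255.0 any eq www
access-list inside_out permit tcp 10.1.1.0 255.255.255.0 any eq https
access-list inside_out permit icmp 10.1.1.0 255.255.255.0 host 192.168.1.3 echo
access-group inside_out in interface inside
```

The one conduit for port 1433 is the whole replacement for the extra NIC: it is bound to a single DMZ source (the web server) and a single inside destination and port, and every connection through it shows up in the PIX syslog, which the host-based filter on the second card never gave you. If the web server is compromised, the attacker's reach into the inside network is exactly that one port on that one host.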