Solved

Adding an Interface to PIX

Posted on 2003-11-18
3
280 Views
Last Modified: 2010-04-09
Hello,

I have a pix with 3 running interfaces - Inside, Outside, DMZ
Security levels - 100, 0, 50 respectively

I am looking to add a fourth, highly secure interface.

This interface will operate completely separate from the other three.  The LAN segment will also be separate.

The fourth interface will not need to pass traffic between the inside and DMZ.  Only outbound web traffic from the fourth interface needs to pass through to the outside.

I plan on setting the security level of interface 4 to 100, equal to that of the inside interface.  From what I understand, interfaces with equal security levels cannot pass traffic.  And since the DMZ and outside have a lower security level they will not be able to reach interface 4.  Please confirm.

Also, what other settings are required to ensure that interface 4 can only pass http traffic on port 80?

Thank you.


Question by:jimm123
3 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 9773091
You really don't want to make the security levels equal. Make the new one 95 or something..
I'm not sure what you mean by the servers on this dmz#2 can only pass http traffic. Are they web servers or browsing the web?

>Only outbound web traffic

All depends on what version OS you have, and whether you are using conduits or access-lists...
If using conduits, use access-list with "outbound apply"
If using acls, simply create a single entry acl and apply it to the dmz2 interface:
access-list dmz2_out permit udp host <host ip> any eq 53
access-list dmz2_out permit tcp host <host ip> any eq http
access-list dmz2_out permit tcp host <host ip> any eq https
access-group dmz2_out in interface dmz2
You can do host-by-host, or use the subnet
You need to permit DNS name resolution as in my example.

By default, no traffic will be permitted from any higher security interface to any lower security interface without a conduit or acl entry, so this will be a totally independent segment.

Author Comment

by:jimm123
ID: 9779691
Lrmoore,

Thanks for the info.

The os on the pix is 6.3(1) but we are using conduits - Haven't switched over to all acl just yet.

I am not sure what you mean by access-list with "outbound apply"
Could you provide an example?

The fourth interface (dmz2) will need to browse the web only and will not host any web servers.

Thanks
LVL 79

Accepted Solution

by: lrmoore (earned 250 total points)
ID: 9780649
Reference:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/cmdref/mr.htm#1044408

Example:
outbound 1 deny 0 0 0
outbound 1 permit 10.1.1.0 255.255.255.0 80 tcp
outbound 1 permit 10.1.1.0 255.255.255.0 53 udp
 
apply (dmz2) 1 outgoing_src

If you want them to be able to browse, you also must permit dns name resolution
Do you also want to permit access to secure web servers? Then permit tcp 443 also
outbound 1 permit 10.1.1.0 255.255.255.0 443 tcp
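A complete set of PIX 6.3 commands for bringing up the fourth interface, as an added example that is not part of either of lrmoore's replies. It takes the security level 95 from the first reply and the 10.1.1.0/24 subnet from the accepted answer; the port name ethernet3, the inside and DMZ subnets (192.168.1.0/24 and 172.16.1.0/24), and the reuse of existing global pool 1 on the outside interface are assumptions. It uses the access-list form rather than outbound/apply and adds one check both replies leave out: the `any` destination in the permit lines also covers the DMZ, which sits at security 50, below dmz2's 95. The PIX allows higher-to-lower traffic once a translation exists, so without the leading deny entries a dmz2 host could browse to DMZ web servers on 80 or 443 if a global or static on dmz covers it.

```cisco
: Added example (not from the thread). Assumptions: spare port ethernet3,
: dmz2 = 10.1.1.0/24, inside = 192.168.1.0/24, dmz = 172.16.1.0/24,
: and "global (outside) 1 ..." already configured for the other interfaces.
interface ethernet3 auto
nameif ethernet3 dmz2 security95
ip address dmz2 10.1.1.1 255.255.255.0
: Translate dmz2 hosts through the existing outside pool (pool ID 1 assumed)
nat (dmz2) 1 10.1.1.0 255.255.255.0 0 0
: Deny the internal destinations first; "any" in the permits below would
: otherwise include the DMZ (security 50 < 95) and, if ever translated, inside
access-list dmz2_out deny ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list dmz2_out deny ip 10.1.1.0 255.255.255.0 172.16.1.0 255.255.255.0
: Only name resolution and web browsing may leave the segment
access-list dmz2_out permit udp 10.1.1.0 255.255.255.0 any eq 53
access-list dmz2_out permit tcp 10.1.1.0 255.255.255.0 any eq 80
access-list dmz2_out permit tcp 10.1.1.0 255.255.255.0 any eq 443
: The list ends in an implicit deny; an explicit entry makes its hit count visible
access-list dmz2_out deny ip any any
access-group dmz2_out in interface dmz2
```

After pasting, run `clear xlate` so the new nat entry takes effect, then `show access-list dmz2_out` while a dmz2 host browses: hits on the final deny line show exactly what the segment is trying to send that the policy does not allow. The lines beginning with a colon are PIX comment lines and can be pasted along with the commands.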