Adding an Interface to PIX

Posted on 2003-11-18
Last Modified: 2010-04-09

Hello,

I have a pix with 3 running interfaces - Inside, Outside, DMZ
Security levels - 100, 0, 50 respectively

I am looking to add a fourth, highly secure interface.

This interface will operate completely separate from the other three.  The LAN segment will also be separate.

The fourth interface will not need to pass traffic between the inside and DMZ.  Only outbound web traffic from the fourth interface needs to pass through to the outside.

I plan on setting the security level of interface 4 to 100, equal to that of the inside interface.  From what I understand interfaces with equal security levels cannot pass traffic.  And since the dmz and outside have a lower security level they will not be able to reach interface 4.  Please confirm.

Also, what other settings are required to ensure that interface 4 can only pass http traffic on port 80?

Thank you.


Question by:jimm123


Expert Comment

by:lrmoore
ID: 9773091
You really don't want to make the security levels equal. Make the new one 95 or something.
I'm not sure what you mean by the servers on this dmz#2 can only pass http traffic. Are they web servers or browsing the web?

>Only outbound web traffic

All depends on what version OS you have, and whether you are using conduits or access-lists...
If using conduits, use access-list with "outbound apply"
If using acls, simply create a single entry acl and apply it to the dmz2 interface:
access-list dmz2_out permit udp host <host ip> any eq 53
access-list dmz2_out permit tcp host <host ip> any eq http
access-list dmz2_out permit tcp host <host ip> any eq https
access-group dmz2_out in interface dmz2
You can do host-by-host, or use the subnet
You need to permit DNS name resolution as in my example.

By default, no traffic will be permitted from any higher security interface to any lower security interface without a conduit or acl entry, so this will be a totally independent segment.

Author Comment

by:jimm123
ID: 9779691
Lrmoore,

Thanks for the info.

The OS on the PIX is 6.3(1) but we are using conduits - Haven't switched over to all acl just yet.

I am not sure what you mean by access-list with "outbound apply"
Could you provide an example?

The 4th interface (dmz2) will need to browse the web only and will not host any web servers.

Thanks

Accepted Solution

by: lrmoore (earned 250 total points)
ID: 9780649
Reference:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/cmdref/mr.htm#1044408

Example:
outbound 1 deny 0 0 0
outbound 1 permit 10.1.1.0 255.255.255.0 80 tcp
outbound 1 permit 10.1.1.0 255.255.255.0 53 udp
 
apply (dmz2) 1 outgoing_src

If you want them to be able to browse, you also must permit DNS name resolution.
Do you also want to permit access to secure web servers? Then permit tcp 443 also:
outbound 1 permit 10.1.1.0 255.255.255.0 443 tcp
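The following is an added illustration, not code from the thread or from Cisco: a small Python model of the PIX 6.x forwarding decision that both lrmoore comments rely on, covering the access-list form from the first comment and the deny-all-plus-permits policy that the outbound/apply list in the accepted solution expresses for conduit-based configs. The interface names, the security level 95 for dmz2, the dmz2_out entries and the sample flows are taken or extrapolated from the thread; nat/global/static translation requirements and the matching order of outbound lists are deliberately not modelled.

```python
"""
Model of the PIX 6.x forwarding decision the thread discusses.  Added
illustration, not PIX software or Cisco code: interface names, security levels
(dmz2 = 95, as lrmoore suggests), the dmz2_out access-list and the sample
flows are constructed from the thread.  Translation (nat/global/static)
requirements are ignored, so a real PIX can still drop a flow this model permits.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Security levels from the question plus lrmoore's 95 for the new segment.
LEVELS: Dict[str, int] = {"inside": 100, "outside": 0, "dmz": 50, "dmz2": 95}

# The questioner's original plan: dmz2 at 100, equal to inside.
LEVELS_EQUAL: Dict[str, int] = {**LEVELS, "dmz2": 100}

# Access-list entries as (action, protocol, destination port).  The PIX walks
# the list top-down, first match wins, and an unmatched packet hits the
# implicit deny at the end of the list.
Acl = List[Tuple[str, str, int]]

# lrmoore's access-list dmz2_out.  The source host/subnet is omitted because
# the list is bound 'in' on dmz2, so only dmz2 sources are ever checked against it.
DMZ2_OUT: Acl = [
    ("permit", "udp", 53),   # DNS: without it, browsing fails at name lookup
    ("permit", "tcp", 80),   # http
    ("permit", "tcp", 443),  # https
]


@dataclass(frozen=True)
class Flow:
    """A connection attempt: initiating interface, destination interface, L4 info."""
    src_if: str
    dst_if: str
    proto: str       # "tcp" or "udp"
    dst_port: int


def acl_permits(acl: Acl, flow: Flow) -> bool:
    """First-match evaluation; falling off the end is the implicit deny."""
    for action, proto, port in acl:
        if proto == flow.proto and port == flow.dst_port:
            return action == "permit"
    return False


def default_policy(flow: Flow, levels: Dict[str, int]) -> bool:
    """Adaptive security default with no conduit/static: a connection may only be
    initiated from a higher security level to a lower one.  Equal levels do not
    pass traffic on PIX 6.x, and lower -> higher would need a static plus a
    permit, which this model does not provide."""
    return levels[flow.src_if] > levels[flow.dst_if]


def allowed(flow: Flow, levels: Dict[str, int],
            ingress_acls: Optional[Dict[str, Acl]] = None) -> bool:
    """Decision for a connection initiated from flow.src_if.  ingress_acls maps an
    interface to the list bound with `access-group <name> in interface`,
    mirroring `access-group dmz2_out in interface dmz2` from the thread."""
    acl = (ingress_acls or {}).get(flow.src_if)
    if acl is not None and not acl_permits(acl, flow):
        return False                       # dropped by the interface ACL
    return default_policy(flow, levels)    # then the security-level rule


def evaluate_thread_scenarios(levels: Dict[str, int] = LEVELS) -> Dict[str, bool]:
    """The cases the thread argues about, with dmz2_out bound 'in' on dmz2."""
    acls = {"dmz2": DMZ2_OUT}
    cases = {
        "dmz2_web_out":    Flow("dmz2", "outside", "tcp", 80),
        "dmz2_https_out":  Flow("dmz2", "outside", "tcp", 443),
        "dmz2_dns_out":    Flow("dmz2", "outside", "udp", 53),
        "dmz2_smtp_out":   Flow("dmz2", "outside", "tcp", 25),
        "dmz2_to_dmz_web": Flow("dmz2", "dmz", "tcp", 80),
        "dmz2_to_inside":  Flow("dmz2", "inside", "tcp", 80),
        "outside_to_dmz2": Flow("outside", "dmz2", "tcp", 80),
        "dmz_to_dmz2":     Flow("dmz", "dmz2", "tcp", 80),
        "inside_to_dmz2":  Flow("inside", "dmz2", "tcp", 80),
    }
    return {name: allowed(flow, levels, acls) for name, flow in cases.items()}


if __name__ == "__main__":
    for layout, levels in (("dmz2 = 95", LEVELS), ("dmz2 = 100", LEVELS_EQUAL)):
        print(layout)
        for name, ok in evaluate_thread_scenarios(levels).items():
            print(f"  {name:16s} {'permit' if ok else 'deny'}")
```

Two results are worth noticing. First, because the permit entries use `any` as the destination, HTTP from dmz2 to the existing DMZ (95 to 50) is also permitted; if the new segment is meant to reach only the outside, narrow the destination or put a deny for the DMZ and inside subnets ahead of the permits. Second, the inside interface (100) can initiate connections to dmz2 (95) by default, subject to a translation existing, so "completely separate" in the questioner's sense also needs an access-list on the inside interface. With dmz2 at 100, as originally planned, inside and dmz2 cannot talk in either direction, but dmz2 still cannot be reached from outside or the DMZ and can still browse out, which is the part of the questioner's reasoning that was correct.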
