Adding an Interface to PIX

Posted on 2003-11-18
Last Modified: 2010-04-09
Hello,

I have a pix with 3 running interfaces - Inside, Outside, DMZ
Security levels - 100, 0, 50 respectively

I am looking to add a fourth, highly secure interface.

This interface will operate completely separate from the other three.  The LAN segment will also be separate.

The fourth interface will not need to pass traffic between the inside and DMZ.  Only outbound web traffic from the fourth interface needs to pass through to the outside.

I plan on setting the security level of interface 4 to 100, equal to that of the inside interface.  From what I understand interfaces with equal security levels cannot pass traffic.  And since the dmz and outside have a lower security level they will not be able to reach interface 4.  Please confirm.

Also, what other settings are required to ensure that interface 4 can only pass http traffic on port 80?

Thank you.


Question by:jimm123

Expert Comment

by:lrmoore
ID: 9773091
You really don't want to make the security levels equal. Make the new one 95 or something..
I'm not sure what you mean by the servers on this dmz#2 can only pass http traffic. Are they web servers or browsing the web?

>Only outbound web traffic

All depends on what version OS you have, and whether you are using conduits or access-lists...
If using conduits, use access-list with "outbound apply"
If using acls, simply create a single entry acl and apply it to the dmz2 interface:
access-list dmz2_out permit udp host <host ip> any eq 53
access-list dmz2_out permit tcp host <host ip> any eq http
access-list dmz2_out permit tcp host <host ip> any eq https
access-group dmz2_out in interface dmz2
You can do host-by-host, or use the subnet
You need to permit DNS name resolution as in my example.

By default, no traffic will be permitted from any higher security interface to any lower security interface without conduit or acl entry, so this will be a totally independent segment.

Author Comment

by:jimm123
ID: 9779691
Lrmoore,

Thanks for the info.

The os on the pix is 6.3(1) but we are using conduits - Haven't switched over to all acl just yet.

I am not sure what you mean by access-list with "outbound apply"
Could you provide an example?

The 4th interface (dmz2) will need to browse the web only and will not host any web servers.

Thanks

Accepted Solution

by:lrmoore (earned 250 total points)
ID: 9780649
Reference:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/cmdref/mr.htm#1044408

Example:
outbound 1 deny 0 0 0
outbound 1 permit 10.1.1.0 255.255.255.0 80 tcp
outbound 1 permit 10.1.1.0 255.255.255.0 53 udp
 
apply (dmz2) 1 outgoing_src

If you want them to be able to browse, you also must permit dns name resolution
Do you also want to permit access to secure web servers? Then permit tcp 443 also
outbound 1 permit 10.1.1.0 255.255.255.0 443 tcp
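Added example (not part of the thread above, and not lrmoore's or jimm123's configuration): a complete PIX 6.3 fragment that puts the pieces of the accepted answer together for the new dmz2 interface, including the interface definition and the nat/global pair the hosts need before any outbound list or ACL matters. Assumptions: the new port is ethernet3, the dmz2 segment is 10.1.1.0/24 (the subnet lrmoore used), the first DMZ is 192.168.50.0/24 (hypothetical, only used in the ACL variant), and outbound-list ID 1 and NAT ID 1 are unused on the box.

```cisco
! --- 1. Interface: a level below inside (100) but above dmz (50), as suggested.
!     On 6.x two interfaces at the same level cannot exchange traffic at all, so
!     95 still leaves dmz2->inside and dmz->dmz2 denied by default.
!     (ethernet3 is an assumption; use whatever port the extra card is on.)
nameif ethernet3 dmz2 security95
interface ethernet3 auto
ip address dmz2 10.1.1.1 255.255.255.0

! --- 2. Translation: 6.x always requires one. PAT behind the outside address.
!     Deliberately no global on inside or dmz, so dmz2 hosts get "no translation
!     group found" if they try those segments, in addition to the policy below.
nat (dmz2) 1 10.1.1.0 255.255.255.0
global (outside) 1 interface

! --- 3a. Conduit-style box (what the thread is using): outbound list.
!     Deny everything, then permit only DNS, HTTP and HTTPS from the subnet.
outbound 1 deny 0 0 0
outbound 1 permit 10.1.1.0 255.255.255.0 53 udp
outbound 1 permit 10.1.1.0 255.255.255.0 80 tcp
outbound 1 permit 10.1.1.0 255.255.255.0 443 tcp
apply (dmz2) 1 outgoing_src

! --- 3b. ACL variant for a box already converted to access-lists. Use ONE of
!     3a or 3b on this interface: an access-group bound to dmz2 overrides any
!     outbound list applied there. The explicit deny to the first DMZ
!     (192.168.50.0/24 assumed) is needed because a port filter alone would
!     still let dmz2 reach web/DNS servers on the lower-security dmz.
! access-list dmz2_out deny ip 10.1.1.0 255.255.255.0 192.168.50.0 255.255.255.0
! access-list dmz2_out permit udp 10.1.1.0 255.255.255.0 any eq 53
! access-list dmz2_out permit tcp 10.1.1.0 255.255.255.0 any eq 80
! access-list dmz2_out permit tcp 10.1.1.0 255.255.255.0 any eq 443
! access-group dmz2_out in interface dmz2
```

Two checks after applying it: `show outbound` / `show apply` (or `show access-list dmz2_out`) should list the rules above, and a browse from a dmz2 host should create xlates only against the outside interface address in `show xlate`. The `outbound ... permit ... 80 tcp` line restricts by port, not by destination interface, so if the first DMZ later gets a global or static of its own, add a matching deny (an `outgoing_dest` list, or the ACL deny shown in 3b) to keep dmz2 truly isolated.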