Adding an Interface to PIX

Hello,

I have a pix with 3 running interfaces - Inside, Outside, DMZ
Security levels - 100, 0, 50 repectively

I am looking to add a fourth, highly secure interface.

This interface will operate completely separate from the other three.  The LAN segment will also be separate.

The fourth interface will not need to pass traffic between the inside and DMZ.  Only outbound web traffic from the fourth interface needs to pass through to the outside.

I plan on setting the security level of interface 4 to 100, equal to that of the inside interface.  From what I understand interfaces with equal security levels cannot pass traffic.  And since the dmz and outiside have a lower security level they will not be able reach interface 4.  Please confirm.

Also, what other settings are required to ensure that interface 4 can only pass http traffic on port 80?

Thank you.


jimm123Asked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

lrmooreCommented:
You really don't want to make the security levels equal. Make the new one 95 or something..
I'm not sure what you mean by the servers on this dmz#2 can only pass http traffic. Are they web servers or browsing the web?

>Only outbound web traffic

All depends on what version OS you have, and whether you are using conduits or access-lists...
If using conduits, use access-list with "outbound apply"
If using acls, simply create a single entry acl and apply it to the dmz2 interface:
access-list dmz2_out permit udp host <host ip> any eq 53
access-list dmz2_out permit tcp host <host ip> any eq http
access-list dmz2_out permit tcp host <host ip> any eq https
access-group dmz2_out in interface dmz2
You can do host-by-host, or use the subnet
You need to permit DNS name resolution as in my example.

Be default, no traffic will be permitted from any higher security interface to any lower security interface without conduit or acl entry, so this will be a totally independent segment.
0
jimm123Author Commented:
Lrmoore,

Thanks for the info.

The os on the pix is 6.3(1) but we are using conduits - Haven't switched over to all acl just yet.

I am not sure what you mean by access-list with "outbound apply"
Could you provide an example?

The 4rth interface (dmz2) will need to browse the web only and will not host any web servers.

Thanks
0
lrmooreCommented:
Reference:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/cmdref/mr.htm#1044408

Example:
outbound 1 deny 0 0 0
outbound 1 permit 10.1.1.0 255.255.255.0 80 tcp
outbound 1 permit 10.1.1.0 255.255.255.0 53 udp
 
apply (dmz2) 1 outgoing_src

If you want them to be able to browse, you also must permit dns name resolution
Do you also want to permit access to secure web servers? Then permit tcp 443 also
outbound 1 permit 10.1.1.0 255.255.255.0 443 tcp
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Software Firewalls

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.