Manuel asked:

ALLOW ACCESS TO INTERNAL DEVICE BEHIND PIX

Hi,

Here is the situation. I have an access server set up behind a firewall, and a few PCs and servers. Currently, the access server is connected to the switch, which is in the 10.1.1.0 network. In the 10.1.1.0 network there are also servers and PCs that must be separated from the access server somehow. I need some help to set this up so that from the Internet I can telnet into the access server through the PIX. However, I want to make sure that after I telnet into the access server there is no possible way that I can jump to another host located on the 10.1.1.0 network. Any suggestions would be greatly appreciated. A diagram of the network can be found at www.virgoletta.com/network



Thank You,
vreyesii
Tags: Software Firewalls, Cisco, Networking

Last Comment: Manuel, 8/22/2022 - Mon
SOLUTION
harbor235

Manuel

ASKER
No, the model is a small 501.

thank you,
vreyesii
kruptos

Vreyesii,

What you are trying to do should be possible with the 501. You can specify on the 501 that any traffic that is telnet would be directed to the access server and ONLY the access server.

A few points about your post though: I do not recommend placing a drawing up on EE for all the world to see, in addition to your domain name. This could lead to some security issues with people who might be tempted to do the wrong thing.

Also, I would not recommend using Telnet for accessing the access server; is the access server capable of SSH? Telnet sends usernames and passwords in clear text, which can easily be sniffed and used by the bad guys.

Let me know if you need more help!

-Kruptos
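What kruptos's first point looks like in PIX 6.x configuration, as an added example that is not from the original thread or any participant: the PIX publishes exactly one TCP port, mapped to the access server only, so no other host on 10.1.1.0 is reachable from outside. The public address 203.0.113.10, the access server's inside address 10.1.1.5 and the ACL name outside_in are placeholders, not values from the page.

```text
! PIX 501, PIX OS 6.x syntax (assumed). All addresses are placeholders.
! Port redirection: only TCP/23 of the public address is translated to
! the access server. No other inside host receives a static translation,
! so there is nothing else for outside traffic to be forwarded to.
static (inside,outside) tcp 203.0.113.10 telnet 10.1.1.5 telnet netmask 255.255.255.255

! Inbound policy on the outside interface: telnet to the published
! address only. The implicit deny at the end of the list drops
! everything else, including any attempt to reach 10.1.1.x directly.
access-list outside_in permit tcp any host 203.0.113.10 eq telnet
access-group outside_in in interface outside

! If the access server supports SSH (kruptos's second point), publish
! port 22 instead and drop the telnet lines above:
! static (inside,outside) tcp 203.0.113.10 ssh 10.1.1.5 ssh netmask 255.255.255.255
! access-list outside_in permit tcp any host 203.0.113.10 eq ssh
```

Confirm the translation and the hit counters with `show xlate` and `show access-list outside_in` after a test connection. Note what this does and does not cover: the rule controls only traffic crossing the PIX. A session that is already on the access server and connects from there to another 10.1.1.x host never touches the PIX, so this configuration alone does not prevent that hop.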
Les Moore

I hate to say this, but the PIX model makes no difference. Once the PIX allows you access to an internal system, there is NO WAY for that PIX to restrict what goes on inside that network.
If you can telnet to that access server, and then from that access server you can telnet to anything else on the network, then as far as the PIX is concerned your only connection is to the authorized access server.
Only internal network controls with username/passwords will restrict you from accessing anything on the inside of that network once you are logged onto that access server.

BTW, since this is a duplicate Q, I'll reduce points on the other one to a pointer...

kruptos

Lrmoore is correct. You can set the PIX to access only the access server, but once it is at the access server you need to make sure that it has controls in place to prevent moving to other systems.
Manuel

ASKER
So there is no other way I can do this without having to implement more security on the other systems on the network? Is there any way I can put a device between Switch 1 and the access server, such as a router with access lists, or implement NAT so that the 10.1.1.0 network is not seen by the public, to restrict access to the other systems? kruptos, thanks for the suggestions.


thank you,
vreyesii
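What the router-with-access-lists idea in the post above would look like, as an added example that is not part of the original thread or any participant's answer. This is the inside-the-network control that Les Moore notes the PIX itself cannot provide. It assumes the spare router runs IOS, that the access server is moved off Switch 1 onto the router's second interface in a subnet of its own (10.1.2.0/24, access server at 10.1.2.5), and that the router's LAN-side address is 10.1.1.2. All of those addresses and the ACL names are assumptions. The filtering only works if the router is the access server's sole path to the LAN; if the access server keeps a cable into Switch 1, the ACLs are bypassed.

```text
! Spare router, IOS syntax (assumed). Topology and addresses are assumptions:
!   Fa0/0  10.1.1.2/24   existing LAN (Switch 1, PIX inside at 10.1.1.1)
!   Fa0/1  10.1.2.1/24   new segment holding only the access server (10.1.2.5)
interface FastEthernet0/0
 ip address 10.1.1.2 255.255.255.0
 ip access-group TO-ACCESS-SERVER in
!
interface FastEthernet0/1
 ip address 10.1.2.1 255.255.255.0
 ip access-group FROM-ACCESS-SERVER in
!
! Internet-bound replies leave through the PIX.
ip route 0.0.0.0 0.0.0.0 10.1.1.1
!
! Toward the access server: only the published service. The PIX already
! limits what arrives from outside; this line also stops LAN hosts from
! reaching the access server on any other port. Management access to the
! router itself from the LAN would need its own permit line here.
ip access-list extended TO-ACCESS-SERVER
 permit tcp any host 10.1.2.5 eq telnet
 deny   ip any any log
!
! From the access server: replies to the telnet session (source port 23)
! may go anywhere, which in practice means back out through the PIX to
! the Internet client. Anything addressed to 10.1.1.0/24, the PCs and
! servers, is dropped and logged, as is any other session the access
! server tries to open.
ip access-list extended FROM-ACCESS-SERVER
 deny   ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255 log
 permit tcp host 10.1.2.5 eq telnet any
 deny   ip any any log
!
! Matching changes on the PIX (PIX 6.x syntax, assumed): point the
! existing static at the access server's new address and tell the PIX
! how to reach the new subnet.
! static (inside,outside) tcp 203.0.113.10 telnet 10.1.2.5 telnet netmask 255.255.255.255
! route inside 10.1.2.0 255.255.255.0 10.1.1.2 1
```

To check it, log in to the access server from outside and try to telnet from it to any 10.1.1.x address; the attempt should fail and `show access-lists FROM-ACCESS-SERVER` on the router should show the deny counter incrementing. If the access server can also be SSH'd to, change `eq telnet` to `eq 22` in both lists.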
ASKER CERTIFIED SOLUTION
kruptos

Manuel

ASKER
I really did not want to spend money on something extra; I just have an extra router. So there is nothing I can do with the router?


thank you,
vreyesii
Manuel

ASKER
Anymore suggestions?