Manuel
ALLOW ACCESS TO INTERNAL DEVICE BEHIND PIX

Hi,

Here is the situation. I have an access server set up behind a firewall, along with a few PCs and servers. Currently, the access server is connected to the switch, which is in the 10.1.1.0 network. In the 10.1.1.0 network there are also servers and PCs that must be separated from the access server somehow. I need some help to set this up so that from the Internet I can telnet into the access server through the PIX. However, I want to make sure that after I telnet into the access server there is no possible way that I can jump to another host located on the 10.1.1.0 network. Any suggestions would be greatly appreciated. A diagram of the network can be found at www.virgoletta.com/network



Thank You,
vreyesii
SOLUTION
harbor235
ASKER

No, the model is a small 501.

thank you,
vreyesii
kruptos

Vreyesii,

What you are trying to do should be possible with the 501. You can specify on the 501 that any traffic that is telnet should be directed to the Access Server and ONLY the access server.

A few points about your post though: I do not recommend placing a drawing up on EE for all the world to see, in addition to your domain name. This could lead to some security issues with people who might be tempted to do the wrong thing.

Also, I would not recommend using Telnet for accessing the Access server. Is the access server capable of SSH? Telnet sends usernames and passwords in clear text, which can easily be sniffed and used by the bad guys.

Let me know if you need more help!

-Kruptos
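As an added illustration of the point in the reply above (this is not configuration posted in the original thread), here is the minimal PIX 6.x configuration that lets the Internet reach TCP/23 on the access server and nothing else on the inside. The addresses are assumptions: the access server is 10.1.1.50 and the PIX outside address is 203.0.113.10 (documentation range, standing in for the real public IP); the list name outside_in is likewise illustrative.

```cisco
access-list outside_in remark ADDED EXAMPLE, not from the original thread. Assumed: access server 10.1.1.50, PIX outside 203.0.113.10
access-list outside_in remark Only telnet to the one mapped address is allowed in; the implicit deny at the end drops everything else
access-list outside_in permit tcp any host 203.0.113.10 eq telnet
access-group outside_in in interface outside
static (inside,outside) tcp interface telnet 10.1.1.50 telnet netmask 255.255.255.255 0 0
```

The static maps only port 23 of the outside address to port 23 of the access server, so even a permit for another port would have no inside target; the access-list then limits the permitted inbound flow to that single address and port. If the access server supports SSH, as the reply above recommends, change both `telnet` keywords to `ssh`. Check it with `show access-list` (the permit line's hit count should rise on each connection) and, from outside, confirm that telnet to 203.0.113.10 answers while a connection to any other port is refused. Note that this only governs what the PIX passes to the access server; it says nothing about where a session can go once it is on that box.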
I hate to say this, but the PIX model makes no difference. Once the PIX allows you access to an internal system, there is NO WAY for that PIX to restrict what goes on inside that network.
If you can telnet to that access server, and then from that access server you can telnet to anything else on the network, then as far as the PIX is concerned your only connection is to the authorized access server.
Only internal network controls with username/passwords will restrict you from accessing anything on the inside of that network once you are logged onto that access server.

BTW, since this is a duplicate Q, I'll reduce points on the other one to a pointer...

Lrmoore is correct. You can set the PIX to access only the access server, but once it is at the access server you need to make sure that it has controls in place to prevent moving to other systems.
ASKER

So there is no other way I can do this without having to implement more security on the other systems on the network? Is there any way I can put a device between Switch 1 and the access server, such as a router with access lists, or implement NAT so that the 10.1.1.0 network is not seen by the public, to restrict access to the other systems? kruptos, thanks for the suggestions.


thank you,
vreyesii
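As an added example (not configuration from the original thread, and not the accepted solution, whose text is not shown on this page), one way to build the router-with-access-lists idea from the post above with a spare IOS router. Assumptions: the router sits between Switch 1 and the access server, with FastEthernet0/0 on the existing 10.1.1.0/24 LAN as 10.1.1.2 and FastEthernet0/1 on a new subnet 10.1.2.0/24 that holds only the access server at 10.1.2.10; the PIX inside address is 10.1.1.1; interface and list names are illustrative.

```cisco
! ADDED EXAMPLE, not from the original thread. Assumed addressing:
!   PIX inside         10.1.1.1
!   router, LAN side   10.1.1.2   (FastEthernet0/0, on Switch 1)
!   router, AS side    10.1.2.1   (FastEthernet0/1, only the access server lives here)
!   access server      10.1.2.10
!
interface FastEthernet0/0
 ip address 10.1.1.2 255.255.255.0
!
interface FastEthernet0/1
 ip address 10.1.2.1 255.255.255.0
 ip access-group AS_OUTBOUND in
!
ip access-list extended AS_OUTBOUND
 remark 1. Nothing from the access server may reach the existing LAN or the router itself
 deny   ip any 10.1.1.0 0.0.0.255
 deny   ip any host 10.1.2.1
 remark 2. Replies from the access server's telnet service to Internet clients may leave
 permit tcp host 10.1.2.10 eq telnet any
 remark 3. Everything else (outbound telnet, ping, DNS, ...) is dropped and logged
 deny   ip any any log
!
! Everything the access server is allowed to send goes back toward the PIX
ip route 0.0.0.0 0.0.0.0 10.1.1.1
!
! On the PIX, not the router: route the new subnet via the router and point the
! existing static at the access server's new address
route inside 10.1.2.0 255.255.255.0 10.1.1.2 1
static (inside,outside) tcp interface telnet 10.1.2.10 telnet netmask 255.255.255.255 0 0
```

The list is applied inbound on the access-server side of the router, so it sees every packet the access server originates before it is routed anywhere. Replies to sessions that arrived through the PIX are addressed to Internet hosts, so they miss rule 1 and match rule 2; a telnet, ping or anything else from the access server toward 10.1.1.0/24 hits rule 1 and is dropped. To verify, log in to the access server and try to telnet to a LAN host (it should time out) while a session from the Internet still works, and watch `show access-list AS_OUTBOUND` on the router: the deny counters should increment. Two caveats: the list is stateless, so it relies on the access server only ever answering from port 23, which is why everything else is denied; and an IP filter does nothing about the access server's own async or serial lines if any of those are wired to consoles of other devices on the LAN.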
ASKER CERTIFIED SOLUTION
ASKER

I really did not want to spend money on something extra; I just have an extra router. So there is nothing I can do with the router?


thank you,
vreyesii
ASKER

Any more suggestions?