• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 360

PIX 506e dmz to access specific sites only

On a PIX 506e with inside, outside, and logical dmz interfaces, only the IP of the proxy server (on the inside network) is allowed to access the outside (the internet).
However I want to allow a subnet (10.157.13.0) on the dmz side to access specific internet IPs (on the outside).
How to do that?
The inside IP is 10.157.14.5, the dmz IP is 10.157.12.5, and the 10.157.13.0 network reaches the dmz through a router (10.157.12.1).
Asked: Ehab Salem
1 Solution
 
harbor235Commented:
By default outbound traffic sourced from the DMZ out to the internet would be allowed because the traffic is flowing from a higher security level to a lower security level. If you want to nail it down, you can implement an ACL applied to the DMZ interface that specifies the traffic flow you want.

access-list DMZ permit ip 10.157.12.0 255.255.255.0 host <destination_IP>

access-group DMZ in interface DMZ

I assume you are running 6.3.5 and NAT is set up already; is NAT used here, and is the addressing real? If not, you will need static translations for the outside IP for the DMZ host(s), and a NAT policy will need to be implemented (static nat, overload, etc ...).

Please provide additional info


-harbor235




0
 
Ehab SalemAuthor Commented:
- you can implement an ACL applied to the DMZ
* there is already an ACL to allow telnet and SMTP between the DMZ and the inside
* I am running 6.3.4
* the following NAT commands are already there:
nat (inside) 0 access-list inside_nat0
nat (inside) 1 10.157.14.0  255.255.255.0 0 0
nat (dmz1) 0 access-list dmz1_outbound_nat0_acl
static (inside,dmz1) 10.157.14.0 10.157.14.0 netmask 255.255.255.0 0 0

In the PIX log I am getting the following error when trying to connect to ip x.y.z.c (real IP)
No translation group found for icmp src dmz1:10.157.13.1 dst outside: x.y.z.c

0
 
harbor235Commented:
From what I can gather from your configuration you are doing overload nat on the outside interface.
So for the network service you need to translate to, do the following: (example http port 80)

static (dmz,outside) tcp interface http 10.157.12.X http netmask 255.255.255.255

-harbor235

                               
0
 
Ehab SalemAuthor Commented:
Which IP should I put for 10.157.12.X?
Please note this network is the DMZ ip, whereas the IP I want to connect to these sites is 10.157.13.x
0
 
Ehab SalemAuthor Commented:
I added:
nat (dmz1) 1 10.157.13.0 255.255.255.0 0 0
then the network 10.157.13.0 is having access to all internet sites.
I want only to allow specific IPs.
0
 
Ehab SalemAuthor Commented:
I adjusted the ACL for the dmz interface to allow traffic only to the specific sites.
It is now ok.
0
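The end state the thread converges on (a NAT rule for the 10.157.13.0 network so the "No translation group found" drops stop, then a dmz1 ACL that permits only the chosen destinations), written out below as an added example in PIX 6.3 syntax. It is not configuration taken from the posts above. The ACL name dmz1_acl, the two destination addresses (203.0.113.10 and .11 are constructed documentation-range placeholders), the route to 10.157.13.0 via 10.157.12.1, and the DMZ-to-inside direction of the existing telnet/SMTP rules are all assumptions; a `global (outside) 1` entry is assumed to exist already, as the existing `nat (inside) 1` line implies.

```cisco
! Assumed: return traffic for 10.157.13.0 must be routed back to the router
! on the dmz1 segment (the log already shows the source as dmz1:10.157.13.1)
route dmz1 10.157.13.0 255.255.255.0 10.157.12.1 1

! Translation for the 10.157.13.0 network, using the same global pool (id 1)
! that the inside network uses; this is the line the asker added
nat (dmz1) 1 10.157.13.0 255.255.255.0 0 0

! One ACL per interface: access-group replaces whatever was bound before, so
! the existing telnet/SMTP rules (direction assumed DMZ -> inside) must live in
! the same list as the new internet rules
access-list dmz1_acl permit tcp 10.157.12.0 255.255.255.0 10.157.14.0 255.255.255.0 eq telnet
access-list dmz1_acl permit tcp 10.157.12.0 255.255.255.0 10.157.14.0 255.255.255.0 eq smtp

! Only the listed destinations are reachable from 10.157.13.0 (placeholder IPs)
access-list dmz1_acl permit ip 10.157.13.0 255.255.255.0 host 203.0.113.10
access-list dmz1_acl permit ip 10.157.13.0 255.255.255.0 host 203.0.113.11

! Explicit final deny: this is what turns "all internet sites" into "specific
! IPs only", and the denied flows are then logged against this ACL
access-list dmz1_acl deny ip any any

access-group dmz1_acl in interface dmz1
```

After applying it, `show access-list dmz1_acl` shows a hit count per line, which is the quickest way to confirm that test connections are matching the permit entries rather than the final deny, and `show xlate` confirms that 10.157.13.x hosts are getting translations. Two caveats: the final deny also blocks the DMZ's own 10.157.12.0 hosts from reaching anything not listed, so any of those that need outbound access need their own line, and if the permitted sites are reached by name rather than by address, a permit for DNS to the resolver the 10.157.13.0 hosts use is needed as well.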
 
Vee_ModCommented:
Closed, 500 points refunded.
Vee_Mod
Community Support Moderator
0