ALLOW ACCESS TO INTERNAL DEVICE BEHIND PIX

Hi,

Here is the situation. I have an access server set up behind a firewall and a few PCs and servers. Currently, the access server is connected to the switch, which is in the 10.1.1.0 network. In the 10.1.1.0 network, there are also servers and PCs that must be separated from the access server somehow. I need some help to set this up so that from the internet I can telnet into the access server through the PIX. However, I want to make sure that after I telnet into the access server there is no possible way that I can jump to another host which is located on the 10.1.1.0 network.

Thank You,

vreyesii

Reply to
vreyesii
1) Do you have a public address on the PIX?

2) Do you run NAT on the PIX?

Reply to
squid3570

You need to have the access server on a different internal network, logically connected to a different PIX interface.

If you have a PIX 501, you will not be able to do this without adding another firewall.

If you have a PIX 506 or 506E then you can do it provided that your software is at least 6.3(3) and provided that your switch supports 802.1Q VLANs. If your switch does not support VLANs then you need to either add a switch that does support them (and have 6.3(3) or later), or else you need to add another firewall. If your 506 or 506E cannot be upgraded to at least 6.3(3) for some reason, then you would need to add another firewall.

If you have an older (pre 500-series) PIX, or a PIX 510 or 520, then you will need to use an additional physical interface on the PIX.

If you have a PIX 515 or 515E or 525 or 535, and 6.3(1) or later, you could proceed by way of VLANs. If you have those models but older software, then you will need to use an additional physical interface on the PIX.

Reply to
Walter Roberson

That is what I thought also. I need a firewall that has another DMZ for this to work correctly?

Thanks,

vreyesii

Reply to
vreyesii

Yes, your firewall needs a DMZ to do what you want to do. That DMZ can be a physical interface, or on a PIX 506, 506E, 515, 515E, 525 or 535 with appropriate software levels, it can be a "logical interface" (which is an 802.1Q VLAN -- which requires that your connected switch supports 802.1Q VLANs to take advantage of this possibility.)

Reply to
Walter Roberson
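The layout Walter describes, written out as a PIX 6.3 configuration. This is an added example and not configuration from either poster: it assumes a PIX 506E running 6.3(3), ethernet1 carrying the existing inside network untagged plus VLAN 2 tagged as a logical "dmz" interface for the access server, the access server at 10.1.2.10, and documentation addresses 203.0.113.0/24 on the outside. The VLAN ID, interface names and all addresses are assumptions to be replaced with your own.

```cisco
! Added example (not from the original thread): PIX 506E, 6.3(3).
! Physical interfaces; VLAN 2 is a logical interface on ethernet1.
interface ethernet0 auto
interface ethernet1 auto
interface ethernet1 vlan2 logical
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif vlan2 dmz security50
! Addresses (assumed): outside 203.0.113.0/24, inside 10.1.1.0/24, dmz 10.1.2.0/24
ip address outside 203.0.113.2 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
ip address dmz 10.1.2.1 255.255.255.0
!
! Outbound PAT for both internal segments onto the outside address
global (outside) 1 interface
nat (inside) 1 10.1.1.0 255.255.255.0
nat (dmz) 1 10.1.2.0 255.255.255.0
!
! Publish the access server (10.1.2.10, assumed) on a spare public address
static (dmz,outside) 203.0.113.10 10.1.2.10 netmask 255.255.255.255
!
! From the Internet, only telnet to the access server is allowed in.
! Replace "any" with the administrators' source addresses if they are known.
access-list outside_in permit tcp any host 203.0.113.10 eq telnet
access-group outside_in in interface outside
!
! Anything leaving the dmz segment toward 10.1.1.0/24 is dropped before the
! catch-all permit, so a session on the access server cannot reach inside hosts.
access-list dmz_out deny ip 10.1.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list dmz_out permit ip 10.1.2.0 255.255.255.0 any
access-group dmz_out in interface dmz
```

Two points worth checking when applying this. First, the switch port facing the PIX's ethernet1 must be an 802.1Q trunk that carries VLAN 2 tagged and the inside VLAN as the untagged (native) VLAN, and the access server's port must be an access port in VLAN 2; if the access server stays on an inside VLAN port, the PIX never sees its traffic and the ACL does nothing. Second, a lower-security interface (dmz, 50) cannot reach a higher-security one (inside, 100) by default, but once an access-group is bound to dmz the ACL governs, so the explicit deny line is what keeps the catch-all permit from opening dmz-to-inside traffic. Telnet itself is cleartext; if the access server supports SSH, publish that instead and change the outside_in line accordingly.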

Alright then thank you for your help.

vreyesii

Reply to
vreyesii

If you have a public NAT outside, you can map the local server to a free local IP like: ip nat inside source static 10.0.10.3 89.197.71.244

Reply to
squid3570

The device in question is a PIX, which does not use that syntax.

Also, the solution you propose is not sufficient to prevent the access-server from being used to talk to any of the other devices.

Reply to
Walter Roberson
