I have purchased a new Cisco PIX 501 and wanted to use it to create a DMZ zone between my network-webserver/internet. I would like one PC on my network to be able to send files to my webserver (enable file sharing ports) within the DMZ zone. I would like to block all other traffic inside(eth1) and block all traffic from outside(eth0). My web server has 2 network cards. Could someone please lead me in the right direction? The PIX is not implemented yet and I have it in a test environment. Here is a basic picture:
PC (172.31.1.12) : : Network : : : (eth1) Cisco PIX 501 : (eth0) : : : Nic1 (172.31.13.1) Web Server : Nic2 (172.32.3.1) : : Watchguard firewall : : Internet
Fill in the ports for FileShareTCp and FileShareUDP (sorry, I don't know what you mean by "file sharing ports"), and the above is about all you need.
For what it's worth, I don't expect that you'll be happy with the result, as your restrictions don't allow for DNS or ping or Path MTU Discovery (PMTUD), or important ICMP such as unreachable or time-exceeded .
Thanks for the help! I do not think I will need DNS ports open because the only function my PC will do through the PIX is push some files to Server1. DNS info will be available to the PC from an internal server on the internal network and the internal server will receive internet DNS information from the Watchguard internet connection. All devices on the internal network connect to the internet through another port on my Watchguard firewall and will not be connected through the PIX. The only other port's I may open is 443, telnet to access the PIX itself from inside and probably ping. I will look into the PMTUD and ICMP you mentioned. Does the PIX block all traffic from the outside by default?
By File Sharing ports I mean: UDP 137, UDP 138, UDP 445, TCP 139, TCP
445.
ip address inside 172.31.1.1 255.255.255.0 ip address outside 172.31.13.2 255.255.255.0 names name 172.31.1.1 InsidePC name 172.31.13.1 DMZwww
Also, I receive the message "Sorry, not allowed to enter IP address on same network as interface 1" when I tru to assign the outside IP. Is there a way to do this?
Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here.
All logos and trade names are the property of their respective owners.