Cisco PIX 515 Multi-Interface help.

I am currently working on a project with a Cisco PIX 515 with 5 ethernet interfaces.

The PIX only has one routeable external address to work with which is assigned to the external interface.

The internal interface has a network for all the internal machines and servers.

The other 4 interfaces are set up with security levels 20, 40, 60 and a fourth level. These interfaces have limited machines behind them, such as a Cisco ACS appliance on one, a Cisco VPN Concentrator on another, and web and database servers on the other two. On these interfaces we use the following networks: (intf2) (intf3) (intf4) (intf5)

I am having a bear of a time trying to set up access control between these interfaces. I can get the PIX to work allowing the Internal 100 interface access outside but at the same time granting full open access to the other interfaces which is something we don't want to do.

I want to be able to lock down all of the interfaces so only selected traffic can pass between them as well as assigning egress rules for all the interfaces.


Internal interface can access outside only on ports 80, 443, 22, etc. Internal interface can access intf2 only on ports 443 and 80. intf4 can access intf2 only on port 443.

We also have a VPN configured on this PIX for remote clients to gain access to the network.

I have a lot of rules of this nature, but I'm just having a tough time getting the configuration down in order to be able to build out all these rules. If any of you bright folks could look at the relevant portions of the configuration below and give me some pointers, it would be greatly appreciated!


You need additional access-group commands, one per interface.

The "source" traffic for each is the private IPs for hosts behind that interface.

The "destination" traffic for each is the private IP for hosts at lower security levels, and the public IPs for hosts at higher security levels. Another way of putting this is that each interface is "outside" relative to higher-security interfaces, but "inside" relative to lower-security interfaces.

Walter Roberson
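The per-interface layout the reply describes, written out as PIX 6.x configuration. This is an added illustration, not configuration from the original poster or from the reply; the interface names, security levels (only inside, intf2 at 20 and intf4 at 60 are shown), and the private networks 10.1.0.0/16, 10.2.0.0/24 and 10.4.0.0/24 are assumptions, since the real addresses were stripped from the post. It implements the three rules stated above (inside to outside on 80/443/22, inside to intf2 on 80/443, intf4 to intf2 on 443) and blocks everything else.

```cisco
! Assumed interface names and security levels (example only)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security20
nameif ethernet4 intf4 security60
ip address inside 10.1.0.1 255.255.0.0
ip address intf2  10.2.0.1 255.255.255.0
ip address intf4  10.4.0.1 255.255.255.0

! Everything going to the Internet is PATed to the single routable address
! (the outside interface address).
nat (inside) 1 0.0.0.0 0.0.0.0
nat (intf4) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

! Higher-security -> lower-security traffic still needs a translation. Identity
! statics keep the private addresses unchanged between internal interfaces, so
! the "public" address a lower-security host sees for a higher-security host is
! simply its real private address.
static (inside,intf2) 10.1.0.0 10.1.0.0 netmask 255.255.0.0
static (inside,intf4) 10.1.0.0 10.1.0.0 netmask 255.255.0.0
static (intf4,intf2)  10.4.0.0 10.4.0.0 netmask 255.255.255.0

! inside: permit the specific intf2 ports first, then explicitly deny the rest
! of the private space so the "any" rules below cannot reach intf3/intf4/intf5.
access-list inside_in permit tcp 10.1.0.0 255.255.0.0 10.2.0.0 255.255.255.0 eq 443
access-list inside_in permit tcp 10.1.0.0 255.255.0.0 10.2.0.0 255.255.255.0 eq 80
access-list inside_in deny   ip  10.1.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list inside_in permit tcp 10.1.0.0 255.255.0.0 any eq 80
access-list inside_in permit tcp 10.1.0.0 255.255.0.0 any eq 443
access-list inside_in permit tcp 10.1.0.0 255.255.0.0 any eq 22
access-group inside_in in interface inside

! intf4: only HTTPS to intf2 (destination is intf2's real private network,
! because intf2 is the lower-security side of this pair).
access-list intf4_in permit tcp 10.4.0.0 255.255.255.0 10.2.0.0 255.255.255.0 eq 443
access-group intf4_in in interface intf4

! intf2 is the lowest internal level; nothing may be initiated from it. Any
! permit added here must name the mapped (static) address of the target.
access-list intf2_in deny ip any any
access-group intf2_in in interface intf2
```

Two caveats worth checking after applying this. First, as soon as an `access-group` is bound to an interface the implicit deny at the end of that list replaces the default "higher level may talk to lower level" behaviour, so every interface that must originate traffic needs its own list, and `show access-list` hit counts are the quickest way to see which line a flow is matching. Second, if `sysopt connection permit-ipsec` is enabled for the remote-access VPN, decrypted IPsec traffic bypasses these interface ACLs entirely; restrict VPN clients elsewhere (for example in the VPN group's own policy) if that is not intended.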