I am currently working on a project with a Cisco PIX 515 with 5 ethernet interfaces.
The PIX only has one routable external address to work with, which is assigned to the external interface.
The internal interface has a 192.168.0.0/21 network for all the internal machines and servers.
The other 4 interfaces are set up with security levels 20, 40, 60 and
These interfaces have limited machines behind them such as a Cisco ACS appliance on one, Cisco VPN Concentrator on another, and web and database servers on the other two. On these interfaces we use the following networks:
192.168.20.0/24 (intf2)
192.168.40.0/24 (intf3)
192.168.60.0/24 (intf4)
192.168.80.0/24 (intf5)

I am having a bear of a time trying to set up access control between these interfaces. I can get the PIX to work allowing the Internal 100 interface access outside, but at the same time granting full open access to the other interfaces, which is something we don't want to do.
I want to be able to lock down all of the interfaces so only selected traffic can pass between them as well as assigning egress rules for all the interfaces.
i.e.:
Internal interface can access outside only on ports 80, 443, 22, etc.
Internal interface can access intf2 (192.168.20.0) only on ports 443 and 80.
intf4 can access intf2 only on port 443.
We also have a VPN configured on this PIX for remote clients to gain access to the 192.168.0.0/21 network.
I have a lot of rules of this nature, but I'm just having a tough time getting the configuration down in order to be able to build out all these rules. If any of you bright folks could look at the relevant portions of the configuration below and give me some pointers, it would be greatly appreciated!
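One way to express the three rules from the post, as an added example rather than the poster's own configuration. It assumes PIX 6.x syntax, that the interfaces are named inside, intf2 and intf4, and that the identity statics shown below are acceptable for traffic between the internal segments:

```cisco
! Assumed interface names: inside (security 100), intf2 (security 20), intf4 (security 60).
! An access-group applied inbound on an interface replaces the default
! "higher security may reach anything lower" behaviour: only the entries listed
! are allowed and the implicit deny at the end drops everything else.

! --- inside (192.168.0.0/21) ---
! 1. The flows toward intf2 that are wanted: 80 and 443 only.
access-list inside_in permit tcp 192.168.0.0 255.255.248.0 192.168.20.0 255.255.255.0 eq 80
access-list inside_in permit tcp 192.168.0.0 255.255.248.0 192.168.20.0 255.255.255.0 eq 443
! 2. Block everything else toward the four low-security segments BEFORE the
!    "any" entries below; otherwise "permit ... any eq 22" would also reach intf2.
access-list inside_in deny ip 192.168.0.0 255.255.248.0 192.168.20.0 255.255.255.0
access-list inside_in deny ip 192.168.0.0 255.255.248.0 192.168.40.0 255.255.255.0
access-list inside_in deny ip 192.168.0.0 255.255.248.0 192.168.60.0 255.255.255.0
access-list inside_in deny ip 192.168.0.0 255.255.248.0 192.168.80.0 255.255.255.0
! 3. Egress to the Internet on the listed ports only (add more "eq" lines as needed).
access-list inside_in permit tcp 192.168.0.0 255.255.248.0 any eq 80
access-list inside_in permit tcp 192.168.0.0 255.255.248.0 any eq 443
access-list inside_in permit tcp 192.168.0.0 255.255.248.0 any eq 22
access-group inside_in in interface inside

! --- intf4 (192.168.60.0/24) -> intf2 on 443 only; nothing else leaves intf4 ---
access-list intf4_in permit tcp 192.168.60.0 255.255.255.0 192.168.20.0 255.255.255.0 eq 443
access-group intf4_in in interface intf4

! Higher-to-lower traffic still needs a translation on PIX 6.x. Identity statics
! (assumed here) keep the private addresses unchanged between internal segments.
static (inside,intf2) 192.168.0.0 192.168.0.0 netmask 255.255.248.0
static (intf4,intf2) 192.168.60.0 192.168.60.0 netmask 255.255.255.0

! Verify which entries are matching with: show access-list inside_in
```

The same pattern (explicit permits, explicit denies to the other internal segments, then the outbound "any" entries) is repeated per interface for intf3 and intf5; the VPN client pool is not covered by these ACLs.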