I have a Cisco PIX with six interfaces running Cisco PIX v6.3(5) and PDM v3.04. I currently have the inside and outside configured and I can access the internet with my machines behind the firewall. However, I would like to configure the 4 remaining interfaces as 192.168.3.0/24-192.168.6.0/24 networks with NAT/PAT enabled for each interface, so that each of the 4 interfaces will be its own network on which I shall put machines that go to the internet on these separate networks. Is this possible? I am new to Cisco PIX, but certainly not to networking. I believe this can be done; however, some Cisco PIX documentation refers to the quad NIC interfaces as DMZs, while other documentation I have read refers to the four quad NIC interfaces in a Cisco PIX as perimeters.
Yes. Just go ahead and do it. The only difference from the way you configured the inside interface is the interface name and the interface security level number.
If at some point you want the additional networks to be able to initiate connections to an interface with a higher security level (e.g., the inside interface), then the setup gets slightly more complicated. The rule is that unless you have configured otherwise, traffic going to a higher security level needs to be addressed to the "public" IPs of the higher level, and traffic going to a lower security level should be addressed to the private (internal) IP of the lower level.
Just a matter of emphasis. Both terms are correct.
Hi Walter, following your advice above, I went ahead and configured dmz (ethernet2), connected to a Windows XP SP2 workstation, to browse the internet. My Cisco PIX firewall inside and outside are configured and I can browse the internet from the inside network, no problem. I am attempting to enable a workstation in the so-called dmz (ethernet2) to also browse the internet over the same DSL connection that allows my inside network workstations to browse the internet. Here is the network setup:
Inside network: 192.168.1.0/24
Firewall inside IP: 192.168.1.1
DMZ network: 192.168.3.0/24
Firewall DMZ IP: 192.168.3.1
Outside IP: 192.168.2.10
Default route: 192.168.2.1
Workstation in DMZ network IP address: 192.168.3.2
For the full configuration running on the Cisco PIX 520, please see below:
pixfirewall(config)# sh run
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security60
nameif ethernet3 intf3 security6
nameif ethernet4 intf4 security8
nameif ethernet5 intf5 security10
enable password (*masked*) encrypted
passwd (*masked*) encrypted
hostname pixfirewall
domain-name home
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq 8080
access-list 101 permit tcp any host 192.168.3.2
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
ip address outside dhcp setroute
ip address inside 192.168.1.1 255.255.255.0
ip address dmz 192.168.3.1 255.255.255.0
no ip address intf3
no ip address intf4
no ip address intf5
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address dmz
no failover ip address intf3
no failover ip address intf4
no failover ip address intf5
pdm location 192.168.1.2 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 10 interface
global (dmz) 1 interface
global (dmz) 1 192.168.1.1
global (dmz) 1 192.168.3.2
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
static (dmz,outside) tcp 192.168.2.10 www 192.168.3.2 www netmask 255.255.255.255 300 1000
access-group 101 in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:0
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.2 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.5-192.168.1.254 inside
dhcpd dns 220.127.116.11
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 80
Cryptochecksum:(*masked*)
: end
pixfirewall(config)#
Please note that I entered the static and access-list for the machine in the dmz zone so that access to it is allowed from outside, although it was not running any www service. You may ignore that, as it was done out of desperation; however, it did not work, i.e., I cannot browse from the dmz network with my WinXP PC.
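Both Walter's point about traffic between security levels and the configuration posted above come down to how PIX 6.x pairs a `nat (ifname) id` statement with `global (ifname) id` pools: a pool is only consulted for traffic arriving from an interface with a higher security level than the pool's own interface, and a nat ID with no pool on the outside interface leaves those hosts with no translation toward the internet. The script below is an added check written for this page (it is not from the thread, from Walter, or from Cisco): it parses a `show run` listing and reports nat IDs lacking a global pool on the egress interface, plus pools placed on an interface whose level is not below the nat interface's. It is run on two constructed snippets, one modelled on the posted config (which it flags, because `nat (dmz) 1` only has pools on dmz itself) and one where the dmz's nat ID gets `global (outside) 1 interface`. The regular expressions, function names and sample lines are mine; the check deliberately ignores `static` translations, which can also carry traffic for specific hosts.

```python
import re
from collections import defaultdict

# Patterns for the three statement types the check needs (PIX 6.x syntax).
NAMEIF_RE = re.compile(r"^nameif\s+\S+\s+(\S+)\s+security(\d+)$")
NAT_RE = re.compile(r"^nat\s+\((\S+)\)\s+(\d+)\s+")
GLOBAL_RE = re.compile(r"^global\s+\((\S+)\)\s+(\d+)\s+(.+)$")


def parse_pix(config):
    """Return (levels, nats, pools) from a 'show run' listing:
    levels: ifname -> security level, nats: [(ifname, nat_id)] in config
    order, pools: nat_id -> [(ifname, pool spec)]."""
    levels, nats, pools = {}, [], defaultdict(list)
    for raw in config.splitlines():
        line = raw.strip()
        if m := NAMEIF_RE.match(line):
            levels[m.group(1)] = int(m.group(2))
        elif m := NAT_RE.match(line):
            nats.append((m.group(1), int(m.group(2))))
        elif m := GLOBAL_RE.match(line):
            pools[int(m.group(2))].append((m.group(1), m.group(3)))
    return levels, nats, pools


def check_nat_globals(config, egress="outside"):
    """Return findings as strings, in config order of the nat statements.
    Rule 1: every nat ID except 0 (identity NAT) needs a global pool on the
            egress interface, or hosts behind it have no translation out.
    Rule 2: a global pool is only used for traffic coming from an interface
            with a HIGHER security level than the pool's own interface, so
            a pool whose level is not below the nat interface's is dead.
    Static translations are not considered (assumption of this check)."""
    levels, nats, pools = parse_pix(config)
    findings = []
    for ifname, nat_id in nats:
        if nat_id == 0:
            continue
        if not any(p_if == egress for p_if, _ in pools[nat_id]):
            findings.append(f"nat ({ifname}) {nat_id}: no global ({egress}) {nat_id}")
        for p_if, _ in pools[nat_id]:
            # Unknown interface names default so that they are not flagged.
            if levels.get(p_if, 0) >= levels.get(ifname, 100):
                findings.append(
                    f"global ({p_if}) {nat_id} is never used by nat ({ifname}) {nat_id}: "
                    f"security{levels.get(p_if)} is not below security{levels.get(ifname)}")
    return findings


# Constructed sample modelled on the nat/global lines of the posted config
# (only the relevant statements, not a copy of the original listing).
POSTED = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security60
global (outside) 10 interface
global (dmz) 1 interface
global (dmz) 1 192.168.1.1
global (dmz) 1 192.168.3.2
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
"""

# Constructed variant: the dmz's nat ID gets a PAT pool on the outside
# interface, which is what dmz hosts need to reach the internet.
FIXED = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security60
global (outside) 10 interface
global (outside) 1 interface
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
"""

if __name__ == "__main__":
    for name, cfg in (("posted", POSTED), ("fixed", FIXED)):
        print(name + ":")
        for finding in check_nat_globals(cfg) or ["ok"]:
            print("  " + finding)
```

Feed it the text of `show run` (for example `check_nat_globals(open("pix.cfg").read())`) and an empty list means every nat ID has an outside pool it can actually reach; the same idea extends to the other four interfaces in the original question, each needing its own `nat (ifname) id` with a matching `global (outside) id`.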