Configuring Cisco PIX 520.

I have a Cisco PIX with six interfaces with Cisco PIX v6.3(5) and PDM v3.04. I currently have the inside and outside configured and I can access the internet with my machines behind the firewall. However, I would like to configure the 4 left interfaces as networks with NAT/PAT enabled for each interface so that each of the 4 interfaces will be its own network over which I shall put machines to go to the internet on these separate networks. Is this possible. I am new to Cisco PIX, but certainly not to networking. I believe this can be done however, some Cisco PIX documentations refer to the quad nic interfaces as DMZs. However, other documentations I have read refer to the four quad nic interfaces in a Cisco PIX as perimeters.

Thanks in advance, Benchmark

Reply to
Loading thread data ...

Yes. Just go ahead and do it. The only difference from the way you configured the inside interface is the interface name and the interface security level number.

If at some point you want the additional networks to be able to initiate connections to an interface with a higher security level (e.g., the inside interface) then the setup gets slightly more complicated. The rule is that unless you have configured otherwise, traffic going to a higher security level needs to be addressed to the "public" IPs of the higher level, and traffic going to a lower security level should be addressed to the private (internal) IP of the lower level.

Just a matter of emphasis. Both terms are correct.

Reply to
Walter Roberson

Hi Walter, Following your advice above, I went ahead to configure dmz(ethernet2) connected to a Windows XP SP2 workstation to browse the internet. My Cisco PIX firewall inside and outdside are configured and I cannot browse the internet from the inside network, no problem. I attempting to enable a workstation in so-called dmz (ethernet) to also browse the internet from the same DSL connection that allow my inside network workstations to also browse the internet. Here is the network setup: Inside network: Firewall inside IP: DMZ network: Firewall DMZ IP: Outside IP: Default route: Workstation in DMZ network IP address: For the full configuration running on the Cisco PIX 520, please see below:

pixfirewall(config)# sh run : Saved : PIX Version 6.3(5) interface ethernet0 auto interface ethernet1 auto interface ethernet2 auto interface ethernet3 auto shutdown interface ethernet4 auto shutdown interface ethernet5 auto shutdown nameif ethernet0 outside security0 nameif ethernet1 inside security100 nameif ethernet2 dmz security60 nameif ethernet3 intf3 security6 nameif ethernet4 intf4 security8 nameif ethernet5 intf5 security10 enable password (*masked*) encrypted passwd (*masked*)encrypted hostname pixfirewall domain-name home fixup protocol dns maximum-length

512 fixup protocol ftp 21 fixup protocol h323 h225 1720 fixup protocol h323 ras 1718-1719 fixup protocol http 80 fixup protocol rsh 514 fixup protocol rtsp 554 fixup protocol sip 5060 fixup protocol sip udp 5060 fixup protocol skinny 2000 fixup protocol smtp 25 fixup protocol sqlnet 1521 fixup protocol tftp 69 names access-list 101 permit tcp any any eq www access-list 101 permit tcp any any eq 8080 access-list 101 permit tcp any host pager lines 24 mtu outside 1500 mtu inside 1500 mtu dmz 1500 mtu intf3 1500 mtu intf4 1500 mtu intf5 1500 ip address outside dhcp setroute ip address inside ip address dmz no ip address intf3 no ip address intf4 no ip address intf5 ip audit info action alarm ip audit attack action alarm no failover failover timeout 0:00:00 failover poll 15 no failover ip address outside no failover ip address inside no failover ip address dmz no failover ip address intf3 no failover ip address intf4 no failover ip address intf5 pdm location inside pdm history enable arp timeout 14400 global (outside) 10 interface global (dmz) 1 interface global (dmz) 1 global (dmz) 1 nat (inside) 10 0 0 nat (dmz) 1 0 0 static (dmz,outside) tcp www www netmask 5 300 1000 access-group 101 in interface outside timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:0 timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00 timeout sip-disconnect 0:02:00 sip-invite 0:03:00 timeout uauth 0:05:00 absolute aaa-server TACACS+ protocol tacacs+ aaa-server TACACS+ max-failed-attempts 3 aaa-server TACACS+ deadtime 10 aaa-server RADIUS protocol radius aaa-server RADIUS max-failed-attempts 3 aaa-server RADIUS deadtime 10 aaa-server LOCAL protocol local http server enable http inside no snmp-server location no snmp-server contact snmp-server community public no snmp-server enable traps floodguard enable telnet timeout 5 ssh timeout 5 console timeout 0 dhcpd address inside dhcpd dns dhcpd lease 3600 dhcpd ping_timeout 750 dhcpd enable inside terminal width 80 Cryptochecksum:(*masked*) : end pixfirewall(config)#

Please note that I entered static and access-list for the machine in the dmz zone, so that access to it s allowed from outside, although it was not running any www services. You may ignore that as it was done out of desperation, however, it did not work i.e. I cannot browse from the dmz network with my WinXP PC.

Thanks in advance, Benchmark.

Thanks in advance

Reply to

Hi, Can somebody help me here? If you need more information, please let me know.

Thanks, Benchmark.

Reply to
benchmark Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.