PIX 501 pseudo DMZ and securing an internal/DMZ web server

I intend to run a server behind my PIX 501. I would like to allow packets from the outside interface to it. For this I think I could use this:

1)

!--- enable names and define the web server name
!--- (the names command must be on before name is accepted)
names
name 10.9.9.10 webserver1

!--- define an access list to permit incoming connections from the internet
!--- permit incoming to port 80 & 443 for webserver1
access-list outside_in permit tcp any any eq www
access-list outside_in permit tcp any any eq 443

!--- redirect connections to port 443 to webserver1 standard web port
static (inside,outside) tcp interface 443 webserver1 www netmask 255.255.255.255 0 0

!--- redirect connections to port 80 to webserver1 standard web port
static (inside,outside) tcp interface www webserver1 www netmask 255.255.255.255 0 0

!--- apply the access list to the outside interface (without this the list has no effect)
access-group outside_in in interface outside

2) However, this also means that if the web server were to be compromised then the attacker would have access to the internal (inside) network.

I would like to configure the PIX to only:

Allow from other hosts on the inside network only 80, 443, 22 and 514 (UDP), inbound and outbound. Deny everything else out from the server to anyone else other than requests covered in the above ACL. The server ought not to allow connections that were initiated from it.

The simple way would be to create a DMZ, but the PIX 501 does not have a dedicated interface for this. Only interface0 (outside) and interface1 (inside). The inside interface is an internal four port switch.

Any clues on how this might work?

Best wishes, z.

zii kell

Well, if a device does not offer enough physical interfaces, normally one would use VLANs (of course a switch that supports VLANs must be used in that case). Unfortunately, though the PIX from PIX OS version 6.3 upwards supports VLANs, the PIX 501 (which is a classic SOHO model and therefore is not intended to be used for bigger installations) does not.

Solution: Either get a bigger PIX or use something else. Alternatives from other vendors like Clavister, Fortigate, Netscreen/Juniper etc. do exist.

Wolfgang

Wolfgang Kueter
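As an added example (not from either post, and not Cisco reference material): the part of the OP's wish list that a PIX 501 can enforce on its own is the server's outbound traffic towards the internet, with an access list on the inside interface. It reuses the OP's webserver1 name; the inside subnet 10.9.9.0/24 is an assumption, since the post gives only the server's address. As Wolfgang's reply explains, traffic between the server and other inside hosts stays on the 501's built-in switch and never crosses the firewall, so this is a partial mitigation, not a DMZ.

```cisco
!--- Added example, not from the original thread.
!--- Egress policy for webserver1 on the inside interface of a PIX 501 (PIX OS 6.3).
!--- Assumption: the inside network is 10.9.9.0/24 (the post only gives 10.9.9.10).

!--- Replies to the inbound statics (ports 80/443) are matched by the PIX connection
!--- table, so this list only decides which connections webserver1 may open itself.
access-list inside_in permit tcp host webserver1 any eq www
access-list inside_in permit tcp host webserver1 any eq 443
access-list inside_in permit tcp host webserver1 any eq ssh
access-list inside_in permit udp host webserver1 any eq syslog

!--- First match wins: deny everything else from the server before the general permit,
!--- and log the hits so an unexpected outbound attempt from the server shows in syslog.
access-list inside_in deny ip host webserver1 any log

!--- Other inside hosts keep their outbound access (an applied list ends in implicit deny).
access-list inside_in permit ip 10.9.9.0 255.255.255.0 any

access-group inside_in in interface inside

!--- Limitation: server-to-LAN traffic never reaches this list, because the inside
!--- interface is the 501's internal four-port switch; only VLANs or a third interface
!--- (i.e. a different firewall) can separate the server from the other inside hosts.
```

After applying the list, check it with show access-list inside_in: the hit counters on the deny line are the quickest sign that the server is trying to reach something it should not.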

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.