https://community.cisco.com/t5/network-security/securing-traffic-through-pix/m-p/499332#M534060 <HTML><HEAD></HEAD><BODY><P>Site-to-Site comes to mind! and tie down the vpn traffic using ACLs.</P><P></P><P>Jay</P></BODY></HTML> Thu, 18 Aug 2005 11:10:43 GMT jmia 2005-08-18T11:10:43Z https://community.cisco.com/t5/network-security/securing-traffic-through-pix/m-p/499330#M534056 <P>Hi All,</P><P>We want to give network access to our business partner (Banks)</P><P>Also we want to secure our infrastructure from banks activities.</P><P>How can i acheive ...</P><P>Pls suggest...</P><P>Attaching the proposed topology diagram.</P><P></P> Fri, 21 Feb 2020 08:20:34 GMT https://community.cisco.com/t5/network-security/securing-traffic-through-pix/m-p/499330#M534056 fmatrine 2020-02-21T08:20:34Z https://community.cisco.com/t5/network-security/securing-traffic-through-pix/m-p/499331#M534058 <HTML><HEAD></HEAD><BODY><P>attached topology</P><P></P><P> </P><P></P></BODY></HTML> Thu, 18 Aug 2005 11:10:21 GMT https://community.cisco.com/t5/network-security/securing-traffic-through-pix/m-p/499331#M534058 fmatrine 2005-08-18T11:10:21Z https://community.cisco.com/t5/network-security/securing-traffic-through-pix/m-p/499332#M534060 <HTML><HEAD></HEAD><BODY><P>Site-to-Site comes to mind! and tie down the vpn traffic using ACLs.</P><P></P><P>Jay</P></BODY></HTML> Thu, 18 Aug 2005 11:10:43 GMT https://community.cisco.com/t5/network-security/securing-traffic-through-pix/m-p/499332#M534060 jmia 2005-08-18T11:10:43Z https://community.cisco.com/t5/network-security/securing-traffic-through-pix/m-p/499333#M534061 <HTML><HEAD></HEAD><BODY><P>Your topology looks ok but what I would suggest is for you to read the Cisco SAFE Security Blueprint, it can be found on the right hand side of this page under 'Related Links' or below:</P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/netsol/ns340/ns394/ns171/ns128/networking_solutions_package.html" target="_blank">http://www.cisco.com/en/US/netsol/ns340/ns394/ns171/ns128/networking_solutions_package.html</A></P><P></P><P></P><P>Hope this helps a little.</P><P></P><P>Jay</P></BODY></HTML> Thu, 18 Aug 2005 11:34:20 GMT https://community.cisco.com/t5/network-security/securing-traffic-through-pix/m-p/499333#M534061 jmia 2005-08-18T11:34:20Z https://community.cisco.com/t5/network-security/securing-traffic-through-pix/m-p/499334#M534062 <HTML><HEAD></HEAD><BODY><P>Hi Jay,</P><P></P><P>Thanx for the reply.</P><P>We are not looking at VPN solution.</P><P>As the business partner will come over private leased line and not thru internet.</P><P></P><P>Our requirement is to allow business partners (Many Banks) to access few of our servers in DMZ and Inside network in a secured manner.</P><P></P><P>Banks network will come over wan and in our premises we will get a ethernet from all the banks.</P><P>what we are planning is to terminate all the ethernet coming from different banks on a L3 switch in different vlan interface.</P><P>Purpose of creating vlans on the L3 is to control the traffic (Inter-vlan) coming from different banks and filtering the traffic at the L3 only.</P><P>secondly we will have the L3 connected to PIX interface facing the Bank-Zone as shown in the proposed topology attached.</P><P>We will create a static NAT between Bank-Zone interface subnet and various servers in DMZ and Internal network.</P><P>Subsequently we will allow the services for specific IP's only.</P><P>This way we will hide our inside+dmz private ip to be seen by bank network, as the bank clients will connect to the natted ip for accessing servers in DMZ and inside lan.</P><P></P><P></P><P>Kindly suggest if this is OK from security perspective or do we need to add any component.</P><P></P><P></P><P></P></BODY></HTML> Thu, 18 Aug 2005 12:27:27 GMT https://community.cisco.com/t5/network-security/securing-traffic-through-pix/m-p/499334#M534062 fmatrine 2005-08-18T12:27:27Z https://community.cisco.com/t5/network-security/securing-traffic-through-pix/m-p/499335#M534063 <HTML><HEAD></HEAD><BODY><P>It looks like you are setting this up very well, maybe tighten it up to only allow to specific TCP services on the servers? And I would LOG, LOG, LOG, all activity to/from these extranet partners. </P><P>Good points I see:</P><P>1: VLAN separation of banks from each other!</P><P> (access-lists, no traffic between bank vlans)</P><P>2: NAT of your internal servers to extranet</P><P>3: Access only to specific servers (nat address) from banks</P><P> (lock down to ports/services?)</P><P></P><P>I would think about adding an IDS/IPS component, to be sure that nobody attempts to circumvent your security arrangements.</P></BODY></HTML> Fri, 19 Aug 2005 19:48:11 GMT https://community.cisco.com/t5/network-security/securing-traffic-through-pix/m-p/499335#M534063 rsmith 2005-08-19T19:48:11Z