Established through PIX - CLEAR GUIDELINES

mrrussell
Level 1

I'm looking for clear guidelines, as the Cisco command reference, config guides etc. do not cover all the combinations of options for established from low-to-high and high-to-low security interfaces, NAT (inside/outside), identity NAT, outside keeping the same IP addresses, use of statics, DNS doctoring etc.

Are there some guidelines on the Internet or that someone has written and can share?

For example, is this use of static correct to enable establishing a session from 192.168.0.11 on a low-security DMZ to a higher DMZ address 10.20.2.2 without NAT translation?

ip address dmzlow 192.168.0.254 255.255.255.0
ip address dmzhigh 192.168.6.1 255.255.255.252
route 10.20.2.0 255.255.255.240 192.168.6.2 1
access-list acl_dmzlow permit ip 192.168.0.0 255.255.255.0 192.168.0.0 255.255.255.0
access-group dmzlow in interface dmzlow
static (dmzlow,dmzhigh) 10.20.2.0 10.20.2.0 netmask 255.255.255.240 0 0

Thanks

Mick


turnbull
Level 1

Hi Mick,

It's almost there with just a couple of inaccuracies in the static and access list.

It should be:

static (dmzhigh,dmzlow) 10.20.2.0 10.20.2.0 netmask 255.255.255.240 0 0

access-list acl_dmzlow permit ip 192.168.0.0 255.255.255.0 10.20.2.0 255.255.255.240

A definitive guide is available here:

http://cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aad.shtml

This makes better sense with the basics of NAT and access through the PIX:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/mngacl.htm

Think of high security as 'inside' and lower as 'outside', even when dealing with DMZs.

Cisco print a good book dealing with PIX, but I'm not aware of any downloadable from the Internet.

Cheers,

Paul.
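The two corrections above (the static must name the higher-security interface first, and the inbound ACL on the low side must permit traffic to the real destination network rather than to the low side's own subnet) can be checked mechanically before a config goes on the box. The following lint script is an added example, not code from the thread or from Cisco; the security levels are assumed, since the posts only say that dmzlow is lower than dmzhigh, and the sample configs are constructed from the lines quoted in the thread.

```python
import ipaddress
import re

# Constructed sample input: the lines from Mick's post that the reply corrects.
ORIGINAL = """\
access-list acl_dmzlow permit ip 192.168.0.0 255.255.255.0 192.168.0.0 255.255.255.0
access-group dmzlow in interface dmzlow
static (dmzlow,dmzhigh) 10.20.2.0 10.20.2.0 netmask 255.255.255.240 0 0
"""
# Paul's corrected static and ACL, with the access-group naming the ACL it applies.
CORRECTED = """\
access-list acl_dmzlow permit ip 192.168.0.0 255.255.255.0 10.20.2.0 255.255.255.240
access-group acl_dmzlow in interface dmzlow
static (dmzhigh,dmzlow) 10.20.2.0 10.20.2.0 netmask 255.255.255.240 0 0
"""
# Assumed security levels: the thread only says dmzlow is lower than dmzhigh.
LEVELS = {"dmzlow": 10, "dmzhigh": 50}

STATIC_RE = re.compile(r"static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)")
ACL_RE = re.compile(r"access-list (\S+) permit \S+ (\S+) (\S+) (\S+) (\S+)")
GROUP_RE = re.compile(r"access-group (\S+) in interface (\w+)")


def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def lint(config, levels=LEVELS):
    statics, acls, groups, findings = [], {}, {}, []
    for line in config.splitlines():
        if m := STATIC_RE.match(line):
            statics.append(m.groups())
        elif m := ACL_RE.match(line):
            acls.setdefault(m[1], []).append((net(m[2], m[3]), net(m[4], m[5])))
        elif m := GROUP_RE.match(line):
            groups[m[2]] = m[1]
    for ifc, name in groups.items():
        if name not in acls:
            findings.append(f"access-group on {ifc} references undefined ACL {name}")
    for real_if, mapped_if, mapped, real, mask in statics:
        # static (real,mapped): the real hosts sit on the higher-security side, so it comes first.
        if levels[real_if] <= levels[mapped_if]:
            findings.append(f"static ({real_if},{mapped_if}): real interface must be "
                            f"the higher-security side, use ({mapped_if},{real_if})")
        low_if = min((real_if, mapped_if), key=levels.get)
        target = net(mapped, mask)
        # The ACL applied inbound on the low side must permit traffic to the mapped network itself.
        rules = acls.get(groups.get(low_if), [])
        if not any(dst.supernet_of(target) for _, dst in rules):
            findings.append(f"ACL on {low_if} has no permit to {target}")
    return findings
```

Running `lint(ORIGINAL)` reports the reversed static and the ACL destination (plus the access-group naming an ACL that is not defined), while `lint(CORRECTED)` returns no findings.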
