07-25-2003 10:40 AM - edited 02-20-2020 10:52 PM
I have the responsibility for providing Internet access, through our network, to agencies and individuals from outside our organization. What I would like to do is policy route their traffic so that they can only get to the Internet, but nothing internal. They will all be connecting to a 3550 L3 switch, which in turn is connected our 6506 in the core, which also runs layer 3 software. Finally, they will be going out through our PIX. Is this possible? And if so, can I also allow them to get DNS from our internal DNS server(s)? I have tried using an access-list and a route-map statement with the "set ip next-hop" option, but they were still allowed access to our internal network. However, I very well may have programmed it wrong. Any help would be greatly appreciated.
07-26-2003 04:59 PM
You could do this with extended access-lists on the 3550 L3 switch and the 6506 L3 switch. For each VLAN/subnet outside your organization that's connecting to one of your VLANs interfaces, create an extended access-list to be applied to inbound traffic coming into that VLAN interface. Explicitly deny the source ip subnet from getting to each and every other subnet that you want protected; then, permit ip to all other subnets (the Internet).
As you add more outside agencies, you will have to update the extended access-lists being applied to each and every VLAN interface. A little tedious, perhaps, but doable.
If you want to permit them access to your internal DNS servers, make sure you have explicit permits for those host addresses before you deny the rest of the subnet(s) those servers reside on.
On the PIX, you don't have to worry about "hairpin" routing (traffic coming in and routing back out the same interface, typically drawn as a "hairpin" turn in a network diagram). Traffic coming in one PIX interface must exit some other PIX interface. All you have to do is permit each of the agencies' subnets to go out to the Internet. And if they want you to put their web servers on the Internet through your public IP numbers, you can create static mappings and permit the Internet to initiate inbound communications with their hosts. Only problem then is, you would have to maintain two sets of DNS servers -- one for the rest of the Internet to resolve IP addresses from, and the other for the internal users to be able to get to their own servers by typing in "www.theirdomainname.org".
Personally, I would resist letting them keep their web presence behind your PIX, because it complicates your DNS issues and also your access-lists: you will have to create explicit permissions so that agencies blocked from seeing one another's resources in general can still see each other's web servers. (Like what I suggested about doing for your DNS servers.) Hosting the web servers outside the firewall is much easier.
If they're insistent about you providing access to their web server behind the protection of a firewall, you can resolve this issue by sandwiching such web servers on a VLAN between two PIXs, or hanging them off a third, DMZ, NIC in the one PIX, so they're outside your internal network, but inside from your external network (the Internet). But that's a whole other discussion.
Hope this helps.
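What the inbound extended access-list described above looks like on the VLAN interface of the 3550, written out as an added example (not configuration from the thread or from Cisco documentation). The addressing is constructed: the outside-agency VLAN is VLAN 20 with 10.20.0.0/24 (the VLAN the original poster names later in the thread), the internal address space to protect is the RFC 1918 ranges, and the two internal DNS servers are 10.1.1.10 and 10.1.1.11. The DNS permits come first, the denies for everything internal come next, and only then does the permit to "any" let the rest reach the Internet; the `log` keyword on the deny lines is there so hits show up in the log and in `show access-lists` counters, but on the 3550 logged entries are processed by the CPU, so drop it if that becomes a load concern.

```cisco
! Added example, not from the thread. Constructed addressing:
!   VLAN 20 (outside agencies / attorneys): 10.20.0.0/24, gateway 10.20.0.1
!   internal DNS servers to expose:         10.1.1.10 and 10.1.1.11
!   internal address space to protect:      10/8, 172.16/12, 192.168/16
!
ip access-list extended GUEST-VLAN20-IN
 remark -- explicit permits for the DNS hosts come BEFORE the subnet denies
 permit udp 10.20.0.0 0.0.0.255 host 10.1.1.10 eq domain
 permit tcp 10.20.0.0 0.0.0.255 host 10.1.1.10 eq domain
 permit udp 10.20.0.0 0.0.0.255 host 10.1.1.11 eq domain
 permit tcp 10.20.0.0 0.0.0.255 host 10.1.1.11 eq domain
 remark -- only needed if these hosts get their addresses by DHCP from you
 permit udp any eq bootpc any eq bootps
 remark -- now deny every internal range; log hits so attempts are visible
 deny   ip 10.20.0.0 0.0.0.255 10.0.0.0 0.255.255.255 log
 deny   ip 10.20.0.0 0.0.0.255 172.16.0.0 0.15.255.255 log
 deny   ip 10.20.0.0 0.0.0.255 192.168.0.0 0.0.255.255 log
 remark -- whatever is left is Internet-bound and rides out via the PIX
 permit ip 10.20.0.0 0.0.0.255 any
 remark -- implicit deny drops anything with a source outside 10.20.0.0/24
!
interface Vlan20
 description Outside agencies - Internet and internal DNS only
 ip address 10.20.0.1 255.255.255.0
 ip access-group GUEST-VLAN20-IN in
!
```

After applying it, `show access-lists GUEST-VLAN20-IN` shows a match counter per line; a rising count on the deny lines confirms the list is actually in the path and catching attempts at the internal subnets, while a zero count on the DNS permits after a client has resolved a name usually means the list is on the wrong interface or direction. The same list shape, with each agency's source subnet substituted, is what gets repeated on every other VLAN interface as more agencies are added.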
07-28-2003 06:43 AM
Actually, I think my explanation was too vague. The actual scenario is as follows: I run the network for a county government. As part of that, I run the network for our courts. In those courtrooms, we supply attorneys with Internet access, not through a separate connection, but through our network, just like any other computer on our network. What I would like to do is put them on their own VLAN (VLAN 20 in this case) that only has access to the Internet, and if possible, is able to resolve DNS queries using our servers.
07-28-2003 08:23 AM
Are you running Windows 2000? If so, you can lock down the workstations pretty tight. Also, you probably can do some kind of routing to only point out to the Internet gateway. If they are not logging in to your domain, but you put in a static IP, wouldn't that take care of it? Plug in your ISP's DNS servers. You can filter out your NetBIOS ports or even turn them off.
YMMV,
Mitch
07-28-2003 10:50 AM
I am running Windows 2000, however there's no telling what these attorneys may have on their laptops. Besides, I can't configure their computers because they don't belong to me. I just have to make my network so they can cross it, but only enough to get to the Internet. I'm not asking much, I know ;)
07-29-2003 10:40 PM
I couldn't understand why policy-routing didn't work. Maybe you can try to carry that traffic in a tunnel to the PIX.