Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
412
Views
0
Helpful
5
Replies

Internet access only through PIX

edmonds_robert
Level 1
Level 1

‎07-25-2003 10:40 AM - edited ‎02-20-2020 10:52 PM

I have the responsibility for providing Internet access, through our network, to agencies and individuals from outside our organization. What I would like to do is policy route their traffic so that they can only get to the Internet, but nothing internal. They will all be connecting to a 3550 L3 switch, which in turn is connected our 6506 in the core, which also runs layer 3 software. Finally, they will be going out through our PIX. Is this possible? And if so, can I also allow them to get DNS from our internal DNS server(s)? I have tried using an access-list and a route-map statement with the "set ip next-hop" option, but they were still allowed access to our internal network. However, I very well may have programmed it wrong. Any help would be greatly appreciated.

0 Helpful
5 Replies 5

konigl
Level 7
Level 7

‎07-26-2003 04:59 PM

You could do this with extended access-lists on the 3550 L3 switch and the 6506 L3 switch. For each VLAN/subnet outside your organization that's connecting to one of your VLANs interfaces, create an extended access-list to be applied to inbound traffic coming into that VLAN interface. Explicitly deny the source ip subnet from getting to each and every other subnet that you want protected; then, permit ip to all other subnets (the Internet).

As you add more outside agencies, you will have to update the extended access-lists being applied to each and every VLAN interface. A little tedious, perhaps, but doable.

If you want to permit them access to your internal DNS servers, make sure you have explicit permits for thost host addresses before you deny the rest of the subnet(s) those servers reside on.

On the PIX, you don't have to worry about "hairpin" routing (traffic coming in and routing back out the same interface, typically drawn as a "hairpin" turn in a network diagram). Traffic coming in one PIX interface must exit some other PIX interface. All you have to do is permit each of the agencies' subnets to go out to the Internet. And if they want you to put their web servers on the Internet through your public IP numbers, you can create static mappings and permit the Internet to initiate inbound communications with their hosts. Only problem then is, you would have to maintain two sets of DNS servers -- one for the rest of the Internet to resolve IP addresses from, and the other for the internal users to be able to get to their own servers by typing in "www.theirdomainname.org".

Personally, I would resist letting them keep their web presence behind your PIX, because it complicates your DNS issues, and also your access-lists: because you will have to create explicit permissions so that agencies blocked from seeing one another's resources in general, can still see each other's web servers. (Like what I suggested about doing for your DNS servers.) Hosting the web servers outside the Firewall is much easier.

If they're insistent about you providing access to their web server behind the protection of a firewall, you can resolve this issue by sandwiching such web servers on a VLAN between two PIXs, or hanging them off a third, DMZ, NIC in the one PIX, so they're outside your internal network, but inside from your external network (the Internet). But that's a whole other discussion.

Hope this helps.

0 Helpful

edmonds_robert
Level 1
Level 1
In response to konigl

‎07-28-2003 06:43 AM

Actually, I think my explanation was too vague. The actual scenario is as follows: I run the network for a county government. As part of that, I run the network for our courts. In those courtrooms, we supply attorneys with Internet access, not through a separate connection, but through our network, just like any other computer on our network. What I would like to do is, put them on their own VLAN (VLAN 20 in this case) that only has access to the Internet, and if possible, is able to resolve DNS queries using our servers.

0 Helpful

mitchell_kohn
Level 1
Level 1
In response to edmonds_robert

‎07-28-2003 08:23 AM

Are you running Windows 2000 ? If so, you can lock down the workstations pretty tight. Also, you probably can do some kind of routing to only point out to the internet gateway. If they are not logging in to your domain, but you put in a static IP, wouldn't that take care of it ? Plug in your ISP's DNS servers. You can filter out your netbios ports or even turn them off.

YMMV,

Mitch

0 Helpful

edmonds_robert
Level 1
Level 1
In response to mitchell_kohn

‎07-28-2003 10:50 AM

I am running Windows 2000, however there's no telling what these attorneys may have on their laptops. Besides, I can't configure their computers because they don't belong to me. I just have to make my network so they can cross it, but only enough to get to the Internet. I'm not asking much, I know ;)

0 Helpful

nihal.akbulut
Level 1
Level 1
In response to edmonds_robert

‎07-29-2003 10:40 PM

I couln't understand why policy-routing didn't work. maybe you can try to carry that traffic in a tunnel to the pix.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card