Need a little help with a pix 525

michael.steiner
Level 1

All,

I am a windows admin who has been delegated the duty of working with the pix - go figure.

Anyways I have a pix 525 running 6.3. Coming off of one of the interfaces of the pix I have a test network. That interface has a security rating of 50 while the inside interface has a security rating of 100. Currently we have statics and conduits in place in the pix config. One of the statics is:

static (inside,test) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 0 0

There is also a conduit permit that allows anyone on the 10.x.x.x (internal) network to access via terminal server one of the test machine networks.

My issue I believe is that because we are going from a higher interface security rating to a lower security rating interface the developers can map drives, etc. The only thing I want them to be able to do is access that network via terminal server. No mapping, no printing, no nothing.

How can I accomplish this?

Thanks

1 Reply

ehirsel
Level 6

On what network is the terminal server located? In the inside or in the dmz?

One of the easiest ways to accomplish what you want to do is to use ACLs - as time goes on the pix code will no longer support conduits and apply statements.

Let's say the term server is on the inside network, at address 10.10.10.10. I would create an acl like this:

access-list in_acl_01 permit tcp host 10.10.10.10 test-net test-mask

access-list in_acl_01 permit ......

add what you want to permit, to the test as well as any other network.

Then apply the ACL to the inside interface like this:

access-group in_acl_01 in interface inside

I would remove this: static (inside,test) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 0 0

and replace it with this: static (inside,test) 10.10.10.10 10.10.10.10 netmask 255.255.255.255 0 0

so that the term server is seen by its true IP address on the test network, but the test net will not be able to address other internal workstations.

By default, the pix will allow all access from higher to lower interfaces, but by applying the ACL to the inside interface, only what you allow will be permitted. There is an implicit deny all at the end of the ACL.

Let me know if this helps.

Also, to allow outbound access via other interfaces, because I told you to use ACLs, there are other facets of the config that will change. The pix documentation gives some examples of how best to convert from conduit to access-list. Let me know if you need help there as well.
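To check what an inside-interface ACL written in the reply's syntax actually lets through, here is a small added example (my own, not posted in this thread) that evaluates PIX 6.3-style access-list lines with first-match and implicit-deny semantics. It assumes a test network of 192.168.50.0/24 and a developer workstation at 10.20.30.40, and it goes one step beyond the reply's single line by adding a rule that lets any 10.x host reach the test net on TCP/3389 only, which is the "terminal server but no drive mapping" outcome the question asks for.

```python
"""Evaluate PIX 6.3-style access-list lines the way the PIX does: rules are
checked in order, first match wins, and unmatched traffic hits the implicit deny."""
import ipaddress

# Constructed ACL in the reply's syntax. Assumed values: test network
# 192.168.50.0/24, terminal server 10.10.10.10 (from the reply), and an
# extra line allowing only TCP/3389 (terminal server) from any 10.x host.
ACL_TEXT = """
access-list in_acl_01 permit tcp host 10.10.10.10 192.168.50.0 255.255.255.0
access-list in_acl_01 permit tcp 10.0.0.0 255.0.0.0 192.168.50.0 255.255.255.0 eq 3389
"""

def _parse_addr(tokens, i):
    """Consume 'any', 'host A' or 'A MASK' at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # PIX access-lists take a normal subnet mask, not an IOS wildcard mask.
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2

def parse_acl(text):
    """Return rules as (action, proto, src_net, dst_net, dst_port or None)."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 7 or t[0] != "access-list":
            continue
        action, proto = t[2], t[3]
        src, i = _parse_addr(t, 4)
        dst, i = _parse_addr(t, i)
        port = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
        rules.append((action, proto, src, dst, port))
    return rules

def evaluate(rules, proto, src_ip, dst_ip, dst_port):
    """Return 'permit' or 'deny' for one flow crossing the interface."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, rproto, src, dst, port in rules:
        if rproto not in ("ip", proto):
            continue
        if s in src and d in dst and (port is None or port == dst_port):
            return action          # first match wins
    return "deny"                  # implicit deny at the end of the ACL

if __name__ == "__main__":
    rules = parse_acl(ACL_TEXT)
    # Constructed flows: term server to test net, a developer's RDP, a developer's SMB.
    for flow in (("tcp", "10.10.10.10", "192.168.50.20", 445),
                 ("tcp", "10.20.30.40", "192.168.50.20", 3389),
                 ("tcp", "10.20.30.40", "192.168.50.20", 445)):
        print(flow, "->", evaluate(rules, *flow))
```

The developer's SMB flow (TCP/445) falls through both rules and is dropped by the implicit deny, while the same host's TCP/3389 flow is permitted.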
