PIX 506e

saftas.aql
Level 1

I have two networks that need to communicate using only HTTPS. In order to configure my PIX 506e firewall, I’ve decided to use PDM v3.0. The Access Rules configuration is as follows:

SOURCE
IP – 1.1.1.1/24
Permit
Inside
1.1.1.0/24
Service Group (allow HTTPS)

DESTINATION
IP – 2.2.2.1/24
Permit
Outside
3.3.3.0/25 – The servers of interest reside on this network.
Service Group (allow HTTPS)

Will this configuration work to allow HTTPS communications between the networks, at least on one side (going out)?

Thanks.

2 Replies

nkhawaja
Cisco Employee

Yes, it will allow one-side communication (the connection can only be initiated by inside). For bidirectional you need to make another set of rules like this:

SOURCE
IP – 2.2.2.1/24
Permit
Inside
1.1.1.0/24
Service Group (allow HTTPS)

DESTINATION
IP – 1.1.1.1/24
Permit
Outside
3.3.3.0/25 – The servers of interest reside on this network.
Service Group (allow HTTPS)

Basically swap the source/dst IPs, so that outside IPs can also initiate connections to the inside IP.

thanks

Nadeem

jboyer
Level 1

I don't use the PDM, but this looks like you are allowing 'source: 1.1.1.0/24 port 443' and 'dest: 3.3.3.0/25 port 443'. Keep in mind the source of an HTTPS conversation will be a random high port number. From the CLI you can be more specific and permit source ports any to dest port 443. I guess it depends how you defined "allow HTTPS".
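An added example (not from anyone in this thread) that models jboyer's point: a small parser and first-match evaluator for PIX 6.x-style access-list lines, run over two constructed rules for the networks above. The ACL name, the host addresses and the ephemeral source port are assumptions chosen for the demonstration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    src_port: Optional[int]  # None means "any" source port
    dst: ipaddress.IPv4Network
    dst_port: Optional[int]  # None means "any" destination port

def _net(addr: str, mask: str) -> ipaddress.IPv4Network:
    # PIX 6.x writes masks in dotted form, e.g. "3.3.3.0 255.255.255.128"
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)

def parse_acl(lines):
    # access-list NAME {permit|deny} tcp SRC MASK [eq PORT] DST MASK [eq PORT]
    rules = []
    for line in lines:
        t = line.split()
        if len(t) < 8 or t[0] != "access-list":
            continue
        action, proto = t[2], t[3]
        src, i = _net(t[4], t[5]), 6
        sport = None
        if t[i] == "eq":  # a source-port qualifier follows the source network
            sport, i = int(t[i + 1]), i + 2
        dst, i = _net(t[i], t[i + 1]), i + 2
        dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
        rules.append(Rule(action, proto, src, sport, dst, dport))
    return rules

def evaluate(rules, proto, sip, sport, dip, dport):
    # First matching rule wins; every PIX ACL ends with an implicit deny.
    for r in rules:
        if (r.proto == proto and ipaddress.IPv4Address(sip) in r.src
                and ipaddress.IPv4Address(dip) in r.dst
                and r.src_port in (None, sport) and r.dst_port in (None, dport)):
            return r.action
    return "deny"

# Constructed sample ACLs (the name inside_in is hypothetical). The first pins 443 on
# both ends, as a service group applied to source and destination would; the second
# leaves the source port open and restricts only the destination port.
ACL_BOTH_PORTS = ["access-list inside_in permit tcp 1.1.1.0 255.255.255.0 eq 443 3.3.3.0 255.255.255.128 eq 443"]
ACL_DST_ONLY = ["access-list inside_in permit tcp 1.1.1.0 255.255.255.0 3.3.3.0 255.255.255.128 eq 443"]

def check_client_flow(acl):
    # A browser picks an ephemeral source port; 51234 is a constructed value.
    return evaluate(parse_acl(acl), "tcp", "1.1.1.10", 51234, "3.3.3.5", 443)
```

With the source port pinned to 443 the client's real connection falls through to the implicit deny; with only the destination port restricted it is permitted, while hosts outside 3.3.3.0/25 and ports other than 443 are still denied.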
