04-21-2006 07:15 AM - edited 02-21-2020 12:51 AM
Hi,
Here's my hardware layout:
I've got a Pix 515E UR w/ 6 ports @ ver7.1(2)
I've got two T1 connections to the internet.
Currently I've got the following interfaces: inside (sec level 100), outside (sec 0, 1st T1), dmz (sec 50) and T1 (sec 0, 2nd T1).
The inside interface only needs access to dmz and T1.
The DMZ has an email server and I would need to restrict it to only using the outside interface to access the internet.
I've tried to do this in single context mode with no luck keeping the dmz from just accessing the outside interface.
Here's my question: Is this possible in single context and I'm just missing something or should I go to multiple contexts?
Thanks!
04-27-2006 06:15 AM
04-27-2006 04:24 PM
Why don't you try a "trick"
Create PAT for devices on the inside network going towards DMZ and T1, i.e.
! inside subnet and PAT to the interface address are assumed; the original post gave only the nat/global ids
nat (inside) 1 0.0.0.0 0.0.0.0
global (dmz) 1 interface
global (T1) 1 interface
Restrict access from inside hosts to the outside interface by doing PAT using a fake NONROUTABLE address
nat (inside) 1 0.0.0.0 0.0.0.0
! the PAT address below is a placeholder; any address that is not routable from the internet will do
global (outside) 1 10.255.255.254
As the NATed IP will be nonroutable on the outside interface, the traffic will fall into a black hole.
Post it if you find it helps
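Carrying the same PAT trick over to the DMZ mail server that the question actually asked about, as an added example (not the reply's own config); the inside and dmz addressing, the mail server's IP and the black-hole PAT addresses are assumptions.

```cisco
! Added example, not from the original reply. Assumed addressing:
!   inside network  10.0.0.0/24
!   dmz network     192.0.2.0/24, mail server 192.0.2.25
!   outside / T1    interface addresses assigned by the two providers
!
! --- inside hosts: allowed paths are dmz and T1 ---
nat (inside) 1 10.0.0.0 255.255.255.0
global (dmz) 1 interface
global (T1) 1 interface
! inside hosts towards outside: PAT to an address nobody on the internet
! can route back to, so the session never completes (the black hole)
global (outside) 1 10.255.255.254
!
! --- dmz mail server: the only allowed path is outside ---
nat (dmz) 2 192.0.2.25 255.255.255.255
global (outside) 2 interface
! mail server towards T1: same trick, black-holed PAT address
global (T1) 2 10.255.255.253
!
! --- checks after applying ---
! show running-config nat
! show running-config global
! show xlate            (confirm the mail server's translations use outside)
```

The black-holed translation only kills the return traffic; the first outbound packet still leaves the box, so expect to see it in the logs, and where the interface pair allows it an access-list applied to the dmz interface is the more explicit way to deny that path.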