05-02-2005 06:57 AM - edited 02-21-2020 12:07 AM
Hello all, I have a PIX 515 with 5 interfaces. I need to add a totally separate company to an interface. I want to make it so that they can't access our internal network and DMZ (with the exception of the rules allowed by the DMZ). At the same time, I want to make sure that our DMZ can't access the "Company" interface with the exception of responding to web requests initiated by hosts behind the Company and SMTP.
My questions are as follows:
1. Would you make the security level of the new interface higher or lower than the DMZ?
2. Is the security level for my failover important? If so, what should it be based on my config?
3. I don't believe I would need to add a global pool for the new company as they would just utilize my existing global pool. Am I right? If not, would I need to add the default nat statement for the interface and some globals? Something like:
nat (Company) 2 0.0.0.0 0.0.0.0 0 0
global (outside) 2 114.xx.xx.xx
Thanks for the help and my config is below:
PIX Version 6.3(3)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security50
nameif ethernet3 SQLDMZ security60
nameif ethernet4 Company security20
nameif ethernet5 failover security10
ip address outside 114.33.100.3 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
ip address DMZ 114.33.101.1 255.255.255.0
no ip address SQLDMZ
no ip address Company
ip address failover 10.5.1.1 255.255.255.0
failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 114.33.100.27
failover ip address inside 10.1.1.20
failover ip address DMZ 114.33.101.27
no failover ip address SQLDMZ
no failover ip address Company
failover ip address failover 10.5.1.2
failover link failover
global (outside) 1 114.33.100.129-114.33.100.189
global (outside) 1 114.33.100.190
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (DMZ) 0 114.33.101.0 255.255.255.0 0 0
static (inside,DMZ) 10.1.1.0 10.1.1.0 netmask 255.255.255.0 0 0
static (DMZ,outside) 114.33.101.20 114.33.101.20 netmask 255.255.255.255 0 0
static (DMZ,outside) 114.33.101.16 114.33.101.16 netmask 255.255.255.255 0 0
static (DMZ,outside) 114.33.101.18 114.33.101.18 netmask 255.255.255.255 0 0
static (DMZ,outside) 114.33.101.21 114.33.101.21 netmask 255.255.255.255 0 0
static (DMZ,outside) 114.33.101.23 114.33.101.23 netmask 255.255.255.255 0 0
static (DMZ,outside) 114.33.101.24 114.33.101.24 netmask 255.255.255.255 0 0
static (DMZ,outside) 114.33.101.28 114.33.101.28 netmask 255.255.255.255 0 0
static (DMZ,outside) 114.33.101.29 114.33.101.29 netmask 255.255.255.255 0 0
static (DMZ,outside) 114.33.101.30 114.33.101.30 netmask 255.255.255.255 0 0
static (DMZ,outside) 114.33.101.31 114.33.101.31 netmask 255.255.255.255 0 0
static (DMZ,outside) 114.33.101.15 114.33.101.15 netmask 255.255.255.255 0 0
conduit permit udp host 114.33.101.4 eq domain any
conduit permit tcp host 10.1.1.25 eq smtp host 114.33.101.4
conduit permit tcp host 10.1.1.13 eq 1433 host 114.33.101.17
conduit permit tcp host 114.33.101.4 eq domain any
conduit permit tcp host 114.33.101.8 eq www any
conduit permit tcp host 114.33.101.31 eq pop3 any
conduit permit tcp host 114.33.101.31 eq www any
conduit permit tcp host 114.33.101.8 eq smtp object-group SMTP-to-Exchange-Server
conduit permit tcp object-group TS-Servers eq 3389 any
conduit permit tcp object-group TS-Servers eq www any
conduit permit tcp object-group WWW-Servers eq www any
conduit permit tcp object-group WWW-Servers eq https any
conduit permit tcp object-group FTP-Servers eq ftp any
05-02-2005 10:14 AM
Q1. Would you make the security level of the new interface higher or lower than the DMZ?
A1: If you want to restrict the other company then it would be easier to configure their access by using a LOWER SECURITY LEVEL than the DMZ, but both higher and lower would be possible.
If you choose a lower security level then you need to configure an access-list on this new company interface to permit access to any higher level interfaces. If you forget to configure the access-list then they will not have access to any higher level interfaces, for example the DMZ, but only to the internet.
If you choose a higher security level than the DMZ then you also need to configure the access-list to limit (block) access to DMZ resources. If you do not configure an access-list then all access to the lower DMZ interface is permitted.
Q2. Is the security level for my failover important? If so, what should it be based on my config?
A2: No, it is not really important as this interface is not used for users or network data, just for failover stateful synchronisation between the two PIX.
Q3. I don't believe I would need to add a global pool for the new company as they would just utilize my existing global pool. Am I right? If not, would I need to add the default nat statement for the interface and some globals? Something like:
A3: As you prefer, you can use the same PAT pool or give them another global public IP:
Examples:
global (outside) 1 114.33.100.129-114.33.100.189
global (outside) 1 114.33.100.190
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (NEWCOMPANY) 1 0.0.0.0 0.0.0.0 0 0
or another public IP:
global (outside) 1 114.33.100.129-114.33.100.189
global (outside) 1 114.33.100.190
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 2 114.33.100.191
nat (NEWCOMPANY) 2 0.0.0.0 0.0.0.0 0 0
Sincerely,
Patrick
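As an added illustration (not part of this thread and not a Cisco tool), the following Python model encodes the PIX 6.3 default policy Patrick describes: a new connection from a higher security level to a lower one is permitted unless an access-list bound to the source interface says otherwise, and lower-to-higher is denied unless such an access-list permits it. The interface names and security levels come from the posted config; the access-list entries under Company and the destination addresses in the comments are hypothetical.

```python
from ipaddress import ip_address, ip_network

# Interface security levels exactly as in the posted nameif lines.
SECURITY_LEVELS = {
    "outside": 0, "inside": 100, "DMZ": 50,
    "SQLDMZ": 60, "Company": 20, "failover": 10,
}

# Hypothetical access-list bound inbound on the Company interface, as
# (action, protocol, destination network, destination port or None).
# Only web and SMTP to one DMZ host are allowed; inside and the rest of the
# DMZ are blocked; everything else (the internet) is permitted.
ACL = {
    "Company": [
        ("permit", "tcp", "114.33.101.8/32", 80),
        ("permit", "tcp", "114.33.101.8/32", 25),
        ("deny",   "ip",  "114.33.101.0/24", None),
        ("deny",   "ip",  "10.1.1.0/24", None),
        ("permit", "ip",  "0.0.0.0/0", None),
    ],
}

def acl_verdict(src_if, proto, dst_ip, dst_port):
    """First matching entry wins; an access-list ends with an implicit deny."""
    for action, aproto, net, port in ACL.get(src_if, []):
        if aproto not in ("ip", proto):
            continue
        if ip_address(dst_ip) not in ip_network(net):
            continue
        if port is not None and port != dst_port:
            continue
        return action == "permit"
    return False

def allowed(src_if, dst_if, proto, dst_ip, dst_port=None):
    """True if a NEW connection from src_if to dst_if is permitted."""
    if src_if in ACL:
        # Once an access-list is bound, it alone decides; the implicit
        # higher-to-lower permit no longer applies.
        return acl_verdict(src_if, proto, dst_ip, dst_port)
    # No access-list bound: security levels alone decide. Equal levels
    # cannot talk to each other on 6.3.
    return SECURITY_LEVELS[src_if] > SECURITY_LEVELS[dst_if]
```

Note that with Company at level 20 and no access-list on DMZ, the model shows DMZ hosts reaching Company by default, which is the second half of the original question.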
05-02-2005 12:01 PM
Thanks Patrick, I will try this. I appreciate the help. It may be a few days before I can take a shot at it.