Securing Traffic through PIX

fmatrine
Level 1

Hi All,

We want to give network access to our business partner (Banks)

Also we want to secure our infrastructure from banks activities.

How can I achieve ...

Please suggest...

Attaching the proposed topology diagram.

5 Replies

fmatrine
Level 1

attached topology

Your topology looks OK, but what I would suggest is for you to read the Cisco SAFE Security Blueprint; it can be found on the right-hand side of this page under 'Related Links' or below:

http://www.cisco.com/en/US/netsol/ns340/ns394/ns171/ns128/networking_solutions_package.html

Hope this helps a little.

Jay

jmia
Level 7

Site-to-Site comes to mind! And tie down the VPN traffic using ACLs.

Jay

Hi Jay,

Thanks for the reply.

We are not looking at a VPN solution.

As the business partner will come over a private leased line and not through the internet.

Our requirement is to allow business partners (many banks) to access a few of our servers in the DMZ and inside network in a secure manner.

The banks' networks will come over the WAN, and in our premises we will get an Ethernet link from each of the banks.

What we are planning is to terminate all the Ethernet links coming from the different banks on an L3 switch, each in a different VLAN interface.

The purpose of creating VLANs on the L3 switch is to control the inter-VLAN traffic coming from the different banks and to filter that traffic at the L3 switch only.

Secondly, we will have the L3 switch connected to the PIX interface facing the Bank-Zone, as shown in the proposed topology attached.

We will create static NAT between the Bank-Zone interface subnet and various servers in the DMZ and internal network.

Subsequently we will allow the services for specific IPs only.

This way we will hide our inside and DMZ private IPs from the bank network, as the bank clients will connect to the NATed IPs to access servers in the DMZ and inside LAN.

Kindly suggest whether this is OK from a security perspective or whether we need to add any component.

It looks like you are setting this up very well; maybe tighten it up to allow only specific TCP services on the servers? And I would LOG, LOG, LOG all activity to/from these extranet partners.

Good points I see:

1: VLAN separation of banks from each other!

(access lists, no traffic between bank VLANs)

2: NAT of your internal servers to extranet

3: Access only to specific servers (NAT address) from the banks

(lock down to ports/services?)

I would think about adding an IDS/IPS component, to be sure that nobody attempts to circumvent your security arrangements.
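The design described in this thread (one VLAN per bank with inter-VLAN filtering on the L3 switch, static NAT on the PIX Bank-Zone interface, access limited to named hosts and TCP services, and everything logged to syslog), written out as an added configuration example. It is not from the original thread or from Cisco; every VLAN number, interface name, address and port below is a constructed placeholder, and the PIX section uses 6.x syntax (the `log` keyword on an `access-list` entry needs PIX 6.3 or later).

```cisco
! ===== L3 switch (Catalyst IOS): one VLAN per bank handoff =====
! All VLAN numbers and addresses are constructed placeholders.
vlan 101
 name BANK-A
vlan 102
 name BANK-B
!
interface Vlan101
 description Ethernet handoff from Bank A
 ip address 10.101.0.1 255.255.255.0
 ip access-group BANK-A-IN in
!
interface Vlan102
 description Ethernet handoff from Bank B
 ip address 10.102.0.1 255.255.255.0
 ip access-group BANK-B-IN in
!
! Uplink toward the PIX bank-zone interface; 10.200.0.0/24 is the NAT subnet
interface Vlan200
 description Uplink to PIX bank-zone
 ip address 10.200.0.2 255.255.255.0
!
! Each bank may only reach the NAT subnet; bank-to-bank traffic is dropped and logged
ip access-list extended BANK-A-IN
 deny   ip 10.101.0.0 0.0.0.255 10.102.0.0 0.0.0.255 log
 permit ip 10.101.0.0 0.0.0.255 10.200.0.0 0.0.0.255
 deny   ip any any log
ip access-list extended BANK-B-IN
 deny   ip 10.102.0.0 0.0.0.255 10.101.0.0 0.0.0.255 log
 permit ip 10.102.0.0 0.0.0.255 10.200.0.0 0.0.0.255
 deny   ip any any log

: ===== PIX (6.x syntax); lines starting with ':' are comments =====
: bank-zone sits below dmz (security50) and inside (security100)
nameif ethernet2 bank-zone security40
ip address bank-zone 10.200.0.1 255.255.255.0
: Return routes to the bank VLANs go via the L3 switch
route bank-zone 10.101.0.0 255.255.255.0 10.200.0.2 1
route bank-zone 10.102.0.0 255.255.255.0 10.200.0.2 1
:
: Static NAT: the DMZ and inside servers appear to the banks as bank-zone addresses,
: so the real 172.16.x / 192.168.x addresses are never seen on the bank side
static (dmz,bank-zone) 10.200.0.10 172.16.1.10 netmask 255.255.255.255 0 0
static (inside,bank-zone) 10.200.0.20 192.168.1.20 netmask 255.255.255.255 0 0
:
: Only named bank hosts, only named TCP services; everything else is dropped and logged
access-list BANK-IN permit tcp host 10.101.0.50 host 10.200.0.10 eq 443
access-list BANK-IN permit tcp host 10.102.0.50 host 10.200.0.10 eq 443
access-list BANK-IN permit tcp host 10.102.0.50 host 10.200.0.20 eq 1521
access-list BANK-IN deny ip any any log
access-group BANK-IN in interface bank-zone
:
: Deliberately no 'global (bank-zone)' entry: inside/DMZ hosts have no translation
: toward the banks, so they cannot open connections in that direction
:
: Log every connection and every ACL deny to an internal syslog collector
logging on
logging timestamp
logging trap informational
logging host inside 192.168.1.100
```

The two layers are intentionally redundant: the switch ACLs stop banks reaching each other before any packet touches the PIX, and the PIX ACL admits only the source host, NAT address and port pairs that were agreed with each bank. The final `deny ip any any log` on both devices is what turns the "LOG, LOG, LOG" advice into evidence: every rejected attempt from a partner network lands in syslog with its source address, which is also the feed an IDS/IPS placed on the bank-zone segment would be correlated against.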
