Four Interface Configuration

pixfirewall(config)# nameif ethernet0 outside sec0
pixfirewall(config)# nameif ethernet1 inside sec100
pixfirewall(config)# nameif ethernet2 dmz sec50
pixfirewall(config)# nameif ethernet3 partnernet sec20
pixfirewall(config)# ip address outside 192.168.0.2
pixfirewall(config)# ip address inside 10.0.0.1 255.255.255.0
pixfirewall(config)# ip address dmz 172.16.0.1 255.255.255.0
pixfirewall(config)# ip address partnernet 172.26.26.1 255.255.255.0
pixfirewall(config)# nat (inside) 1 10.0.0.0 255.255.255.0
pixfirewall(config)# global (outside) 1 192.168.0.10-192.168.0.254 netmask 255.255.255.0
pixfirewall(config)# global (dmz) 1 172.16.0.10-172.16.0.254 netmask 255.255.255.0
pixfirewall(config)# static (dmz,outside) 192.168.0.11 172.16.0.2
pixfirewall(config)# conduit permit tcp host 192.168.0.11 eq http any
pixfirewall(config)# static (dmz,partnernet) 172.26.26.11 172.16.0.2
pixfirewall(config)# conduit permit tcp host 172.26.26.11 eq http any

©2000, Cisco Systems, Inc. www.cisco.com CSPFA 1.01-2-26

In the figure above, the PIX Firewall has four interfaces. Users on all interfaces have access to all servers and hosts (inside, outside, DMZ, and partnernet).

Configuring four interfaces requires more attention to detail, but they are still configured with standard PIX Firewall commands. Enable users on an interface with a higher security level to access hosts on an interface with a lower security level by using the nat and global commands. For example, enable the inside interface to access the web server on the DMZ interface.

To let users on an interface with a lower security level (for example, users on the partnernet interface accessing the DMZ) reach hosts on an interface with a higher security level, use the static and conduit commands. As seen in the figure above, the partnernet has a security level of 40 and the DMZ has a security level of 50. The DMZ uses the nat and global commands to initiate traffic to the partnernet, and uses statics and conduits to receive traffic from the partnernet.

pixfirewall(config)# static (dmz,partnernet) 172.26.26.11 172.16.0.2
pixfirewall(config)# conduit permit tcp host 172.26.26.11 eq http any

The following table is a quick reference for when to use the nat command and when to use the static command between the interfaces of a multi-interface PIX Firewall.

From This Interface   To This Interface   Use This Command
-------------------   -----------------   ----------------
Inside                Outside             nat
Inside                DMZ                 nat
Inside                Partnernet          nat
DMZ                   Outside             nat
DMZ                   Partnernet          static
DMZ                   Inside              static
Partnernet            Outside             nat
Partnernet            DMZ                 nat
Partnernet            Inside              static
Outside               DMZ                 static
Outside               Partnernet          static
Outside               Inside              static
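As an added example (not part of the Cisco course material), the following Python script derives the nat-versus-static decision for every interface pair directly from the security levels in the nameif lines of the figure above, and lists the conduits that permit any source, which is the first thing a reviewer checks on a multi-interface PIX. The embedded config text is constructed from the figure's commands and the function names are my own.

```python
import re
from itertools import permutations

# Constructed sample: the nameif and conduit lines from the four-interface figure.
SAMPLE_CONFIG = """\
pixfirewall(config)# nameif ethernet0 outside sec0
pixfirewall(config)# nameif ethernet1 inside sec100
pixfirewall(config)# nameif ethernet2 dmz sec50
pixfirewall(config)# nameif ethernet3 partnernet sec20
pixfirewall(config)# conduit permit tcp host 192.168.0.11 eq http any
pixfirewall(config)# conduit permit tcp host 172.26.26.11 eq http any
"""

NAMEIF_RE = re.compile(r"^nameif\s+\S+\s+(\S+)\s+sec(\d+)$")
CONDUIT_RE = re.compile(r"^conduit\s+permit\s+(\S+)\s+host\s+(\S+)\s+eq\s+(\S+)\s+(.+)$")


def _commands(config):
    """Yield each command with the 'pixfirewall(config)# ' prompt stripped."""
    for line in config.splitlines():
        yield line.split("# ", 1)[-1].strip()


def parse_security_levels(config):
    """Map interface name -> security level, taken from the nameif lines."""
    levels = {}
    for cmd in _commands(config):
        m = NAMEIF_RE.match(cmd)
        if m:
            levels[m.group(1)] = int(m.group(2))
    return levels


def command_for(levels, src, dst):
    """Command pair that lets hosts on src initiate connections to hosts on dst.
    Higher-to-lower security uses nat/global; lower-to-higher needs static/conduit.
    PIX does not pass traffic between interfaces with equal security levels."""
    if levels[src] > levels[dst]:
        return "nat/global"
    if levels[src] < levels[dst]:
        return "static/conduit"
    return "not permitted"


def decision_table(levels):
    """Every ordered interface pair -> command pair, i.e. the quick-reference table."""
    return {(s, d): command_for(levels, s, d) for s, d in permutations(levels, 2)}


def any_source_conduits(config):
    """Conduits whose source is 'any': each opens the mapped host's port to every
    host on the lower-security side, so review these first."""
    return [(m.group(2), m.group(3)) for m in map(CONDUIT_RE.match, _commands(config))
            if m and m.group(4).strip() == "any"]


if __name__ == "__main__":
    lv = parse_security_levels(SAMPLE_CONFIG)
    for (src, dst), cmd in sorted(decision_table(lv).items()):
        print(f"{src:<10} -> {dst:<10} {cmd}")
    print("conduits open to any source:", any_source_conduits(SAMPLE_CONFIG))
```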
