Three Interface Configuration

Bastion Host

e1

.1

10.0.0.0/24

pixfirewall(config)# nameif ethernetO outside secO

pixfirewall(config)# nameif ethernetl inside seclOO

pixfirewall (config)# nameif ethernet2 dmz sec5O

pixfirewall(config)# ip address outside

192.168.O.2 255.255.255.O pixfirewall(config)# ip address inside 1O.O . O.1

255.255.255.O pixfirewall(config)# ip address dmz 172.16.O.1 255.255.255.O

pixfirewall(config)# nat (inside) 1 1O.O.O.O

255.255.255.O pixfirewall(config)# global (outside) 1 192.168.O.1O-192.168.O.254 netmask 255.255.255.O pixfirewall(config)# global (dmz) 1 172.16.O.1O-172.16.O.254 netmask 255.255.255.O

pixfirewall (config)# static (dmz ,outside)

192.168.O.11 172.16.O.2 pixfirewall(config)# conduit permit tcp host 192.168.O.11 eq http any

©2000, Cisco Systems,

CSPFA 1.01-2-25

A third interface is configured as shown in the figure above. When your PIX

Firewall is equipped with three or more interfaces, use the following guidelines to configure it while employing NAT:

■ The outside interface cannot be renamed or given a different security level.

■ An interface is always "outside" with respect to another interface that has a higher security level. Packets cannot flow between interfaces that have the same security level.

■ Use a single default route statement to the outside interface only. Set the default route with the route command.

■ Use the nat command to let users on the respective interfaces start outbound connections. Associate the natid with the globalid in the global command statement. The valid ID numbers can be any positive number up to two billion.

■ After you have cmpleted a configuration in which you add, change, or remove a global statement, save the configuration, and enter the clear xlate command so that the IP addresses will be updated in the translation table.

■ To permit access to servers on protected networks, use the static and conduit commands.

0 0

Post a comment