ALLOW ACCESS TO INTERNAL DEVICE BEHIND PIX

 
 
vreyesii
 
      09-10-2006
Hi,

Here is the situation. I have an access server set up behind a firewall
and a few PCs and servers. Currently, the access server is connected to
the switch, which is in the 10.1.1.0 network. In the 10.1.1.0 network,
there are also servers and PCs that must be separated from the access
server somehow. I need some help to set this up so that from the
internet I can telnet into the access server through the PIX. However,
I want to make sure that after I telnet into the access server there is
no possible way that I can jump to another host which is located on the
10.1.1.0 network.

Thank You,

vreyesii

squid3570
 
      09-10-2006
1) Do you have a public address on the PIX?

2) Do you run NAT on the PIX?





vreyesii wrote:
> Hi,
>
> Here is the situation. I have an access server set up behind a firewall
> and a few PCs and servers. Currently, the access server is connected to
> the switch, which is in the 10.1.1.0 network. In the 10.1.1.0 network,
> there are also servers and PCs that must be separated from the access
> server somehow. I need some help to set this up so that from the
> internet I can telnet into the access server through the PIX. However,
> I want to make sure that after I telnet into the access server there is
> no possible way that I can jump to another host which is located on the
> 10.1.1.0 network.
>
> Thank You,
>
> vreyesii


Walter Roberson
 
      09-10-2006
In article <(E-Mail Removed) om>,
vreyesii <(E-Mail Removed)> wrote:

>Here is the situation. I have an access server set up behind a firewall
>and a few PCs and servers. Currently, the access server is connected to
>the switch, which is in the 10.1.1.0 network. In the 10.1.1.0 network,
>there are also servers and PCs that must be separated from the access
>server somehow. I need some help to set this up so that from the
>internet I can telnet into the access server through the PIX. However,
>I want to make sure that after I telnet into the access server there is
>no possible way that I can jump to another host which is located on the
>10.1.1.0 network.


You need to have the access server on a different internal network,
logically connected to a different PIX interface.

If you have a PIX 501, you will not be able to do this without adding
another firewall.

If you have a PIX 506 or 506E then you can do it provided that your
software is at least 6.3(3) and provided that your switch supports
802.1Q VLANs. If your switch does not support VLANs then you need to
either add a switch that does support them (and have 6.3(3) or later),
or else you need to add another firewall. If your 506 or 506E cannot
be upgraded to at least 6.3(3) for some reason, then you would need
to add another firewall.

If you have an older (pre 500-series) PIX, or a PIX 510 or 520, then
you will need to use an additional physical interface on the PIX.

If you have a PIX 515 or 515E or 525 or 535, and 6.3(1) or later,
you could proceed by way of VLANs. If you have those models but
older software, then you will need to use an additional physical
interface on the PIX.

 
vreyesii
 
      09-10-2006
Yes I do have a public IP address on the PIX. I need NAT to be running
on the PIX.
squid3570 wrote:
> 1) Do you have a public address on the PIX?
>
> 2) Do you run NAT on the PIX?
>
>
>
>
>
> vreyesii wrote:
> > Hi,
> >
> > Here is the situation. I have an access server set up behind a firewall
> > and a few PCs and servers. Currently, the access server is connected to
> > the switch, which is in the 10.1.1.0 network. In the 10.1.1.0 network,
> > there are also servers and PCs that must be separated from the access
> > server somehow. I need some help to set this up so that from the
> > internet I can telnet into the access server through the PIX. However,
> > I want to make sure that after I telnet into the access server there is
> > no possible way that I can jump to another host which is located on the
> > 10.1.1.0 network.
> >
> > Thank You,
> >
> > vreyesii


 
vreyesii
 
      09-10-2006
That is what I thought also. I need a firewall that has another DMZ
for this to work, correct?

Thanks,

vreyesii

Walter Roberson wrote:
> In article <(E-Mail Removed) om>,
> vreyesii <(E-Mail Removed)> wrote:
>
> >Here is the situation. I have an access server set up behind a firewall
> >and a few PCs and servers. Currently, the access server is connected to
> >the switch, which is in the 10.1.1.0 network. In the 10.1.1.0 network,
> >there are also servers and PCs that must be separated from the access
> >server somehow. I need some help to set this up so that from the
> >internet I can telnet into the access server through the PIX. However,
> >I want to make sure that after I telnet into the access server there is
> >no possible way that I can jump to another host which is located on the
> >10.1.1.0 network.

>
> You need to have the access server on a different internal network,
> logically connected to a different PIX interface.
>
> If you have a PIX 501, you will not be able to do this without adding
> another firewall.
>
> If you have a PIX 506 or 506E then you can do it provided that your
> software is at least 6.3(3) and provided that your switch supports
> 802.1Q VLANs. If your switch does not support VLANs then you need to
> either add a switch that does support them (and have 6.3(3) or later),
> or else you need to add another firewall. If your 506 or 506E cannot
> be upgraded to at least 6.3(3) for some reason, then you would need
> to add another firewall.
>
> If you have an older (pre 500-series) PIX, or a PIX 510 or 520, then
> you will need to use an additional physical interface on the PIX.
>
> If you have a PIX 515 or 515E or 525 or 535, and 6.3(1) or later,
> you could proceed by way of VLANs. If you have those models but
> older software, then you will need to use an additional physical
> interface on the PIX.


 
Walter Roberson
 
      09-10-2006
In article <(E-Mail Removed). com>,
vreyesii <(E-Mail Removed)> wrote:
>That is what I thought also. I need a firewall that has another DMZ
>for this to work, correct?


Yes, your firewall needs a DMZ to do what you want to do. That DMZ
can be a physical interface, or on a PIX 506, 506E, 515, 515E, 525
or 535 with appropriate software levels, it can be a "logical interface"
(which is an 802.1Q VLAN -- which requires that your connected switch
supports 802.1Q VLANs to take advantage of this possibility.)
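One way to build the DMZ Walter describes, as an added example that is not from the thread or from Cisco: a PIX 6.3 configuration that moves the access server onto an 802.1Q logical interface, permits only telnet to it from the outside, and gives the DMZ its own access-list that drops anything aimed at 10.1.1.0/24. The syntax is assumed from the PIX 6.3 command set (check it against the command reference for your release); all addresses, interface names and ACL names are constructed placeholders.

```cisco
! Added example, not from the thread. Assumes PIX 6.3(3) on a 506E and a
! switch that trunks 802.1Q on the inside port. Addresses are constructed:
! outside 203.0.113.1, inside 10.1.1.0/24 untagged on ethernet1,
! access server moved to a new DMZ 10.2.2.0/24 carried as VLAN 2.
interface ethernet0 auto
interface ethernet1 auto
interface ethernet1 vlan2 logical
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif vlan2 dmz security50
ip address outside 203.0.113.1 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
ip address dmz 10.2.2.1 255.255.255.0
! PAT for inside and DMZ hosts going out to the internet
global (outside) 1 interface
nat (inside) 1 10.1.1.0 255.255.255.0
nat (dmz) 1 10.2.2.0 255.255.255.0
! Fixed public address for the access server (10.2.2.10) and the only
! inbound hole: telnet from the internet to that address.
static (dmz,outside) 203.0.113.10 10.2.2.10 netmask 255.255.255.255
access-list outside_in permit tcp any host 203.0.113.10 eq telnet
access-group outside_in in interface outside
! DMZ egress policy: nothing from the DMZ may reach 10.1.1.0/24.
! Lower-to-higher traffic is already blocked while no static exists, but
! the explicit deny still holds if a "static (inside,dmz)" is added later
! for another purpose. Log hits so pivot attempts show up in syslog.
access-list dmz_out deny ip any 10.1.1.0 255.255.255.0 log
access-list dmz_out permit ip 10.2.2.0 255.255.255.0 any
access-group dmz_out in interface dmz
```

If the access server never needs to originate traffic to the internet, change the final permit to a deny so that the DMZ can only answer inbound sessions.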
 
vreyesii
 
      09-10-2006
Alright then thank you for your help.

vreyesii



Walter Roberson wrote:
> In article <(E-Mail Removed). com>,
> vreyesii <(E-Mail Removed)> wrote:
> >That is what I thought also. I need a firewall that has another DMZ
> >for this to work, correct?

>
> Yes, your firewall needs a DMZ to do what you want to do. That DMZ
> can be a physical interface, or on a PIX 506, 506E, 515, 515E, 525
> or 535 with appropriate software levels, it can be a "logical interface"
> (which is an 802.1Q VLAN -- which requires that your connected switch
> supports 802.1Q VLANs to take advantage of this possibility.)


 
squid3570
 
      09-10-2006
If you have a public NAT outside, you can map the local server to a free
local IP like:
ip nat inside source static 10.0.10.3 89.197.71.244







vreyesii wrote:
> Yes I do have a public IP address on the PIX. I need NAT to be running
> on the PIX.
> squid3570 wrote:
> > 1) Do u have public address on the PIX ?
> >
> > 2) Do run NAT on the PIX ?
> >
> >
> >
> >
> >
> > vreyesii wrote:
> > > Hi,
> > >
> > > Here is the situation. I have an access server set up behind a firewall
> > > and a few PCs and servers. Currently, the access server is connected to
> > > the switch, which is in the 10.1.1.0 network. In the 10.1.1.0 network,
> > > there are also servers and PCs that must be separated from the access
> > > server somehow. I need some help to set this up so that from the
> > > internet I can telnet into the access server through the PIX. However,
> > > I want to make sure that after I telnet into the access server there is
> > > no possible way that I can jump to another host which is located on the
> > > 10.1.1.0 network.
> > >
> > > Thank You,
> > >
> > > vreyesii


 
Walter Roberson
 
      09-10-2006
In article <(E-Mail Removed) .com>,
squid3570 <(E-Mail Removed)> wrote:
>If you have a public NAT outside, you can map the local server to a free
>local IP like:
>ip nat inside source static 10.0.10.3 89.197.71.244


The device in question is a PIX, which does not use that syntax.

Also, the solution you propose is not sufficient to prevent the
access-server from being used to talk to any of the other devices.