ALLOW ACCESS TO INTERNAL DEVICE BEHIND PIX

Discussion in 'Cisco' started by vreyesii, Sep 10, 2006.

  1. vreyesii

    vreyesii Guest

    Hi,

    Here is the situation. I have an access server set up behind a firewall
    and a few PCs and servers. Currently, the access server is connected to
    the switch, which is in the 10.1.1.0 network. In the 10.1.1.0 network,
    there are also servers and PCs that must be separated from the access
    server somehow. I need some help to set this up so that from the
    internet I can telnet into the access server through the PIX. However,
    I want to make sure that after I telnet into the access server there is
    no possible way that I can jump to another host which is located on the
    10.1.1.0 network.

    Thank You,

    vreyesii
    vreyesii, Sep 10, 2006
    #1

  2. squid3570

    squid3570 Guest

    1) Do you have a public address on the PIX?

    2) Do you run NAT on the PIX?

    vreyesii wrote:
    > Hi,
    >
    > Here is the situation. I have an access server set up behind a firewall
    > and a few PCs and servers. Currently, the access server is connected to
    > the switch, which is in the 10.1.1.0 network. In the 10.1.1.0 network,
    > there are also servers and PCs that must be separated from the access
    > server somehow. I need some help to set this up so that from the
    > internet I can telnet into the access server through the PIX. However,
    > I want to make sure that after I telnet into the access server there is
    > no possible way that I can jump to another host which is located on the
    > 10.1.1.0 network.
    >
    > Thank You,
    >
    > vreyesii
    squid3570, Sep 10, 2006
    #2

  3. In article <>,
    vreyesii <> wrote:

    >Here is the situation. I have an access server set up behind a firewall
    >and a few PCs and servers. Currently, the access server is connected to
    >the switch, which is in the 10.1.1.0 network. In the 10.1.1.0 network,
    >there are also servers and PCs that must be separated from the access
    >server somehow. I need some help to set this up so that from the
    >internet I can telnet into the access server through the PIX. However,
    >I want to make sure that after I telnet into the access server there is
    >no possible way that I can jump to another host which is located on the
    >10.1.1.0 network.


    You need to have the access server on a different internal network,
    logically connected to a different PIX interface.

    If you have a PIX 501, you will not be able to do this without adding
    another firewall.

    If you have a PIX 506 or 506E then you can do it provided that your
    software is at least 6.3(3) and provided that your switch supports
    802.1Q VLANs. If your switch does not support VLANs then you need to
    either add a switch that does support them (and have 6.3(3) or later),
    or else you need to add another firewall. If your 506 or 506E cannot
    be upgraded to at least 6.3(3) for some reason, then you would need
    to add another firewall.

    If you have an older (pre 500-series) PIX, or a PIX 510 or 520, then
    you will need to use an additional physical interface on the PIX.

    If you have a PIX 515 or 515E or 525 or 535, and 6.3(1) or later,
    you could proceed by way of VLANs. If you have those models but
    older software, then you will need to use an additional physical
    interface on the PIX.
    Walter Roberson, Sep 10, 2006
    #3
  4. vreyesii

    vreyesii Guest

    Yes I do have a public IP address on the PIX. I need NAT to be running
    on the PIX.
    squid3570 wrote:
    > 1) Do you have a public address on the PIX?
    >
    > 2) Do you run NAT on the PIX?
    >
    > vreyesii wrote:
    > > Hi,
    > >
    > > Here is the situation. I have an access server set up behind a firewall
    > > and a few PCs and servers. Currently, the access server is connected to
    > > the switch, which is in the 10.1.1.0 network. In the 10.1.1.0 network,
    > > there are also servers and PCs that must be separated from the access
    > > server somehow. I need some help to set this up so that from the
    > > internet I can telnet into the access server through the PIX. However,
    > > I want to make sure that after I telnet into the access server there is
    > > no possible way that I can jump to another host which is located on the
    > > 10.1.1.0 network.
    > >
    > > Thank You,
    > >
    > > vreyesii
    vreyesii, Sep 10, 2006
    #4
  5. vreyesii

    vreyesii Guest

    That is what I thought also. I need a firewall that has another DMZ
    for this to work, correct?

    Thanks,

    vreyesii

    Walter Roberson wrote:
    > In article <>,
    > vreyesii <> wrote:
    >
    > >Here is the situation. I have an access server set up behind a firewall
    > >and a few PCs and servers. Currently, the access server is connected to
    > >the switch, which is in the 10.1.1.0 network. In the 10.1.1.0 network,
    > >there are also servers and PCs that must be separated from the access
    > >server somehow. I need some help to set this up so that from the
    > >internet I can telnet into the access server through the PIX. However,
    > >I want to make sure that after I telnet into the access server there is
    > >no possible way that I can jump to another host which is located on the
    > >10.1.1.0 network.

    >
    > You need to have the access server on a different internal network,
    > logically connected to a different PIX interface.
    >
    > If you have a PIX 501, you will not be able to do this without adding
    > another firewall.
    >
    > If you have a PIX 506 or 506E then you can do it provided that your
    > software is at least 6.3(3) and provided that your switch supports
    > 802.1Q VLANs. If your switch does not support VLANs then you need to
    > either add a switch that does support them (and have 6.3(3) or later),
    > or else you need to add another firewall. If your 506 or 506E cannot
    > be upgraded to at least 6.3(3) for some reason, then you would need
    > to add another firewall.
    >
    > If you have an older (pre 500-series) PIX, or a PIX 510 or 520, then
    > you will need to use an additional physical interface on the PIX.
    >
    > If you have a PIX 515 or 515E or 525 or 535, and 6.3(1) or later,
    > you could proceed by way of VLANs. If you have those models but
    > older software, then you will need to use an additional physical
    > interface on the PIX.
    vreyesii, Sep 10, 2006
    #5
  6. In article <>,
    vreyesii <> wrote:
    >That is what I thought also. I need a firewall that has another DMZ
    >for this to work, correct?


    Yes, your firewall needs a DMZ to do what you want to do. That DMZ
    can be a physical interface, or on a PIX 506, 506E, 515, 515E, 525
    or 535 with appropriate software levels, it can be a "logical interface"
    (which is an 802.1Q VLAN -- which requires that your connected switch
    supports 802.1Q VLANs to take advantage of this possibility.)
    Walter Roberson, Sep 10, 2006
    #6
  7. vreyesii

    vreyesii Guest

    Alright then thank you for your help.

    vreyesii



    Walter Roberson wrote:
    > In article <>,
    > vreyesii <> wrote:
    > >That is what I thought also. I need a firewall that has another DMZ
    > >for this to work, correct?

    >
    > Yes, your firewall needs a DMZ to do what you want to do. That DMZ
    > can be a physical interface, or on a PIX 506, 506E, 515, 515E, 525
    > or 535 with appropriate software levels, it can be a "logical interface"
    > (which is an 802.1Q VLAN -- which requires that your connected switch
    > supports 802.1Q VLANs to take advantage of this possibility.)
    vreyesii, Sep 10, 2006
    #7
  8. squid3570

    squid3570 Guest

    If you have a public NAT outside, you can map the local server to a free
    local IP like:
    ip nat inside source static 10.0.10.3 89.197.71.244

    vreyesii wrote:
    > Yes I do have a public IP address on the PIX. I need NAT to be running
    > on the PIX.
    > squid3570 wrote:
    > > 1) Do you have a public address on the PIX?
    > >
    > > 2) Do you run NAT on the PIX?
    > >
    > > vreyesii wrote:
    > > > Hi,
    > > >
    > > > Here is the situation. I have an access server set up behind a firewall
    > > > and a few PCs and servers. Currently, the access server is connected to
    > > > the switch, which is in the 10.1.1.0 network. In the 10.1.1.0 network,
    > > > there are also servers and PCs that must be separated from the access
    > > > server somehow. I need some help to set this up so that from the
    > > > internet I can telnet into the access server through the PIX. However,
    > > > I want to make sure that after I telnet into the access server there is
    > > > no possible way that I can jump to another host which is located on the
    > > > 10.1.1.0 network.
    > > >
    > > > Thank You,
    > > >
    > > > vreyesii
    squid3570, Sep 10, 2006
    #8
  9. In article <>,
    squid3570 <> wrote:
    >If you have a public NAT outside, you can map the local server to a free
    >local IP like:
    >ip nat inside source static 10.0.10.3 89.197.71.244


    The device in question is a PIX, which does not use that syntax.

    Also, the solution you propose is not sufficient to prevent the
    access-server from being used to talk to any of the other devices.
    Walter Roberson, Sep 10, 2006
    #9
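    The advice in #3 and #6 (put the access server on its own DMZ, which on a
    506/506E/515/515E/525/535 with 6.3(3) or later can be an 802.1Q logical
    interface) and the objection in #9 (a NAT mapping alone does not stop the
    access server from talking to the rest of the LAN) fit together in one
    PIX 6.3 configuration. The following is an added example for this thread,
    not a configuration posted by anyone in it and not Cisco's own sample;
    every interface name, VLAN ID, address (203.0.113.0/24 stands in for the
    public side) and ACL name is an assumption, and lines beginning with "!"
    are explanatory comments to strip before pasting.

    ```cisco
    ! Added example (not from the thread). Assumed layout:
    !   inside  = 10.1.1.0/24, the existing servers and PCs, VLAN 10 on ethernet1
    !   dmz     = 10.1.2.0/24, the access server at 10.1.2.10, VLAN 20 on ethernet1
    !   outside = ethernet0, public address 203.0.113.10 reserved for the access server
    !
    ! --- interfaces: one physical inside port carrying a tagged DMZ VLAN ---
    ! PIX 6.3 "interface <hw_id> vlan<id> {physical|logical}" syntax; the switch
    ! port facing ethernet1 must be an 802.1Q trunk carrying VLAN 10 and VLAN 20.
    interface ethernet0 auto
    interface ethernet1 100full
    interface ethernet1 vlan10 physical
    interface ethernet1 vlan20 logical
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif vlan20 dmz security50
    ip address outside 203.0.113.2 255.255.255.0
    ip address inside 10.1.1.1 255.255.255.0
    ip address dmz 10.1.2.1 255.255.255.0
    route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
    !
    ! --- NAT: inside and dmz hosts share the outside address when going out ---
    global (outside) 1 interface
    nat (inside) 1 10.1.1.0 255.255.255.0
    nat (dmz) 1 10.1.2.0 255.255.255.0
    ! One-to-one mapping of the access server to its own public address.
    ! This is the PIX counterpart of the IOS "ip nat inside source static"
    ! line quoted in #8; on its own it only makes the box reachable.
    static (dmz,outside) 203.0.113.10 10.1.2.10 netmask 255.255.255.255
    !
    ! --- outside -> dmz: telnet only, and only to the access server ---
    access-list outside_in permit tcp any host 203.0.113.10 eq telnet
    access-group outside_in in interface outside
    !
    ! --- dmz -> anywhere: the point raised in #9 ---
    ! A lower security level already blocks dmz -> inside by default, but an
    ! explicit deny on the dmz interface keeps the rule visible in "show
    ! access-list" hit counts and survives a later change of security levels.
    access-list dmz_out deny ip any 10.1.1.0 255.255.255.0
    access-list dmz_out permit ip any any
    access-group dmz_out in interface dmz
    ```

    With this in place a session that telnets to 203.0.113.10 lands on the
    access server in the DMZ, and any attempt from that box toward
    10.1.1.0/24 is dropped (and counted) by the first entry of dmz_out. If
    staff on the inside network need to manage the access server, that
    direction still has to be permitted separately; nothing above allows it.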