Cisco PIX 515 Multi-Interface help.

I am currently working on a project with a Cisco PIX 515 with 5
ethernet interfaces.

The PIX only has one routeable external address to work with which is
assigned to the external interface.

The internal interface has a 192.168.0.0/21 network for all the
internal machines and servers.

The other 4 interfaces are set up with security levels 20, 40, 60 and
80. These interfaces have limited machines behind them such as a Cisco
ACS appliance on one, Cisco VPN Concentrator on another, and web and
database servers on the other two. On these interfaces we use the
following networks:

192.168.20.0/24 (intf2)
192.168.40.0/24 (intf3)
192.168.60.0/24 (intf4)
192.168.80.0/24 (intf5)

I am having a bear of a time trying to set up access control between
these interfaces.   I can get the PIX to work allowing the Internal 100
interface access outside but at the same time granting full open access
to the other interfaces which is something we don't want to do.

I want to be able to lock down all of the interfaces so only selected
traffic can pass between them as well as assigning egress rules for all
the interfaces.

I.e.:

Internal interface can access outside only on ports 80, 443, 22, etc.
Internal interface can access intf2 (192.168.20.0) only on ports 443
and 80.
intf4 can access intf2 only on port 443.

We also have a VPN configured on this PIX for remote clients to gain
access to the 192.168.0.0/21 network.

I have a lot of rules of this nature, but I'm just having a tough time
getting the configuration down in order to be able to build out all
these rules. If any of you bright folks could look at the relevant
portions of the configuration below and give me some pointers, it
would be greatly appreciated!

----


interface ethernet0 auto
interface ethernet1 100full
interface ethernet2 100full
interface ethernet3 100full
interface ethernet4 100full
interface ethernet5 100full

nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security20
nameif ethernet3 intf3 security40
nameif ethernet4 intf4 security60
nameif ethernet5 intf5 security80

access-list ipsecpass permit esp any any
access-list ipsecpass permit udp any any eq 50
access-list ipsecpass permit udp any any eq isakmp
access-list ipsecpass permit udp any any eq 4500
access-list ipsecpass permit udp any any eq 2746
access-list splittunneling permit ip any any
access-list splittunneling permit ip 192.168.1.0 255.255.255.0 192.168.254.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any 192.168.7.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any 192.168.254.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip any 192.168.7.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip any 192.168.254.0 255.255.255.0
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.254.0 255.255.255.0
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.20.0 255.255.255.0

ip address outside 172.16.0.230 255.255.255.0
ip address inside 192.168.0.1 255.255.248.0
ip address intf2 192.168.20.1 255.255.255.0
ip address intf3 192.168.40.1 255.255.255.0
ip address intf4 192.168.60.1 255.255.255.0
ip address intf5 192.168.80.1 255.255.255.0

ip verify reverse-path interface outside

ip local pool vpnpool 192.168.7.10-192.168.7.250
ip local pool remote 192.168.250.1-192.168.250.10

global (outside) 10 interface
global (intf2) 10 192.168.20.2-192.168.20.254
global (intf3) 10 192.168.40.2-192.168.40.254
global (intf4) 10 192.168.60.2-192.168.60.254
global (intf5) 10 192.168.80.2-192.168.80.254

nat (inside) 0 access-list nonat
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
nat (intf2) 10 0.0.0.0 0.0.0.0 0 0
nat (intf3) 10 0.0.0.0 0.0.0.0 0 0
nat (intf4) 10 0.0.0.0 0.0.0.0 0 0
nat (intf5) 10 0.0.0.0 0.0.0.0 0 0

access-group ipsecpass in interface outside

route outside 0.0.0.0 0.0.0.0 172.16.0.1 1

0
Reply plarkin (1) 2/15/2006 4:08:35 PM

In article <1140019715.374763.258610@g43g2000cwa.googlegroups.com>,
Apophis <plarkin@gmail.com> wrote:
>I am currently working on a project with a Cisco PIX 515 with 5
>ethernet interfaces.

>I want to be able to lock down all of the interfaces so only selected
>traffic can pass between them as well as assigning egress rules for all
>the interfaces.

>access-group ipsecpass in interface outside

You need additional access-group commands, one per interface.

The "source" traffic for each is the private IPs for hosts behind
that interface.

The "destination" traffic for each is the private IP for hosts
at lower security levels, and the public IPs for hosts at higher
security levels. Another way of putting this is that each
interface is "outside" relative to higher-security interfaces,
but "inside" relative to lower-security interfaces.
0
Reply roberson 2/16/2006 3:43:48 AM
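Putting roberson's rule into concrete commands for the three example rules in the original question. This is an added example, not configuration from either poster; it assumes PIX 6.x syntax matching the posted config and reuses its interface names and networks. Host addresses such as 192.168.20.200 and 192.168.5.20 are placeholders.

```cisco
! Added example (not from the original thread). PIX 6.x syntax assumed.

! --- Rule 1 and 2: inside (security100) egress ---
! Higher -> lower traffic: the ACL destination is the real private address
! of the lower-security network, since only the inside host is translated
! by nat (inside) 10 / global (intf2) 10.
access-list inside_in permit tcp 192.168.0.0 255.255.248.0 192.168.20.0 255.255.255.0 eq 443
access-list inside_in permit tcp 192.168.0.0 255.255.248.0 192.168.20.0 255.255.255.0 eq 80
! "any" in the Internet rules below would also match the other four
! interface networks, so deny them explicitly first.
access-list inside_in deny ip 192.168.0.0 255.255.248.0 192.168.20.0 255.255.255.0
access-list inside_in deny ip 192.168.0.0 255.255.248.0 192.168.40.0 255.255.255.0
access-list inside_in deny ip 192.168.0.0 255.255.248.0 192.168.60.0 255.255.255.0
access-list inside_in deny ip 192.168.0.0 255.255.248.0 192.168.80.0 255.255.255.0
! Internet access only on the listed ports; the implicit deny drops the rest.
access-list inside_in permit tcp 192.168.0.0 255.255.248.0 any eq 80
access-list inside_in permit tcp 192.168.0.0 255.255.248.0 any eq 443
access-list inside_in permit tcp 192.168.0.0 255.255.248.0 any eq 22
access-group inside_in in interface inside

! --- Rule 3: intf4 (security60) may reach intf2 (security20) on 443 only ---
! Again higher -> lower, so the destination is intf2's private network.
access-list intf4_in permit tcp 192.168.60.0 255.255.255.0 192.168.20.0 255.255.255.0 eq 443
access-group intf4_in in interface intf4

! --- Lower -> higher, e.g. intf2 (security20) to a database on inside ---
! Needs a static translation, and the ACL destination is the translated
! address as seen from intf2 (192.168.20.200 -> placeholder inside host
! 192.168.5.20), which is the "public IP" case in roberson's reply.
static (inside,intf2) 192.168.20.200 192.168.5.20 netmask 255.255.255.255
access-list intf2_in permit tcp 192.168.20.0 255.255.255.0 host 192.168.20.200 eq 1433
access-group intf2_in in interface intf2
```

Two things to check against the posted config when extending this to intf3 and intf5. First, an interface with no access-group keeps the default behaviour (higher-to-lower traffic allowed, lower-to-higher blocked), so every interface that must be locked down needs its own list, and if inside hosts are expected to initiate connections to VPN clients, the inside list also needs a permit toward the VPN pool. Second, the vpnpool range 192.168.7.10-192.168.7.250 falls inside the inside interface's 192.168.0.0/21, so VPN clients and inside hosts share a subnet; moving the pool outside that block avoids that overlap. Also, in the posted ipsecpass list, "permit esp any any" already covers ESP (IP protocol 50); "udp any any eq 50" matches UDP port 50, not ESP, and can be dropped.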

