PIX 515E new DMZ

[DrGreen26]

Hi Everyone. I am still learning how to do things in the PIX firewall so as I gain knowledge with various areas I become more comfortable, however, this is something new and I am asking for input and help with doing it right the first time.

I need to create a new DMZ for an outside vendor to come in on. This connection is a secured private connection provided by AT&T global.

I have a class C public IP address of 32.X.X.0/24 of which .1 is assigned to the far end router and .2 is assigned to the router on my end.

I will need to perform static NAT's for multiple inside private 10.15.x.0 devices to each class c address.

The pix firewall does all our NAT'g and uses a 192.168.X.X internal NAT to hide the inside IP's. and I am assuming I got this right, if not, someone feel free to correct me.

Any ways, if one of you PIX firewall experts could provide some insigt I would greatly appreciate it..or a link with all the details etc.

Thank in advance



Mark C. Greenwood, CNE
m_jgreenwood@yahoo.com

With more than 10 years experience to share.

 

[DrGreen26]

I almost forgot we have a redundnat hot standby firewall as well and we use a vrtual IP address to tie the two together.

Mark C. Greenwood, CNE
m_jgreenwood@yahoo.com

With more than 10 years experience to share.

 

[308win]

you will need a static for every pair of addresses and a corresponding acl entry

static (inside,newdmz) 32.x.y.3 10.15.x.3 netmask 255.255.255.255
access-l newdmz permit tcp any host 32.x.y.3 eq 80 In this case assuming that .3 is a web server. Adjust for your needs. You can also replace the 'any' with a specific source address.