Access Lists
Begin by naming and assigning security levels to the two interfaces not already
defined on the PIX:
PIX1(config)# nameif ethernet2 dmz security40
PIX1(config)# nameif ethernet3 dbdmz security60
Now bring the interfaces online:
PIX1(config)# interface ethernet0 auto
PIX1(config)# interface ethernet1 auto
PIX1(config)# interface ethernet2 auto
PIX1(config)# interface ethernet3 auto
Assign an IP address to each interface:
PIX1(config)# ip address inside 172.16.0.1 255.240.0.0
PIX1(config)# ip address outside 10.1.1.1 255.255.255.0
PIX1(config)# ip address dmz 192.168.10.1 255.255.255.0
PIX1(config)# ip address dbdmz 192.168.20.1 255.255.255.0
Assign a default route to the PIX:
PIX1(config)# route outside 0.0.0.0 0.0.0.0 10.1.1.254
Create the access lists that will be used later to exempt traffic from NAT (note that PIX access lists take real subnet masks, not IOS-style wildcard masks):
PIX1(config)# access-list nonatinside permit ip 172.16.0.0 255.240.0.0 192.168.10.0 255.255.255.0
PIX1(config)# access-list nonatinside permit ip 172.16.0.0 255.240.0.0 192.168.20.0 255.255.255.0
PIX1(config)# access-list nonatdbdmz permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
Create a global pool using PAT for the inside network:
PIX1(config)# global (outside) 1 10.1.1.2
Global 10.1.1.2 will be Port Address Translated
Bypass NAT where needed (nat 0 with an access list exempts the matched traffic from translation):
PIX1(config)# nat (inside) 0 access-list nonatinside
PIX1(config)# nat (dbdmz) 0 access-list nonatdbdmz
www.syngress.com
Passing Traffic • Chapter 3 125
Enable NAT on the inside interface and map it to global pool 1:
PIX1(config)# nat (inside) 1 0 0
Create static translations so that hosts behind the lower-security interfaces can be reached from the higher-numbered side (the dbdmz entry is an identity translation, so the database addresses are not changed):
PIX1(config)# static (dmz,outside) 10.1.1.10 192.168.10.10
PIX1(config)# static (dmz,outside) 10.1.1.11 192.168.10.11
PIX1(config)# static (dmz,outside) 10.1.1.12 192.168.10.12
PIX1(config)# static (dbdmz,dmz) 192.168.20.0 192.168.20.0 netmask 255.255.255.0
Configure names for the public addresses of the DMZ servers (these names can then be used in place of the addresses in access lists):
PIX1(config)# names
PIX1(config)# name 10.1.1.10 dns
PIX1(config)# name 10.1.1.11 mail
PIX1(config)# name 10.1.1.12 web
Configure object groups:
PIX1(config)# object-group network dbhosts
PIX1(config-network)# network-object host 192.168.20.10
PIX1(config-network)# network-object host 192.168.20.20
PIX1(config-network)# exit
PIX1(config)# object-group network dmzhosts
PIX1(config-network)# network-object host 192.168.10.10
PIX1(config-network)# network-object host 192.168.10.11
PIX1(config-network)# network-object host 192.168.10.12
PIX1(config-network)# exit
PIX1(config)# object-group icmp-type icmp-outside-in
PIX1(config-icmp-type)# icmp-object echo-reply
PIX1(config-icmp-type)# icmp-object time-exceeded
PIX1(config-icmp-type)# icmp-object unreachable
PIX1(config-icmp-type)# exit
Configure the access lists for each interface. Two points to keep in mind while reading them: the PIX is stateful, so reply traffic for a permitted connection never needs its own entry, and an entry that matches on a source port (the dbdmz_in sqlnet line) only applies to connections that the database hosts themselves originate. Also, the outside_in anti-spoofing entries deny the whole of 10.0.0.0/8 as a source, which in this example includes the outside subnet 10.1.1.0/24 and the next-hop router; in production the outside addresses would be public space, so the private and reserved source ranges denied here do not collide with them.
PIX1(config)# access-list inside_in deny tcp 172.16.0.0 255.240.0.0 any eq pop3
PIX1(config)# access-list inside_in deny tcp 172.16.0.0 255.240.0.0 any eq 143
PIX1(config)# access-list inside_in permit ip 172.16.0.0 255.240.0.0 any
PIX1(config)# access-list inside_in permit icmp 172.16.0.0 255.240.0.0 any
PIX1(config)# access-list dbdmz_in permit tcp object-group dbhosts eq sqlnet 192.168.10.0 255.255.255.0
PIX1(config)# access-list dbdmz_in permit icmp 192.168.20.0 255.255.255.0 172.16.0.0 255.255.0.0
PIX1(config)# access-list dbdmz_in deny ip any any
PIX1(config)# access-list dmz_in permit tcp host 192.168.10.11 any eq smtp
PIX1(config)# access-list dmz_in permit tcp host 192.168.10.10 any eq domain
PIX1(config)# access-list dmz_in permit udp host 192.168.10.10 any eq domain
PIX1(config)# access-list dmz_in permit tcp object-group dmzhosts any eq http
PIX1(config)# access-list dmz_in permit tcp host 192.168.10.12 object-group dbhosts eq sqlnet
PIX1(config)# access-list dmz_in permit icmp object-group dmzhosts 172.16.0.0 255.255.0.0
PIX1(config)# access-list outside_in deny ip 0.0.0.0 255.0.0.0 any
PIX1(config)# access-list outside_in deny ip 10.0.0.0 255.0.0.0 any
PIX1(config)# access-list outside_in deny ip 127.0.0.0 255.0.0.0 any
PIX1(config)# access-list outside_in deny ip 172.16.0.0 255.240.0.0 any
PIX1(config)# access-list outside_in deny ip 192.168.0.0 255.255.0.0 any
PIX1(config)# access-list outside_in deny ip 224.0.0.0 224.0.0.0 any
PIX1(config)# access-list outside_in permit tcp any host web eq http
PIX1(config)# access-list outside_in permit tcp any host mail eq smtp
PIX1(config)# access-list outside_in permit tcp any host dns eq domain
PIX1(config)# access-list outside_in permit udp any host dns eq domain
PIX1(config)# access-list outside_in permit icmp any 10.1.1.0 255.255.255.0 object-group icmp-outside-in
PIX1(config)# access-list outside_in deny icmp any 10.1.1.0 255.255.255.0
PIX1(config)# access-list outside_in deny ip any any
Apply the access lists to the appropriate interfaces (one inbound access group per interface; anything not explicitly permitted is dropped by the implicit deny at the end of each list):
PIX1(config)# access-group outside_in in interface outside
PIX1(config)# access-group inside_in in interface inside
PIX1(config)# access-group dmz_in in interface dmz
PIX1(config)# access-group dbdmz_in in interface dbdmz
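As an added check before applying a list to an interface, the following Python evaluator (example code written for this page, not code from the book or from Cisco) parses the name, object-group and access-list lines built up above and applies the PIX's first-match semantics with the implicit deny at the end, so you can ask which entry a given packet hits. It assumes the PIX 6.x syntax shown on the page, a small service-name table, and constructed test packets (the outside source 203.0.113.5 and the spoofed source 10.9.9.9 are invented); it does not model NAT, the connection table or the static translations, so the destination address you give it is the one seen on that interface (the public 10.1.1.x addresses for outside_in).

```python
import ipaddress

# Constructed excerpt of the access-list-related lines from this page (PIX 6.x syntax).
PIX_CONFIG = """
name 10.1.1.10 dns
name 10.1.1.11 mail
name 10.1.1.12 web
object-group network dbhosts
 network-object host 192.168.20.10
 network-object host 192.168.20.20
object-group icmp-type icmp-outside-in
 icmp-object echo-reply
 icmp-object time-exceeded
 icmp-object unreachable
access-list dbdmz_in permit tcp object-group dbhosts eq sqlnet 192.168.10.0 255.255.255.0
access-list dbdmz_in deny ip any any
access-list outside_in deny ip 0.0.0.0 255.0.0.0 any
access-list outside_in deny ip 10.0.0.0 255.0.0.0 any
access-list outside_in deny ip 127.0.0.0 255.0.0.0 any
access-list outside_in deny ip 172.16.0.0 255.240.0.0 any
access-list outside_in deny ip 192.168.0.0 255.255.0.0 any
access-list outside_in deny ip 224.0.0.0 224.0.0.0 any
access-list outside_in permit tcp any host web eq http
access-list outside_in permit udp any host dns eq domain
access-list outside_in permit icmp any 10.1.1.0 255.255.255.0 object-group icmp-outside-in
access-list outside_in deny icmp any 10.1.1.0 255.255.255.0
access-list outside_in deny ip any any
"""

# Minimal service-name table (assumed subset of the PIX's built-in names).
SERVICES = {"http": 80, "smtp": 25, "domain": 53, "pop3": 110, "imap": 143, "sqlnet": 1521}


def _addr(tokens, i, names, groups):
    """Parse one address spec at tokens[i]; return (match(ip) -> bool, next index)."""
    tok = tokens[i]
    if tok == "any":
        return (lambda ip: True), i + 1
    if tok == "object-group":
        nets = groups[tokens[i + 1]]
        return (lambda ip: any(ip in n for n in nets)), i + 2
    if tok == "host":
        net = ipaddress.ip_network(names.get(tokens[i + 1], tokens[i + 1]))
        return (lambda ip: ip in net), i + 2
    # PIX access lists take real subnet masks, not IOS-style wildcard masks.
    net = ipaddress.ip_network(f"{names.get(tok, tok)}/{tokens[i + 1]}", strict=False)
    return (lambda ip: ip in net), i + 2


def _port(tokens, i):
    """Parse an optional 'eq <service|number>' at tokens[i]; any port if absent."""
    if i < len(tokens) and tokens[i] == "eq":
        want = SERVICES.get(tokens[i + 1]) or int(tokens[i + 1])
        return (lambda p: p == want), i + 2
    return (lambda p: True), i


def parse_pix(config):
    """Return {acl_name: [rule, ...]} with names and object-groups resolved."""
    names, groups, acls, current = {}, {}, {}, None
    for raw in config.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "name":                     # name <ip> <label>
            names[t[2]] = t[1]
        elif t[0] == "object-group":           # object-group network|icmp-type <name>
            current = groups.setdefault(t[2], [])
        elif t[0] == "network-object":         # network-object host <ip>
            current.append(ipaddress.ip_network(t[2]))
        elif t[0] == "icmp-object":
            current.append(t[1])
        elif t[0] == "access-list":
            name, action, proto = t[1], t[2], t[3]
            src, i = _addr(t, 4, names, groups)
            sport, i = _port(t, i)             # a port right after the source is a SOURCE port
            dst, i = _addr(t, i, names, groups)
            dport, i = _port(t, i)
            icmp = None                        # None means any ICMP type
            if proto == "icmp" and i < len(t):
                icmp = set(groups[t[i + 1]]) if t[i] == "object-group" else {t[i]}
            acls.setdefault(name, []).append(dict(
                text=raw.strip(), action=action, proto=proto, src=src,
                sport=sport, dst=dst, dport=dport, icmp=icmp))
    return acls


def evaluate(acls, acl, proto, src, dst, sport=0, dport=0, icmp_type=None):
    """First-match lookup; returns (action, matching line), or the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in acls.get(acl, []):
        if r["proto"] not in ("ip", proto):
            continue
        if not (r["src"](s) and r["sport"](sport) and r["dst"](d) and r["dport"](dport)):
            continue
        if r["icmp"] is not None and icmp_type not in r["icmp"]:
            continue
        return r["action"], r["text"]
    return "deny", "implicit deny at end of access list"


if __name__ == "__main__":
    acls = parse_pix(PIX_CONFIG)
    print(evaluate(acls, "outside_in", "tcp", "203.0.113.5", "10.1.1.12", 40000, 80))
    print(evaluate(acls, "outside_in", "tcp", "10.9.9.9", "10.1.1.12", 40000, 80))
```

Running it shows the two behaviours worth verifying by hand: a packet from a 10.x source is caught by the anti-spoofing deny before it ever reaches the web permit, and the dbdmz_in sqlnet entry only matches when 1521 is the source port, so a database host opening a new connection to a DMZ server on port 1521 falls through to the deny.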