Book Excerpt: Cisco Secure Internet Security Solutions - part 4 - Page 6

By Cisco Press | Posted Sep 27, 2001

Additional Single-DMZ Configuration Considerations
The remaining changes to this configuration involve commands that were previously examined in this chapter. You added a new nat statement with the interface set as public to allow for translation of the public DMZ to global addresses. This eliminates the chance that anyone from the outside will see any traffic on the inside network. You can use NAT on all of the public hosts and add them to the common global pool. The command used is as follows:

 nat (public) 1 192.168.2.1 255.255.255.0 0 0
Next, you change the static NAT for the Web, FTP, and e-mail servers from the inside interface to the public interface. The new lines read:
 static (public, outside) 192.168.1.30 192.168.2.30
 static (public, outside) 192.168.1.35 192.168.2.35
 static (public, outside) 192.168.1.49 192.168.2.49
If you were using the previous configuration, you would have needed to remove the old static translations using the no form of the static command. You also added a new conduit statement. This statement allows any Oracle database traffic from the Web server on the public interface to enter into your inside LAN. The PIX Firewall uses port 1521 for SQL*Net. This is also the default port used by Oracle for SQL*Net, despite the fact that this value does not agree with Internet Assigned Numbers Authority (IANA) port assignments.

Because the Web server has a database running in the background, you need to allow traffic from this Web server to enter into the LAN and talk to the Oracle database servers. These tasks are accomplished with the following lines:

 conduit permit tcp host 192.168.1.30 eq http any
 conduit permit tcp host 192.168.1.35 eq ftp any
 conduit permit tcp host 192.168.1.49 eq smtp any
 conduit permit tcp any eq sqlnet host 192.168.1.30
You also added a few new route statements: routes for both the Seattle and Manchester networks as well as for the public network. Finally, you made sure that the NAT changes took effect by issuing a clear xlate command and then writing the configuration.
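The static and conduit statements above have to agree with each other: every conduit that names a specific global address should have a static that translates it, and a conduit whose global side is "any" opens that port on every protected host rather than on one server. The following added script (not Cisco code, and not from the book) parses the chapter's statements and reports both conditions; the parsing follows the PIX syntax exactly as printed on this page, and the 192.168.1.40 line in the sample is a constructed, stale entry added only to show the check firing.

```python
"""Audit PIX 'static' and 'conduit' statements for consistency.

Added example, not from the book: parses the single-DMZ statements shown
in the chapter and flags conduits that point at untranslated addresses or
that open a port on every protected host.
"""
import re
from collections import namedtuple

Static = namedtuple("Static", "high_if low_if global_ip local_ip")
Conduit = namedtuple(
    "Conduit", "action proto global_spec global_port foreign_spec foreign_port")

# static (high_if, low_if) global_ip local_ip
STATIC_RE = re.compile(r"^static\s*\(\s*(\w+)\s*,\s*(\w+)\s*\)\s+(\S+)\s+(\S+)")

# Constructed sample: the chapter's statements plus one stale conduit
# (192.168.1.40, no matching static) added here to exercise the check.
SAMPLE_CONFIG = """\
nat (public) 1 192.168.2.1 255.255.255.0 0 0
static (public, outside) 192.168.1.30 192.168.2.30
static (public, outside) 192.168.1.35 192.168.2.35
static (public, outside) 192.168.1.49 192.168.2.49
conduit permit tcp host 192.168.1.30 eq http any
conduit permit tcp host 192.168.1.35 eq ftp any
conduit permit tcp host 192.168.1.49 eq smtp any
conduit permit tcp any eq sqlnet host 192.168.1.30
conduit permit tcp host 192.168.1.40 eq http any
"""


def _addr(tok, i):
    """Read one conduit address spec (any | host A | A MASK) starting at tok[i]."""
    if tok[i] == "any":
        return "any", i + 1
    if tok[i] == "host":
        return tok[i + 1], i + 2
    return f"{tok[i]}/{tok[i + 1]}", i + 2


def _port(tok, i):
    """Read an optional 'eq <port>' qualifier starting at tok[i]."""
    if i < len(tok) and tok[i] == "eq":
        return tok[i + 1], i + 2
    return None, i


def parse_pix(text):
    """Return (statics, conduits) parsed from PIX configuration text."""
    statics, conduits = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = STATIC_RE.match(line)
        if m:
            statics.append(Static(*m.groups()))
            continue
        if line.startswith("conduit "):
            tok = line.split()
            action, proto = tok[1], tok[2]
            g_spec, i = _addr(tok, 3)      # global (protected-side) address
            g_port, i = _port(tok, i)
            f_spec, i = _addr(tok, i)      # foreign (less-secure-side) address
            f_port, _ = _port(tok, i)
            conduits.append(Conduit(action, proto, g_spec, g_port, f_spec, f_port))
    return statics, conduits


def audit(text):
    """Return a list of findings describing broad or stale permit conduits."""
    statics, conduits = parse_pix(text)
    translated = {s.global_ip for s in statics}
    findings = []
    for c in conduits:
        if c.action != "permit":
            continue
        if c.global_spec == "any":
            findings.append(
                f"broad: {c.proto}/{c.global_port or 'any'} opened on every "
                f"protected host to {c.foreign_spec}")
        elif "/" not in c.global_spec and c.global_spec not in translated:
            findings.append(
                f"stale: conduit targets {c.global_spec} but no static translates it")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample, the script reports the SQL*Net conduit as broad (it admits port sqlnet from 192.168.1.30 to every protected host, not only to the Oracle servers) and the constructed 192.168.1.40 line as stale. The first finding is expected here and matches the chapter's intent; the value of the check is that it surfaces the same pattern when it appears unintentionally in a larger configuration.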

In our next installment of Cisco Secure Internet Security Solutions - Chapter 4, we will look at Dual DMZ with AAA Authentication.

