Book Excerpt: Cisco Secure Internet Security Solutions - part 4 - Page 6
Additional Single-DMZ Configuration Considerations
The remaining changes to this configuration involve commands that were previously
examined in this chapter. You added a new nat statement with the interface set as public to
allow for translation of the public DMZ to global addresses. This eliminates the chance that
anyone from the outside will see any traffic on the inside network. You can use NAT on all
of the public hosts and add them to the common global pool. The command used is as
follows:
nat (public) 1 192.168.2.1 255.255.255.0 0 0
Next, you change the static NAT for the Web, FTP, and e-mail servers from the inside interface to the public interface. The new lines read:
static (public, outside) 192.168.1.30 192.168.2.30
static (public, outside) 192.168.1.35 192.168.2.35
static (public, outside) 192.168.1.49 192.168.2.49
If you were using the previous configuration, you would have needed to remove the old static translations using the no form of the static command. You also added a new conduit statement. This statement allows any Oracle database traffic from the Web server on the public interface to enter into your inside LAN. The PIX Firewall uses port 1521 for SQL*Net. This is also the default port used by Oracle for SQL*Net, despite the fact that this value does not agree with Internet Assigned Numbers Authority (IANA) port assignments.
Because the Web server has a database running in the background, you need to allow traffic from this Web server to enter into the LAN and talk to the Oracle database servers. These tasks are accomplished with the following lines:
conduit permit tcp host 192.168.1.30 eq http any
conduit permit tcp host 192.168.1.35 eq ftp any
conduit permit tcp host 192.168.1.49 eq smtp any
conduit permit tcp any eq sqlnet host 192.168.1.30
You also added a few new route statements. You added routes for both the Seattle and Manchester networks as well as the public network. Finally, you made sure that the NAT changes would occur by issuing a clear xlate command and then writing the configuration.
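As an added illustration, not taken from the book, the following Python script reads the static and conduit lines shown above, resolves each conduit's global addresses back to the servers' real addresses on the public segment, and flags any conduit whose destination (global) side is any, since such a permit is not limited to one host behind the firewall and is worth checking against the hosts that actually run the service. The CONFIG list and the port-name table are constructed from the lines on this page; the function names and the report fields are my own.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Literal port names that appear on this page. The PIX maps sqlnet to 1521
# (the Oracle default), so the same value is used here.
PORT_NAMES = {"http": 80, "ftp": 21, "smtp": 25, "sqlnet": 1521}

# Constructed from the static and conduit lines on this page.
CONFIG = [
    "static (public, outside) 192.168.1.30 192.168.2.30",
    "static (public, outside) 192.168.1.35 192.168.2.35",
    "static (public, outside) 192.168.1.49 192.168.2.49",
    "conduit permit tcp host 192.168.1.30 eq http any",
    "conduit permit tcp host 192.168.1.35 eq ftp any",
    "conduit permit tcp host 192.168.1.49 eq smtp any",
    "conduit permit tcp any eq sqlnet host 192.168.1.30",
]


@dataclass
class Static:
    high_if: str      # higher-security interface (public)
    low_if: str       # lower-security interface (outside)
    global_ip: str    # address seen on low_if
    local_ip: str     # real address on high_if


@dataclass
class Conduit:
    proto: str
    global_addr: str            # destination, named by its global address
    global_port: Optional[int]
    foreign_addr: str           # source on the lower-security side
    foreign_port: Optional[int]


def parse_static(line: str) -> Static:
    m = re.match(r"static\s*\(\s*(\w+)\s*,\s*(\w+)\s*\)\s+(\S+)\s+(\S+)", line)
    if not m:
        raise ValueError(f"not a static line: {line!r}")
    return Static(*m.groups())


def _addr(tokens, i):
    """Consume 'any' | 'host A' | 'A MASK' plus an optional 'eq PORT' at tokens[i]."""
    if tokens[i] == "any":
        addr, i = "any", i + 1
    elif tokens[i] == "host":
        addr, i = tokens[i + 1], i + 2
    else:
        addr, i = f"{tokens[i]}/{tokens[i + 1]}", i + 2
    port = None
    if i < len(tokens) and tokens[i] == "eq":
        name = tokens[i + 1]
        port = PORT_NAMES[name] if name in PORT_NAMES else int(name)
        i += 2
    return addr, port, i


def parse_conduit(line: str) -> Conduit:
    t = line.split()
    if t[:2] != ["conduit", "permit"]:
        raise ValueError(f"not a permit conduit: {line!r}")
    g_addr, g_port, i = _addr(t, 3)
    f_addr, f_port, _ = _addr(t, i)
    return Conduit(t[2], g_addr, g_port, f_addr, f_port)


def audit(config):
    """Return one dict per conduit, resolving global addresses through the statics."""
    by_global = {s.global_ip: s
                 for s in (parse_static(l) for l in config if l.startswith("static"))}
    report = []
    for line in (l for l in config if l.startswith("conduit")):
        c = parse_conduit(line)
        dst = by_global.get(c.global_addr)
        src = by_global.get(c.foreign_addr)
        report.append({
            "proto": c.proto,
            "exposed": c.global_addr,
            "real_host": dst.local_ip if dst else None,
            "port": c.global_port,
            "from": c.foreign_addr,
            "from_host": src.local_ip if src else None,
            "broad": c.global_addr == "any",  # every host behind the firewall, on that port
        })
    return report


def broad_conduits(config):
    """Conduits whose destination is 'any'; review each against the hosts that need it."""
    return [e for e in audit(config) if e["broad"]]


if __name__ == "__main__":
    for e in audit(CONFIG):
        flag = "  <-- destination any" if e["broad"] else ""
        print(f"{e['proto']}/{e['port']}: {e['from']} -> {e['exposed']} "
              f"(real {e['real_host']}){flag}")
```

Run against the page's lines, the three service conduits resolve to the web, FTP and mail servers' public-segment addresses, and the SQL*Net conduit is reported as originating from the web server's real address with a destination of any; that last entry is the one a reviewer would compare against the list of Oracle hosts on the inside LAN.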
--
In our next installment of Cisco Secure Internet Security Solutions - Chapter 4, we will look at Dual DMZ with AAA Authentication.