Book Excerpt: Cisco Secure Internet Security Solutions - part 4 - Page 6

 By Cisco Press

Additional Single-DMZ Configuration Considerations
The remaining changes to this configuration involve commands that were previously examined in this chapter. You added a new nat statement with the interface set as public to allow for translation of the public DMZ to global addresses. This eliminates the chance that anyone from the outside will see any traffic on the inside network. You can use NAT on all of the public hosts and add them to the common global pool. The command used is as follows:

 nat (public) 1 0 0
Next, you change the static NAT for the Web, FTP, and e-mail servers from the inside interface to the public interface. The new lines read:
 static (public, outside)
 static (public, outside)
 static (public, outside)
If you were using the previous configuration, you would have needed to remove the old static translations using the no form of the static command. You also added a new conduit statement. This statement allows any Oracle database traffic from the Web server on the public interface to enter into your inside LAN. The PIX Firewall uses port 1521 for SQL*Net. This is also the default port used by Oracle for SQL*Net, despite the fact that this value does not agree with Internet Assigned Numbers Authority (IANA) port assignments.

Because the Web server has a database running in the background, you need to allow traffic from this Web server to enter into the LAN and talk to the Oracle database servers. These tasks are accomplished with the following lines:

 conduit permit tcp host eq http any
 conduit permit tcp host eq ftp any
 conduit permit tcp host eq smtp any
 conduit permit tcp any eq sqlnet host
You also added a few new route statements. You added routes for both the Seattle and Manchester networks as well as the public network. Finally, you made sure that the NAT changes would occur by issuing a clear xlate command and then writing the configuration.
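As a defender's check on conduit rules like the ones above (an added example, not from the Cisco Press text): a small Python auditor that parses conduit statements in the host/any forms used in this chapter and flags permits that leave every port open, or that expose a non-public port such as SQL*Net 1521 to or from any address. The addresses in the sample are constructed placeholders, not the book's.

```python
import re
# PIX port keywords used in the chapter's conduit statements, with their numbers.
PORT_NAMES = {"http": 80, "ftp": 21, "smtp": 25, "sqlnet": 1521}
# Services meant to be reachable from any foreign (lower-security) host.
PUBLIC_PORTS = {80, 21, 25}

# conduit permit|deny proto <global> [eq port] <foreign>, in the 'any' and
# 'host X' address forms the chapter uses (masked address pairs are not handled).
CONDUIT_RE = re.compile(
    r"^\s*conduit\s+(permit|deny)\s+(tcp|udp)\s+"
    r"(any|host\s+\S+)\s+(?:eq\s+(\S+)\s+)?(any|host\s+\S+)\s*$"
)

def parse_conduit(line):
    """Return the parts of one conduit statement, or None for any other line."""
    m = CONDUIT_RE.match(line)
    if not m:
        return None
    action, proto, gdst, port, fsrc = m.groups()
    # No 'eq' means every port; otherwise a number or a keyword such as sqlnet.
    port_no = None if port is None else (int(port) if port.isdigit() else PORT_NAMES.get(port))
    return {"action": action, "proto": proto, "port": port_no,
            "dst": gdst.split()[-1],   # global side: 'any' or an address
            "src": fsrc.split()[-1]}   # foreign side: 'any' or an address

def audit_conduits(config_lines):
    """Flag permits that leave every port open or expose a non-public port to/from 'any'."""
    findings = []
    for line in config_lines:
        c = parse_conduit(line)
        if c is None or c["action"] != "permit":
            continue
        if c["port"] is None:
            findings.append((line.strip(), "no port restriction"))
        elif c["port"] not in PUBLIC_PORTS:
            if c["src"] == "any":
                findings.append((line.strip(), f"port {c['port']} open to any foreign host"))
            if c["dst"] == "any":
                findings.append((line.strip(), f"port {c['port']} reachable on any global address"))
    return findings

# Constructed sample in the chapter's form; all addresses are placeholders.
SAMPLE_CONFIG = """
static (public,outside) 203.0.113.10 192.168.100.10
conduit permit tcp host 203.0.113.10 eq http any
conduit permit tcp any eq sqlnet host 192.168.100.10
conduit permit tcp any eq sqlnet any
conduit permit tcp host 10.1.1.20 any
""".strip().splitlines()
```

Running `audit_conduits(SAMPLE_CONFIG)` reports the SQL*Net conduit whose global side is `any` (scope it to the database server's address), the one open to every foreign host, and the rule with no port at all, while the public HTTP conduit passes.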

In our next installment of Cisco Secure Internet Security Solutions - Chapter 4, we will look at Dual DMZ with AAA Authentication.

This article was originally published on Sep 27, 2001