PIX 501 pseudo DMZ and securing an internal|dmz web server
on 06.04.2007 14:00:19 by zii kell
I intend to run a server behind my PIX 501. I would like to allow
packets from the outside interface to it. For this I think I could use this:
1)
!--- enable symbolic host names, then define the web server
names
name 10.9.9.10 webserver1
!--- define an access list to permit incoming connections from the internet
!--- permit incoming to port 80 & 443 for webserver1
access-list outside_in permit tcp any any eq www
access-list outside_in permit tcp any any eq 443
!--- apply the access list to the outside interface (it has no effect until bound)
access-group outside_in in interface outside
!--- redirect connections to port 443 to webserver1 standard web port
static (inside,outside) tcp interface 443 webserver1 www netmask 255.255.255.255 0 0
!--- redirect connections to port 80 to webserver1 standard web port
static (inside,outside) tcp interface www webserver1 www netmask 255.255.255.255 0 0
2) However, this also means that if the web server were to be
compromised, then the attacker would have access to the internal (inside)
network.
I would like to configure the PIX to only:
Allow from other hosts on the inside network only 80, 443, 22 and 514 (UDP),
inbound and outbound.
Deny everything else out from the server to anyone else other than
requests covered in the above ACL. The server ought not to allow
connections that were initiated from it.
The simple way would be to create a DMZ, but the PIX 501 does not have a
dedicated interface for this. Only interface0 (outside) and interface1
(inside). The inside interface is an internal four-port switch.
Any clues on how this might work?
Best wishes, z.
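The part of the requirement the PIX can actually enforce is what webserver1 is allowed to initiate through the firewall, i.e. towards the outside interface. The following is an added example in PIX 6.x syntax, not configuration from the original post; it assumes an inside network of 10.9.9.0/24 and a hypothetical remote syslog host 192.0.2.20 reachable via the outside interface. It shows the inside-interface access list that denies every session the server opens itself, except syslog to that one host, while the stateful engine still lets replies to the inbound HTTP/HTTPS sessions pass without an explicit entry.

```cisco
! Added example, not from the original post. PIX 6.x syntax.
! Assumptions: inside network 10.9.9.0/24, webserver1 = 10.9.9.10,
! hypothetical remote syslog host 192.0.2.20 reached via the outside.
names
name 10.9.9.10 webserver1
name 192.0.2.20 loghost

! Outbound policy on the inside interface. Entries are matched top-down,
! so the server-specific lines must come before the general permit.
! 1. the only session webserver1 may open itself: syslog to the loghost
access-list inside_out permit udp host webserver1 host loghost eq syslog
! 2. everything else the server initiates is dropped and logged, which is
!    also a useful detection signal: a compromised web server trying to
!    call out shows up here
access-list inside_out deny ip host webserver1 any log
! 3. the rest of the inside network keeps its normal outbound access
access-list inside_out permit ip 10.9.9.0 255.255.255.0 any
access-group inside_out in interface inside

! Return traffic for the published services needs no ACL entry; the PIX
! tracks the inbound HTTP/HTTPS sessions created through the statics and
! permits their replies statefully.
```

The caveat a practitioner would add: the PIX only sees traffic that crosses one of its interfaces. Packets between webserver1 and another host on the 501's four-port inside switch are forwarded by the switch at layer 2 and never reach the firewall, so the "only 80, 443, 22 and 514 from other inside hosts" rule cannot be enforced on the PIX at all. For that part, the filtering has to live on the server itself (its host packet filter) or the server has to sit on a segment that the PIX, or a separate firewall, is actually in the path of.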