Using ACLs

In Figure , the ACL acl_inside is applied to the inside interface. The ACL acl_inside denies HTTP connections from an internal network, but lets all other IP traffic through. Applying this ACL to the inside interface prevents internal users from establishing web connections to the outside while leaving their other outbound traffic unaffected.

NOTE:

Addresses on the internal network, 10.0.0.0, are dynamically translated (NAT) to the range 192.168.0.20 through 192.168.0.254 to allow outbound connections.

In Figure , the IP address of the web server is translated to the outside address 192.168.0.11. The ACL acl_outside is applied to traffic inbound to the outside interface. The ACL acl_outside permits HTTP connections from the Internet to the public web server at its mapped address, 192.168.0.11. All other IP traffic arriving on the outside interface is denied access to the DMZ and inside networks.

In Figure , the web server is statically translated from 172.16.0.2 to 172.18.0.17. The ACL acl_partner is applied to traffic inbound to the partnernet interface. The ACL acl_partner permits HTTP connections from hosts on the network 172.18.0.0/24 to the DMZ web server via its statically mapped address, 172.18.0.17. All other traffic from the partner network is denied.

In the second scenario in Figure , a client on the DMZ is trying to connect to the mail server on the inside network. The mail server's IP address is statically translated to 172.16.0.11 by the PIX Security Appliance. The ACL acl_dmz is applied to traffic inbound to the DMZ interface. The ACL acl_dmz permits mail access from the DMZ host 172.16.0.4 to the internal mail server on the inside interface via the mail server's statically mapped address, 172.16.0.11. All other traffic originating from the DMZ network is denied.
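The four ACLs and the translations described above, written out as one PIX 7.x CLI configuration. This is an added example, not configuration from the original page or from Cisco's lab guide. The interface names and security levels, the 255.255.255.0 masks, the mail server's real inside address (10.0.0.11), and the use of SMTP for "mail access" are assumptions; interface IP addressing is omitted. The addresses the page states are used as given.

```cisco
! Interface roles (names and security levels are assumed; IP addressing omitted)
interface Ethernet0
 nameif outside
 security-level 0
interface Ethernet1
 nameif inside
 security-level 100
interface Ethernet2
 nameif dmz
 security-level 50
interface Ethernet3
 nameif partnernet
 security-level 40
!
! Dynamic translation for outbound connections from the internal network
! (a /24 mask on 10.0.0.0 is assumed)
nat (inside) 1 10.0.0.0 255.255.255.0
global (outside) 1 192.168.0.20-192.168.0.254
!
! Static translations for servers that must be reachable from lower-security interfaces.
! The DMZ web server 172.16.0.2 appears as 192.168.0.11 on the outside
! and as 172.18.0.17 on partnernet.
static (dmz,outside) 192.168.0.11 172.16.0.2 netmask 255.255.255.255
static (dmz,partnernet) 172.18.0.17 172.16.0.2 netmask 255.255.255.255
! The inside mail server appears as 172.16.0.11 on the DMZ (real address 10.0.0.11 is assumed)
static (inside,dmz) 172.16.0.11 10.0.0.11 netmask 255.255.255.255
!
! acl_inside: block outbound HTTP from the internal network, allow everything else.
! The explicit permit is required: every ACL ends with an implicit deny, and once an
! ACL is bound to the inside interface the default "higher to lower security" permit
! no longer applies to that interface.
access-list acl_inside deny tcp 10.0.0.0 255.255.255.0 any eq www
access-list acl_inside permit ip any any
access-group acl_inside in interface inside
!
! acl_outside: only HTTP from the Internet to the web server's mapped address
access-list acl_outside permit tcp any host 192.168.0.11 eq www
access-group acl_outside in interface outside
!
! acl_partner: only HTTP from the partner network to the web server's partner-side mapped address
access-list acl_partner permit tcp 172.18.0.0 255.255.255.0 host 172.18.0.17 eq www
access-group acl_partner in interface partnernet
!
! acl_dmz: only the DMZ client 172.16.0.4 may reach the mail server's mapped address (SMTP assumed)
access-list acl_dmz permit tcp host 172.16.0.4 host 172.16.0.11 eq smtp
access-group acl_dmz in interface dmz
```

Verify with show access-list (per-entry hit counts show which line matched a test connection) and show xlate (active translations). The ACEs for acl_outside, acl_partner and acl_dmz name the mapped addresses because that is how the PIX 6.x/7.x and ASA software up to 8.2 evaluate traffic arriving from a lower-security interface, which is the behaviour the text describes. On ASA 8.3 and later, access lists reference real (untranslated) addresses and the nat, global and static commands are replaced by object NAT, so those three ACEs would name the servers' real addresses instead.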

Lab Activity

Lab Exercise: Configure Access Through the PIX Security Appliance using ASDM

In this lab, students will use ASDM to verify the starting configuration, then configure the PIX Security Appliance to allow inbound traffic to the bastion host and to the inside host. Finally, students will test and verify correct PIX Security Appliance operation using ASDM.

Lab Activity

Lab Exercise: Configure Access Through the PIX Security Appliance using CLI

In this lab, students will configure the PIX Security Appliance to allow inbound traffic to both the inside host and the bastion host. Students will then test and verify correct PIX Security Appliance operation.

Lab Activity

Lab Exercise: Configure Multiple Interfaces using CLI – Challenge Lab

In this lab, students will configure three PIX interfaces and then configure access through the PIX Security Appliance.