PIX Security Appliance Translations and Connections
Configuring multiple interfaces

The PIX Security Appliance supports up to eight additional physical interfaces for platform extensibility and security policy enforcement on publicly accessible services. The multiple physical interfaces enable the PIX to protect publicly accessible web, mail, and DNS servers on the DMZ.

Configuring Three Interfaces
A third interface is configured as shown in Figure . When the PIX Security Appliance is equipped with three or more interfaces, use the following guidelines to configure it while employing NAT:

  • The outside interface cannot be renamed or given a different security level.
  • An interface is always outside with respect to another interface that has a higher security level. Packets cannot flow between interfaces that have the same security level.
  • Use a single default route statement to the outside interface only. Set the default route with the route command.
  • Use the nat command to let users on the respective interfaces start outbound connections. Associate the nat_id in the nat command with the same nat_id in the global command statement. The valid identification numbers can be any positive number up to two billion.

  • After a global statement is added, changed, or removed, save the configuration and enter the clear xlate command so that the IP addresses will be updated in the translation table.
  • To permit access to servers on protected networks from a less secure interface, use the static and access-list commands.

In Figure , hosts on the inside network can access the outside network. The original 10.0.0.0/24 address is assigned an address from the global pool of 192.168.0.20-254. When an inside host accesses the DMZ, the original address is assigned an address from the global pool of 172.16.0.20-254. Last, the DMZ server is always translated to an outside address of 192.168.0.11.

Configuring Four Interfaces
In Figure , the PIX Security Appliance has four interfaces. Users on the inside have access to the DMZ and the outside. The server 172.16.0.2 is visible on the outside as 192.168.0.11 and on the partnernet as 172.18.0.11. Configuring four interfaces requires more attention to detail, but the interfaces are still configured with standard PIX commands. To enable users on a higher security level interface to access hosts on a lower security level interface, use the nat and global commands; for example, to give users on the inside interface access to the web server on the DMZ interface.

To let users on a lower security level interface, such as users on the partnernet interface, access hosts on a higher security level interface (the DMZ), use the static and access-list commands. As seen in Figure , the partnernet has a security level of 40 and the DMZ has a security level of 50. The DMZ therefore uses nat and global commands to initiate connections to the partnernet, and uses static and access-list commands to receive traffic originating from the partnernet.
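The following PIX 6.x-style configuration is an added example, not part of the course text, that puts the four-interface design above into commands. The addresses the course gives (10.0.0.0/24 inside, the 192.168.0.20-254 and 172.16.0.20-254 global pools, the 172.16.0.2 server mapped to 192.168.0.11 and 172.18.0.11) are used as stated; the interface IP addresses, the default gateway, the partnernet global pool and the access-list names are assumptions chosen for illustration.

```cisco
! Interface names and security levels (inside 100 and outside 0 are the PIX defaults;
! DMZ 50 and partnernet 40 are the levels given in the course figure)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
nameif ethernet3 partnernet security40

! Interface addresses (assumed values, not from the course text)
ip address outside 192.168.0.2 255.255.255.0
ip address inside 10.0.0.1 255.255.255.0
ip address dmz 172.16.0.1 255.255.255.0
ip address partnernet 172.18.0.1 255.255.255.0

! Single default route, pointing to the outside interface only (assumed next hop)
route outside 0.0.0.0 0.0.0.0 192.168.0.1 1

! Higher -> lower security: nat on the source interface, global pools on the
! lower-security interfaces that share the same nat_id (1).
! inside -> outside gets 192.168.0.20-254; inside -> dmz gets 172.16.0.20-254
nat (inside) 1 10.0.0.0 255.255.255.0
global (outside) 1 192.168.0.20-192.168.0.254 netmask 255.255.255.0
global (dmz) 1 172.16.0.20-172.16.0.254 netmask 255.255.255.0

! dmz (50) -> partnernet (40) is also higher -> lower, so the DMZ uses nat/global too
! (the partnernet pool 172.18.0.20-254 is assumed)
nat (dmz) 1 172.16.0.0 255.255.255.0
global (partnernet) 1 172.18.0.20-172.18.0.254 netmask 255.255.255.0

! Lower -> higher security: fixed translations for the DMZ server, plus an
! access-list applied inbound on the lower-security interface to permit only
! the service that should be reachable (HTTP here, assumed).
static (dmz,outside) 192.168.0.11 172.16.0.2 netmask 255.255.255.255
static (dmz,partnernet) 172.18.0.11 172.16.0.2 netmask 255.255.255.255
access-list acl_outside permit tcp any host 192.168.0.11 eq www
access-group acl_outside in interface outside
access-list acl_partnernet permit tcp any host 172.18.0.11 eq www
access-group acl_partnernet in interface partnernet

! After changing global statements, save and clear the translation table
write memory
clear xlate
```

Traffic from partnernet or outside reaches only the static-mapped address and only on the port the access-list permits; everything else from those lower-security interfaces is dropped by default.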


Lab Activity

e-Lab Activity: Configure a PIX Security Appliance with Three Interfaces

In this activity, the student will practice configuring three interfaces on the PIX Security Appliance.

Lab Activity

e-Lab Activity: Configure a PIX Security Appliance with Four Interfaces

In this activity, the student will practice configuring four interfaces on the PIX Security Appliance.