The PIX Security Appliance supports up to eight additional physical interfaces for platform extensibility and security policy enforcement on publicly accessible services. The multiple physical interfaces enable the PIX to protect publicly accessible web, mail, and DNS servers on the DMZ.
Configuring Three Interfaces
A third interface is configured as shown in Figure. When the PIX Security Appliance is equipped with three or more interfaces, use the following guidelines to configure it while employing NAT:
- The outside interface cannot be renamed or given a different security level.
- An interface is always outside with respect to another interface that has a higher security level. Packets cannot flow between interfaces that have the same security level.
- Use a single default route statement to the outside interface only. Set the default route with the route command.
- Use the nat command to let users on the respective interfaces start outbound connections. Associate the nat_id with the nat_id in the global command statement. The valid identification numbers can be any positive number up to two billion.
- After a global statement is added, changed, or removed, save the configuration and enter the clear xlate command so that the IP addresses will be updated in the translation table.
- To permit access to servers on protected networks from a less secure interface, use the static and access-list commands.
In Figure, hosts on the inside network can access the outside network. A host's original 10.0.0.0/24 address is translated to an address from the global pool of 192.168.0.20-254. When an inside host accesses the DMZ, its original address is translated to an address from the global pool of 172.16.0.20-254. Last, the DMZ server is always translated to an outside address of 192.168.0.11.
Configuring Four Interfaces
In Figure, the PIX Security Appliance has four interfaces. Users on the inside have access to the DMZ and the outside. The server 172.16.0.2 is visible on the outside as 192.168.0.11 and on the partnernet as 172.18.0.11. Configuring four interfaces requires more attention to detail, but the interfaces are still configured with standard PIX commands. To enable users on a higher security level interface to access hosts on a lower security interface, use the nat and global commands. This is how, for example, users on the inside interface are given access to the web server on the DMZ interface.
To let users on a lower security level interface, such as users on the partnernet interface, access hosts on a higher security interface (DMZ), use the static and access-list commands. As seen in Figure, the partnernet has a security level of 40 and the DMZ has a security level of 50. The DMZ will use nat and global commands to speak with the partnernet and will use static commands and access-list commands to receive traffic originating from the partnernet.
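The following configuration is an added example, not text or configuration from the original page. It writes out, in PIX 6.x-style command syntax (the page does not state a software version, so that syntax is an assumption), the four-interface scenario just described; the three-interface case from the previous section is the same configuration without the partnernet lines. The interface IP addresses, the outside default gateway, the partnernet global pool range and the access-list names ACLOUT and ACLPARTNER are assumptions not given in the text; the security levels, the 10.0.0.0/24, 192.168.0.20-254 and 172.16.0.20-254 pools, and the server translations 192.168.0.11 and 172.18.0.11 are taken from the text.

```cisco
! Added example configuration (not from the original page).
! Assumed: PIX 6.x syntax, interface addresses, default gateway,
! partnernet pool range, access-list names.

nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
nameif ethernet3 partnernet security40

! Interface addresses are assumptions chosen to fit the networks in the text.
ip address outside 192.168.0.1 255.255.255.0
ip address inside 10.0.0.1 255.255.255.0
ip address dmz 172.16.0.1 255.255.255.0
ip address partnernet 172.18.0.1 255.255.255.0

! One default route, to the outside interface only (next hop assumed).
route outside 0.0.0.0 0.0.0.0 192.168.0.254 1

! Higher-security to lower-security traffic: nat on the source interface,
! and a global pool with the same nat_id (1) on each lower-security interface.
nat (inside) 1 10.0.0.0 255.255.255.0 0 0
nat (dmz) 1 172.16.0.0 255.255.255.0 0 0
global (outside) 1 192.168.0.20-192.168.0.254 netmask 255.255.255.0
global (dmz) 1 172.16.0.20-172.16.0.254 netmask 255.255.255.0
global (partnernet) 1 172.18.0.20-172.18.0.254 netmask 255.255.255.0

! Lower-security to higher-security traffic: a static translation plus an
! access-list bound to the lower-security interface. The DMZ server
! 172.16.0.2 is seen as 192.168.0.11 from outside and 172.18.0.11 from
! the partnernet.
static (dmz,outside) 192.168.0.11 172.16.0.2 netmask 255.255.255.255 0 0
static (dmz,partnernet) 172.18.0.11 172.16.0.2 netmask 255.255.255.255 0 0

! Only the web service is opened. Anything else arriving on a lower-security
! interface is dropped by the implicit deny at the end of each access-list.
access-list ACLOUT permit tcp any host 192.168.0.11 eq www
access-group ACLOUT in interface outside
access-list ACLPARTNER permit tcp any host 172.18.0.11 eq www
access-group ACLPARTNER in interface partnernet
```

Note that no access-list is bound to the inside or dmz interface: their outbound traffic toward lower-security interfaces is permitted by the security levels once a matching nat/global pair exists, while the partnernet (security 40) can reach the DMZ (security 50) only through the static and the ACLPARTNER entry. After editing any global statement, save the configuration and run clear xlate as the guidelines above require; show xlate then confirms that the new pool addresses are in use.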