I work for a small company with 5 branches.  I have a frame connection to
all the sites which connects to the central office where I am (hub and
spoke).  In the central office, I have set up a PIX firewall.  Behind the
firewall sits an Exchange server and a new server which I plan on installing
next week.

I want to install a BDC that will have Symantec's I-gear/Mail-gear.  This is
an email and internet filtering product. I will place this behind the
firewall.  Here is what I want to do:

1) I want all the client PCs to connect to the I-gear/Mail-gear server to
access the internet. Of course I will static my own address and those that
are nice to me to bypass the proxy and go straight through the PIX.

2) I want to allow only certain traffic to go back in the PIX from the
outside.

3) I will need an inside and outside IP address on this server.

Here is my proposed solution:

1) Install 2 network cards on the server and install the mentioned software.

2) Stop all traffic from being PATed across the PIX currently.
     Currently I have Nat (inside) 1 0.0.0.0 0.0.0.0

3) Add a new NAT to let out the BDC server machine.
       NAT (inside) 1 10.0.0.12 255.255.254.0
       NAT (inside) 2 10.0.1.1 255.255.254.0 (my own PC for example)

4) Let the BDC out of the PIX
 Static (inside,outside) 193.236.234.88 10.0.0.12 netmask 255.255.255.255 0 0
 Conduit permit tcp host 193.236.234.88 eq smtp any
 Conduit permit tcp host 193.236.234.88 eq www any
 Conduit permit tcp host 193.236.234.88 eq pop3 any
 Conduit permit tcp host 193.236.234.88 eq 443 any

5) Change the gateway that they (the clients) are pointing to (right now it
is the router (10.0.0.1) that connects to the PIX) to point to the BDC
server 10.0.0.12.

I think that will work but I am very green when it comes to configuring
these PIXes.  I got lucky a few months ago when I did an IPSec tunnel
between 2 PIXes and I would like to replicate that success.  I would
certainly appreciate some pointers before I go ahead and do this next week
with my heart in my mouth and as I experience shortness of breath... not a
good feeling :)

Any comments would surely be appreciated.

rgds,
Manolito 
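
Added example, not part of the original post: a Python check of the address range each nat statement in step 3 covers, computed only from the address and mask as written. The regex, function names and dictionary keys are this example's own, and it makes no claim about how a particular PIX OS version treats such a statement.

```python
import ipaddress
import re

# The two nat statements exactly as proposed in step 3 of the post.
PROPOSED = """\
NAT (inside) 1 10.0.0.12 255.255.254.0
NAT (inside) 2 10.0.1.1 255.255.254.0
"""

# Hypothetical parser for "nat (<interface>) <id> <address> <mask>" lines.
NAT_RE = re.compile(
    r"^\s*nat\s+\((?P<ifc>\w+)\)\s+(?P<id>\d+)\s+(?P<addr>\S+)\s+(?P<mask>\S+)",
    re.IGNORECASE,
)

def parse_nat(config):
    """Return one dict per nat line with the range its address/mask covers."""
    entries = []
    for line in config.splitlines():
        m = NAT_RE.match(line)
        if not m:
            continue
        addr = ipaddress.IPv4Address(m["addr"])
        # strict=False clears the host bits instead of raising ValueError
        net = ipaddress.IPv4Network(f"{m['addr']}/{m['mask']}", strict=False)
        entries.append({
            "nat_id": int(m["id"]),
            "interface": m["ifc"].lower(),
            "address": addr,
            "network": net,
            # True when the address is not the base address of the masked range
            "host_bits_set": addr != net.network_address,
        })
    return entries

def overlaps(entries):
    """Pairs of nat ids on one interface whose ranges share addresses."""
    pairs = []
    for i, a in enumerate(entries):
        for b in entries[i + 1:]:
            same_ifc = a["interface"] == b["interface"]
            if same_ifc and a["network"].overlaps(b["network"]):
                pairs.append((a["nat_id"], b["nat_id"]))
    return pairs

if __name__ == "__main__":
    parsed = parse_nat(PROPOSED)
    for e in parsed:
        print(e["nat_id"], e["address"], "->", e["network"],
              e["network"].num_addresses, "addresses")
    print("overlapping nat ids:", overlaps(parsed))
```

With mask 255.255.254.0 both statements describe the same 512-address range, 10.0.0.0/23; the same address with mask 255.255.255.255 describes a single host.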
