Hi Harry, 

The PIX is strongly oriented towards NAT, hence the documentation's focus on NAT 
configurations.  

You do not need to use NAT.  You can set up a "no translation - translation".  

For example, you could specify the static mapping for external users to connect to 
your cluster as follows:

static (inside, outside) public.i.p.address public.i.p.address

And then configure the conduit to permit only 443 traffic as necessary.  
The conduit syntax will vary depending on the version you are running, so check your 
documentation for syntax. 

The trick to this configuration is that both interfaces of the PIX cannot be in the 
same subnet, so you can subdivide your subnet.  

For example, if you have a class C network, x.x.x.0/24, divide it into two blocks:  
x.x.x.0/25 and x.x.x.128/25, then configure the PIX interfaces on separate subnets.  
The router and NT cluster also need the correct subnet mask, and the router should have a 
route to the subnet "behind" the PIX. 

Simplistic example:

(Internet)----(R)------------------------[PIX]------------------------[NT cluster]
                     E0x.x.x.1/25            x.x.x.129/25(pixE1)     x.x.x.130/25(NT)
                                 x.x.x.2/25(pixE0)  
                                                        
I hope that helps,

Lisa Napier
Product Security Incident Response Team
Cisco Systems
http://www.cisco.com/warp/public/707/sec_incident_response.shtml


At 11:48 AM 05/15/2000 -0700, Harry Whitehouse wrote:
>I have a small cluster of NT's which uses MS Load Balancing.  They are
>running SSL and the units ONLY need to support short port 443 transactions--
>a simple message in and a reply out.  There will be no other traffic on this
>little network.
>
>The entire NT server array "looks" like a single published IP address mapped
>to a single www DNS name.
>
>We also have an inherited Cisco PIX 520.
>
>I'd like to set up the 520 to block all other port traffic other than the
>443 traffic.  That part looks straight forward.  But the PIX documentation
>seems to stress using some form of address translation, so that the
>address of the NT cluster is NOT the published www address, but an internal
>private address.  But if I do something like this, will my SSL still work (as I
>believe SSL depends on the IP address resolving to the DNS name in the
>issued certificate)?
>
>Alternately, would my specialized situation suggest that I dispense with
>address translation and just let the 443 traffic pass through the PIX to the
>NT's which are running with the published DNS IP address?  (In this case, I
>am simply using the PIX to block traffic on all other ports.)
>
>TIA
>
>Harry
>
>-
>[To unsubscribe, send mail to [EMAIL PROTECTED] with
>"unsubscribe firewalls" in the body of the message.] 

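Added example, not part of Lisa's reply or Harry's post: the "no translation" setup described above, written out as PIX 4.x/5.x-era commands plus the matching router route. The addresses are constructed placeholders from 203.0.113.0/24 standing in for the page's x.x.x.0/24 (router E0 = .1, PIX outside = .2, PIX inside = .129, the cluster's published address = .130); the interface names and the cluster address are assumptions. Lines beginning with "!" are annotations for the reader, not commands to paste. The conduit form is the older syntax Lisa refers to; later PIX releases express the same rule with access-list/access-group, so check the version you are running.

```text
! --- PIX 520 (constructed example; 203.0.113.0/24 stands in for x.x.x.0/24) ---
! The /24 is split so the two PIX interfaces are never in the same subnet:
!   outside half 203.0.113.0/25   : router E0 .1, PIX ethernet0 .2
!   inside half  203.0.113.128/25 : PIX ethernet1 .129, NT cluster published address .130
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 203.0.113.2 255.255.255.128
ip address inside 203.0.113.129 255.255.255.128
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! "No translation - translation": global and local address are identical, so the
! cluster keeps the published address that the certificate's DNS name resolves to.
static (inside,outside) 203.0.113.130 203.0.113.130 netmask 255.255.255.255 0 0
!
! Permit only TCP/443 from anywhere to the published address. With no other
! conduit configured, every other inbound connection attempt is dropped.
conduit permit tcp host 203.0.113.130 eq 443 any
!
! --- Router (R), IOS: the inside /25 is now reachable only via the PIX outside address ---
ip route 203.0.113.128 255.255.255.128 203.0.113.2
!
! --- NT cluster hosts: mask 255.255.255.128, default gateway 203.0.113.129 (PIX inside) ---
```

Two checks worth doing after applying this: from an outside host, confirm that TCP/443 to 203.0.113.130 completes the SSL handshake while a connection to any other port times out rather than being refused by the server (a refusal would mean the PIX passed it through); and confirm the router really has the /25 route, since without it return traffic for the inside half of the former /24 is still sent to the directly connected LAN and never reaches the PIX.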