G'day,
Your use of inside/outside and E1/E0 are internally inconsistent in your
description. I can, however, say this:
By default there is nothing stopping any host accessing any service on a
LOWER security level. Similarly, there is (by default) NO access allowed
from lower security levels to high ones. Thus...
If you have trouble accessing higher security levels from lower ones:
You suggested that you have bidirectional communication for HTTP. Therefore
there must be either an ACL or a conduit permitting HTTP (and a static
mapping as well). Just do whatever you did to make _that_ work, but for port
443 and I think you should be in business.
If you have problems accessing SSL/TLS on a _lower_ security level from a
higher one:
It's probably not the PIX but you might need sniffers etc to prove that.
Cheers,
--
Ben Nagy
Marconi Services
Network Integration Specialist
Mb: +61 414 411 520 PGP Key ID: 0x1A86E304
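To make the two default rules in the reply above concrete, here is an added PIX 5.2-style configuration fragment. It is not from either message or from Cisco; the addresses are placeholders from documentation ranges and the interface names are assumed to be "inside" (security100) and "outside" (security10). The only line taken from the thread is the `nat (inside) 1 0.0.0.0 0.0.0.0 0 0` rule.

```cisco
! --- Interface security levels (assumed names) ---
nameif ethernet0 outside security10
nameif ethernet1 inside security100

! --- High-to-low (inside -> outside): allowed by default ---
! With a nat/global pair, any inside host can reach any service (80, 443, ...)
! on the outside; no access-list or conduit is needed for this direction.
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 203.0.113.5          ! placeholder PAT address

! --- Low-to-high (outside -> inside): denied by default ---
! Two things are required: a static mapping so the inside host has a fixed
! outside address, and an explicit permit for the port being published.
! Assumed: inside web/SSL server 10.0.0.10 published as 203.0.113.10.
static (inside,outside) 203.0.113.10 10.0.0.10 netmask 255.255.255.255 0 0

! Access-list form (preferred): permit only 80 and 443 to the mapped address.
! If 443 is missing here, HTTP works but HTTPS fails exactly as described.
access-list outside_in permit tcp any host 203.0.113.10 eq 80
access-list outside_in permit tcp any host 203.0.113.10 eq 443
access-group outside_in in interface outside

! Equivalent older conduit form (do not mix conduits and access-lists on
! the same PIX; shown only for comparison):
! conduit permit tcp host 203.0.113.10 eq 80 any
! conduit permit tcp host 203.0.113.10 eq 443 any
```

When the failing direction is high-to-low (inside to outside, as in the original question), nothing in this fragment needs changing; checking the server end with a packet capture, as the reply suggests, is the next step.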
-----Original Message-----
From: Amanda Acheson [mailto:[EMAIL PROTECTED]]
Sent: Thursday, November 16, 2000 3:45 PM
To: '[EMAIL PROTECTED]'
Subject: Cisco PIX and SSL failing.
I am trying to set up a Cisco PIX 515 version 5.2 in a test environment.
We have the PIX with an outside Cisco26xx router set up (also the route is
configured in the PIX) and 2-3 Solaris servers on each side (inside &
outside). There is also a BIND DNS server on the outside but none on the
inside.
The PIX has only 2 interfaces, E0 & E1. E0 is security10 and uses public
addresses and E1 is Security100, using private addresses and NAT (Nat rule
in effect: NAT (inside) 1 0.0.0.0 0.0.0.0 0 0 ).
They have no problems passing ICMP back and forth or accessing http services
on web servers on either side.
Two Solaris boxes on the E1 (outside) can reach each other and can access
the Apache (SSL) https:// server also on the outside. However, when I try
to get a machine on E1 to reach the SSL server on E0, it fails (but can
reach it using http). We have NO blockages on anything going OUT to a lower
security level.
I am tearing my hair out. Can anyone suggest what we need to do to get the
server on Security100 to access the SSL server on Security10?
Also, since I'm not altogether sure I'm on the list properly, can you send
any replies to my email address too, not just the list? Thanks!
[EMAIL PROTECTED]
Amanda Acheson
[EMAIL PROTECTED]
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]