
Using access-lists to reinforce perimeter security

I have two PIX firewalls in a failover configuration with six Fast Ethernet ports on the firewall. I have two of the interfaces at a security level of 50, two at 25, one at 0 and one at 100. As the firewall is on an internal network, I have no desire to perform any sort of hide NAT. I just want to pass the traffic according to access-lists. I'm confused as to what kind of statement I should be using on each interface. Should it be NAT with an associated access-list, some other form of a NAT statement, or a static statement? What would be an example?
Use static statements (depending on the size of the network) with embryonic limits and inbound and outbound access-lists. Use NAT on the DMZ interface. You should also configure your router(s) with access-lists to reinforce perimeter security. See my PIX firewall article in the series for an example. Make sure that you administratively shut down unused interfaces (you may experience an issue with CiscoWorks, though). Remember to consistently patch and protect your firewall.
Kind regards,
This was last published in May 2003
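As an added example, not the expert's own configuration and not taken from the article he refers to, the fragment below applies the advice above to the six-interface layout in the question using PIX 6.x syntax. Interface names, all IP addresses, the web server at 10.1.50.10, the resolver at 192.0.2.53, the permitted ports and the connection limits are assumptions chosen for illustration; lines beginning with ":" are PIX comment lines.

```text
: Added example, not the expert's configuration. Addresses, names,
: services and limits are assumptions for illustration only.

: Six interfaces with the security levels from the question
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz1 security50
nameif ethernet3 dmz2 security50
nameif ethernet4 partner1 security25
nameif ethernet5 partner2 security25

interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
interface ethernet3 100full
interface ethernet4 100full
: partner2 is not in use yet: keep it administratively down
interface ethernet5 100full shutdown

ip address outside 192.0.2.1 255.255.255.0
ip address inside 10.1.100.1 255.255.255.0
ip address dmz1 10.1.50.1 255.255.255.0
ip address dmz2 10.1.51.1 255.255.255.0
ip address partner1 10.1.25.1 255.255.255.0

: Identity statics: each host is "translated" to its own address, so
: nothing is hidden, but the PIX still gets the translation slot it
: needs before it will forward a packet between two interfaces.
: The trailing numbers are max_conns and emb_limit: at most 1000
: established and 100 half-open (embryonic) TCP connections for the
: hosts covered by the static, after which new SYNs are dropped.
: That bounds what a SYN flood can do to the protected hosts.
static (inside,outside) 10.1.100.0 10.1.100.0 netmask 255.255.255.0 1000 100
static (inside,dmz1) 10.1.100.0 10.1.100.0 netmask 255.255.255.0 1000 100
static (dmz1,outside) 10.1.50.0 10.1.50.0 netmask 255.255.255.0 500 50

: Hide NAT for the second DMZ toward the Internet, as suggested above
: for a DMZ: the whole dmz2 subnet leaves as the outside interface address.
nat (dmz2) 1 10.1.51.0 255.255.255.0
global (outside) 1 interface

: Inbound policy on the outside interface: only HTTPS to the dmz1
: web server is allowed in, everything else from the Internet is dropped.
access-list outside_in permit tcp any host 10.1.50.10 eq 443
access-list outside_in deny ip any any
access-group outside_in in interface outside

: "Outbound" policy, applied inbound on the inside interface: inside
: users may reach the dmz1 web server and browse the web, nothing else.
access-list inside_in permit tcp 10.1.100.0 255.255.255.0 host 10.1.50.10 eq 443
access-list inside_in permit tcp 10.1.100.0 255.255.255.0 any eq 80
access-list inside_in permit tcp 10.1.100.0 255.255.255.0 any eq 443
access-list inside_in deny ip any any
access-group inside_in in interface inside

: dmz1 may query its resolver; it may not open connections into the
: inside network. Replies to inside-initiated sessions are still
: allowed by the stateful connection table.
access-list dmz1_in permit udp host 10.1.50.10 host 192.0.2.53 eq 53
access-list dmz1_in deny ip any any
access-group dmz1_in in interface dmz1
```

Two points worth checking when adapting this. On PIX 6.x, access-group applies an ACL only in the inbound direction of an interface, so the "outbound" policy the answer mentions is the ACL attached to the inside interface, and traffic from a lower-security interface to a higher one is accepted only if both a static (or nat/global pair) and a permitting ACL exist for it. Every pair of interfaces that exchanges traffic needs its own translation entry; a packet with no matching static or nat is dropped regardless of the ACLs. "show static", "show xlate" and "show access-list" confirm which translations and ACL entries are actually in use.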
