Firewall Wizards mailing list archives

help...


From: "michael" <madams () humanfactors com>
Date: Mon, 17 Feb 2003 13:04:25 -0600

I have a problem which is actually supposed to be easy--at least according
to the Cisco examples, but seems to be giving me fits. I just can't figure
out where I'm going wrong.  A particular company--being rather, shall we
say, possessed of parsimonious pecuniary policies, will not update one of
their old PIX firewalls beyond version 4.2.  In itself, that's not really
too much of an issue. It has three interfaces, and one of them is now to be
designated as a DMZ. (This version--although old--of the IOS does indeed
handle more than two interfaces)

I have set it up according to examples on CCO, and interestingly enough it
will work just fine when passing traffic from the outside interface to the
DMZ interface.  The DMZ is configured for NAT.  However, the one thing that
has me stumped is why I cannot get it to--through either statics or
conduits--communicate with an interface which is of "higher" security level.
According to everything I know (which admittedly is not omniscient) this can
be done even though by default a "lower" security level interface does not
communicate with a "higher" level unless exceptions are made. There are
examples on CCO. But it doesn't so far work.  I can ping a host on the DMZ,
but the host is not actually responding--the PIX does because of a static
mapping...

Any advice that would be helpful in creating an exception that would allow
traffic initiated from the inside interface to the DMZ interface to actually
work?

Thanks!

Michael

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
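For readers hitting the same wall, here is an illustrative PIX configuration showing the two separate mechanisms involved. It is an added example, not the poster's configuration and not from Cisco documentation; the addresses, interface names and security levels are constructed, and the command syntax shown is the classic PIX `nat`/`global`/`static`/`conduit` form (assumed to apply to the poster's 4.2 release; exact keyword forms on very old releases should be checked against that version's command reference). The point it demonstrates: a `static (dmz,outside)` plus a `conduit` only opens the lower-to-higher direction (outside to DMZ). A session started on the higher-security inside interface toward the DMZ is permitted by the security-level rule but still needs a translation slot on the DMZ side, which comes from a `nat (inside)` / `global (dmz)` pair (or an identity `static (inside,dmz)`), not from the outside-facing static.

```cisco
! --- Constructed example; interface names, levels and addresses are hypothetical ---
nameif ethernet0 outside security0
nameif ethernet1 inside  security100
nameif ethernet2 dmz     security50

ip address outside 203.0.113.2   255.255.255.0
ip address inside  10.1.1.1      255.255.255.0
ip address dmz     192.168.10.1  255.255.255.0

! 1) Outside -> DMZ (lower to higher): this is the exception the poster already has
!    working. The static publishes the DMZ web host on a public address and the
!    conduit lets TCP/80 through to it. It does NOTHING for inside -> DMZ sessions.
static (dmz,outside) 203.0.113.80 192.168.10.80 netmask 255.255.255.255 0 0
conduit permit tcp host 203.0.113.80 eq www any

! 2) Inside -> DMZ (higher to lower): allowed by the security-level rule, but the
!    inside hosts still need an address to be translated to on the DMZ interface.
!    Without a global on dmz for nat id 1, the PIX has no slot and drops the flow
!    (the symptom "I can ping but the host never answers").
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 203.0.113.10-203.0.113.20 netmask 255.255.255.0
global (dmz)     1 192.168.10.100-192.168.10.120 netmask 255.255.255.0

! Alternative to the dmz global above: keep inside addresses unchanged toward the
! DMZ with an identity static (first interface is the HIGHER-security one).
! static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0 0 0
```

When troubleshooting, compare `show xlate` before and after an inside host tries to reach the DMZ: if no translation appears for the inside address on the `dmz` interface, the missing piece is the `global (dmz)` or identity static, not a conduit. Also note that the `static (dmz,outside)` makes the PIX itself answer ICMP on 203.0.113.80, which matches the observation that a ping "succeeds" while the real DMZ host never sees the traffic.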
