Configuring the Other VPN Capabilities

So far, in our discussion of the PIX firewall, we have demonstrated its use and configuration as a packet-filtering firewall and as a dynamic address-translation mechanism (NAT) that hides the identity of internal machines. In this section we will briefly discuss how to build a virtual private network between two PIX units, connecting two private networks with the Internet as the transport medium.

Offering Services to the Internet Through Conduits and the static Command

The conduit command is a short-circuit mechanism: it lets hosts on the outside network bypass the PIX's adaptive security mechanism and connect to specific hosts on the inside network. That is less alarming than it sounds. Punching holes in the firewall for specific, known services is routine and frequently required; what matters is that each hole is narrow (one service, one inside host and, where possible, one known set of outside peers) and that the exposed service is tested and monitored before the hole is opened.

You can add an exception to the PIX's adaptive security system either with the conduit command or as the last parameter of the static command (an example of the static command is detailed below), but Cisco recommends that the conduit command be used. (Later PIX software releases deprecated conduit in favour of access-list combined with access-group, and PIX 7.0 removed it; the examples here use the older syntax.)

Let us say that we have a mail-exchanging Unix host on our outside network (1.251.174.155) and an SMTP/POP host on our inside network (192.168.2.3). We wish to accomplish two things:

  1. Map the address of our internal SMTP server statically to the translation table address 1.241.11.254 (the first one chosen by PIX).

  2. Create a conduit that allows ...
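The two steps above as a PIX configuration fragment. This is an added example, not the book's own listing; it assumes PIX 4.2-or-later command syntax, interfaces named inside and outside, the addresses used in the text, and that the inside host's POP service is used only from the inside. The fixup and show commands are assumed supporting commands for the same release family.

```cisco
! Added example (not from the book). Assumes PIX 4.2+ syntax, interfaces
! named "inside" and "outside", and the addresses used in the text.
! Every address and interface name here is an assumption about this site.

! 1. Static translation: the inside SMTP/POP host is always presented to
!    the outside as 1.241.11.254. The trailing "0 0" leaves the connection
!    and embryonic-connection limits unbounded (the defaults).
static (inside,outside) 1.241.11.254 192.168.2.3 netmask 255.255.255.255 0 0

! 2. Conduit: permit only the outside mail exchanger, only to TCP/25, only
!    to the statically mapped global address. No conduit is created for
!    POP (TCP/110): mail is collected from the inside, so nothing on the
!    outside needs it, and everything not matched here stays denied.
conduit permit tcp host 1.241.11.254 eq smtp host 1.251.174.155

! Counter-example, NOT recommended: "any" lets every Internet host reach the
! server, and omitting the port clause exposes every TCP port on it,
! including POP. This is the kind of hole the text warns against.
! conduit permit tcp host 1.241.11.254 any

! Mail Guard: restrict the SMTP session to the minimal RFC 821 command set
! (HELO, MAIL, RCPT, DATA, RSET, NOOP, QUIT) before it reaches the server.
fixup protocol smtp 25

! Verification after the change: confirm the mapping, the conduit and,
! once the outside host connects, the resulting translation entry.
show static
show conduit
show xlate
```

The order of the addresses in the conduit line matters: the global (outside-visible) address of the inside host comes first, the foreign (outside) host second. Restricting the foreign side to a single host is what keeps this a conduit for one known peer rather than an open port.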
