PIX 515E Security Appliance Getting Started Guide
78-17645-01
Chapter 2 Scenario: DMZ Configuration
Example DMZ Network Topology
Figure 2-2 Outgoing HTTP Traffic Flow from the Private Network
In Figure 2-2, the security appliance permits HTTP traffic originating from inside
clients and destined for both the DMZ web server and devices on the Internet. To
permit the traffic through, the security appliance configuration includes the
following:
• Access control rules permitting traffic destined for the DMZ web server and
for devices on the Internet.
• Address translation rules translating private IP addresses so that the private
addresses are not visible to the Internet.
    - For traffic destined for the DMZ web server, private IP addresses are
      translated to an address from an IP pool.
    - For traffic destined for the Internet, private IP addresses are translated
      to the public IP address of the security appliance. Outgoing traffic
      appears to come from this address.
Figure 2-3 shows HTTP requests originating from the Internet and destined for
the public IP address of the DMZ web server.
[Figure 2-2 diagram. Labels: HTTP clients on 10.10.10.0 (private address); Security Appliance; DMZ network with DMZ Web Server (private IP address: 10.30.30.30, public IP address: 209.165.200.226); outside interface 209.165.200.225 (public address); Internet. HTTP request toward the DMZ: internal IP address translated to address from IP pool. HTTP request toward the Internet: internal IP address translated to address of outside interface.]