[fw-wiz] RE: PIX 520 - control traffic between DMZ and inside devices

From: Eye Am (eyeam@optonline.net)
Date: 12/30/02


From: Eye Am <eyeam@optonline.net>
To: firewall-wizards@honor.icsalabs.com
Date: Mon Dec 30 19:42:01 2002

Well, I'd like to thank everyone here for their guidance and input. We
managed to get everything configured to do what we want. One change that
occurred was that we need unlimited access for traffic initiated on the
inside interface destined for the DMZ (Access shares etc.) BUT we need to
limit access for traffic initiated in the DMZ to only certain machines/ports
on the inside (i.e. a website accessing an MSSQL server).

Here's what we did:

PIX config

access-list 110 permit ip my.PRIVATE.net.0 255.255.255.0 my.DMZ.net.0 255.255.255.0
nat (inside) 0 access-list 110

# Allows unlimited traffic originated in PRIVATE destined for DMZ

access-list dmz_in permit ip my.DMZ.net.0 255.255.255.0 host my.PRIVATE.net.22
# Inside DNS Server
access-list dmz_in permit tcp host my.DMZ.net.37 host my.PRIVATE.net.9 eq 1433
access-list dmz_in permit tcp host my.DMZ.net.61 host my.PRIVATE.net.9 eq 1433
access-list dmz_in permit tcp host my.DMZ.net.60 host my.PRIVATE.net.9 eq 1433
# DMZ device to inside MSSQL server
access-list dmz_in permit icmp any any
# Permit PING
access-group dmz_in in interface DMZ

## Controls traffic initiated by DMZ devices destined for inside

static (inside,DMZ) my.PRIVATE.net.0 my.PRIVATE.net.0 netmask 255.255.255.0 0 0

# Static mapping for entire PRIVATE Class C to DMZ (This was the part I
never saw before: static mapping of the same address space on two
interfaces. Loosely equated to Global and NAT, I believe.)

MSM Config

conf t
no access-list 101
access-list 101 permit ip my.PRIVATE.net.0 255.255.255.255 my.DMZ.net.0 255.255.255.255
route-map testdmz permit 10
 match ip address 101
 set ip next-hop my.PRIVATE.net.15
interface Vlan100
 ip policy route-map testdmz

# Created gateway for traffic originating on the inside interface destined
for the DMZ, in addition to the normal inside default gateway that sends
traffic to the outside (Internet) from inside to DMZ.
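As an added example that is not part of the original post or the poster's configuration, the script below is a small first-match evaluator for the PIX-style access-list entries shown above. It lets you ask which DMZ-initiated flows the dmz_in list actually admits before the implicit deny at its end, and lists the entries that permit more than one port to one host. The networks are placeholders chosen for the example (my.PRIVATE.net is taken as 10.1.1.0/24 and my.DMZ.net as 10.2.2.0/24); the function names are this example's own. One thing the evaluation makes visible: the first entry permits any IP protocol from the whole DMZ to the inside DNS server, and the last permits ICMP from and to anything, so both are wider than the "certain machines/ports" goal and worth a second look.

```python
"""
Added example (not from the original post): first-match evaluation of the
PIX 'access-list <name> permit <proto> <src> <dst> [eq <port>]' lines in the
post, with constructed stand-in addresses for my.PRIVATE.net and my.DMZ.net.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PRIVATE = "10.1.1"   # assumed stand-in for my.PRIVATE.net
DMZ = "10.2.2"       # assumed stand-in for my.DMZ.net

# The dmz_in ACL from the post, with the symbolic networks substituted.
DMZ_IN_ACL = f"""
access-list dmz_in permit ip {DMZ}.0 255.255.255.0 host {PRIVATE}.22
access-list dmz_in permit tcp host {DMZ}.37 host {PRIVATE}.9 eq 1433
access-list dmz_in permit tcp host {DMZ}.61 host {PRIVATE}.9 eq 1433
access-list dmz_in permit tcp host {DMZ}.60 host {PRIVATE}.9 eq 1433
access-list dmz_in permit icmp any any
"""


@dataclass
class Ace:
    """One access-control entry; port is None when the entry has no 'eq'."""
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[int]


def _parse_addr(tokens):
    """Consume one PIX address spec (any | host A | A MASK); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # PIX access-lists take a subnet mask here, not an IOS-style wildcard mask.
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_acl(text):
    """Parse 'access-list' lines into Ace objects, in the order they were written."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list":
            continue
        action, proto = t[2], t[3]
        src, rest = _parse_addr(t[4:])
        dst, rest = _parse_addr(rest)
        port = int(rest[1]) if len(rest) >= 2 and rest[0] == "eq" else None
        aces.append(Ace(action, proto, src, dst, port))
    return aces


def evaluate(aces, proto, src, dst, dport=None):
    """First matching entry decides; no match reproduces the PIX's implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in aces:
        if ace.proto not in ("ip", proto):
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.port is not None and ace.port != dport:
            continue
        return ace.action == "permit"
    return False


def broad_entries(aces):
    """Permit entries with no port restriction: candidates for tightening."""
    return [ace for ace in aces if ace.action == "permit" and ace.port is None]


if __name__ == "__main__":
    acl = parse_acl(DMZ_IN_ACL)
    print("web .37 -> sql .9:1433 ", evaluate(acl, "tcp", f"{DMZ}.37", f"{PRIVATE}.9", 1433))
    print("web .37 -> sql .9:445  ", evaluate(acl, "tcp", f"{DMZ}.37", f"{PRIVATE}.9", 445))
    print("other .99 -> dns .22:445", evaluate(acl, "tcp", f"{DMZ}.99", f"{PRIVATE}.22", 445))
    for ace in broad_entries(acl):
        print("review:", ace.proto, ace.src, "->", ace.dst)
```

Running it shows the intended MSSQL flow permitted, the same host denied on any other port, and an arbitrary DMZ host reaching the DNS server on any port because the first entry says ip rather than udp/tcp eq 53.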
