Re: [fw-wiz] New to Cisco PIX/ ASA

On 8/1/07, Keith A. Glass <salgak@xxxxxxxxxxxxx> wrote:
> Am I correct in my understanding that if I want two-way traffic, traffic is
> not blocked to a lower trust level, so I need only write a rule to pass the
> traffic between the endpoints from the external interface to the internal
> interface, and the reply traffic is taken care of? Or do I have to write
> a reverse rule, from the internal interface to the external as well?

PIX/ASA are 'stateful' firewalls, meaning that if the initiating SYN
packet is allowed via explicit (or, in the case of interface security
levels, implicit) policy, return traffic will be allowed by virtue of
the state table.

I am going to attempt a lousy ASCII diagram because Visio just doesn't
work for mailing lists.

Case 1: Outbound Traffic To Internet

client:1024 ---> Eth0/0(security 100)--Eth1/0(security 0) --->
external web site:80
[ no access-list is needed by default because of security levels,
however specifying one is a good idea for a number of reasons that
probably aren't worth getting into here in this brace]
external web site:80 ---> Eth1/0(security 0)--Eth0/0(security 100)
---> client:1024
[ no access-list is needed for return traffic because this connection
is in the state table. Were there no table entry matching client:1024
to webserver:80, this traffic would be dropped just like a NetScreen,
Check Point, SonicWall - but maybe not Gauntlet]

Case 2: Inbound Traffic From Internet
client:1024 ---> Eth1/0(security 0)--Eth0/0(security 100) --->
internal web site:80
[ this requires an access-list and probably also a static nat and more
- read the manual]
internal web site:80 ---> Eth0/0(security 100)--Eth1/0(security 0)
---> client:1024
[ assuming the access-list is in place above, his return traffic is
also allowed because of the state table]

It's also worth mentioning that if you have Internet-facing servers
they belong in a DMZ, which adds an additional level of complexity
(but also security!) here. A good rule of thumb when dealing with
PIX/ASA is to all but ignore the interface security levels and build
explicit access-list rules for all of the traffic you want to allow
and deny. This reduces mistakes and also makes auditing
configurations and analyzing logs easier down the road. It's worth
the effort to do it right, right now.

Good luck!
firewall-wizards mailing list
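As an added example, not part of the original post or its author's configuration, here is an ASA configuration fragment that implements both cases above the way the reply recommends: explicit access-lists on both interfaces instead of relying on security levels. Interface names, addresses (RFC 5737 documentation ranges), object names and the DNS server address are assumptions chosen for illustration; the syntax is the ASA 8.3-and-later form (object NAT, access-lists written against real, untranslated addresses).

```cisco
! Added example, not from the original post. Interface names, addresses
! and object names are assumed; syntax is ASA 8.3+ (object NAT, real IPs
! in access-lists).
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
! Case 1: inside hosts reach the Internet behind PAT on the outside address.
object network INSIDE-NET
 subnet 10.1.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! Case 2: internal web server published on 203.0.113.10 (static NAT).
object network WEB-SERVER
 host 10.1.1.10
 nat (inside,outside) static 203.0.113.10
!
! Outbound policy. Once an access-group is bound to "inside", the implicit
! higher-to-lower permit no longer applies: only what is listed gets out.
access-list INSIDE_OUT extended permit tcp 10.1.1.0 255.255.255.0 any eq www
access-list INSIDE_OUT extended permit tcp 10.1.1.0 255.255.255.0 any eq https
access-list INSIDE_OUT extended permit udp 10.1.1.0 255.255.255.0 host 203.0.113.53 eq domain
access-list INSIDE_OUT extended deny ip any any log
access-group INSIDE_OUT in interface inside
!
! Inbound policy. Only TCP/80 to the web server; on 8.3+ the entry names the
! real address via the object, not the translated 203.0.113.10.
access-list OUTSIDE_IN extended permit tcp any object WEB-SERVER eq www
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! No rules exist for the reply direction in either case: reply packets match
! the connection entry created when the permitted SYN was forwarded.
! Check it while a client is connected:
!   show conn address 10.1.1.10
!   show access-list OUTSIDE_IN
```

The trailing `deny ip any any log` on each list restates the implicit deny so that dropped traffic shows up in the hit counts and syslog, which is the auditing benefit the reply mentions. On pre-8.3 PIX/ASA code the same design uses `static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255` and the inbound access-list must reference the translated address (`host 203.0.113.10`) rather than the object. `show conn` is the quickest way to confirm that a permitted SYN created the state entry the return traffic relies on.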
