Re: [fw-wiz] PIX access-list help



Easiest thing to remember is any communication is allowed from a higher
security interface to a lower security one (inside to outside, inside to
DMZ, DMZ to outside) unless explicitly prevented.

Next thing is to remember the application of ACLs is from the physical
interface's perspective.

You create an ACL and apply it either in or out of the interface.

To prevent packets from leaving that network, i.e. coming "in" to the
interface, apply "access-group in interface blah".

To prevent packets from entering that network, i.e. going "out" to that
interface, apply "access-group out interface blah".

Allowing packets from the Internet to a DMZ host requires two items:
A "static" configuration line mapping for the outside IP & port to the
internal IP & port.
An inbound ACL applied "in" on the outside interface.

In your particular case it sounds like a minor change of your ACL and
the application in the opposite direction on the DMZ interface would fix
the problem.

Some examples:
static (DMZ,outside) tcp 22.22.22.22 http 10.10.10.10 http netmask 255.255.255.255 0 0
static (DMZ,outside) tcp 22.22.22.23 smtp 10.10.10.11 smtp netmask 255.255.255.255 0 0
access-list inbound permit tcp any host 22.22.22.22 eq http
access-list inbound permit tcp any host 22.22.22.23 eq smtp
access-group inbound in interface outside
(allow web access to 22.22.22.22 & SMTP to .23 from the Internet)

access-list DMZ-to-inside permit tcp host 10.10.10.11 host 192.168.1.11 eq smtp
access-group DMZ-to-inside in interface DMZ
(allow SMTP from DMZ-10.10.10.11 to inside-192.168.1.11)

To prevent outbound from the inside network to either Internet or DMZ
you can apply an ACL "out" on the inside interface.

access-list inside-out permit tcp any any eq http
access-list inside-out permit tcp any any eq 443
access-list inside-out permit tcp any host 192.168.1.11 eq smtp
access-group inside-out in interface inside
(This will only allow outbound HTTP/S & SMTP to either the Internet or
DMZ)

You can also help lock-down any packet leakage by applying an outbound
ACL to our outside interface to allow only what you want leaving your
network.

Remembering to do both sides of the firewall is a good security practice
overall.

HTH,
Brandon
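
Added example (editor's addition, not part of Brandon's reply, Brian's
configuration, or any Cisco code): a small Python model of how an ACL bound
"in" on a PIX 6.x interface is evaluated. It shows the three rules the thread
turns on: first match wins, every ACL ends in an implicit deny, and without an
ACL on the ingress interface only higher-to-lower security traffic is allowed.
The interface names and security levels come from the question; the addresses
(DMZ host 10.10.10.11, inside mail server 192.168.1.11, outside globals
22.22.22.22/.23) follow the reply's examples. The "too broad" variant is the
single permit line Brian mentioned, and the "ordered" variant (permit SMTP,
deny the rest of the inside subnet, then permit everything else) is my own
construction, not a line either poster wrote. NAT statics are not modeled; the
outside ACL is matched against the global address, as in the reply.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed model of PIX 6.x interface ACL evaluation (not Cisco code).
# Security levels from the original question: outside=0, dmz=50, inside=100.
SECURITY = {"outside": 0, "dmz": 50, "inside": 100}
PORTS = {"smtp": 25, "http": 80, "www": 80, "https": 443, "telnet": 23}


@dataclass(frozen=True)
class Ace:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]          # None means any destination port


def _addr(tokens):
    """Consume one PIX address spec ('any', 'host A', or 'A MASK') from the token list."""
    first = tokens.pop(0)
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if first == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(first + "/" + tokens.pop(0))


def parse_config(text):
    """Parse 'access-list' and 'access-group ... in interface' lines into {iface: [Ace, ...]}."""
    acls, bound = {}, {}
    for line in text.strip().splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "access-list":
            name, action, proto, rest = t[1], t[2], t[3], t[4:]
            src, dst = _addr(rest), _addr(rest)
            dport = None
            if rest and rest[0] == "eq":
                dport = PORTS[rest[1]] if rest[1] in PORTS else int(rest[1])
            acls.setdefault(name, []).append(Ace(action, proto, src, dst, dport))
        elif t[0] == "access-group" and t[2] == "in" and t[3] == "interface":
            bound[t[4]] = t[1]
    return {iface: acls.get(name, []) for iface, name in bound.items()}


def evaluate(config, ingress, egress, proto, src, dst, dport):
    """Decide a new connection arriving on `ingress`; returns (action, reason)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if ingress in config:
        # An ACL bound "in" is first-match, and ends in an implicit deny.
        for i, ace in enumerate(config[ingress], 1):
            if (ace.proto in ("ip", proto) and s in ace.src and d in ace.dst
                    and ace.dport in (None, dport)):
                return ace.action, f"{ingress} ACL line {i}"
        return "deny", f"{ingress} ACL implicit deny"
    # No ACL on the ingress interface: higher security may initiate to lower, never the reverse.
    if SECURITY[ingress] > SECURITY[egress]:
        return "permit", "higher-to-lower default"
    return "deny", "lower-to-higher needs static + ACL"


# Brian's situation (constructed addresses): one permit line, so everything else from the DMZ dies.
PROBLEM = """
access-list dmz permit tcp host 10.10.10.11 host 192.168.1.11 eq smtp
access-group dmz in interface dmz
"""
# Brian's workaround: Internet works again, but the inside network is opened as well.
TOO_BROAD = PROBLEM.replace(
    "access-group", "access-list dmz permit ip host 10.10.10.11 any\naccess-group")
# Constructed ordered alternative (not from the thread): order the lines so the
# inside-subnet deny is hit before the catch-all permit.
ORDERED = """
access-list dmz permit tcp host 10.10.10.11 host 192.168.1.11 eq smtp
access-list dmz deny ip any 192.168.1.0 255.255.255.0
access-list dmz permit ip any any
access-group dmz in interface dmz
"""
# The reply's outside ACL, matched against the global addresses of the statics.
OUTSIDE = """
access-list inbound permit tcp any host 22.22.22.22 eq http
access-list inbound permit tcp any host 22.22.22.23 eq smtp
access-group inbound in interface outside
"""


def compare():
    """Run three DMZ-originated flows through each of the three DMZ ACL variants."""
    cases = {
        "dmz->internet http": ("dmz", "outside", "tcp", "10.10.10.11", "198.51.100.7", 80),
        "dmz->inside smtp":   ("dmz", "inside", "tcp", "10.10.10.11", "192.168.1.11", 25),
        "dmz->inside telnet": ("dmz", "inside", "tcp", "10.10.10.11", "192.168.1.11", 23),
    }
    variants = (("problem", PROBLEM), ("too_broad", TOO_BROAD), ("ordered", ORDERED))
    return {label: {name: evaluate(parse_config(cfg), *pkt)[0] for name, cfg in variants}
            for label, pkt in cases.items()}


if __name__ == "__main__":
    for label, results in compare().items():
        print(f"{label:20s} {results}")
```

Running it shows the implicit deny behind Brian's symptom (the single SMTP
permit leaves DMZ-to-Internet traffic with no matching line), why the
"permit ip host ... any" line re-opens the inside network, and how the
ordering of a deny before a catch-all permit keeps the DMZ host limited to
SMTP toward the inside while still reaching the Internet.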

-----Original Message-----
From: firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxx
[mailto:firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of
Brian Blater
Sent: Friday, December 21, 2007 11:02 AM
To: FW Wiz
Subject: [fw-wiz] PIX access-list help

I'm a little befuddled with PIX access lists and need some help and
understanding. I have a PIX 515 version 6.3(3) with 3 interfaces -
outside, inside, dmz. Up till now I have only been using the outside
and inside interface. I have started configuring the dmz interface and
have set it at security50 (outside = 0, inside = 100). I currently
have only an access-list on the outside interface allowing some
specific traffic in to the inside network. Right now the inside and
dmz can talk to the internet just fine and the inside can talk to the
dmz network fine. However, I want to implement an access-list on the
dmz interface and this is where the problems start. If I assign an
access list to the dmz port to allow smtp from a dmz host to the
inside mail server I no longer have communication to the internet from
the dmz and the inside cannot talk to the dmz because of the implicit
deny of the access list.

So, my main question, is there an access list command I can have that
basically says "allow all communication from the dmz to the internet"
and one that says "allow communication from the inside to the dmz"? I
know I can add "access-list dmz permit ip host 192.168.1.1 any" and
that solves the problem of getting to the internet, but then it opens
all communication to the inside from this host and I don't want to do
that. Since this is version 6.3(3) I can't use an out access-list
which I think might solve the problem. I have enough memory to run
version 7.x on this PIX, but I'm trying to tackle one problem at a
time and I'm a little hesitant about doing the 7.x upgrade just yet.

I have more questions, but I think I'll start here for now and ask the
other questions when they are more relevant.

Thanks for your help,
Brian
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


