Re: [fw-wiz] PIX access-list help

Easiest thing to remember is any communication is allowed from a higher
security interface to a lower security one (inside to outside, inside to
DMZ, DMZ to outside) unless explicitly prevented.

Next thing is to remember the application of ACLs is from the physical
interface's perspective.

You create an ACL and apply it either in or out of the interface.

Preventing packets from leaving that network, ie coming "in" to the
interface, are applied "access-group in interface blah".

To prevent packets from entering that network, ie going "out" to that
interface, are applied "access-group out interface blah".

Allowing packets from the Internet to a DMZ host requires two items:
A "static" configuration line mapping for the outside IP & port to the
internal IP & port.
A inbound ACL applied "in" on the outside interface.

In your particular case it sounds like a minor change of your ACL and
the application in the opposite direction on the DMZ interface would fix
the problem.

Some examples:
static (DMZ,outside) tcp http http netmask 0 0
static(DMZ, outside) tcp smtp smtp netmask 0 0
access-list inbound permit tcp any eq http
access-list inbound permit tcp any eq smtp
access-group inbound in interface outside
(allow web access to & SMTP to .23 from the Internet)

access-list DMZ-to-inside permit tcp host eq
access-group DMZ-to-inside in interface DMZ
(allow SMTP from DMZ- to inside-

To prevent outbound from the inside network to either Internet or DMZ
you can apply an ACL "out" on the inside interface.

access-list inside-out permit any any eq http
access-list inside-out permit any any eq 443
access-list inside-out permit any eq smtp
access-group inside-out in interface inside
(This will only allow outbound HTTP/S & SMTP to either the Internet or

You can also help lock-down any packet leakage by applying an outbound
ACL to our outside interface to allow only what you want leaving your

Remembering to do both sides of the firewall is a good security practice


-----Original Message-----
From: firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxx
[mailto:firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of
Brian Blater
Sent: Friday, December 21, 2007 11:02 AM
To: FW Wiz
Subject: [fw-wiz] PIX access-list help

I'm a little befuddled with PIX access lists and need some help and
understanding. I have a PIX 515 version 6.3(3) with 3 interfaces -
outside, inside, dmz. Up til now I have only been using the outside
and inside interface. I have started configuring the dmz interface and
have set it at security50 (outside = 0, inside = 100). I currently
have only an access-list on the outside interface allowing some
specific traffic in to the inside network. Right now the inside and
dmz can talk to the internet just fine and the inside can talk to the
dmz network fine. However, I want to implement an access-list on the
dmz interface and this is where the problems start. If I assign an
access list to the dmz port to allow smtp from a dmz host to the
inside mail server I no longer have communication to the internet from
the dmz and the inside cannot talk to the dmz because of the implicit
deny of the access list.

So, my main question, is there an access list command I can have that
basically says "allow all communication from the dmz to the internet"
and one that says "allow communication from the inside to the dmz"? I
know I can add "access-list dmz permit ip host any" and
that solves the problem of getting to the internet, but then it opens
all communication to the inside from this host and I don't want to do
that. Since this is version 6.3(3) I can't use an out access-list
which I think might solve the problem. I have enough memory to run
version 7.x on this PIX, but I'm trying to tackle one problem at a
time and I'm a little hesitant about doing the 7.x upgrade just yet.

I have more questions, but I think I start here for now and ask the
other questions when they are more relevant.

Thanks for your help,
firewall-wizards mailing list

This message is intended only for the person(s) to which it is addressed
and may contain privileged, confidential and/or insider information.
If you have received this communication in error, please notify us
immediately by replying to the message and deleting it from your computer.
Any disclosure, copying, distribution, or the taking of any action concerning
the contents of this message and any attachment(s) by anyone other
than the named recipient(s) is strictly prohibited.

firewall-wizards mailing list