Re: [fw-wiz] PIX access-list help
- From: "Farrukh Haroon" <farrukhharoon@xxxxxxxxx>
- Date: Tue, 25 Dec 2007 02:20:22 +0300
Brian, as you stated in version 6.x you cannot have outbound ACLs.
"allow all communication from the dmz to the internet"
This can be done by the ACL you suggested:
access-list dmz permit ip <dmz-subnet> <dmz-subnet-mask> any
If you don't want certain or all DMZ hosts to initiate traffic to the
inside, you can add some deny ACLs on top of the above access-list; the
access-list is processed in the order you define 'em. The 'show access-list'
command would show you these line numbers. E.g. the below ACL denies DMZ
host 192.168.1.1 from going to the inside host 10.10.10.10. But it can go
everywhere else...
access-list dmz line 1 extended deny ip host 192.168.1.1 host 10.10.10.10
access-list dmz line 2 extended permit ip host 192.168.1.1 any
Regarding your statement:
"inside cannot talk to the dmz because of the implicit
deny of the access list."
I really don't think this is true :). Which implicit deny are you talking
about here? You never applied an access-list on the inside interface. Let's
say inside user 10.10.10.5 wants to speak to DMZ host 192.168.1.5, what
really is required?
At least a dynamic NAT (since it's version 6.x and there is nat-control). Static NAT, identity NAT etc. would also work....
Since it's Higher to Lower, there is a Default Implicit Permit.
All traffic that the firewall can 'inspect' will be allowed back by virtue
of the state table (the DMZ ACL would not be checked here since this would be
'returning traffic')..... However, if you are running a protocol that uses
'embedding' to hide IP/Ports etc. (like most MultiMedia apps) or you are
using a protocol like FTP/TFTP/XDMCP that does not behave in a symmetric
manner (in terms of flows), you need the firewall to do 'fixup' for that
particular protocol. If you were using normal pings to check, just make sure
you are inspecting icmp: 'fixup protocol icmp'.
Regards
Farrukh
On Dec 21, 2007 7:02 PM, Brian Blater <brb.lists@xxxxxxxxx> wrote:
I'm a little befuddled with PIX access lists and need some help and
understanding. I have a PIX 515 version 6.3(3) with 3 interfaces -
outside, inside, dmz. Up til now I have only been using the outside
and inside interface. I have started configuring the dmz interface and
have set it at security50 (outside = 0, inside = 100). I currently
have only an access-list on the outside interface allowing some
specific traffic in to the inside network. Right now the inside and
dmz can talk to the internet just fine and the inside can talk to the
dmz network fine. However, I want to implement an access-list on the
dmz interface and this is where the problems start. If I assign an
access list to the dmz port to allow smtp from a dmz host to the
inside mail server I no longer have communication to the internet from
the dmz and the inside cannot talk to the dmz because of the implicit
deny of the access list.
So, my main question, is there an access list command I can have that
basically says "allow all communication from the dmz to the internet"
and one that says "allow communication from the inside to the dmz"? I
know I can add "access-list dmz permit ip host 192.168.1.1 any" and
that solves the problem of getting to the internet, but then it opens
all communication to the inside from this host and I don't want to do
that. Since this is version 6.3(3) I can't use an out access-list
which I think might solve the problem. I have enough memory to run
version 7.x on this PIX, but I'm trying to tackle one problem at a
time and I'm a little hesitant about doing the 7.x upgrade just yet.
I have more questions, but I think I start here for now and ask the
other questions when they are more relevant.
Thanks for your help,
Brian
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
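A worked configuration for the setup discussed in this thread, added here as an example and not part of either poster's message. It puts the three points from the reply together: an ordered inbound ACL on the dmz interface (specific SMTP permit, then deny to inside, then permit everything else so the Internet still works), a translation so inside can reach the DMZ under nat-control, and the ICMP fixup for testing with ping. It uses PIX 6.3 syntax and the hosts named in the thread (DMZ host 192.168.1.1, inside mail server 10.10.10.10); the /24 subnets, the DMZ host being the SMTP relay, and the NAT id 1 being free for the dmz interface are assumptions about Brian's topology, not facts from the posts.

```cisco
! Added example, not from the thread. Assumed: PIX 6.3(3), security levels
! outside=0, dmz=50, inside=100; dmz 192.168.1.0/24, inside 10.10.10.0/24;
! DMZ SMTP relay 192.168.1.1, inside mail server 10.10.10.10.

! Inbound ACL on the dmz interface. Entries are matched top-down, first match
! wins, and the list ends with an implicit deny, so order is what matters:
!   1. permit only SMTP from the DMZ relay to the inside mail server
!   2. deny anything else from the DMZ toward the inside subnet
!   3. permit whatever is left (the Internet) from the DMZ
access-list dmz permit tcp host 192.168.1.1 host 10.10.10.10 eq smtp
access-list dmz deny ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list dmz permit ip 192.168.1.0 255.255.255.0 any
access-group dmz in interface dmz

! Inside -> DMZ (higher to lower) is permitted by default but still needs a
! translation because of nat-control. An identity static presents inside hosts
! to the DMZ with their real addresses. Return traffic of these inside-initiated
! connections is matched by the state table, not by the dmz ACL.
static (inside,dmz) 10.10.10.0 10.10.10.0 netmask 255.255.255.0 0 0

! DMZ -> outside through the firewall's outside address (assumes nat/global
! id 1 is not already in use; if a 'global (outside) 1' exists, reuse it).
nat (dmz) 1 192.168.1.0 255.255.255.0 0 0
global (outside) 1 interface

! Track ICMP statefully so pings from inside to DMZ hosts get their replies.
fixup protocol icmp

! Check the resulting order, line numbers and hit counts.
show access-list dmz
```

If the deny line were placed after the `permit ip ... any` line it would never be reached, which is exactly the problem Brian hit with a single `permit ip host 192.168.1.1 any`; the hit counts from `show access-list dmz` are the quickest way to confirm that a test connection is matching the line you expect.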