Re: [fw-wiz] PIX access-list help



if you want access to the internet to from any interface you need to
allow all traffic on the typical ports 80 and 443 and then deny
traffic to internal subnets/hosts that should be denied. The other
way to do this is to do a policy nat on the inside and allow only
traffic you want to be translated and all other traffic will just be
dropped. The latter will cause more cpu to used verse it just being
denied by an access list. Hope this helps. If you need more help
then post a sanitized copy of your acls and translations.

Kevin

On Dec 21, 2007 11:02 AM, Brian Blater <brb.lists@xxxxxxxxx> wrote:
I'm a little befuddled with PIX access lists and need some help and
understanding. I have a PIX 515 version 6.3(3) with 3 interfaces -
outside, inside, dmz. Up til now I have only been using the outside
and inside interface. I have started configuring the dmz interface and
have set it at security50 (outside = 0, inside = 100). I currently
have only an access-list on the outside interface allowing some
specific traffic in to the inside network. Right now the inside and
dmz can talk to the internet just fine and the inside can talk to the
dmz network fine. However, I want to implement an access-list on the
dmz interface and this is where the problems start. If I assign an
access list to the dmz port to allow smtp from a dmz host to the
inside mail server I no longer have communication to the internet from
the dmz and the inside cannot talk to the dmz because of the implicit
deny of the access list.

So, my main question, is there an access list command I can have that
basically says "allow all communication from the dmz to the internet"
and one that says "allow communication from the inside to the dmz"? I
know I can add "access-list dmz permit ip host 192.168.1.1 any" and
that solves the problem of getting to the internet, but then it opens
all communication to the inside from this host and I don't want to do
that. Since this is version 6.3(3) I can't use an out access-list
which I think might solve the problem. I have enough memory to run
version 7.x on this PIX, but I'm trying to tackle one problem at a
time and I'm a little hesitant about doing the 7.x upgrade just yet.

I have more questions, but I think I start here for now and ask the
other questions when they are more relevant.

Thanks for your help,
Brian
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards



Relevant Pages

  • RE: Back firewall wont pass traffic...
    ... know what the address range of the DMZ is supposed to be. ... the ISA treats your other interface as external. ... network to be routed to the gateway on the DMZ and on to the internet. ...
    (microsoft.public.isa)
  • Re: [fw-wiz] PIX access-list help
    ... Easiest thing to remember is any communication is allowed from a higher ... DMZ, DMZ to outside) unless explicitly prevented. ... You create an ACL and apply it either in or out of the interface. ... are applied "access-group out interface blah". ...
    (Firewall-Wizards)
  • Re: DMZ Configuration
    ... >by our internet provider. ... >On the trust interface it has a private ip. ... >i would like to use the DMZ. ... Break your netblock into two netblocks, ...
    (comp.security.firewalls)
  • DMZ Question with 2 internet connections
    ... I'm looking at setting up a DMZ for the first time and I need some ... I have a connection to the internet that gives me a public IP address ... for my webserver, I'll be adding a separate database server to talk to ... interface for internal net ...
    (comp.security.firewalls)
  • Re: DMZ Configuration
    ... static NAT through to the machine on the DMZ from the firewall. ... We always had to use a seperate private IP address and use the ... >> I have an internet connection on a leased line, ... >> It has on the untrust interface a public ip (1 of that assigned by our ...
    (comp.security.firewalls)