Re: [fw-wiz] PIX access-list help

On Dec 25, 2007 12:25 AM, Paul Melson <pmelson@xxxxxxxxx> wrote:
On Dec 21, 2007 11:02 AM, Brian Blater <brb.lists@xxxxxxxxx> wrote:
So, my main question, is there an access list command I can have that
basically says "allow all communication from the dmz to the internet"
and one that says "allow communication from the inside to the dmz"? I
know I can add "access-list dmz permit ip host any" and
that solves the problem of getting to the internet, but then it opens
all communication to the inside from this host and I don't want to do
that. Since this is version 6.3(3) I can't use an out access-list
which I think might solve the problem. I have enough memory to run
version 7.x on this PIX, but I'm trying to tackle one problem at a
time and I'm a little hesitant about doing the 7.x upgrade just yet.

The short answer to your question is that PIX access-lists are read,
per-interface, top-to-bottom:

access-list dmz_in deny ip
access-list dmz_in permit ip any
access-group dmz_in in interface dmz

If your internal network is and your DMZ is,
this will prevent traffic from the DMZ to the inside, but allow
everything else.


Ok, I think I understand this a little better now. Say my private
network is and my dmz is I already have
the static (inside,dmz) netmask
which is required in 6.3(3). So, in order to make this work i.e the
inside network has access to everything on the dmz network and the dmz
network can access the internet and I only allow specific
communication from the dmz to the inside I need to do the following:

access-list dmz permit udp host host eq domain
access-list dmz permit tcp host host eq smtp
access-list dmz deny ip
access-list dmz permit ip any

I will also need to add the nonat statements as was suggested by Brandon:

access-list nonat permit ip
access-list nonat permit ip
nat 0 (inside) access-list nonat
nat 0 (dmz) access-list nonat

My only concern here is the 3rd line in the dmz access-list and
whether it will deny communication from the inside network to the dmz
(except dns and smtp), but I will test that when I get home tonight.

Thank you for everyone's help.

firewall-wizards mailing list