r_naren22atyahoo (Australia) asked:

PIX Access-list Inbound rule

Hi guys,

I need to understand the inbound rules from a low security level to a high security level.
Hardware: PIX 7.2(1), ASDM.
Here is my problem:

Public
Network A   50 (Security Level)   Host A
Network B   80 (Security Level)   Host B

So by default Host B >>>>>>HTTP>>>Host A. GOOD, no problems.
What do I have to do to access Host A >>>>HTTP>>>Host B?

I created the access list on Interface B (Inbound):
Host A to Host B, port HTTP.

But this doesn't work??? Why?
And also, after creating that rule I can't access Host A from Host B. The above rule is changing the implicit rule.

Can any one please explain. Why?

regards
Naren
rsivanandan (India):

Between different security levels you need to make an implicit natting. So let's say:

Host A side : 10.10.10.x
Host B side : 20.20.20.x

Both with mask 255.255.255.0


You need to have a static like:

static (int, int) 20.20.20.x 20.20.20.x netmask 255.255.255.0

Then along with this, the access-list will allow. Basically this will allow the 'low security end side' to SEE the 'high security end side'. Either you can do for the whole network or individual hosts.

Cheers,
Rajesh
r_naren22atyahoo (ASKER):

OK, here is the situation:

Interface Public     0  (Security level)
Interface LowSec    50  (Internal Network 10.20.0.0)
Interface HighSec   80  (Internal Network 10.30.0.0)
Interface VeryHigh  90  (Internal Network 10.40.0.0)

Is it a MUST to create the Static NAT to access the High Sec network from the Low Sec network???
They are internal networks, right? Then why NAT for them???

Can't this be done with just the access rules????

regards
Naren
And also, what about the stateful inspection from the Low Sec interface to the High Sec interface???
If I don't have that, again I have to create the access-list for the replies, right???

How can this be achieved in the best way using the stateful inspection???
ASKER CERTIFIED SOLUTION
rsivanandan (India):

Stateful inspection is again done by the access-lists. Traffic flowing from the Low Sec interface to the High Sec interface WILL NOT pass through the PIX unless you have the access-lists defined, correct?

For example, if I create a static exception like this:

static (inside, outside) <PublicIP> <InternalIP> netmask 255.255.255.255

Just with this command, will the traffic flow from outside to inside? No. It will be accompanied by an access-list which states, OK, a hole is done, now what is it that you want to allow through this. So I go again and configure:

access-list <name> extended permit tcp any host <PublicIP> eq 25
access-group <name> in interface outside

This will make sure that only traffic for SMTP will go through it. Also, how ASA (PIX's algorithm) works is based on a hybrid firewall. It is an application proxy + packet filter. So any TCP connection going through the PIX will split into 2 connections: source to PIX and PIX to destination. Once the necessary steps on inspection are done, then it will be allowed to be stitched.

Cheers,
Rajesh
Thanks for the prompt response Rajesh.
I am understanding a bit better now! Thanks.
1 last question.

We have nearly 10 internal networks.
If I make all of these the same security level and (select the option to allow communications between the same security level), then I can control the traffic just by access-list, right? (Of course by default I will put deny any any at the end for each group.)

This way there is no need for the NAT, right?
And of course it's not secured.

And if I make all of these the same security level and select the option NOT to allow communication between the same security level, then again I have to use the NAT on both interfaces, right??

regards
Naren
I have never tried to assign the same security level to 2 interfaces. But if the PIX allows you to do that, then it will be as you are asking for.

Cheers,
Rajesh
Les Moore:
> If I make all of these the same security level and select the option NOT to allow communication between the same security level, then again I have to use the NAT on both interfaces, right??
PIX 7.x gives you some options here.
Either you allow communications between interfaces of the same security level, or you don't.
The primary rule with PIX is no communications at all between the same security level. Version 7 gives you a binary switch for that.
If you do allow traffic between the same security levels, I don't think you need to NAT, but I'll have to check that out.
There is a global "nat control" on/off switch. If you disable nat control then you do not have to use any nat/global rules. Each interface would be expected to have its own public IP subnet.

Thanks for the comment Irmoore.

There are 2 switches on 7.2(1):

1. Allow communications without NAT.
If this switch is ON, then the PIX is allowing the communications from the Low Security level to the High Security level just by the Inbound Access Rule at the Low Security level interface.

2. Allow communication between the interfaces with the same security level.
Here the problem is:
If ON:
It is allowing the communications by default without any access-rules.
Maybe I have to use some deny rules at the end for each interface.
I believe this will be a BIG security hole.

If OFF:
It is denying the communications between the interfaces.
However, I have a problem.
If I use the Inbound Allow access-rule on the source interface, then it's still NOT allowing the communications.
And of course this rule is above the deny rule.
I was wondering how to use the access-rules to allow the traffic in this scenario.

regards
Naren
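As an added example (not configuration posted by anyone in this thread), here is how the two approaches discussed above, Rajesh's identity static plus access-list and Les Moore's nat-control switch, look as PIX 7.2 configuration. It uses the interface names and subnets Naren listed (LowSec 10.20.0.0 at level 50, HighSec 10.30.0.0 at level 80, assumed /24); the physical interface names, interface addresses, the host addresses 10.20.0.10 and 10.30.0.20, and the access-list name LOWSEC_IN are constructed for the example.

```cisco
! Added example, not a configuration from this thread.
! Interface definitions as described by the asker (physical names and interface IPs assumed).
interface Ethernet1
 nameif LowSec
 security-level 50
 ip address 10.20.0.1 255.255.255.0
!
interface Ethernet2
 nameif HighSec
 security-level 80
 ip address 10.30.0.1 255.255.255.0
!
! --- Approach 1: nat-control enabled, identity static (Rajesh's answer) ---
! The static makes the HighSec subnet reachable from the LowSec side without
! changing its addresses.  Syntax: static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
nat-control
static (HighSec,LowSec) 10.30.0.0 10.30.0.0 netmask 255.255.255.0
!
! The static alone lets nothing through; the list bound INBOUND on the low-security
! interface is what opens the flow.  Only the first packet of a connection is checked
! against it; replies from 10.30.0.20 are matched by the stateful connection table.
! Explicit deny with logging at the end (host IPs constructed).
access-list LOWSEC_IN extended permit tcp host 10.20.0.10 host 10.30.0.20 eq www
access-list LOWSEC_IN extended deny ip any any log
access-group LOWSEC_IN in interface LowSec
!
! --- Approach 2: nat-control disabled (the "allow communications without NAT" switch) ---
! Replaces the "nat-control" and "static" lines above; no static/nat/global is then
! required for LowSec -> HighSec, and the same access-list/access-group still decides
! what is permitted.
! no nat-control
!
! --- Same-security-level switch (Naren's "switch 2") ---
! Off by default.  When enabled, same-level interfaces may talk without any static,
! and an access-group on each interface is then the only thing restricting that traffic.
! same-security-traffic permit inter-interface
```

Because the access-group is bound to LowSec rather than HighSec, the HighSec interface keeps its default permission to initiate connections toward lower-security interfaces. Binding a list with an implicit deny to Interface B, as in the original question, replaces that default permission, which is why Host B lost its access to Host A.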

Irmoore,

Could you please re-open the question?
I want to increase the points to 500, and of course distribute 300 to Rajesh, and 200 will be kept open.

regards
Naren