Solved

Cisco PIX firewall IOS 6.0(1) - Access-List - traversing inside, outside, and DMZ (250pts)

Posted on 2003-03-24
Last Modified: 2013-11-16
I'm trying to convert my conduits to ACLs, but I have issues doing so. I set my ACLs and everything seems to work fine, except my DMZ boxes can't access the Internet. All my ACLs regarding the static outside-to-DMZ traffic work, i.e. SMTP, WWW. If I open them up (access-list acl_dmz permit ip any any), then the security dies and it allows all traffic from the DMZ open to my inside. Do I have to open everything on the DMZ, then close everything to inside? Are ACLs not the way to go? Email me and I'll send configs if you want to see them.
Question by:trent1980
7 Comments
LVL 79

Expert Comment

by:lrmoore
ID: 8200140
Traffic from a higher security interface to a lower security interface is permitted unless specifically denied, and the response to that traffic is permitted based on an inspection of the state of the request,
i.e. from DMZ to Internet, from Inside to DMZ, and from Inside to Internet.
Unsolicited traffic from a lower security to a higher security interface is all denied unless specifically permitted,
i.e. from Internet to DMZ or Internet to Inside, or DMZ to Inside: anonymous web users, inbound email, etc.

Remember that the syntax of the acl is backwards from that of a conduit.
access-list <number/name> permit|deny ip|tcp|udp source mask destination mask |eq port

Your Internet_inbound acl could look like this:

name mailhost <publicIP>
name www1 <publicIP>
name Securewww <publicIP>
access-list internet_inbound permit tcp any host mailhost eq 25
access-list internet_inbound permit tcp any host www1 eq 80
access-list internet_inbound permit tcp any host Securewww eq 443

access-group internet_inbound in interface outside

It does not matter which interface these servers reside on; the static NAT map will get the traffic to the right interface.

Now, for the DMZ mailhost to forward mail to an inside Exchange server (for example)

access-list DMZ_Inside permit tcp host <mailhost_real_IP> host <ExchangeIP> eq 25
access-group DMZ_Inside in interface DMZ1



Expert Comment

by:jake90210
ID: 8210531
Thought I would post a couple of comments that helped me clear up problems I had when converting a ton of conduits to ACLs (PIX 6.2).

ACLs can only be applied inwards.
- I have an ACL applied to OUTSIDE, for inbound traffic to the DMZ and INSIDE.
- I have an ACL applied to DMZ, for inbound traffic to INSIDE.
- I have not applied an ACL to INSIDE for obvious (high->low) reasons.
- lrmoore is absolutely correct; really study what he says about the ACLs being backwards to conduits, it tripped me up a couple of times.
This link helped me
http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a00800ec9e8.html#xtocid5
go to the conduit statement section

- Only create entries for traffic you wish to pass from lower security to higher security (DMZ -> INSIDE) or (OUTSIDE -> DMZ, INSIDE). Don't create permit statements for traffic from DMZ -> OUTSIDE since this is already inherently allowed.
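As an added illustration of the operand flip lrmoore and jake90210 describe (this is not code from the thread, and not a Cisco tool), here is a small Python converter that rewrites conduit statements as access-list lines. It assumes the target ACL is named acl_outside and is bound "in interface outside"; the sample input is constructed from the conduits posted above, with one duplicate added to show de-duplication.

```python
"""Convert PIX 'conduit' statements into equivalent 'access-list' lines.

A conduit names the protected (global) side first and the foreign side second;
an access-list names source first and destination second, so the operands flip.
Added example; assumes well-formed conduit lines and an ACL named acl_outside.
"""
from typing import List, Tuple

PORT_OPS = ("eq", "gt", "lt", "neq")


def _take_addr(tok: List[str], i: int) -> Tuple[str, int]:
    """Read 'any', 'host A' or 'A MASK' at tok[i]; return the text and the next index."""
    if i >= len(tok):
        raise ValueError("missing address operand")
    if tok[i] == "any":
        return "any", i + 1
    if tok[i] == "host":
        return f"host {tok[i + 1]}", i + 2
    return f"{tok[i]} {tok[i + 1]}", i + 2


def _take_port(tok: List[str], i: int) -> Tuple[str, int]:
    """Read an optional port qualifier: eq/gt/lt/neq PORT or range LOW HIGH."""
    if i < len(tok) and tok[i] in PORT_OPS:
        return f"{tok[i]} {tok[i + 1]}", i + 2
    if i < len(tok) and tok[i] == "range":
        return f"range {tok[i + 1]} {tok[i + 2]}", i + 3
    return "", i


def conduit_to_acl(line: str, acl_name: str = "acl_outside") -> str:
    """Return the access-list line equivalent to one conduit statement."""
    tok = line.split()
    if len(tok) < 5 or tok[0] != "conduit" or tok[1] not in ("permit", "deny"):
        raise ValueError(f"not a conduit statement: {line!r}")
    action, proto = tok[1], tok[2]
    global_addr, i = _take_addr(tok, 3)      # protected host/network (+ optional port)
    global_port, i = _take_port(tok, i)
    foreign_addr, i = _take_addr(tok, i)     # who may talk to it (+ optional port)
    foreign_port, i = _take_port(tok, i)
    icmp_type = ""
    if proto == "icmp" and i == len(tok) - 1:  # icmp conduits may end with an icmp-type
        icmp_type, i = tok[i], i + 1
    if i != len(tok):
        raise ValueError(f"unparsed tokens {tok[i:]} in {line!r}")
    # ACL order: source (the foreign side) before destination (the global side)
    out = ["access-list", acl_name, action, proto, foreign_addr]
    if foreign_port:
        out.append(foreign_port)
    out.append(global_addr)
    if global_port:
        out.append(global_port)
    if icmp_type:
        out.append(icmp_type)
    return " ".join(out)


def convert_conduits(config: str, acl_name: str = "acl_outside") -> List[str]:
    """Convert every conduit line in a config blob; drop exact duplicates; add the binding."""
    acl: List[str] = []
    for raw in config.splitlines():
        line = raw.strip()
        if not line.startswith("conduit "):
            continue
        converted = conduit_to_acl(line, acl_name)
        if converted not in acl:
            acl.append(converted)
    acl.append(f"access-group {acl_name} in interface outside")
    return acl


# Constructed sample, taken from the conduits posted in this thread (one duplicate added).
SAMPLE_CONDUITS = """\
conduit permit icmp any any
conduit permit tcp host web1 eq www any
conduit permit tcp host web1 eq smtp any
conduit permit tcp host 192.168.100.19 eq 443 host 192.168.255.5
conduit permit udp host 192.168.100.60 eq netbios-ns any
conduit permit tcp host web1 eq www any
"""

if __name__ == "__main__":
    for acl_line in convert_conduits(SAMPLE_CONDUITS):
        print(acl_line)
```

A conduit is not tied to an interface, but an ACL is: the converter puts everything into one outside ACL, so any line whose foreign side is a host on the DMZ or inside (traffic that enters the PIX on that interface, like lrmoore's DMZ_Inside example) has to be moved to the ACL bound on that interface before the output is applied.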

Author Comment

by:trent1980
ID: 8210735
Thanks for the help. I'll rebuild my ACLs today. Here are my conduits; I'll post my ACLs when they're done. I don't ever post on this website, so you can have all my points once the firewall is up and running smoothly.

conduit permit icmp any any

conduit permit tcp host web1 eq www any
conduit permit tcp host web1 eq domain any
conduit permit tcp host web1 eq 554 any
conduit permit tcp host web1 eq 7070 any
conduit permit tcp host web1 eq 22 any
conduit permit tcp host web1 eq smtp any

conduit permit tcp host cmr eq 3845 host x.x.x.17

conduit permit tcp host es1 eq smtp any
conduit permit tcp host es1 eq www any
conduit permit tcp host es1 eq pop3 any
conduit permit tcp host es1 eq 143 any
conduit permit tcp host es1 eq 443 any

conduit permit tcp host 192.168.100.19 eq 443 host 192.168.255.5
conduit permit tcp host 192.168.100.19 eq smtp host 192.168.255.5
conduit permit tcp host 192.168.100.19 eq 366 host 192.168.255.5

conduit permit udp host 192.168.100.60 eq netbios-ns any
conduit permit tcp host 192.168.100.60 eq 139 any

conduit permit tcp host 192.168.100.17 eq 443 host 192.168.255.5
conduit permit tcp host 192.168.100.17 eq smtp host 192.168.255.5
conduit permit tcp host 192.168.100.17 eq 366 host 192.168.255.5

conduit permit tcp host 4.4.4.49 eq smtp any
conduit permit tcp host 4.4.4.49 eq www any

conduit permit tcp host 4.4.4.16 eq smtp any

conduit permit tcp host 4.4.4.3 eq www any

conduit permit udp host 192.168.100.60 eq netbios-dgm any
Expert Comment

by:jake90210
ID: 8210959
I would group by traffic initiated from DMZ into INSIDE (acl-DMZ) and OUTSIDE traffic to INSIDE/DMZ (acl-OUTSIDE). Once completed, do:
* 'no' on all conduit statements
* access-group acl-DMZ in interface DMZ
* access-group acl-OUTSIDE in interface OUTSIDE
NOTE: You have to specify 'in' even though that is your only option.

One final note and I'll shut up. Conduits and ACLs cannot be run at the same time; it's one or the other. That is why I use named ACLs, much easier/quicker to modify than using access-list 101, etc.

LVL 79

Expert Comment

by:lrmoore
ID: 8211187
>ACLs can only be applied inwards
Just to clarify this statement, because it confused me at first: an ACL can still be used to control outbound traffic from the inside LAN, but the ACL is applied "in" interface inside.


Author Comment

by:trent1980
ID: 8211282
The only question I have then is where (on what interface) do I apply a rule to allow traffic to pass from a DMZ host to our internal PDC for authentication? Do I set that on the internal interface to allow traffic "in" from that DMZ box with specified ports, or do I set that on the DMZ interface?

10.0.0.0 = dmz
192.168.0.0 = inside

If I want to allow all DMZ boxes to hit the Internet but only 10.0.0.1 to hit 192.168.0.1 on the netbios port:

acl_DMZ permit tcp 10.0.0.1 255.255.255.255 192.168.0.1 255.255.255.255 eq netbios
acl_DMZ in interface inside

???


LVL 79

Accepted Solution

by:
lrmoore earned 2000 total points
ID: 8211433
acl_DMZ in interface dmz
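To make the accepted answer concrete, here is an added Python model of how the PIX decides a flow. It is not code from the thread and not PIX software; it encodes three rules the thread relies on: an access-group filters traffic entering the named interface, a bound ACL ends in an implicit deny, and with no ACL bound only higher-to-lower security traffic passes. The topology follows the question (dmz 10.0.0.0 and inside 192.168.0.0); the ACL name acl_DMZ, security levels 0/50/100, tcp/139 as "the netbios port" and 203.0.113.10 as an Internet host are assumptions. NAT and return traffic are not modelled.

```python
"""Toy model of PIX flow decisions: security levels, access-group binding, implicit deny.

Added example with an assumed topology; not the PIX implementation.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Net = ipaddress.IPv4Network


def to_net(spec: str) -> Net:
    """PIX address notation ('any', 'host A', 'A MASK') -> network object."""
    if spec == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if spec.startswith("host "):
        return ipaddress.ip_network(spec.split()[1] + "/32")
    addr, mask = spec.split()
    return ipaddress.ip_network(f"{addr}/{mask}")


@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches any protocol
    src: Net
    dst: Net
    dport: Optional[int] = None  # None = any destination port

    def matches(self, proto: str, src_ip, dst_ip, dport) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        if src_ip not in self.src or dst_ip not in self.dst:
            return False
        return self.dport is None or self.dport == dport


@dataclass
class Interface:
    name: str
    security: int
    network: Net
    acl: Optional[str] = None    # set by access_group(); "in" is the only direction


class PixModel:
    def __init__(self) -> None:
        self.ifaces: Dict[str, Interface] = {}
        self.acls: Dict[str, List[Ace]] = {}

    def nameif(self, name: str, security: int, network: str) -> None:
        self.ifaces[name] = Interface(name, security, ipaddress.ip_network(network))

    def access_list(self, acl: str, action: str, proto: str, src: str, dst: str,
                    dport: Optional[int] = None) -> None:
        self.acls.setdefault(acl, []).append(Ace(action, proto, to_net(src), to_net(dst), dport))

    def access_group(self, acl: str, iface: str) -> None:
        """access-group <acl> in interface <iface>: filter traffic entering <iface>."""
        self.ifaces[iface].acl = acl

    def _iface_for(self, ip) -> Interface:
        # most specific interface network containing ip; outside (0.0.0.0/0) catches the rest
        return max((i for i in self.ifaces.values() if ip in i.network),
                   key=lambda i: i.network.prefixlen)

    def allowed(self, src: str, dst: str, proto: str = "tcp",
                dport: Optional[int] = None) -> Tuple[bool, str]:
        """Decide one unsolicited flow; returns (permitted, reason)."""
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        ingress, egress = self._iface_for(src_ip), self._iface_for(dst_ip)
        if ingress.acl is not None:          # a bound ACL decides, first match wins
            for n, ace in enumerate(self.acls.get(ingress.acl, []), 1):
                if ace.matches(proto, src_ip, dst_ip, dport):
                    return ace.action == "permit", f"{ingress.acl} line {n}: {ace.action}"
            return False, f"{ingress.acl}: implicit deny at end of list"
        if ingress.security > egress.security:
            return True, f"{ingress.name}->{egress.name}: higher to lower, no ACL bound"
        return False, f"{ingress.name}->{egress.name}: lower to higher, nothing permits it"


def build_pix(bind_to: str, open_dmz: bool = False) -> PixModel:
    """Constructed topology from the question; bind_to is the interface acl_DMZ goes on."""
    pix = PixModel()
    pix.nameif("outside", 0, "0.0.0.0/0")
    pix.nameif("dmz", 50, "10.0.0.0/8")
    pix.nameif("inside", 100, "192.168.0.0/16")
    if open_dmz:                             # the 'permit ip any any' from the question
        pix.access_list("acl_DMZ", "permit", "ip", "any", "any")
    else:
        # only 10.0.0.1 reaches the inside PDC on tcp/139 (assumed "netbios port")
        pix.access_list("acl_DMZ", "permit", "tcp", "host 10.0.0.1", "host 192.168.0.1", 139)
        # close the rest of DMZ->inside BEFORE the line that opens the Internet
        pix.access_list("acl_DMZ", "deny", "ip", "10.0.0.0 255.0.0.0", "192.168.0.0 255.255.0.0")
        pix.access_list("acl_DMZ", "permit", "ip", "10.0.0.0 255.0.0.0", "any")
    pix.access_group("acl_DMZ", bind_to)
    return pix


if __name__ == "__main__":
    pix = build_pix("dmz")
    for s, d, p in [("10.0.0.1", "192.168.0.1", 139), ("10.0.0.2", "192.168.0.1", 139),
                    ("10.0.0.1", "203.0.113.10", 80), ("192.168.0.5", "203.0.113.10", 443)]:
        print(s, "->", d, p, pix.allowed(s, d, "tcp", p))
```

Binding acl_DMZ on the inside interface (the questioner's first guess) leaves the DMZ-to-inside flow on an interface with no ACL, so it is still denied, and the ACL now filters the inside LAN's own outbound traffic instead. The explicit deny before the final permit is what stops a "permit DMZ to anywhere" line from reopening DMZ-to-inside, which matches the symptom described in the question.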