Solved

Cisco PIX firewall IOS 6.0(1) - Access-List - traversing inside, outside, and DMZ (250pts)

Posted on 2003-03-24
Medium Priority
421 Views
Last Modified: 2013-11-16
I'm trying to convert my conduits to ACLs but I have issues doing so. I set my ACLs and everything seems to work fine, except my DMZ boxes can't access the internet. All my ACLs regarding the static outside-to-DMZ traffic work, i.e. SMTP, WWW. If I open them up (access-list acl_dmz permit ip any any), then the security dies and it allows all traffic from the DMZ open to my inside. Do I have to open everything on the DMZ, then close everything to inside? Are ACLs not the way to go? Email me and I'll send configs if you want to see them.
0
Question by:trent1980
7 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 8200140
Traffic from a higher security interface to a lower security interface is permitted unless specifically denied, and the response to that traffic is permitted based on an inspection of the state of the request.
i.e. from DMZ to Internet, from Inside to DMZ, and from Inside to Internet.
Unsolicited traffic from a lower security interface to a higher security interface is all denied unless specifically permitted.
i.e. from Internet to DMZ, Internet to Inside, or DMZ to Inside: anonymous web users, inbound email, etc.

Remember that the syntax of the ACL is backwards from that of a conduit:
access-list <number/name> permit|deny ip|tcp|udp <source> <mask> <destination> <mask> [eq <port>]

Your Internet_inbound acl could look like this:

name mailhost <publicIP>
name www1 <publicIP>
name Securewww <publicIP>
access-list internet_inbound permit tcp any host mailhost eq 25
access-list internet_inbound permit tcp any host www1 eq 80
access-list internet_inbound permit tcp any host Securewww eq 443

access-group internet_inbound in interface outside

It does not matter which interface these servers reside on; the static NAT mapping gets the traffic to the right interface.

Now, for the DMZ mailhost to forward mail to an inside Exchange server (for example)

access-list DMZ_Inside permit tcp host <mailhost_real_IP> host <ExchangeIP> eq 25
access-group DMZ_Inside in interface DMZ1


0
 

Expert Comment

by:jake90210
ID: 8210531
Thought I would post a couple of comments that helped me clear up problems I had when converting a ton of conduits to ACLs (PIX 6.2).

ACLs can only be applied inbound.
- I have an ACL applied to OUTSIDE, for inbound traffic to the DMZ and INSIDE.
- I have an ACL applied to DMZ, for inbound traffic to INSIDE.
- I have not applied an ACL to INSIDE, for obvious (high -> low) reasons.
- lrmoore is absolutely correct; really study what he says about the ACLs being backwards to conduits. It tripped me up a couple of times.
This link helped me:
http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a00800ec9e8.html#xtocid5
Go to the conduit statement section.

- Only create entries for traffic you wish to pass from lower security to higher security (DMZ -> INSIDE) or (OUTSIDE -> DMZ, INSIDE). Don't create permit statements for traffic from DMZ -> OUTSIDE, since this is already inherently allowed.
0
 

Author Comment

by:trent1980
ID: 8210735
Thanks for the help. I'll rebuild my ACLs today. Here are my conduits; I'll post my ACLs when they're done. I don't ever post on this website, so you can have all my points once the firewall is up and running smoothly.

conduit permit icmp any any
 
conduit permit tcp host web1 eq www any
conduit permit tcp host web1 eq domain any
conduit permit tcp host web1 eq 554 any
conduit permit tcp host web1 eq 7070 any
conduit permit tcp host web1 eq 22 any
conduit permit tcp host web1 eq smtp any
 
conduit permit tcp host cmr eq 3845 host x.x.x.17
 
conduit permit tcp host es1 eq smtp any
conduit permit tcp host es1 eq www any
conduit permit tcp host es1 eq pop3 any
conduit permit tcp host es1 eq 143 any
conduit permit tcp host es1 eq 443 any

conduit permit tcp host 192.168.100.19 eq 443 host 192.168.255.5
conduit permit tcp host 192.168.100.19 eq smtp host 192.168.255.5
conduit permit tcp host 192.168.100.19 eq 366 host 192.168.255.5

conduit permit udp host 192.168.100.60 eq netbios-ns any
conduit permit tcp host 192.168.100.60 eq 139 any

conduit permit tcp host 192.168.100.17 eq 443 host 192.168.255.5
conduit permit tcp host 192.168.100.17 eq smtp host 192.168.255.5
conduit permit tcp host 192.168.100.17 eq 366 host 192.168.255.5
 
conduit permit tcp host 4.4.4.49 eq smtp any
conduit permit tcp host 4.4.4.49 eq www any

conduit permit tcp host 4.4.4.16 eq smtp any

conduit permit tcp host 4.4.4.3 eq www any

conduit permit udp host 192.168.100.60 eq netbios-dgm any
0
 

Expert Comment

by:jake90210
ID: 8210959
I would group by traffic initiated from DMZ into INSIDE (acl-DMZ) and OUTSIDE traffic to INSIDE/DMZ (acl-OUTSIDE). Once completed, do:
* 'no' on all conduit statements
* access-group acl-DMZ in interface DMZ
* access-group acl-OUTSIDE in interface OUTSIDE
NOTE: You have to specify 'in' even though that is your only option.
 
One final note and I'll shut up. Conduits and ACLs cannot be run at the same time; it's one or the other. That is why I use named ACLs: much easier/quicker to modify than using access-list 101, etc.

0
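The two points the thread turns on, the reversed operand order between a conduit and an access-list (lrmoore's note) and the cutover procedure of grouping entries by the interface the traffic enters on, removing the conduits and binding each list with access-group (jake90210's steps), can be mechanised. The converter below is an added example, not code from anyone in the thread. It takes a few of the asker's own conduit lines plus one constructed DMZ-sourced conduit, swaps global/foreign into source/destination order, assigns each entry to acl_outside or acl_dmz according to where its source address lives (an assumed address plan taken from the asker's "10.0.0.0 = dmz, 192.168.0.0 = inside"), skips inside-sourced conduits because no ACL is bound on inside, and prints the `no conduit` and `access-group` lines. The ACL names and the interface assignment are assumptions of this example; it only converts syntax and does not add the entries a DMZ list needs for traffic the implicit deny at its end would otherwise block.

```python
import ipaddress

# Constructed sample: lines taken from the asker's conduit list, plus one
# DMZ-sourced conduit (last line) made up to match the asker's follow-up
# question (10.0.0.1 reaching 192.168.0.1 on the NetBIOS session port).
SAMPLE_CONDUITS = """
conduit permit icmp any any
conduit permit tcp host web1 eq www any
conduit permit tcp host cmr eq 3845 host x.x.x.17
conduit permit tcp host es1 eq smtp any
conduit permit tcp host 192.168.100.19 eq 443 host 192.168.255.5
conduit permit udp host 192.168.100.60 eq netbios-ns any
conduit permit tcp host 192.168.0.1 eq 139 host 10.0.0.1
""".strip().splitlines()

# Port operators a conduit/ACL may carry and how many operands each takes.
PORT_OPERATORS = {"eq": 1, "lt": 1, "gt": 1, "neq": 1, "range": 2}

# Assumed address plan (asker: 10.0.0.0 = dmz, 192.168.0.0 = inside).
INTERFACE_NETS = [("dmz", ipaddress.ip_network("10.0.0.0/8")),
                  ("inside", ipaddress.ip_network("192.168.0.0/16"))]
# Assumed ACL names for the two interfaces that get an inbound list.
ACL_NAME = {"outside": "acl_outside", "dmz": "acl_dmz"}


def _take_addr(tok, i):
    """Consume one address operand: 'any' | 'host X' | 'NET MASK'."""
    if tok[i] == "any":
        return ["any"], i + 1
    return tok[i:i + 2], i + 2          # 'host X' or 'NET MASK'


def _take_port(tok, i):
    """Consume an optional port operator and its operand(s)."""
    if i < len(tok) and tok[i] in PORT_OPERATORS:
        n = 1 + PORT_OPERATORS[tok[i]]
        return tok[i:i + n], i + n
    return [], i


def parse_conduit(line):
    """Split a conduit statement into fields named in ACL (source-first) order.

    Conduit order is GLOBAL (the protected server, i.e. the destination) and
    then FOREIGN (who may reach it, i.e. the source).
    """
    tok = line.split()
    if len(tok) < 5 or tok[0] != "conduit" or tok[1] not in ("permit", "deny"):
        raise ValueError(f"not a conduit statement: {line!r}")
    dest, i = _take_addr(tok, 3)
    dest_port, i = _take_port(tok, i)
    src, i = _take_addr(tok, i)
    src_port, i = _take_port(tok, i)
    return {"action": tok[1], "proto": tok[2], "dest": dest, "dest_port": dest_port,
            "src": src, "src_port": src_port, "extra": tok[i:]}   # e.g. an ICMP type


def source_interface(src):
    """Interface the source enters on under the assumed plan; 'outside' for
    'any', for named hosts and for placeholders such as x.x.x.17."""
    if src == ["any"]:
        return "outside"
    ip = src[1] if src[0] == "host" else src[0]
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "outside"
    for iface, net in INTERFACE_NETS:
        if addr in net:
            return iface
    return "outside"


def conduit_to_acl(c, name):
    """Emit the access-list line: source before destination, each with its port operator."""
    return " ".join(["access-list", name, c["action"], c["proto"]] + c["src"]
                    + c["src_port"] + c["dest"] + c["dest_port"] + c["extra"])


def convert(lines):
    """Return {'acl': {iface: [lines]}, 'skipped': [...], 'cleanup': [...]}.

    Inside-sourced conduits are skipped: traffic from the highest-security
    interface needs no entry, and no ACL is bound on inside.
    """
    acl = {"outside": [], "dmz": []}
    skipped = []
    for line in lines:
        c = parse_conduit(line)
        iface = source_interface(c["src"])
        if iface == "inside":
            skipped.append(line)
            continue
        acl[iface].append(conduit_to_acl(c, ACL_NAME[iface]))
    # Cutover order from the thread: remove every conduit, then bind the lists.
    cleanup = ["no " + line for line in lines]
    cleanup += [f"access-group {ACL_NAME[i]} in interface {i}" for i in acl if acl[i]]
    return {"acl": acl, "skipped": skipped, "cleanup": cleanup}


if __name__ == "__main__":
    result = convert(SAMPLE_CONDUITS)
    for entries in result["acl"].values():
        print("\n".join(entries))
    print("\n".join(result["cleanup"]))
```

Named ports such as www, smtp and netbios-ns are valid in both forms, so they pass through untouched; the only rewriting is the operand swap and the list name. Review the `skipped` list before applying the output, since a conduit whose foreign address is a private host the plan does not cover would be classed as outside-sourced.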
 
LVL 79

Expert Comment

by:lrmoore
ID: 8211187
>ACLs can only be applied inbound
Just to clarify this statement, because it confused me at first: an ACL can still be used to control outbound traffic from the inside LAN, but the ACL is applied "in" on interface inside.

0
 

Author Comment

by:trent1980
ID: 8211282
The only question I have then is where/on what interface do I apply a rule to allow traffic to pass from a DMZ host to our internal PDC for authentication? Do I set that on the internal interface to allow traffic "in" from that DMZ box with specified ports, or do I set that on the DMZ interface?

10.0.0.0 = dmz
192.168.0.0 = inside

If I want to allow all DMZ boxes to hit the internet but only 10.0.0.1 to hit 192.168.0.1 on the NetBIOS port:

acl_DMZ permit tcp 10.0.0.1 255.255.255.255 192.168.0.1 255.255.255.255 eq netbios
acl_DMZ in interface inside

???


0
 
LVL 79

Accepted Solution

by:
lrmoore earned 2000 total points
ID: 8211433
acl_DMZ in interface dmz
0
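The accepted answer puts the list on the DMZ interface, which is the interface the DMZ host's packets arrive on. The model below is an added example, not code from the thread, that evaluates packets the way a PIX does: an interface with no access-group bound uses the security-level rule lrmoore describes (higher to lower permitted, lower to higher denied), while an interface with a bound ACL walks the entries in order and applies the implicit deny at the end to everything else, including traffic headed for a lower-security interface. It runs the asker's scenario through three versions of acl_dmz: the single NetBIOS permit (DMZ loses internet access, the first symptom), `permit ip any any` (DMZ reaches all of inside, the second symptom), and a layered list that permits the one flow, denies the rest of inside, then permits everything else. Security levels, the address plan (from the asker's "10.0.0.0 = dmz, 192.168.0.0 = inside"), the test addresses and the use of port 139 for NetBIOS are assumptions of this example; NAT is not modelled.

```python
import ipaddress

# Assumed interface security levels: inside/outside are the PIX defaults,
# the DMZ value is an assumption for this example.
SECURITY_LEVEL = {"outside": 0, "dmz": 50, "inside": 100}

# Assumed address plan (asker: 10.0.0.0 = dmz, 192.168.0.0 = inside).
INTERFACE_NETS = {"dmz": ipaddress.ip_network("10.0.0.0/8"),
                  "inside": ipaddress.ip_network("192.168.0.0/16")}


def interface_for(ip):
    """Interface that owns an address under the assumed plan; anything else is outside."""
    addr = ipaddress.ip_address(ip)
    for iface, net in INTERFACE_NETS.items():
        if addr in net:
            return iface
    return "outside"


def _take_addr(tok, i):
    """Consume an ACL address operand ('any' | 'host X' | 'NET MASK') into a network.
    PIX ACLs use ordinary subnet masks, not wildcard masks."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def parse_acl_line(line):
    """access-list NAME permit|deny PROTO SRC DST [eq PORT]  (numeric port only)."""
    tok = line.split()
    name, action, proto = tok[1], tok[2], tok[3]
    src, i = _take_addr(tok, 4)
    dst, i = _take_addr(tok, i)
    port = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
    return name, {"action": action, "proto": proto, "src": src, "dst": dst, "port": port}


class Pix:
    """Minimal model of per-interface inbound ACLs plus the security-level rule."""

    def __init__(self, config_lines):
        self.acls = {}     # name -> entries in configured order
        self.bound = {}    # interface -> ACL name (access-group NAME in interface IFACE)
        for line in config_lines:
            tok = line.split()
            if tok[0] == "access-list":
                name, entry = parse_acl_line(line)
                self.acls.setdefault(name, []).append(entry)
            elif tok[0] == "access-group":
                self.bound[tok[4]] = tok[1]

    def permits(self, src_ip, dst_ip, proto="tcp", dport=None):
        ingress, egress = interface_for(src_ip), interface_for(dst_ip)
        if ingress in self.bound:
            for e in self.acls[self.bound[ingress]]:     # first match wins
                if (e["proto"] in ("ip", proto)
                        and ipaddress.ip_address(src_ip) in e["src"]
                        and ipaddress.ip_address(dst_ip) in e["dst"]
                        and (e["port"] is None or e["port"] == dport)):
                    return e["action"] == "permit"
            return False                                  # implicit deny at end of list
        return SECURITY_LEVEL[ingress] > SECURITY_LEVEL[egress]   # no ACL bound


# Three candidate DMZ lists for the asker's requirement (constructed).
ONLY_NETBIOS = ["access-list acl_dmz permit tcp host 10.0.0.1 host 192.168.0.1 eq 139",
                "access-group acl_dmz in interface dmz"]
WIDE_OPEN = ["access-list acl_dmz permit ip any any",
             "access-group acl_dmz in interface dmz"]
LAYERED = ["access-list acl_dmz permit tcp host 10.0.0.1 host 192.168.0.1 eq 139",
           "access-list acl_dmz deny ip any 192.168.0.0 255.255.0.0",
           "access-list acl_dmz permit ip any any",
           "access-group acl_dmz in interface dmz"]


def evaluate(config):
    """Outcome of the flows the asker cares about, plus two sanity checks."""
    pix = Pix(config)
    return {
        "dmz_to_internet": pix.permits("10.0.0.5", "198.51.100.10", "tcp", 80),
        "dmz_to_pdc_netbios": pix.permits("10.0.0.1", "192.168.0.1", "tcp", 139),
        "dmz_to_inside_other": pix.permits("10.0.0.5", "192.168.0.20", "tcp", 445),
        "inside_to_dmz": pix.permits("192.168.0.20", "10.0.0.5", "tcp", 80),
        "internet_to_dmz": pix.permits("198.51.100.10", "10.0.0.5", "tcp", 80),
    }


if __name__ == "__main__":
    for label, cfg in (("only netbios", ONLY_NETBIOS), ("wide open", WIDE_OPEN), ("layered", LAYERED)):
        print(label, evaluate(cfg))
```

Entry order in the layered list is what makes it work: the specific permit must precede the deny covering inside, and the catch-all permit must come last. Inside-to-DMZ stays permitted throughout because no list is bound on inside, and internet-to-DMZ stays denied because the model binds nothing on outside.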
