Solved

Cisco PIX DMZ ACL to specific interfaces

Posted on 2004-04-15
Last Modified: 2013-11-16
I would like to permit icmp echo-reply, time-exceeded, and unreachable to the inside and permit any ip to the outside int from the dmz.

Current config (doesn't work as it should), syntax problem?

access-list inbound-dmz permit icmp 10.105.142.0 255.255.255.128 int inside echo-reply
access-list inbound-dmz permit icmp 10.105.142.0 255.255.255.128 int inside time-exceeded
access-list inbound-dmz permit icmp 10.105.142.0 255.255.255.128 int inside unreachable
access-list inbound-dmz permit ip 10.105.142.0 255.255.255.128 int outside
access-group inbound-dmz in int dmz

If I remove the acl everything works as it should (other than icmp destined for the inside for obvious reasons).  I basically just want to be able to ping and traceroute to my dmz hosts and allow the dmz to talk to the lower level outside int as it did before the acl was applied.



Question by: vedd
Expert Comment by: lrmoore (ID: 10833932)
Try this way:
Assuming that your DMZ subnet = 10.105.142.0 255.255.255.128
and Inside subnet (example) = 10.10.10.0 255.255.255.0

access-list inbound-dmz permit icmp 10.105.142.0 255.255.255.128 10.10.10.0 255.255.255.0 echo-reply
access-list inbound-dmz permit icmp 10.105.142.0 255.255.255.128 10.10.10.0 255.255.255.0 time-exceeded
access-list inbound-dmz permit icmp 10.105.142.0 255.255.255.128 10.10.10.0 255.255.255.0 unreachable
access-list inbound-dmz permit ip 10.105.142.0 255.255.255.128 any
access-group inbound-dmz in int dmz

Expert Comment by: lrmoore (ID: 10833952)
Are you natting between inside/DMZ?

Try
access-list inbound-dmz permit icmp 10.105.142.0 255.255.255.128 any echo-reply
access-list inbound-dmz permit icmp 10.105.142.0 255.255.255.128 any time-exceeded
access-list inbound-dmz permit icmp 10.105.142.0 255.255.255.128 any unreachable

access-group inbound-dmz in int dmz

Author Comment by: vedd (ID: 10834219)
Yes, we're natting between the inside and dmz.

If I were to use either of the above examples, would I not be allowing any to the inside int as well?  Is there a way to define the permissions based on going towards a specific interface?


Accepted Solution by: lrmoore (earned 50 total points; ID: 10836975)
You have to keep in mind the security levels of interfaces on a PIX.
Inside is higher than dmz
dmz is higher than outside

All traffic from high to low (inside to dmz, dmz to outside) is permitted implicitly by default, and the stateful inspection adaptive security algorithm permits the return traffic back in.
All unsolicited traffic from low to high (outside to dmz or inside, dmz to inside) is blocked by default unless/until it is expressly permitted with an access-list or conduit and an xlate (static or otherwise)
Unless you have a static xlate between the dmz and the inside, no traffic will pass from dmz to inside even with a permit ip any any line in the acl applied to the dmz interface.

Typically when dealing with traffic between the inside interface and the DMZ interface, we exempt it from nat using a nat zero acl, then use specific access-lists to control the traffic between them.
Example:
Inside LAN = 10.10.10.0
DMZ LAN = 10.20.20.0
access-list nat_zero permit 10.10.10.0 255.255.255.0 10.20.20.0 255.255.255.0
nat (inside,dmz) access-list nat_zero
access-list inbound-dmz permit icmp 10.20.20.0 255.255.255.0 10.10.10.0 255.255.255.0 echo-reply
access-list inbound-dmz permit icmp 10.20.20.0 255.255.255.0 10.10.10.0 255.255.255.0 time-exceeded
access-list inbound-dmz permit icmp 10.20.20.0 255.255.255.0 10.10.10.0 255.255.255.0 unreachable
access-list inbound-dmz permit tcp 10.20.20.0 255.255.255.0 10.10.10.0 255.255.255.0 eq 445
<etc>
access-group inbound-dmz in interface dmz


Expert Comment by: Tim Holman (ID: 10840834)
Taking a step back, you apply access-lists INTO interfaces, so to allow access from the DMZ to the outside, you need to apply an access-list into the DMZ interface.
I would do things like this to allow access from the DMZ to the Internet (which is 'any' in this case):

access-list inbound-dmz permit icmp 10.105.142.0 255.255.255.128 any
access-list inbound-dmz permit ip 10.105.142.0 255.255.255.128 any
access-group inbound-dmz in int dmz

Using 'any' will not allow traffic to pass inside, as the inside is protected by the top security level of 100.

We need to see the WHOLE config in order to assist here - we could be missing something...    and more points please, I need to catch up with lrmoore...  ;)

Expert Comment by: hawgpig (ID: 10842565)
Ok guys.....I hate to point out the obvious....but here goes.....
Like lrmoore points out, the PIX allows traffic to flow automatically from a higher to a lower security.....all there has to be is a NAT, PAT, or a static.....
However, to allow traffic to flow from lower to higher you must have a STATIC and an access-list....
The problem is that the second you apply an access-list to any interface there is an implicit DENY ALL at the end of the access list.....this is why he is not getting to the internet.....
So for this to work all he needs to add is a statement....depending on what he wants to do...at the end of his access-list....that says.....
access-list inbound-dmz permit ip any any


access-list inbound-dmz permit icmp 10.20.20.0 255.255.255.0 10.10.10.0 255.255.255.0 echo-reply
access-list inbound-dmz permit icmp 10.20.20.0 255.255.255.0 10.10.10.0 255.255.255.0 time-exceeded
access-list inbound-dmz permit icmp 10.20.20.0 255.255.255.0 10.10.10.0 255.255.255.0 unreachable
access-list inbound-dmz permit ip any any

Remember that the access-list is only applied to traffic that hits the dmz interface first...the IP any any will only apply to traffic leaving the DMZ interface....not traffic on the outside....

If he wants to deny traffic to the inside from the dmz then he does this

access-list inbound-dmz permit icmp 10.20.20.0 255.255.255.0 10.10.10.0 255.255.255.0 echo-reply
access-list inbound-dmz permit icmp 10.20.20.0 255.255.255.0 10.10.10.0 255.255.255.0 time-exceeded
access-list inbound-dmz permit icmp 10.20.20.0 255.255.255.0 10.10.10.0 255.255.255.0 unreachable
access-list inbound-dmz deny ip any [inside ip address range]
access-list inbound-dmz permit ip any any

Anyway......

Personally I would use the ICMP command...and leave the access-list off the dmz interface.....

icmp deny any outside
icmp permit any echo-reply outside
icmp permit any unreachable outside
icmp permit any time-exceeded outside
icmp permit any echo-reply dmz
icmp permit any unreachable dmz
icmp permit any time-exceeded dmz

Much easier this way......

Here is a link to the command reference on this command
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/gl.htm#wp1026574

Just my 2 cents....
Good Luck......

Expert Comment by: hawgpig (ID: 10842830)
If you must do this via an access-list here is what you need....
First you must static your internal network to the DMZ as ITSELF!!
static (inside,dmz) [inside ip address, and mask] [inside ip address, and range]
static (inside,dmz) 10.10.10.0 255.255.255.0 10.10.10.0 255.255.255.0 (assuming of course the inside range is 10.10.10.0)
this will build a translation.....you must use a static!
you will then need to build your access-list.....
I would not use the name inbound-dmz...this is confusing since you are actually applying the access-list to all dmz traffic......in other words any traffic that hits the dmz interface going out or in gets the rules applied....
So I would do this
(where 10.10.20.0 is the dmz subnet and 10.10.10.0 is the inside subnet....)
access-list dmz permit icmp 10.10.20.0 255.255.255.0 10.10.10.0 255.255.255.0 echo-reply
access-list dmz permit icmp 10.10.20.0 255.255.255.0 10.10.10.0 255.255.255.0 time-exceeded
access-list dmz permit icmp 10.10.20.0 255.255.255.0 10.10.10.0 255.255.255.0 unreachable
access-list dmz deny ip any 10.10.10.0 255.255.255.0 (this will stop all other traffic from getting to the inside network in case the dmz is compromised)
access-list dmz permit ip any any (this will allow all other traffic to the internet that is not explicit in the access-list above)
THIS LAST LINE MUST BE HERE TO ALLOW INTERNET TRAFFIC OUT

apply the access-list to the dmz interface
access-group dmz in interface dmz

and this should work.....
Good Luck!!
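As an added illustration (this is not code from the thread, from vedd, or from Cisco), the Python below models the two behaviours the whole discussion turns on: a list bound to an interface is checked top-down with first match winning, and an implicit deny sits at the end of it. Run against a three-line ICMP-only list it shows why DMZ-to-Internet TCP is dropped once any list is applied; run against the list above (explicit deny toward the inside subnet followed by `permit ip any any`) it shows Internet traffic passing while inside stays closed except for the three ICMP replies. The two config texts, the host addresses (10.10.20.5, 10.10.10.5, 198.51.100.10) and the small syntax subset the parser accepts are all constructed assumptions. It deliberately does not model xlates or interface security levels, so a `permit` here still needs a static or nat 0 translation to actually pass low-to-high, as the accepted answer notes.

```python
"""First-match evaluator for a PIX-style access-list bound to an interface.

Added illustration, not code from the thread or from Cisco. It models only
top-down first-match evaluation and the implicit deny at the end of every
applied list. It does NOT model xlates (static / nat 0) or security levels,
so a "permit" here still needs a translation to pass low-to-high.
All config text, addresses and the parsed syntax subset are constructed.
"""
import ipaddress
from dataclasses import dataclass

Net = ipaddress.IPv4Network


@dataclass
class Rule:
    action: str              # "permit" or "deny"
    proto: str               # "ip", "icmp", "tcp" or "udp"
    src: Net
    dst: Net
    qualifier: object = None  # ICMP type name, or destination port from "eq N"


def _net(tokens: list) -> Net:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D MASK' from the token list."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    mask = tokens.pop(0)  # PIX access-lists use a real subnet mask, not a wildcard
    return ipaddress.ip_network(f"{tok}/{mask}", strict=False)


def parse_acl(config: str, name: str) -> list:
    """Collect the access-list lines for `name`, in order, from config text."""
    rules = []
    for line in config.splitlines():
        tokens = line.split()
        if tokens[:2] != ["access-list", name]:
            continue  # access-group and other lines are ignored
        _, _, action, proto, *rest = tokens
        src, dst = _net(rest), _net(rest)
        qualifier = None
        if rest and proto == "icmp":
            qualifier = rest[0]  # e.g. echo-reply
        elif len(rest) >= 2 and rest[0] == "eq":
            qualifier = int(rest[1])  # destination port
        rules.append(Rule(action, proto, src, dst, qualifier))
    return rules


def evaluate(rules: list, proto: str, src: str, dst: str, qualifier=None):
    """Return (action, index) of the first matching rule.

    index None means nothing matched and the implicit deny applied. The list
    is only consulted for packets arriving ON the interface it is bound to;
    return traffic for permitted sessions is handled by stateful inspection.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, r in enumerate(rules):
        if r.proto != "ip" and r.proto != proto:
            continue
        if s not in r.src or d not in r.dst:
            continue
        if r.proto != "ip" and r.qualifier is not None and r.qualifier != qualifier:
            continue
        return r.action, i
    return "deny", None


# Constructed config fragments (DMZ 10.10.20.0/24, inside 10.10.10.0/24).
ICMP_ONLY = """\
access-list dmz permit icmp 10.10.20.0 255.255.255.0 any echo-reply
access-list dmz permit icmp 10.10.20.0 255.255.255.0 any time-exceeded
access-list dmz permit icmp 10.10.20.0 255.255.255.0 any unreachable
access-group dmz in interface dmz
"""

RESTRICTED = """\
access-list dmz permit icmp 10.10.20.0 255.255.255.0 10.10.10.0 255.255.255.0 echo-reply
access-list dmz permit icmp 10.10.20.0 255.255.255.0 10.10.10.0 255.255.255.0 time-exceeded
access-list dmz permit icmp 10.10.20.0 255.255.255.0 10.10.10.0 255.255.255.0 unreachable
access-list dmz deny ip any 10.10.10.0 255.255.255.0
access-list dmz permit ip any any
access-group dmz in interface dmz
"""

# Constructed test packets: (proto, src, dst, qualifier, description)
PACKETS = [
    ("tcp", "10.10.20.5", "198.51.100.10", 80, "DMZ web server -> Internet http"),
    ("tcp", "10.10.20.5", "10.10.10.5", 445, "DMZ -> inside SMB"),
    ("icmp", "10.10.20.5", "10.10.10.5", "echo-reply", "DMZ ping reply -> inside"),
    ("icmp", "10.10.20.5", "10.10.10.5", "echo", "DMZ ping request -> inside"),
]

if __name__ == "__main__":
    for label, cfg in (("ICMP-only list", ICMP_ONLY), ("deny-inside + permit any", RESTRICTED)):
        rules = parse_acl(cfg, "dmz")
        print(label)
        for proto, src, dst, q, desc in PACKETS:
            action, idx = evaluate(rules, proto, src, dst, q)
            hit = "implicit deny" if idx is None else f"line {idx + 1}"
            print(f"  {desc:34} {action:6} ({hit})")
```

The design choice worth noticing is in `evaluate`: a rule with `proto ip` matches any protocol and ignores the qualifier, while a `tcp` line without `eq` matches any port. That is what makes the trailing `permit ip any any` catch the Internet-bound traffic that the three ICMP lines never match, and why the `deny ip any <inside>` line must sit above it.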





Expert Comment by: lrmoore (ID: 10842876)
hawgpig, FYI
>static (inside,dmz) [inside ip address, and mask] [inside ip address, and range]

This syntax has been deprecated in Ver 6.x in favor of using nat zero and no_nat access-list as shown in an example in my post of 04/15/2004 03:56PM CDT




Expert Comment by: hawgpig (ID: 10843269)
lrmoore,
I know you have a lot of knowledge of the PIX.....and I am not going to dismiss your ideas about NAT 0, but one thing I saw over and over again while I worked for Cisco TAC on the PIX firewall team (for 1 1/2 years) was NAT 0 messing up more connections than anything else.....NAT 0 issues were the number one CONNECTION problems that we saw on the team......I know the "papers" say to use NAT 0, BUT DON'T......Use the statics and the access-lists like you have in the past.......until the issues get resolved....possibly 6.4(x).
NAT 0 causes all kinds of connection problems.....especially when people try to use it to the outside.....or for replies like ICMP....Connections will get lost....and the connection has to start from the higher security interface for NAT 0 to work correctly....and then it doesn't always work.
If you are using it, it is just a matter of time before you run into one of these issues......and you will think the config is right but you will have all kinds of connection problems.....
If you are using it and it is working.....GREAT! Just be aware of the issues with NAT 0....
...because solving a NAT 0 issue is seriously TIME CONSUMING!! Specially if you think that NAT 0 always works correctly.
NAT 0 should only be used with VPN.....at this point....

Cheers



Expert Comment by: lrmoore (ID: 10846121)
Thanks for the tip, hawgpig!
It really does make more sense to have the static (inside,dmz) subnet statement than the nat0 acl, but I never questioned it, nor had any problems with it, at least none that I'm aware of.
It makes perfect sense to use the nat 0 for VPN traffic, and static for inside<->dmz traffic. Can you use both types of statements at the same time if you have both situations?

Expert Comment by: hawgpig (ID: 10851537)
You can....but nat 0 takes precedence....basically when the pix looks at rules it looks:
first......static
then......Nat
Then PAT....
unless NAT 0 is present...then it looks at NAT 0 first...
This is what can cause issues.....as I understand and it was explained to me....
Since I am not a VPN expert....I only worked on PIX specific issues.
I can't say exactly what happens with the VPN
But this is what I understand....
When traffic hits the pix the pix looks to see if there is a NAT 0 statement for the VPN First....
Since the PIX does not distinguish (right now) the non-VPN and the VPN NAT 0 statements it looks at NAT 0 first....
Then it goes through the regular checks...static NAT, NAT, PAT....
I know this sounds crazy....but this is what I was told....and it works...
Every time there were external connection issues and the PIX had a non-VPN NAT 0 statement.....
Then if we changed the NAT 0 to a static and applied an access-list to the correct interface...
It would solve the problems every time...
But we would also see configs come in with the NAT 0 statements that seemed to work just fine....
One of those odd flukes with the PIX OS.....
When I got laid off, they were saying this issue should be cured by 6.4(x)......
But who knows....
Just be aware of it....The first time I ran into this issue it took almost 2 days of work to figure it out...
and the guy I was working with totally believed that the NAT 0 was NOT the issue....
I finally talked him into trying a static and access-list and all the problems went away...
Anyway, FYI......Hope I didn't hurt any feelings.....
Take Care....

Expert Comment by: MBIstephen (ID: 11055150)
Guys, this thread really, really helped me understand DMZs on the PIX.

THANK YOU!