Solved

PIX Setup for Inbound UDP

Posted on 2005-04-07
Last Modified: 2010-04-10
This should be fairly easy for everyone but I'm looking for best practice and advice.  On occasion, I run into an application that requires some inbound UDP traffic.  My users connect to the internet through a proxy server in our DMZ.  These UDP connections never work so we are forced to put in static entries in the pix for the workstations accessing the given site.  This static entry allows them to bypass the proxy and access the site directly.  My thought was, why not put a statement in the PIX for the proxy server and then they won't have any issues using the proxy server for any UDP connections.

Something like:

access-list outside permit udp any host <proxy ip address in the dmz> eq any

#1 Is this a bad idea?  I know it will basically allow udp connections from anywhere to bounce off the proxy server but I am getting so many static entries for clients in my firewall that it's getting silly.  And for each one, I have to make a static IP client as well which makes my life hell when we need to change any IP settings for all the clients.  (Aside from making them DHCP with reservations.)

#2 Is that statement formatted correctly?  I've never written a PIX command where I wanted to allow all ports.  Usually they are followed with "eq www" or "eq syslog".  I figured any udp port would be "eq any".  Just wanted to double check myself.

Thanks in advance, I know these are some newbie questions but the networking isn't my primary job. :)
Question by:bdh113s
7 Comments
 
LVL 13

Expert Comment

by:gpriceee
ID: 13727747
Hello.  udp any will allow any udp connection to your proxy; however, you're opening yourself for attack.
What would be better would be to find out the range of udp ports and set up the ACL with the range.
 
LVL 13

Expert Comment

by:gpriceee
ID: 13727792
Example:
access-list outside permit udp any host <proxy ip address in the dmz> range 3200 3300
 
LVL 2

Author Comment

by:bdh113s
ID: 13728712
Yeah the problem is that the ranges are different depending on the application.  That is why I was just going to open it for all.  I figured this was a bad idea.  So do most pix administrators just deal with each application specifically with separate access lists for each one?
 
LVL 13

Accepted Solution

by:gpriceee (earned 500 total points)
ID: 13729067
Yes!
If you don't, you're opening a WIDE door.
You can set up a few ranges and should be okay with that.  At least now you can deal with the ranges of ports and not everyone's ip address.
Also, if your own developers are creating these applications, they can set the ranges within them and make your life easier.
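As an added example (not from this thread, and not Cisco's own tooling), a small Python audit that reads PIX access-list and access-group lines and flags entries like the one discussed above: UDP from any source to a host with no destination-port operator, on an ACL bound inbound to the outside interface. The sample config, the 192.0.2.10 proxy address and the 1024-port threshold are constructed assumptions.

```python
# Constructed sample PIX 6.x config fragment (192.0.2.x is a documentation
# placeholder for the DMZ proxy, not an address from the thread).
SAMPLE_CONFIG = """
access-list outside permit udp any host 192.0.2.10
access-list outside permit udp any host 192.0.2.10 range 3200 3300
access-list outside permit udp any host 192.0.2.10 eq syslog
access-list outside permit tcp any host 192.0.2.11 eq www
access-list dmz permit udp any host 10.0.0.5
access-group outside in interface outside
"""
PORT_OPS = ("eq", "range", "gt", "lt", "neq")

def _addr(t, i):
    """Read one address spec (any | host A | NET MASK) at t[i]; return (text, next_i)."""
    if t[i] == "any":
        return "any", i + 1
    if t[i] == "host":
        return t[i + 1], i + 2
    return f"{t[i]}/{t[i + 1]}", i + 2

def parse_ace(line):
    """Parse 'access-list NAME permit PROTO SRC [sport] DST [dport]' into a dict."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list" or t[2] != "permit":
        return None
    try:
        src, i = _addr(t, 4)
        if t[i] in PORT_OPS:  # skip a source-port operator such as 'eq 500'
            i += 3 if t[i] == "range" else 2
        dst, i = _addr(t, i)
    except IndexError:
        return None  # truncated entry; not a complete ACE
    return {"acl": t[1], "proto": t[3], "src": src, "dst": dst, "dport": t[i:]}

def dport_width(dport):
    """Destination ports an ACE admits: 65536 when no operator (the 'udp any' case)."""
    if not dport or dport[0] in ("gt", "lt", "neq"):
        return 65536  # no operator, or open-ended operator: treat as wide
    if dport[0] == "range":
        return int(dport[2]) - int(dport[1]) + 1
    return 1  # eq <port>

def audit(config, max_ports=1024):
    """ACEs on outside-bound ACLs letting any source reach > max_ports UDP/IP ports."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    bound = {t[1] for t in map(str.split, lines)
             if t[0] == "access-group" and t[-1] == "outside"}
    return [l for l in lines if (a := parse_ace(l)) and a["acl"] in bound
            and a["proto"] in ("udp", "ip") and a["src"] == "any"
            and dport_width(a["dport"]) > max_ports]
```

Only the first sample entry is reported with the default threshold; the 101-port range and the single-port entries pass, and the dmz ACL is ignored because it is not bound to the outside interface.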
 
LVL 2

Author Comment

by:bdh113s
ID: 13729713
OK, it seems my fears were correct.  Thanks for the confirmation.  I will leave it open for a bit more to make sure there isn't "something" that can be done but otherwise you have answered my question.
 
LVL 13

Expert Comment

by:gpriceee
ID: 13731351
OK, sounds good.
 
LVL 2

Author Comment

by:bdh113s
ID: 13736600
Thanks for the info.  It seems my assumptions were correct.