PIX - Best way to deny access from higher to lower interface

Assuming the following config on a PIX 515, 6 ethernet port firewall:

nameif ethernet0 outside security 0
nameif ethernet1 inside security 100
nameif ethernet2 internet security 20
nameif ethernet3 dmz30 security 30
nameif ethernet4 dmz40 security 40
nameif ethernet5 dmz50 security 50

ip address outside 192.168.0.1 255.255.255.0
ip address inside 192.168.100.1 255.255.255.0
ip address internet 192.168.20.1 255.255.255.0
ip address dmz30 192.168.30.1 255.255.255.0
ip address dmz40 192.168.40.1 255.255.255.0
ip address dmz50 192.168.50.1 255.255.255.0

I am not allowed to use the outside interface for the Internet because my customer considers his leased line connection to a commercial vendor (outside interface) less secure than the Internet.

I only want inside and dmz40 to be able to access systems on the outside interface.  I only want dmz50 and dmz30 to access internet.  I do not want internet to access outside.

What is the best (most secure) way to deny access from a higher interface to a lower interface?

Should it be done by an access rule, or by absence of a translation rule?

On my test network, I cannot connect from dmz50 to outside, apparently since my only translation for dmz50 is “static (dmz50,internet) 192.168.50.0 192.168.50.0 netmask 255.255.255.0 0 0”

When I try to set up an access rule to deny all ip from dmz50 to outside, PDM prompts me to set up a NAT rule.  I was hoping to use overkill and have a deny all access rule AND no translation.  Is this possible?
Asked by: taccomp

1 Solution
calvinetterCommented:
>What is the best (most secure) way to deny access from a higher interface to a lower interface?
  If you don't have a proper NAT statement for an interface going to the outside (ie, the actual Internet), the subnet on that interface won't be able to get outside access; you won't need to have an ACL applied.  For example, as long as you *don't* have something like the following, the "DMZ" interface *won't* be able to access the public Internet on the outside interface:
  nat (DMZ) <some_#> 0.0.0.0 0.0.0.0 0 0  <- remove a line such as this

>Should it be done by an access rule, or by absence of a translation rule?
  It's easier w/ an absence of a NAT rule (see above on what should be missing).

>On my test network, I cannot connect from dmz50 to outside...
   Your static NAT rule is actually telling the PIX not to NAT the 192.168.50.x subnet, so traffic is being sent with the originating IPs set to this private IP range, which is dropped by your ISP, since private IPs are *not* routed over the public Internet.  
   But, you also said:
>I only want dmz50 and dmz30 to access internet.  I do not want internet to access outside.
   You seemed to contradict yourself...  
If you want to allow this subnet to get outbound access to the outside interface, add something like the following, if doing PAT on the 'outside' interface:
  nat (dmz50) 1 192.168.50.0 255.255.255.0 [or simply: nat (dmz50) 1 0 0 ]
  clear xlate

>When I try to set up an access rule to deny all ip from dmz50 to outside, PDM prompts me...
   If you really want overkill, you can apply an ACL (access-list) to any interface you want via the CLI interface (telnet/ssh/console access to PIX).  I highly suggest you use direct console access if you're new to the CLI method, so you don't accidentally lock yourself out.

>I only want dmz50 and dmz30 to access internet.  I do not want internet to access outside.
  If you want to only allow dmz30 to access the 'internet' interface, & deny dmz30 from getting to anywhere else, incl the public Internet out the 'outside' interface, do the following:

access-list from_dmz30 permit ip 192.168.30.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list from_dmz30 deny ip any any
access-group from_dmz30 in interface dmz30

See also:
  Info on controlling access:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/mngacl.htm
  Info on setting up NAT rules, PIX 6.3 series:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/bafwcfg.htm#wp1131114

cheers
taccompAuthor Commented:
Thanks.  I'm looking over your response.  I think the area that may be confusing is that the "public internet" is not on the outside interface where you would normally expect it to be placed.  It is on the ethernet2 interface (nameif internet).  

The outside interface actually goes to a commercial vendor.  I originally had the public internet on the outside interface, but my customer (govt) does not want it that way.

I used private IPs to illustrate the config rather than the actual public IPs for obvious security reasons.  The actual IP on the ethernet2/internet interface is a public IP, as are the IPs on dmz30 and dmz50.  Inside, outside, and dmz40 use private IP addresses.  That is why I do not want inside and dmz40 to access the internet.
calvinetterCommented:
  Ok, thanks for the clarification.  Regardless of which interface the Internet is on, the overall concepts & rules still apply from my previous post & the URLs there, though of course public IPs on a subnet obviously changes things.
   If you want to block an interface with a higher security level from having outbound access to a lower security interface (eg, from 'dmz40' to 'internet') you can do so by:  A) deliberately leaving out or removing NAT statements if NAT'ing a private IP range, or  B) by creative use of an ACL on the interface you want to limit if that interface has a public IP & thus doesn't require NAT.
   If having problems with getting out to the Internet from a public-IP subnet/interface, then is your default gateway not located on your 'internet' interface?  Have you verified if any ACLs are blocking either outbound traffic or simply reply traffic?  Are you certain your ISP has routing correctly setup on their end for the public subnets that are trying to get outside?
 
   If you're still lost after looking over the URLs above, please post your entire "sanitized" config (passwords removed, public IPs masked like so: x.x.x.82 but w/ *all* subnet masks intact, & don't mask out private IPs), so I & other EE regulars here can see what you've currently got configured.

cheers
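Putting the two mechanisms from the replies above together for the six-interface layout in the question, as an added example that is not configuration from either poster: PIX 6.3 syntax, the sanitized 192.168.x addresses from the question, inside and dmz40 PAT'd only toward outside, dmz30 and dmz50 kept untranslated toward internet (identity statics, matching the one line the question already has), and an explicit ACL per interface on top so that a later NAT change cannot silently open a path. The ACL names and the decision to deny the other directly connected subnets are assumptions of this example; the lines starting with ! are annotations for reading, not commands to paste (only the access-list remark lines are comments the PIX itself keeps).

```cisco
! Added example, not the poster's config. PIX 6.3, sanitized addresses.
!
! Layer 1: translations. A higher-security interface can only initiate to
! a lower one if a nat/global pair or a static covers that exact pair of
! interfaces, so every pair that is missing below is a deliberate deny.
!
! inside and dmz40 (private ranges) are PAT'd behind the outside address
! only. There is intentionally no "global (internet) 1", "global (dmz30) 1"
! etc., so the same hosts get no translation toward any other lower
! interface and the PIX drops those connections.
global (outside) 1 interface
nat (inside) 1 192.168.100.0 255.255.255.0
nat (dmz40) 1 192.168.40.0 255.255.255.0
!
! dmz30 and dmz50 carry public addresses, so they keep their own addresses
! toward internet. Nothing pairs them with outside, dmz40 or inside.
static (dmz30,internet) 192.168.30.0 192.168.30.0 netmask 255.255.255.0 0 0
static (dmz50,internet) 192.168.50.0 192.168.50.0 netmask 255.255.255.0 0 0
!
! No "nat (internet) ..." line at all: internet can never initiate toward
! outside, its only lower-security neighbour.
!
! Layer 2: explicit ACLs (the "overkill" asked for). PIX 6.x ACLs match
! addresses, not egress interfaces, so each list denies the other directly
! connected subnets and then permits only the path that is wanted.
access-list from_inside remark inside may go toward outside only
access-list from_inside deny ip 192.168.100.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list from_inside deny ip 192.168.100.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list from_inside deny ip 192.168.100.0 255.255.255.0 192.168.40.0 255.255.255.0
access-list from_inside deny ip 192.168.100.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list from_inside permit ip 192.168.100.0 255.255.255.0 any
access-group from_inside in interface inside
!
access-list from_dmz40 remark dmz40 may go toward outside only
access-list from_dmz40 deny ip 192.168.40.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list from_dmz40 deny ip 192.168.40.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list from_dmz40 deny ip 192.168.40.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list from_dmz40 deny ip 192.168.40.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list from_dmz40 permit ip 192.168.40.0 255.255.255.0 any
access-group from_dmz40 in interface dmz40
!
access-list from_dmz30 remark dmz30 may go toward internet only
access-list from_dmz30 deny ip 192.168.30.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list from_dmz30 deny ip 192.168.30.0 255.255.255.0 192.168.40.0 255.255.255.0
access-list from_dmz30 deny ip 192.168.30.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list from_dmz30 deny ip 192.168.30.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list from_dmz30 permit ip 192.168.30.0 255.255.255.0 any
access-group from_dmz30 in interface dmz30
!
access-list from_dmz50 remark dmz50 may go toward internet only
access-list from_dmz50 deny ip 192.168.50.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list from_dmz50 deny ip 192.168.50.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list from_dmz50 deny ip 192.168.50.0 255.255.255.0 192.168.40.0 255.255.255.0
access-list from_dmz50 deny ip 192.168.50.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list from_dmz50 permit ip 192.168.50.0 255.255.255.0 any
access-group from_dmz50 in interface dmz50
!
! internet may initiate nothing. Replies to connections that dmz30/dmz50
! opened are matched by the state table and do not consult this list.
! Any published service on dmz30/dmz50 would need a permit above the deny.
access-list from_internet remark internet initiates nothing, outside included
access-list from_internet deny ip any any
access-group from_internet in interface internet
!
! Flush existing translations so the new rules apply to all new flows,
! then confirm which translations actually exist.
clear xlate
show xlate
show access-list
```

Each requirement in the question is now enforced twice: a flow must both find a translation toward the destination interface and pass the ACL on its ingress interface, so removing either control on its own does not open the path. Checking `show xlate` after `clear xlate` is the quick way to see that inside and dmz40 only ever appear translated to the outside address.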