PIX - Best way to deny access from higher to lower interface
Posted on 2006-05-17
Assuming the following config on a PIX 515, 6 ethernet port firewall:
nameif ethernet0 outside security 0
nameif ethernet1 inside security 100
nameif ethernet2 internet security 20
nameif ethernet3 dmz30 security 30
nameif ethernet4 dmz40 security 40
nameif ethernet5 dmz50 security 50
ip address outside 192.168.0.1 255.255.255.0
ip address inside 192.168.100.1 255.255.255.0
ip address internet 192.168.20.1 255.255.255.0
ip address dmz30 192.168.30.1 255.255.255.0
ip address dmz40 192.168.40.1 255.255.255.0
ip address dmz50 192.168.50.1 255.255.255.0
I am not allowed to use the outside interface for the Internet because my customer considers his leased line connection to a commercial vendor (outside interface) less secure than the Internet.
I only want inside and dmz40 to be able to access systems on the outside interface. I only want dmz50 and dmz30 to access internet. I do not want internet to access outside.
What is the best (most secure) way to deny access from a higher interface to a lower interface?
Should it be done by an access rule, or by absence of a translation rule?
On my test network, I cannot connect from dmz50 to outside, apparently since my only translation for dmz50 is "static (dmz50,internet) 192.168.50.0 192.168.50.0 netmask 255.255.255.0 0 0"
When I try to set up an access rule to deny all ip from dmz50 to outside, PDM prompts me to set up a NAT rule. I was hoping to use overkill and have a deny all access rule AND no translation. Is this possible?
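The belt-and-braces approach the poster is asking about, written out for the dmz50 and internet interfaces in PIX 6.x CLI syntax as an added example (not the poster's config, and not something PDM generates); the access-list names and the final permit on the internet interface are assumptions, and the addresses are the ones from the post.

```cisco
! Added example, not from the original post.
! Control 1: translation. The only translation that exists for dmz50 is toward
! "internet", so a dmz50 host sending to "outside" has no xlate and the PIX drops
! the packet ("no translation group found"). No nat/global pair is defined for
! (dmz50,outside), so nothing is added here for that pair.
static (dmz50,internet) 192.168.50.0 192.168.50.0 netmask 255.255.255.0 0 0

! Control 2: an explicit access rule on the higher-security interface. Once an
! ACL is bound to an interface, only what it permits is forwarded (implicit deny
! at the end), so the permit line states the policy and the deny lines make the
! intent visible in "show access-list" hit counts.
! Name "dmz50_in" is an assumption.
access-list dmz50_in permit ip 192.168.50.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list dmz50_in deny ip 192.168.50.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list dmz50_in deny ip any any
access-group dmz50_in in interface dmz50

! Same pattern for "internet" (security 20), which must never reach "outside"
! (security 0). Again: no translation for (internet,outside), plus an ACL.
! The trailing permit is an assumption standing in for whatever the internet
! segment legitimately needs toward dmz30/dmz50; name "internet_in" is assumed.
access-list internet_in deny ip 192.168.20.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list internet_in permit ip 192.168.20.0 255.255.255.0 any
access-group internet_in in interface internet
```

The access rule is the control to rely on: a missing translation stops traffic today, but a later "nat (dmz50) 1 0 0" with a matching "global (outside) 1 ..." would silently open the path, whereas the deny entry keeps blocking it and shows hits when something tries.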