Solved

PIX Access-list Inbound rule

Posted on 2006-06-15
577 Views
Last Modified: 2010-04-11
Hi guys,

I need to understand the inbound rules from a low security level to a high security level.
Hardware: PIX 7.2(1), ASDM
Here is my problem..

Public
Network A   50 (security level)   Host A
Network B   80 (security level)   Host B

So by default Host B >>>>>>HTTP>>>Host A. GOOD, no problems.
What do I have to do to access Host A >>>>HTTP>>>Host B?

I created the access list on Interface B (inbound):
Host A to Host B, port HTTP

But this doesn't work??? Why..
And also, after creating that rule I can't access Host A from Host B. The above rule is changing the implicit rule..

Can anyone please explain why?

regards
Naren
Question by:r_naren22atyahoo
12 Comments
 
LVL 32

Expert Comment

by:rsivanandan
ID: 16917792
Between different security levels you need to make an implicit NAT; so let's say:

Host A side : 10.10.10.x
Host B side : 20.20.20.x

Both with mask 255.255.255.0


You need to have a static like this (real interface first, mapped interface second, then mapped address, then real address):

static (HostB_interface,HostA_interface) 20.20.20.0 20.20.20.0 netmask 255.255.255.0

Then along with this, the access-list will allow. Basically this will allow the 'low security end side' to SEE the 'high security end side'. Either you can do for the whole network or individual hosts.

Cheers,
Rajesh
 
LVL 12

Author Comment

by:r_naren22atyahoo
ID: 16917830
OK, here is the situation:

Interface Public     0  (security level)
Interface LowSec    50  (internal network 10.20.0.0)
Interface HighSec   80  (internal network 10.30.0.0)
Interface VeryHigh  90  (internal network 10.40.0.0)

Is it a MUST to create the static NAT to access the high sec network from the low sec network???
They are internal networks, right? Then why NAT for them???

Can't this be done with just the access rules????

regards
Naren
 
LVL 12

Author Comment

by:r_naren22atyahoo
ID: 16917844
And also, what about the stateful inspection from the Low Sec interface to the High Sec interface???
If I don't have that, again I have to create the access-list for the replies, right???

How can this be achieved in the best way using stateful inspection???
 
LVL 32

Accepted Solution

by: rsivanandan (earned 300 total points)
ID: 16917850
Ok. Think about it: why do you need static translations for traffic between the Outside Interface and the Inside Interface??? To protect the high security interface networks. Now, the same applies to your other interfaces as well. 'YOU' know that they are your own, but the PIX doesn't!

So you make the PIX happy with those NAT commands, but you are in fact natting them to their own addresses.

So the default rule is:

High TO Low => Allow everything by default.
Low TO High => See if there is any exception list configured and then allow it (which is your NAT translation).

Cheers,
Rajesh
 
LVL 32

Expert Comment

by:rsivanandan
ID: 16917872
Stateful inspection is again done by the access-lists. Traffic flowing from the Low Sec interface to the High Sec interface WILL NOT pass through the PIX unless you have the access-lists defined, correct?

For example, if I create a static exception like this:

static (inside, outside) <PublicIP> <InternalIP> netmask 255.255.255.255

Just with this command, will the traffic flow from outside to inside? No. It has to be accompanied by an access-list which states: ok, a hole is made, now what is it that you want to allow through this? So I go again and configure:

access-list <name> permit tcp any host <PublicIP> eq 25
access-group <name> in interface outside

This will make sure that only SMTP traffic will go through it. Also, how ASA (the PIX's algorithm) works is based on a hybrid firewall: it is an application proxy + packet filter. So any TCP connection going through the PIX is split into 2 connections, source to PIX and PIX to destination. Once the necessary inspection steps are done, it is allowed to be stitched.

Cheers,
Rajesh
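The static-plus-access-list pattern Rajesh describes, applied to the asker's LowSec/HighSec layout, as an added PIX 7.x configuration example (not from the thread or from either poster). The interface names and the 10.20.0.0 / 10.30.0.0 networks come from the question; the /16 masks and the two host addresses 10.20.0.10 and 10.30.0.10 are assumed for illustration. It also shows why the asker's first attempt broke Host B -> Host A: an inbound access-group ends with an implicit deny for everything entering that interface, so a rule placed on the HighSec interface (where Host B's packets enter) blocks Host B's own sessions. The permit for Host A's traffic belongs inbound on LowSec, the interface Host A's packets arrive on.

```text
! Added example (not from the thread). Interface names follow the asker's
! layout; the /16 masks and the two host addresses are assumptions.
!
! Identity static: present the HighSec network to LowSec under its own
! addresses.  Syntax: static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
static (HighSec,LowSec) 10.30.0.0 10.30.0.0 netmask 255.255.0.0
!
! Inbound ACL on the LOW interface, i.e. where Host A's packets enter the PIX.
! Only the HTTP session from Host A to Host B is opened; everything else from
! LowSec towards a higher level is dropped by the implicit deny (logged here).
access-list LOWSEC_IN extended permit tcp host 10.20.0.10 host 10.30.0.10 eq www
access-list LOWSEC_IN extended deny ip any any log
access-group LOWSEC_IN in interface LowSec
!
! Nothing is applied to HighSec for this flow: reply packets match the
! connection entry created by Host A's first SYN (no reverse rule needed),
! and Host B -> Host A keeps working under the default high-to-low policy
! because no access-group is bound to HighSec.
!
! Verify the translation and the hit counters:
! show xlate
! show access-list LOWSEC_IN
```

The explicit deny line is not required (the implicit deny does the same), but it gives hit counters and syslog entries for blocked attempts, which makes it easier to see when a flow is being dropped by the ACL rather than by the missing translation.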
 
LVL 12

Author Comment

by:r_naren22atyahoo
ID: 16917916
Thanks for the prompt response Rajesh.
I am understanding a bit better now! Thanks.
1 last question.

We have nearly 10 internal networks.
If I make all these the same security level and select the option to allow communication between the same security level, then I can control the traffic just by access list, right? (Of course by default I will put deny any any at the end for each group.)

This way there is no need for the NAT, right?
And of course it's not secured.

And if I make all these the same security level and select the option NOT to allow communication between the same security level, then again I have to use the NAT on both interfaces, right??

regards
Naren
 
LVL 32

Expert Comment

by:rsivanandan
ID: 16917996
I have never tried to assign the same security level to 2 interfaces. But if the PIX allows you to do that, then it will be as you are asking for.

Cheers,
Rajesh
 
LVL 79

Expert Comment

by:lrmoore
ID: 16919750
> If I make all these the same security level and select the option NOT to allow communication between the same security level, then again I have to use the NAT on both interfaces, right??
PIX 7.x gives you some options here.
Either you allow communications between interfaces of the same security level, or you don't.
The primary rule with PIX is no communications at all between the same security level. Version 7 gives you a binary switch for that.
If you do allow traffic between same security levels, I don't think you need to NAT, but I'll have to check that out.
There is a global "nat-control" on/off switch. If you disable nat-control then you do not have to use any nat/global rules. Each interface would be expected to have its own public IP subnet.

 
LVL 12

Author Comment

by:r_naren22atyahoo
ID: 16925321
Thanks for the comment lrmoore,

There are 2 switches on 7.21:

1. Allow communications without NAT.
If this switch is ON, then the PIX allows the communications from the Low Security level to the High Security level just by the inbound access rule at the Low Security level interface..

2. Allow communication between interfaces with the same security level.
Here the problem is:
If ON,
it allows the communications by default without any access rules.
Maybe I have to use some deny rules at the end for each interface.
I believe this will be a BIG security hole.

If OFF,
it denies the communications between the interfaces.
However, I have a problem.
If I use an inbound allow access rule on the source interface, then it's still NOT allowing the communications,
and of course this rule is above the deny rule.
I was wondering how to use the access rules to allow the traffic in this scenario.

regards
Naren
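The two PIX 7.x switches lrmoore and Naren discuss above, written out as an added configuration example (not from either post). Interface names follow the thread; for this example LowSec and HighSec are assumed to have been reconfigured to the same security level, as Naren proposes, and the host addresses 10.20.0.10 and 10.30.0.10 are assumed. It also covers the behaviour Naren observed: with same-security traffic disabled the packets are dropped by the security-level policy before any access-list is consulted, so an inbound permit alone cannot open that path; with it enabled, the path is open by default and an access-group on the source interface (with its implicit deny) is what narrows it back down.

```text
! Added example (not from the thread). LowSec and HighSec are assumed to be
! at the same security level here; the host addresses are assumptions.
!
! Switch 1: remove the NAT requirement. Without nat-control, traffic between
! interfaces needs no static/nat/global entries; the security-level policy
! and the access-lists still apply exactly as before.
no nat-control
!
! Switch 2: allow interfaces that share a security level to exchange traffic.
! Without this line such traffic is dropped before any ACL is evaluated,
! which is why an inbound permit by itself does not help.
same-security-traffic permit inter-interface
!
! With both switches on, the same-level path is open by default, so it is
! narrowed with an access-group on the SOURCE interface: only HTTP from
! Host A to Host B is permitted, the implicit deny closes everything else.
access-list LOWSEC_IN extended permit tcp host 10.20.0.10 host 10.30.0.10 eq www
access-list LOWSEC_IN extended deny ip any any log
access-group LOWSEC_IN in interface LowSec
!
! Confirm both switches are present in the running configuration:
! show running-config | include nat-control|same-security
```

Each interface that should not initiate traffic towards its peers needs its own access-group with the same shape; an interface with no access-group bound inbound keeps the open default that Naren identified as the hole.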
 
LVL 12

Author Comment

by:r_naren22atyahoo
ID: 16925333
lrmoore,

Could you please re-open the question?
I want to increase the points to 500, and of course distribute 300 to Rajesh, and 200 will be kept open.

regards
Naren
 
LVL 12

Author Comment

by:r_naren22atyahoo
ID: 16928085
