jchri66 asked:
Allowing port 80 out from DMZ - PIX 515

I have a PIX 515 with web servers on the DMZ interface.  I thought I understood that if the inside int has a security setting of 100, the DMZ is at 50 and the Outside is at 0, then the PIX should allow traffic to flow from high-level ints to low-level ones automatically.  My problem is that our web servers allow traffic in from the outside, but if I try to get to the internet from one of the web servers I can't get there.  Obviously if I add a rule to allow DMZ access to any on port 80 it works, and I've tested that.
I'm looking for a couple answers on this.
1. Does the high to low default traffic not really apply here?
2. Is it considered correct to allow port 80 traffic to any out from the DMZ to Outside?  Would a seasoned Network Admin laugh at me for doing it?
grblades:
1) No, it does apply.
2) Best to avoid it if you can, but in most cases you need it for updates etc.

What I suspect is that in the PIX configuration you have 'static' commands with the port numbers listed. Therefore only traffic over these ports gets translated, so when the web server tries to access the outside there is no NAT rule and no connection. There are two ways around this:

1) Change the static commands to not mention the port numbers. This way you have a fixed translation from an external IP address to a DMZ IP address. It's good for mail servers where the server will be initiating lots of traffic to the outside, but it does mean you have to dedicate an outside address for each DMZ machine.

2) Define a 'nat (dmz) 1 xx.xx.xx.xxx 255.255.255.0' or similar so there is a default NAT rule for machines in the DMZ.
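As an added illustration (not part of grblades' answer), here is what the situation and both fixes look like in PIX 6.x syntax. All addresses, interface names and NAT ids are placeholders; 192.168.50.0/24 is assumed to be the DMZ, 203.0.113.0/24 the outside block.

```cisco
! --- What the asker probably has: a port static. Only TCP/80 to the
! --- mapped address is translated, so the server has no xlate for
! --- connections it originates itself.
static (dmz,outside) tcp 203.0.113.10 80 192.168.50.10 80 netmask 255.255.255.255
access-list outside_in permit tcp any host 203.0.113.10 eq 80
access-group outside_in in interface outside

! --- Option 1: one-to-one static, all ports. Inbound still needs the
! --- outside_in ACL; outbound from 192.168.50.10 now translates to
! --- 203.0.113.10 on any port. Costs one outside address per DMZ host.
static (dmz,outside) 203.0.113.10 192.168.50.10 netmask 255.255.255.255 0 0

! --- Option 2: keep the port static for inbound and add dynamic PAT for
! --- everything else the DMZ originates. The nat id must match a global
! --- with the same id; if inside already uses "nat (inside) 1" with a
! --- "global (outside) 1", the DMZ can share that pool.
nat (dmz) 1 192.168.50.0 255.255.255.0 0 0
global (outside) 1 203.0.113.20 netmask 255.255.255.255
! (or: global (outside) 1 interface   to PAT on the outside address)

! --- Rebuild the translation table after changing static/nat/global,
! --- otherwise old xlates keep the previous behaviour until they age out.
clear xlate
```

With option 2 the port static still wins for traffic arriving on 203.0.113.10:80, while a connection the server opens from an ephemeral source port does not match it and falls through to the nat/global pair. Either way, once a translation exists the 50-to-0 security-level rule lets the DMZ initiate to the outside unless an access-group is applied on the dmz interface, in which case only what that ACL permits gets through.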
ASKER CERTIFIED SOLUTION
Les Moore
(This solution is only available to members of Experts Exchange.)
jchri66 (ASKER):
This would be so the web site can access a process from a credit card authorizer.  So our website needs to be able to access a certain URL to get a YES or NO from this 3rd-party site.  If I can get the IP for the 3rd-party website I can just add a rule to allow only ports 80 and 443 to that IP, correct?
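The restriction the asker describes, as an added example that is not from any of the replies on this page. The web server address (192.168.50.10), the authorizer address (198.51.100.25) and the resolver address (203.0.113.53) are assumed placeholders; 80/443 are the ports the asker names. The outbound NAT for the DMZ (a full static, or a nat/global pair) is assumed to be in place already, since an ACL alone does not create a translation.

```cisco
! Lock DMZ egress down to the card authorizer on HTTP and HTTPS only.
access-list dmz_out permit tcp host 192.168.50.10 host 198.51.100.25 eq 80
access-list dmz_out permit tcp host 192.168.50.10 host 198.51.100.25 eq 443

! If the web server resolves the authorizer's hostname itself, it also
! needs DNS to wherever its resolver lives; without this line the
! lookup is silently dropped and the call never reaches port 80/443.
access-list dmz_out permit udp host 192.168.50.10 host 203.0.113.53 eq 53

! Explicit catch-all so the drop is visible in the config (the PIX
! denies anything not matched anyway).
access-list dmz_out deny ip any any
access-group dmz_out in interface dmz
```

Two caveats worth knowing before relying on this. First, PIX 6.x ACLs match addresses, not names: if the authorizer sits behind a load balancer, publishes several addresses, or moves, the permit lines need updating, so pin the rule to the address range the provider documents rather than to whatever one lookup returned. Second, once an access-group is bound to the dmz interface it governs everything the DMZ originates, including any DMZ-to-inside traffic that was previously permitted; add those flows to the same ACL or they stop.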
SOLUTION
(This solution is only available to members of Experts Exchange.)
jchri66 (ASKER):
From what the development team is telling me that is correct.
That's fine then. There is a standard called PCI DSS you need to comply with if you store credit card information, but as you don't it makes it much simpler for you.