Allowing port 80 out from DMZ - PIX 515

I have a PIX 515 with web servers on the DMZ interface.  I thought I understood that if the inside interface has a security setting of 100, the DMZ is at 50 and the Outside is at 0, then the PIX should allow traffic to flow from higher-level interfaces to lower-level ones automatically.  My problem is that our web servers allow traffic in from the outside, but if I try to get to the internet from one of the web servers I can't get there.  Obviously if I add a rule to allow DMZ access to any on port 80 it works, and I've tested that.
I'm looking for a couple answers on this.
1. Does the high to low default traffic not really apply here?
2. Is it considered correct to allow port 80 traffic to any destination out from the DMZ to Outside?  Would a seasoned Network Admin laugh at me for doing it?
lrmoore Commented:
1. It only applies if you do not have any acl applied to the interface. Every applied acl has an implied "deny all" at the end. As soon as you apply an acl to the dmz interface the rules change.

2. There is a reason that Microsoft locks down the browser on server platforms. It is not a good idea to use a server to browse the internet. However, there are times when it is absolutely needed. Particularly https to get to Microsoft for updates and downloads.
1) No, it does apply.
2) Best to avoid it if you can, but in most cases you need it for updates etc.

What I suspect is that in the PIX configuration you have 'static' commands with the port numbers listed. Therefore only traffic over these ports gets translated. So when the web server tries to access the outside there is no NAT rule and hence no connection. There are two ways around this:

1) Change the static commands to not mention the port numbers. This way you have a fixed translation from an external IP address to a DMZ IP address. It's good for mail servers, where the server will be initiating lots of traffic to the outside, but it does mean you have to dedicate an outside address for each DMZ machine.

2) Define a 'nat (dmz) 1' or similar so there is a default NAT rule for machines in the DMZ.
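As an added illustration (not part of any poster's reply or the asker's actual config), here is a PIX 6.x configuration sketch of the two NAT fixes described above. Interface names, security levels and all addresses are constructed for the example: 192.168.50.0/24 is the DMZ, 203.0.113.10 is a public address on the outside, and 192.168.50.10 is the web server. The commented-out port-based static is the "before" state that only translates inbound port 80 and gives the server no translation for connections it initiates itself.

```cisco
! Interface security levels as the question describes (constructed example)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 203.0.113.1 255.255.255.0
ip address dmz 192.168.50.1 255.255.255.0

! BEFORE: port-based static. Only inbound TCP/80 to 203.0.113.10 is mapped to
! the web server; outbound connections from 192.168.50.10 match no translation.
! static (dmz,outside) tcp 203.0.113.10 www 192.168.50.10 www netmask 255.255.255.255 0 0

! Option 1: one-to-one static without ports. The whole public address is
! dedicated to the web server, so its outbound traffic is also translated.
static (dmz,outside) 203.0.113.10 192.168.50.10 netmask 255.255.255.255 0 0

! Option 2: a default NAT rule for the DMZ subnet. Hosts without their own
! static are PATed behind the outside interface address when going out.
nat (dmz) 1 192.168.50.0 255.255.255.0 0 0
global (outside) 1 interface

! Inbound access to the web server still needs an ACL on the outside interface;
! inbound from a lower security level is never implicit.
access-list outside_in permit tcp any host 203.0.113.10 eq www
access-group outside_in in interface outside
```

Either option alone gives the server a translation for outbound connections; they can also coexist, in which case the static takes precedence for 192.168.50.10 and the nat/global pair covers the rest of the subnet. Note that nothing above is applied to the dmz interface, so the high-to-low implicit permit still governs what the DMZ may reach; as soon as an access-group is bound to dmz, only what that ACL permits gets through.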
jchri66 (Author) Commented:
This would be so the web site can access a process from a credit card authorizer.  So our website needs to be able to access a certain URL to get a YES or NO from this 3rd party site.  If I can get the IP for the 3rd party website I can just add a rule to only allow port 80 and 443 to that IP only, correct?
grblades Commented:
Yes correct. That would be the best thing to do.
So you are using a 3rd party to perform the credit card authorisation and you are not storing the credit card number in any way?
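As an added example (not from either participant), this is what the narrow outbound rule agreed on above looks like on a PIX 6.x, tying together lrmoore's point about the implicit deny and the asker's plan to allow only 80 and 443 to one host. Addresses are constructed: 192.168.50.10 is the web server on the DMZ and 198.51.100.20 stands in for the card authorizer's address; the ACL name dmz_out is arbitrary.

```cisco
! Outbound policy for the DMZ (constructed example). Binding this ACL to the
! dmz interface replaces the security-level default with "only what is listed".
access-list dmz_out permit tcp host 192.168.50.10 host 198.51.100.20 eq www
access-list dmz_out permit tcp host 192.168.50.10 host 198.51.100.20 eq https

! Everything else from the DMZ is dropped. The explicit deny with "log" is
! optional (the implied deny would drop it anyway) but makes blocked attempts
! visible in syslog, which is useful for spotting a compromised DMZ host.
access-list dmz_out deny ip any any log

access-group dmz_out in interface dmz
```

A couple of practical points: the rule must name the DMZ server's real (pre-translation) address, since ACLs on the dmz interface are evaluated before NAT on outbound traffic; and if the web server also needs DNS to resolve the authorizer's name, that has to be permitted separately (UDP/53 to the resolver), otherwise the lookup fails before the HTTPS connection is ever attempted. If the authorizer publishes several addresses, each needs its own host entry or an object covering the range rather than a permit to any.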
jchri66 (Author) Commented:
From what the development team is telling me that is correct.
That's fine then. There is a standard called PCI DSS you need to comply with if you store credit card information, but as you don't it makes it much simpler for you.