Solved

DMZ Pix Firewall Question

Posted on 2008-10-01
Last Modified: 2010-04-09
I currently have a web server in my DMZ and permit WWW to it from the Outside_In ACL. The web server then talks to a back-end SQL server by way of the DMZ_In ACL:

access-list DMZ_In line 1 permit tcp host WebSvr host SQLSvr eq 1433

The only thing is, every time I want to run updates on the web server, I need to add this line:

access-list DMZ_In permit ip host WebSvr any

I do this so I don't have to write two lines permitting DNS and WWW to run Windows Update. After I run the updates, I remove this statement so we're just left with the one permitting SQL to the inside.

I thought that hosts on a higher security level interface (DMZ 99, Outside 1) could access lower security level interfaces. If that is true, why do I need to add the extra line before it will work?

Also, if I wanted to move a smarthost into my DMZ and send all outbound mail to it so it can send the mail out to the internet, how would I write this?

Is it true that if I do this:

access-list DMZ_In permit ip host SpamFilter any

then this will also permit traffic from the smarthost into the inside, which I do not want? How can I securely filter outbound mail before it's sent to the internet?

Basically, I want to add a smarthost to my DMZ and need the configuration to do so. It doesn't seem to work with this:

access-list DMZ_In permit ip host SpamFilter host "outside Int"

What am I doing wrong?
Question by: jaysonfranklin

4 Comments

Expert Comment by: MikeKane

I thought that hosts on higher security level interface (DMZ99-Outside1) could access lower security level interfaces. If that is true, why do i need to add the extra line before it will work?

There is an implied deny any any at the end of every ACL. You still need to permit the traffic to flow outbound. The purpose of the zones is to keep the traffic out of the other, higher level zones without a static map or port forward, for example.

For the smarthost, you just need to:
1) Redirect your mail server static map (or port forward statements) to the smarthost IP in the DMZ.
2) Create the ACL lines in the outside_in ACL (if you don't already have them) to allow the required ports to the new smarthost.
3) Create the mappings from the smarthost to your internal mail server.
4) Create/edit the DMZ_in ACL to allow outbound mail traffic to flow from the host to the outside and from the host to the internal email server.
5) Create/edit the inside_in ACL to allow the internal email server to communicate with the smarthost.

For #4 and #5, your smarthost documentation will provide the needed ports for communication. If it's an IronMail box, I can pull my manual and get the ports for you.
Author Comment by: jaysonfranklin

OK, so most of these are already done. Here is where I'm still confused.

4) then create/edit the DMZ_in acl to allow outbound mail traffic to flow from the host to the outside and from the host to the internal email server.

I have no problem with traffic flowing from the smarthost to the internal mail server. I can do this like:

access-list DMZ_In permit tcp host Smarthost host MailSvr eq 25

However, my question is, what is the statement to allow flow to the outside without giving it a permit any/any? It seems that when I do this:

access-list DMZ_In permit tcp host Smarthost host "OutsideInt" eq 25

it does not work. What should I be permitting it to? The outside interface or the DMZ interface? Furthermore, if I permit it to the DMZ interface, will that allow the traffic to flow to the inside? It shouldn't, because the inside is a higher security level, right?

5) then create/edit the inside_in acl to allow the internal email server to communicate to the smarthost.

This would actually be my Inside_Out ACL, which will permit my internal mail server to send mail to the smarthost in the DMZ. This is already done, along with 1-3.

Currently, mail is coming into the smarthost in the DMZ (which, by the way, is a Barracuda, not an IronPort, I wish) and then the smarthost forwards it to the inside, but I also want to send outbound mail through the Barracuda as well and can't get the dang statements right.

Thanks so much for your help.

Accepted Solution by: MikeKane (earned 500 total points)

On #4:
At the very least, your smarthost will have to be allowed outbound port 25 to any server. I mean, it has to send mail, right?

access-list DMZ_In permit tcp host smarthost any eq smtp

You are also going to want DNS services as well:

access-list DMZ_In permit tcp host smarthost any eq domain

You would then need to add any other ports required by the Barracuda.

This means that you would also allow these ports to the inside as well if the request is attempted. But it would only succeed to inside hosts that are static'd or have a port forward, or if you allowed a nat 0 style connection between the DMZ and the inside, which doesn't seem to be the case, but correct me if I'm wrong.

Since the ACL is read top to bottom, you could use the following logic (I'm sure you'll follow):

access-list DMZ_In permit tcp host smarthost host mailserver eq smtp
access-list DMZ_In deny ip host smarthost 10.10.10.0 255.255.255.0
access-list DMZ_In permit tcp host smarthost any eq smtp

The 10.10.10.0 255.255.255.0 would be your internal range.

Basically:
    let port 25 to the mail server through
    block anything else bound for the internal subnet
    let port 25 to any other server through
    deny everything else

Once the ACL finds a match, processing stops.

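The first-match logic in the accepted solution, extended to the web server case from the question, as an added example that is not part of the original thread: a small Python model of how the PIX walks an access-list top to bottom and falls through to the implicit deny. The host addresses, the 10.10.10.0/24 inside range and the test flows are constructed for this example; DNS is permitted over UDP as well here because resolvers normally query on UDP/53, which a tcp-only entry would not cover. The model answers only "would the ACL permit this packet"; whether a DMZ host can actually reach an inside address also depends on the static/NAT configuration, as the answer points out.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addresses for the hosts named in the thread (assumptions, not from the post).
HOSTS = {"WebSvr": "192.168.100.20", "Smarthost": "192.168.100.10",   # DMZ
         "SQLSvr": "10.10.10.30", "MailSvr": "10.10.10.25"}           # inside
INSIDE_NET = "10.10.10.0 255.255.255.0"   # the "internal range" from the accepted answer
PORT_NAMES = {"smtp": 25, "domain": 53, "www": 80}

@dataclass
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches any protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]         # None means any destination port

def _addr(tokens):
    """Consume one PIX address spec: 'any', 'host NAME|IP', or 'NET MASK'."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if t == "host":
        name = tokens.pop(0)
        return ipaddress.IPv4Network(HOSTS.get(name, name) + "/32")
    return ipaddress.IPv4Network(f"{t}/{tokens.pop(0)}")   # NET MASK form

def parse_rule(line):
    """Parse 'access-list NAME [line N] permit|deny PROTO SRC DST [eq PORT]'."""
    tokens = line.split()[2:]                 # drop 'access-list' and the ACL name
    if tokens[0] == "line":
        tokens = tokens[2:]                   # drop optional 'line N'
    action, proto, tokens = tokens[0], tokens[1], tokens[2:]
    src, dst = _addr(tokens), _addr(tokens)
    dport = None
    if tokens and tokens[0] == "eq":
        dport = PORT_NAMES.get(tokens[1]) or int(tokens[1])
    return Rule(action, proto, src, dst, dport)

def load_acl(text):
    return [parse_rule(l) for l in text.strip().splitlines()]

def evaluate(acl, proto, src_ip, dst_ip, dport):
    """Try entries top to bottom; the first match decides. A flow that matches
    nothing hits the implicit 'deny any any' at the end of every PIX ACL."""
    src, dst = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for position, r in enumerate(acl, start=1):
        if r.proto != "ip" and r.proto != proto:
            continue
        if src not in r.src or dst not in r.dst:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action, position
    return "deny", None

# DMZ_In as built in the accepted answer, plus the same pattern for the web server so it
# can reach DNS and HTTP on the internet without a blanket 'permit ip host WebSvr any'.
DMZ_IN = load_acl(f"""
access-list DMZ_In permit tcp host WebSvr host SQLSvr eq 1433
access-list DMZ_In permit tcp host Smarthost host MailSvr eq smtp
access-list DMZ_In deny ip host Smarthost {INSIDE_NET}
access-list DMZ_In deny ip host WebSvr {INSIDE_NET}
access-list DMZ_In permit tcp host Smarthost any eq smtp
access-list DMZ_In permit udp host Smarthost any eq domain
access-list DMZ_In permit tcp host WebSvr any eq www
access-list DMZ_In permit udp host WebSvr any eq domain
""")

# The two smarthost entries with the deny placed after the permit-any: order matters.
DMZ_IN_MISORDERED = load_acl(f"""
access-list DMZ_In permit tcp host Smarthost any eq smtp
access-list DMZ_In deny ip host Smarthost {INSIDE_NET}
""")

FLOWS = {  # constructed flows (proto, src, dst, dport); 203.0.113.0/24 is documentation space
    "Smarthost->MailSvr:25": ("tcp", HOSTS["Smarthost"], HOSTS["MailSvr"], 25),
    "Smarthost->SQLSvr:25": ("tcp", HOSTS["Smarthost"], HOSTS["SQLSvr"], 25),
    "Smarthost->internet:25": ("tcp", HOSTS["Smarthost"], "203.0.113.5", 25),
    "Smarthost->internet:53/udp": ("udp", HOSTS["Smarthost"], "203.0.113.53", 53),
    "Smarthost->internet:80": ("tcp", HOSTS["Smarthost"], "203.0.113.5", 80),
    "WebSvr->SQLSvr:1433": ("tcp", HOSTS["WebSvr"], HOSTS["SQLSvr"], 1433),
    "WebSvr->MailSvr:80": ("tcp", HOSTS["WebSvr"], HOSTS["MailSvr"], 80),
    "WebSvr->update:80": ("tcp", HOSTS["WebSvr"], "203.0.113.80", 80),
}

def decisions(acl=DMZ_IN):
    """Decision and matching entry number (None = implicit deny) for every flow."""
    return {name: evaluate(acl, *flow) for name, flow in FLOWS.items()}

if __name__ == "__main__":
    for name, (action, pos) in decisions().items():
        print(f"{name:28} {action:6} entry {pos if pos else 'implicit deny'}")
```

Running it shows the smarthost reaching MailSvr on 25 and any outside address on 25 and 53, while Smarthost to SQLSvr on 25 and WebSvr to MailSvr on 80 stop at the deny entries, and Smarthost to an outside address on 80 falls through to the implicit deny. Evaluating the same SQLSvr:25 flow against DMZ_IN_MISORDERED returns permit from the first entry, which is the hole the ordering in the accepted answer closes.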
Author Comment by: jaysonfranklin

OK, I think the confusion came from trying to figure out which specific host to permit to, since there aren't any hosts on the outside interface, so I was trying to permit it to the outside interface IP. But I didn't think about permitting it to any and then denying the rest of the internal subnet. That would have been too smart. I guess I can do this for the web server too so I don't have to add/remove statements every time I update.

Thanks for clearing things up for me, Mike. I really appreciate it.