
DMZ Pix Firewall Question

I currently have a web server in my DMZ and permit WWW to it from the Outside_In ACL. Then the web server talks to the back-end SQL server by way of the DMZ_In ACL:

access-list DMZ_In line 1 permit tcp host WebSvr host SQLSvr eq 1433

The only thing is, every time I want to run updates on the web server, I need to add this line:

access-list DMZ_In permit ip host WebSvr any any - I do this so I don't have to write two lines permitting DNS and WWW to run Windows Update. After I run the updates, I remove this statement so we're just left with the one permitting SQL to the inside.

I thought that hosts on a higher security level interface (DMZ99-Outside1) could access lower security level interfaces. If that is true, why do I need to add the extra line before it will work?

Also, if I wanted to move a smarthost into my DMZ, and I want to send all outbound mail to it so it can send the mail out to the internet, how would I write this?

Is it true that if I do this:

access-list DMZ_In permit ip host SpamFilter any any - then this will also permit traffic from the smarthost into the inside, which I do not want. How can I securely filter outbound mail before it's sent to the internet?

Basically I want to add a smarthost to my DMZ and need the configuration to do so. It doesn't seem to work with this:

access-list DMZ_In permit ip host SpamFilter host "outside Int"

What am I doing wrong?
Asked by jaysonfranklin

1 Solution

MikeKane Commented:

"I thought that hosts on a higher security level interface (DMZ99-Outside1) could access lower security level interfaces. If that is true, why do I need to add the extra line before it will work?"

There is an implied deny any any at the end of every ACL. You still need to permit the traffic to flow outbound. The purpose of the zones is to keep the traffic out of the other higher level zones without a static map or port forward, for example.

For the smarthost, you just need to:
1) Redirect your mail server static map (or port forwarded statements) to the smarthost IP in the DMZ.
2) Create the ACL lines for the Outside_In ACL (if you don't already have them) to allow the required ports to the new smarthost.
3) You also need to create the mappings from the smarthost to your internal mail server.
4) Then create/edit the DMZ_In ACL to allow outbound mail traffic to flow from the host to the outside and from the host to the internal email server.
5) Then create/edit the Inside_In ACL to allow the internal email server to communicate with the smarthost.

For #4 and #5, your smarthost documentation will provide the needed ports for communication. If it's an IronMail box, I can pull my manual and get the ports for you.
jaysonfranklin (Author) Commented:
OK, so most of these are already done. Here is where I'm still confused.
 
"4) Then create/edit the DMZ_In ACL to allow outbound mail traffic to flow from the host to the outside and from the host to the internal email server."
I have no problem with traffic flowing from the smarthost to the internal mail server. I can do this like:

access-list DMZ_In permit tcp host Smarthost host MailSvr eq 25

However, my question is: what is the statement to allow flow to the outside without giving it a permit any/any? It seems when I do this:

access-list DMZ_In permit tcp host Smarthost host "OutsideInt" eq 25 - this does not work. What should I be permitting it to, the outside interface or the DMZ interface? Furthermore, if I permit it to the DMZ interface, will that allow the traffic to flow to the inside? It shouldn't, because the inside is a higher security level, right?

"5) Then create/edit the Inside_In ACL to allow the internal email server to communicate with the smarthost."
This would actually be my Inside_Out ACL, which will permit my internal mail server to send mail to the smarthost in the DMZ. This is already done, along with 1-3.

Currently, mail is coming into the smarthost in the DMZ, which by the way is a Barracuda (not IronPort, I wish), and then the smarthost forwards it to the inside, but I also want to send outbound mail through the Barracuda as well and can't get the dang statements right.

Thanks so much for your help.

MikeKane Commented:
On #4:
At the very least, your smarthost will have to allow outbound port 25 to any server. I mean, it has to send mail, right?

access-list DMZ_IN permit tcp host smarthost any eq smtp

You are also going to want DNS services as well:

access-list DMZ_IN permit tcp host smarthost any eq domain

You would then need to add any other ports required by the Barracuda.


This means that you would also allow these ports to the inside as well if the request is attempted. But it would only succeed to inside hosts that are static'd or have a port forward, or if you allowed a Nat_0_ style connection between the DMZ and the inside, which doesn't seem to be the case... but correct me if I'm wrong.

Since the ACL is read top to bottom, you could use the following logic... I'm sure you'll follow.

access-list DMZ_IN permit tcp host smarthost host mailserver eq smtp
access-list DMZ_IN deny ip host smarthost 10.10.10.0 255.255.255.0
access-list DMZ_IN permit tcp host smarthost any eq smtp

(10.10.10.0 255.255.255.0 would be your internal range.)

Basically:
    let port 25 for the mail server through,
    block anything else bound for the internal subnet,
    let port 25 for any other server through,
    deny everything else.

Once the ACL finds a match, processing stops.

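To make the top-down, first-match evaluation above concrete, and to show the same "permit the specific inside host, deny the rest of the inside range, then permit any" pattern applied to the web server from the original question, here is an added example; it is not from the thread or from any Cisco tool. It models only the subset of PIX access-list syntax used in this thread, with constructed addresses: 198.51.100.x for DMZ hosts, 10.10.10.0/24 as the inside range from Mike's deny line, and 203.0.113.x for outside hosts.

```python
import ipaddress

PORTS = {"smtp": 25, "domain": 53, "www": 80}  # named ports used in the thread

def _addr(t, i):
    """Consume 'any', 'host A' or 'A MASK' at t[i]; return (network, next index)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}"), i + 2

def parse_acl(lines):
    """Parse 'access-list NAME permit|deny PROTO SRC DST [eq PORT]' lines, in order."""
    rules = []
    for line in lines:
        t = line.split()
        src, i = _addr(t, 4)
        dst, i = _addr(t, i)
        port = None
        if i < len(t) and t[i] == "eq":
            port = PORTS[t[i + 1]] if t[i + 1] in PORTS else int(t[i + 1])
        rules.append((t[2], t[3], src, dst, port))  # (action, proto, src, dst, port)
    return rules

def evaluate(rules, proto, src, dst, dport):
    """Top-down first match: returns (action, matching line). No match is the implied deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, (action, rproto, rsrc, rdst, rport) in enumerate(rules, 1):
        if rproto not in ("ip", proto) or s not in rsrc or d not in rdst:
            continue
        if rport is not None and rport != dport:
            continue
        return action, n  # processing stops at the first match
    return "deny", None

# Constructed addresses: smarthost 198.51.100.10 in the DMZ, mail server 10.10.10.25 inside.
DMZ_IN = parse_acl([
    "access-list DMZ_In permit tcp host 198.51.100.10 host 10.10.10.25 eq smtp",
    "access-list DMZ_In deny ip host 198.51.100.10 10.10.10.0 255.255.255.0",
    "access-list DMZ_In permit tcp host 198.51.100.10 any eq smtp",
])
# Same pattern for the web server (198.51.100.11) that needs SQL (10.10.10.40) plus updates.
WEB_DMZ_IN = parse_acl([
    "access-list DMZ_In permit tcp host 198.51.100.11 host 10.10.10.40 eq 1433",
    "access-list DMZ_In deny ip host 198.51.100.11 10.10.10.0 255.255.255.0",
    "access-list DMZ_In permit tcp host 198.51.100.11 any eq www",
    "access-list DMZ_In permit udp host 198.51.100.11 any eq domain",
])
```

With these rule sets, SMTP from the smarthost to any other inside host stops at the deny on line 2, SMTP to an outside host reaches line 3, and any other port to the outside falls off the end into the implied deny.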
jaysonfranklin (Author) Commented:
OK, I think where the confusion came from was trying to figure out which specific host to permit to. Since there aren't any hosts on the outside interface, I was trying to permit it to the outside interface IP, but I didn't think about permitting it to any and then denying the rest of the internal subnet. That would have been too smart. I guess I can do this for the web server too so I don't have to add/remove statements every time I update.

Thanks for clearing things up for me, Mike. I really appreciate it.