DMZ Pix Firewall Question
Posted on 2008-10-01
I currently have a web server in my DMZ and permit WWW to it from the Outside_In ACL. Then the web server talks to the back-end SQL server by way of the DMZ_In ACL:
access-list DMZ_In line 1 permit tcp host WebSvr host SQLSvr eq 1433
Only thing is, every time I want to run updates on the web server, I need to add this line:
access-list DMZ_In permit ip host WebSvr any
(I do this so I don't have to write two lines permitting DNS and WWW to run Windows Update.) After I run the updates, I remove this statement so we're just left with the one permitting SQL to the inside.
I thought that hosts on a higher security level interface (DMZ 99, Outside 1) could access lower security level interfaces. If that is true, why do I need to add the extra line before it will work?
Also, if I wanted to move a smarthost into my DMZ and send all outbound mail to it so it can send the mail out to the internet, how would I write this?
Is it true that if I do this:
access-list DMZ_In permit ip host SpamFilter any
then this will also permit traffic from the smarthost into the inside, which I do not want. How can I securely filter outbound mail before it's sent to the internet?
Basically I want to add a smarthost to my DMZ and need the configuration to do so. It doesn't seem to work with this:
access-list DMZ_In permit ip host SpamFilter host "outside Int"
What am i doing wrong?
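The behaviour the post runs into is that binding an access-list to the DMZ interface with access-group replaces the implicit "higher security level may reach lower" rule for that interface: from then on every flow sourced from the DMZ must match a permit entry or it hits the implicit deny at the end of the list. The config below is an added example, not the poster's configuration; it assumes placeholder names WebSvr, SqlSvr and SpamFilter, an inside network of 10.0.0.0/24, and a DMZ interface named dmz, all chosen for illustration. It shows the narrow permanent entries Windows Update needs instead of a temporary permit ip any, and an explicit deny toward the inside placed ahead of the broad outbound permits the smarthost needs. Outbound mail is delivered to whatever MX host the recipient domain resolves to, which is why the destination is any on port 25 rather than the firewall's own outside interface address.

```cisco
! Added example (not from the original post). Names, the 10.0.0.0/24 inside
! network and the interface name "dmz" are assumed placeholders.
!
! Entries are evaluated top to bottom; the first match wins.

! 1. Web server to the back-end database only
access-list DMZ_In permit tcp host WebSvr host SqlSvr eq 1433

! 2. Nothing else from the DMZ may reach the inside network. This deny must
!    sit above the "any" permits below, or those permits would also match
!    inside destinations.
access-list DMZ_In deny ip any 10.0.0.0 255.255.255.0

! 3. What Windows Update actually needs from the web server: DNS and HTTP/HTTPS
access-list DMZ_In permit udp host WebSvr any eq 53
access-list DMZ_In permit tcp host WebSvr any eq 80
access-list DMZ_In permit tcp host WebSvr any eq 443

! 4. Smarthost: DNS for MX lookups and SMTP to any internet mail exchanger
access-list DMZ_In permit udp host SpamFilter any eq 53
access-list DMZ_In permit tcp host SpamFilter any eq 25

! 5. Explicit final deny so "show access-list" hit counts reveal what is dropped
access-list DMZ_In deny ip any any

! Bind the list inbound on the DMZ interface (traffic entering the firewall
! from DMZ hosts)
access-group DMZ_In in interface dmz
```

Two caveats a practitioner would check: inside hosts submitting mail to SpamFilter (inside, security 100, toward DMZ, security 99) is permitted by default only when no access-list is bound to the inside interface, and on PIX 6.x that path additionally depends on the NAT/static configuration between those interfaces, which is not shown here; and accepting inbound SMTP from the internet to the smarthost is a separate entry in the Outside_In list, which the post does not ask about.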