maredzki asked:

PIX 515e DMZ traffic In/Out

Here is my scenario:
I have a public IP address dedicated to static translation; traffic from internal to the Internet works in PAT mode using a separate IP. I need to have traffic coming to the host in the DMZ and traffic originating in the DMZ bound for an Internet host on specific ports. I have the following rules:

static (dmz,outside) <externalIP> <DMZ_IP> netmask 255.255.255.255 0 0
access-group outside_in_acl in interface outside
access-group dmz_int in interface dmz
access-list outside_in_acl permit tcp any host <externalIP> eq 9000
access-list dmz_int permit tcp host <DMZ_IP> host <Internet_Host> eq 5000

So, traffic originating in the DMZ will be allowed to leave on port 5000 and traffic coming in to the DMZ from the Internet will be allowed on port 5000. Does that look correct?

Also, the below command allows any host on the Internet to be allowed...
access-list outside_in_acl permit tcp any host <externalIP> eq 9000
can it be restricted to hosts by doing:
access-list outside_in_acl permit tcp host <InternetIP> host <externalIP> eq 9000
(access-list outside_in_acl permit tcp host 333.444.555.666 host 222.333.444.555 eq 9000
access-list outside_in_acl permit tcp host 333.444.555.667 host 222.333.444.555 eq 9000 and
access-list outside_in_acl permit tcp host 333.444.555.668 host 222.333.444.555 eq 9000)?

Thanks and if I can supply with any other info please let me know.
Tags: Cisco, Hardware Firewalls, Network Architecture

Last comment by maredzki on 8/22/2022 (Mon)
MikeKane

>>So, traffic originating in the DMZ will be allowed to leave on port 5000 and traffic coming in to the DMZ from the Internet will be allowed on port 5000. Does that look correct?

You actually have traffic from the internet coming in on port 9000 allowed inbound through your static, not 5000.   You do have 5000 going outbound from the DMZ out.  




>>can it be restricted to hosts by doing:
access-list outside_in_acl permit tcp host 333.444.555.666 host 222.333.444.555 eq 9000
access-list outside_in_acl permit tcp host 333.444.555.667 host 222.333.444.555 eq 9000 and
access-list outside_in_acl permit tcp host 333.444.555.668 host 222.333.444.555 eq 9000)?

Yes, those lines above would only allow the 3 external IPs to access port 9000 through the static.  
MikeKane

...   if this is what you meant:
access-list outside_in_acl permit tcp host 333.444.555.666 host <External IP> eq 9000
maredzki

ASKER
Yes, sorry, it was a mistype; it was supposed to be 9000 inbound. I don't quite understand the following command and how it pertains to this traffic:
access-group dmz_int in interface dmz
I know it controls traffic from the DMZ to the internal network, or am I wrong?
Thanks.  
MikeKane

No - That command applies an access list to an interface in a certain direction.    Position yourself in the center of the firewall....  Now build an access list using source and destination IPs.   Apply that list to an interface with a direction ( in or out).  

An example:  

Say the ACL reads "allow source 172.16.1.0 to destination 10.10.10.0 for all IP"
Now apply that access list "in interface dmz"

Now position yourself in the center of the firewall and watch the traffic coming into the dmz interface and evaluate that list.   "Does this traffic have a source of 172.16.1.0 and is the destination 10.10.10.0? If yes, then let it through".  


maredzki

ASKER
Ok, just one follow up question.
Given the example by MikeKane, does the traffic get evaluated in both directions on the same ACL? For example:

Given that 172.16.1.5 is an external host and 10.10.10.5 is an internal host,
allow source host 172.16.1.5 to destination 10.10.10.5 and
allow source host 10.10.10.5 to destination 172.16.1.5

Would this allow traffic in both directions from specific host on the internet to specific host in the DMZ and vice versa?

Thanks much for the help.
MikeKane

You don't need the return allow since once the session is established, all traffic will pass.  

The ACL evaluates traffic one way, and this depends on how it is applied to the interface with the access-group command.   There is a limit of 1 ACL per interface per direction.   You can apply the ACL either "in" or "out" on a certain interface.  The source and destinations matter since the "out" direction of the outside interface will have packets that have been nat'ed already.  

And, remember, by default, any higher security interface can access all ip on lower security interfaces.  So if a DMZ host has a nat or a static out the internet, by default, it can access anything.  

maredzki

ASKER
Ok, thanks!

The DMZ host in my situation has 1:1 static NAT:
static (dmz,outside) <extIP> <intIP> netmask 255.255.255.255 0 0

There are two ways the traffic can traverse the PIX: either initiated by the DMZ host itself or initiated by the Internet host. I understand I have to have two rules, one to allow the DMZ host out and a second to allow the Internet host in. For some reason, if I do not put the DMZ host in to access the host on the web, it won't work (as you say it would, not sure why it does not). I do not have any deny statements in the config.
MikeKane

If you have any access-list applied to the dmz interface, then there is an implicit DENY ANY ANY at the end of every ACL whether you add it in there or not.  

So if you have a DMZ ACL that looks like:
access-list dmz_in extended permit ip host 10.10.10.10 any
access-list dmz_in extended permit tcp any any eq www

and you apply that with
access-group dmz_in in interface dmz

Then 10.10.10.10 can access any server, everything on the dmz can access port 80, all other traffic will be denied.  



maredzki

ASKER
Ok, so in my scenario I have

access-list outside_in_acl permit tcp any host <IP_on_DMZ> eq www
<IP_on_DMZ> being "static (dmz,outside) <IP_on_DMZ> <dmzHostIP> netmask 255.255.255.255 0 0"
so any traffic coming to <IP_on_DMZ> will be passed only on port 80
and that is applied with:
access-group outside_in_acl in interface outside

So, if I wanted to open up traffic in my description above:
access-list outside_in_acl permit tcp any host <externalIP> eq 9000
it will allow any host on the internet to the specific ip <externalIP> on port 9000. Correct?
And if I wanted to be more granular and say only this IP will be allowed, I say:
access-list outside_in_acl permit tcp host <onlythisIP> host <externalIP> eq 9000

Makes sense and is correct?

Thanks much.
MikeKane

>access-list outside_in_acl permit tcp any host <IP_on_DMZ> eq www
><IP_on_DMZ> being "static (dmz,outside) <IP_on_DMZ> <dmzHostIP> netmask 255.255.255.255 0 0"
>so any traffic coming to <IP_on_DMZ> will be passed only on port 80
>and that is applied with:
>access-group outside_in_acl in interface outside


In this example, the traffic would not pass because you are allowing ANY host to the <IP_on_DMZ>.    The DMZ ip can not be addressed on the outside interface.  You would need to replace the DMZ ip with the External IP you have static'd it with.



>So, if I wanted to open up traffic in my description above:
>access-list outside_in_acl permit tcp any host <externalIP> eq 9000
>it will allow any host on the internet to the specific ip <externalIP> on port 9000. Correct?
>And if I wanted to be more granular and say, only this IP will be allowed i say:
>access-list outside_in_acl permit tcp host <onlythisIP> host <externalIP> eq 9000
>Makes sense and is correct?

Yes, this example is the correct way.
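Added example, not code from the thread: a small Python model of the two PIX behaviours MikeKane describes above, the implicit "deny ip any any" at the end of any ACL applied with access-group, and the outside ACL having to name the static's external address rather than the DMZ host's address. The access-list lines use the thread's own syntax; the addresses are constructed from documentation ranges and stand in for the thread's placeholders.

```python
from dataclasses import dataclass

NAMED_PORTS = {"www": 80}  # service name the PIX accepts after 'eq', as used in the thread

@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int

def parse_acl(lines):
    """Parse 'access-list NAME [extended] permit|deny PROTO SRC DST [eq PORT]' (SRC/DST: any | host A.B.C.D)."""
    entries = []
    for line in lines:
        t = line.split()
        i = 3 if t[2] == "extended" else 2
        action, proto, i = t[i], t[i + 1], i + 2
        addrs = []
        for _ in range(2):                       # source, then destination
            addrs.append("any" if t[i] == "any" else t[i + 1])
            i += 1 if t[i] == "any" else 2
        port = None
        if i < len(t) and t[i] == "eq":          # port keyword or number
            port = NAMED_PORTS.get(t[i + 1]) or int(t[i + 1])
        entries.append((action, proto, addrs[0], addrs[1], port))
    return entries

def acl_permits(lines, pkt):
    """First matching entry wins; no match falls through to the implicit 'deny ip any any'."""
    for action, proto, src, dst, port in parse_acl(lines):
        if (proto in ("ip", pkt.proto) and src in ("any", pkt.src)
                and dst in ("any", pkt.dst) and port in (None, pkt.dport)):
            return action == "permit"
    return False

def inbound_to_dmz(outside_acl, static_ext, static_dmz, pkt):
    """Inbound on 'outside' the ACL is matched against the global (external) address of the
    static; only a permitted packet is then untranslated to the DMZ host. None means dropped."""
    if pkt.dst != static_ext or not acl_permits(outside_acl, pkt):
        return None
    return static_dmz

# Constructed addresses from documentation ranges, standing in for the thread's placeholders.
EXT, DMZ, CLIENT = "198.51.100.5", "10.10.10.10", "203.0.113.20"
OUTSIDE_OK = ["access-list outside_in_acl permit tcp host 203.0.113.20 host 198.51.100.5 eq 9000"]
OUTSIDE_WRONG = ["access-list outside_in_acl permit tcp any host 10.10.10.10 eq 9000"]  # names DMZ IP
DMZ_ACL = ["access-list dmz_in extended permit ip host 10.10.10.10 any",
           "access-list dmz_in extended permit tcp any any eq www"]
```

The global-address matching modelled in inbound_to_dmz is the PIX behaviour discussed in this thread; ASA 8.3 and later match ACLs against the real (untranslated) address instead, so the same lines need the DMZ host's address there.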


maredzki

ASKER
>In this example, the traffic would not pass because you are allowing ANY host to the <IP_on_DMZ>.    The DMZ ip can not be addressed on the outside interface.  You would need to replace the DMZ ip with the External IP you have static'd it with.

I think that is what I meant. The IP_on_DMZ is the public IP address assigned to the DMZ interface, which is then statically mapped to a DMZ host's internal IP. Correct?

Cheers and thanks for the help.
ASKER CERTIFIED SOLUTION
MikeKane

maredzki

ASKER
Excellent help!