asked on
PIX 515e DMZ traffic In/Out
Here is my scenario:
I have a public IP address dedicated to static translation, traffic from internal to Internet works in PAT mode using a separate IP. I need to have traffic coming to the host in the DMZ and traffic originating in the DMZ bound for Internet host on a specific ports. I have the following rules:
static (dmz,outside) <externalIP> <DMZ_IP> netmask 255.255.255.255 0 0
access-group outside_in_acl in interface outside
access-group dmz_int in interface dmz
access-list outside_in_acl permit tcp any host <externalIP> eq 9000
access-list dmz_int permit tcp host <DMZ_IP> host <Internet_Host> eq 5000
So, traffic originating in the DMZ will be allowed to leave on port 5000 and traffic coming in to the DMZ from the Internet will be allowed on port 5000. Does that look correct?
Also, the below command allows any host on the Internet to be allowed...
access-list outside_in_acl permit tcp any host <externalIP> eq 9000
can it be restricted to hosts by doing:
access-list outside_in_acl permit tcp host <InternetIP> host <externalIP> eq 9000
(access-list outside_in_acl permit tcp host 333.444.555a.666 host 222.333.444.555 eq 9000
access-list outside_in_acl permit tcp host 333.444.555.667 host 222.333.444.555 eq 9000 and
access-list outside_in_acl permit tcp host 333.444.555.668 host 222.333.444.555 eq 9000)?
Thanks and if I can supply with any other info please let me know.
I have a public IP address dedicated to static translation, traffic from internal to Internet works in PAT mode using a separate IP. I need to have traffic coming to the host in the DMZ and traffic originating in the DMZ bound for Internet host on a specific ports. I have the following rules:
static (dmz,outside) <externalIP> <DMZ_IP> netmask 255.255.255.255 0 0
access-group outside_in_acl in interface outside
access-group dmz_int in interface dmz
access-list outside_in_acl permit tcp any host <externalIP> eq 9000
access-list dmz_int permit tcp host <DMZ_IP> host <Internet_Host> eq 5000
So, traffic originating in the DMZ will be allowed to leave on port 5000 and traffic coming in to the DMZ from the Internet will be allowed on port 5000. Does that look correct?
Also, the below command allows any host on the Internet to be allowed...
access-list outside_in_acl permit tcp any host <externalIP> eq 9000
can it be restricted to hosts by doing:
access-list outside_in_acl permit tcp host <InternetIP> host <externalIP> eq 9000
(access-list outside_in_acl permit tcp host 333.444.555a.666 host 222.333.444.555 eq 9000
access-list outside_in_acl permit tcp host 333.444.555.667 host 222.333.444.555 eq 9000 and
access-list outside_in_acl permit tcp host 333.444.555.668 host 222.333.444.555 eq 9000)?
Thanks and if I can supply with any other info please let me know.
CiscoHardware FirewallsNetwork Architecture
Last Comment
maredzki
... if this is what you meant:
access-list outside_in_acl permit tcp host 333.444.555.666 host <External IP> eq 9000
access-list outside_in_acl permit tcp host 333.444.555.666 host <External IP> eq 9000
ASKER
Yes, sorry it was a mistype was supposed to be 9000 inbound. I don't quite understand the following comand anh how it pertains to this traffic:
access-group dmz_int in interface dmz
I knows it controlls traffic fr DMZ to internal network, or am I wrong?
Thanks.
access-group dmz_int in interface dmz
I knows it controlls traffic fr DMZ to internal network, or am I wrong?
Thanks.
No - That command applies an access list to an interface in a certain direction. Position yourself in the center of the firewall.... Now build an access list using source and destination IPs. Apply that list to an interface with a direction ( in or out).
An example:
Say the ACL reads "allow source 172.16.1.0 to destination 10.10.10.0 for all IP"
Now apply that access list "in interface dmz"
No position yourself in the center of the firewall and watch the traffic coming into the dmz interface and evaluate that list. "Does this traffic have a source of 172.16.1.0 and is the destination 10.10.10.0? If yes, then let it through".
An example:
Say the ACL reads "allow source 172.16.1.0 to destination 10.10.10.0 for all IP"
Now apply that access list "in interface dmz"
No position yourself in the center of the firewall and watch the traffic coming into the dmz interface and evaluate that list. "Does this traffic have a source of 172.16.1.0 and is the destination 10.10.10.0? If yes, then let it through".
ASKER
Ok, just one follow up question.
Give the example by MikeKane, the traffic gets evaluated in both directions on the same ACL, for example:
Give 172.16.1.5 is an external host, and 10.10.10.5 is an internal host,
allow source host 172.16.1.5 to destination 10.10.10.5 and
allow source host 10.10.10.5 to destination 172.16.1.5
Would this allow traffic in both directions from specific host on the internet to specific host in the DMZ and vice versa?
Thanks much for the help.
Give the example by MikeKane, the traffic gets evaluated in both directions on the same ACL, for example:
Give 172.16.1.5 is an external host, and 10.10.10.5 is an internal host,
allow source host 172.16.1.5 to destination 10.10.10.5 and
allow source host 10.10.10.5 to destination 172.16.1.5
Would this allow traffic in both directions from specific host on the internet to specific host in the DMZ and vice versa?
Thanks much for the help.
You don't need the return allow since once the session is establish, all traffic will pass.
The ACL evaluated traffic one way, and this depends on how it is applied to the interface with the access group command. There is a limit of 1 ACL per interface per direction. You can apply the ACL either in "in" or "out" on a certain interface. The source and destinations matter since the "out" direction of the outside interface will have packets that have been nat'ed already.
And, remember, by default, any higher security interface can access all ip on lower security interfaces. So if a DMZ host has a nat or a static out the internet, by default, it can access anything.
The ACL evaluated traffic one way, and this depends on how it is applied to the interface with the access group command. There is a limit of 1 ACL per interface per direction. You can apply the ACL either in "in" or "out" on a certain interface. The source and destinations matter since the "out" direction of the outside interface will have packets that have been nat'ed already.
And, remember, by default, any higher security interface can access all ip on lower security interfaces. So if a DMZ host has a nat or a static out the internet, by default, it can access anything.
ASKER
Ok, thanks!
The DMZ host in my situation has 1:1 static NAT:
static (dmz,outside) <extIP> <intIP> netmask 255.255.255.255 0 0
There are two ways the traffic can traverse the PIX either initiated by the DMZ host itself or initiated by the internet host. I understand I have to have two rules, one to allow the DMZ host out and a second to allow the internet host in. For some reason, if I do not put the DMZ host in to access the host on the web, it wont work (as you say it would, not sure why it does not). I do not have any deny statements in the config.
The DMZ host in my situation has 1:1 static NAT:
static (dmz,outside) <extIP> <intIP> netmask 255.255.255.255 0 0
There are two ways the traffic can traverse the PIX either initiated by the DMZ host itself or initiated by the internet host. I understand I have to have two rules, one to allow the DMZ host out and a second to allow the internet host in. For some reason, if I do not put the DMZ host in to access the host on the web, it wont work (as you say it would, not sure why it does not). I do not have any deny statements in the config.
If you have any access-list applied to the dmz interface, then there is an implicit DENY ANY ANY at the end of every ACL whether you add it in there or not.
So if you have a DMZ-acl that look like:
access-list dmz_in extended permit ip host 10.10.10.10 any
access-list dmz_in extended permit 80 any any
and you apply that with
access-group dmz in interface dmz
Then 10.10.10.10 can access any server, everything on the dmz can access port 80, all other traffic will be denied.
So if you have a DMZ-acl that look like:
access-list dmz_in extended permit ip host 10.10.10.10 any
access-list dmz_in extended permit 80 any any
and you apply that with
access-group dmz in interface dmz
Then 10.10.10.10 can access any server, everything on the dmz can access port 80, all other traffic will be denied.
ASKER
Ok, so in my scenario i have
access-list outside_in_acl permit tcp any host <IP_on_DMZ> eq www
<IP_on_DMZ> being "static (dmz,outside) <IP_on_DMZ> <dmzHostIP> netmask 255.255.255.255 0 0"
so any traffic coming to <IP_on_DMZ> will be passed only on port 80
and that is applied with:
access-group outside_in_acl in interface outside
So, if I wanted to open up traffic in my description above:
access-list outside_in_acl permit tcp any host <externalIP> eq 9000
it will allow any host on the internet to the specific ip <externalIP> on port 9000. Correct?
And if I wanted to be more granular and say, only this IP will be allowed i say:
access-list outside_in_acl permit tcp host <onlythisIP> host <externalIP> eq 9000
Makes sense and is correct?
Thanks much.
access-list outside_in_acl permit tcp any host <IP_on_DMZ> eq www
<IP_on_DMZ> being "static (dmz,outside) <IP_on_DMZ> <dmzHostIP> netmask 255.255.255.255 0 0"
so any traffic coming to <IP_on_DMZ> will be passed only on port 80
and that is applied with:
access-group outside_in_acl in interface outside
So, if I wanted to open up traffic in my description above:
access-list outside_in_acl permit tcp any host <externalIP> eq 9000
it will allow any host on the internet to the specific ip <externalIP> on port 9000. Correct?
And if I wanted to be more granular and say, only this IP will be allowed i say:
access-list outside_in_acl permit tcp host <onlythisIP> host <externalIP> eq 9000
Makes sense and is correct?
Thanks much.
>>>
>access-list outside_in_acl permit tcp any host <IP_on_DMZ> eq www
><IP_on_DMZ> being "static (dmz,outside) <IP_on_DMZ> <dmzHostIP> netmask 255.255.255.255 0 0"
>so any traffic coming to <IP_on_DMZ> will be passed only on port 80
>and that is applied with:
>access-group outside_in_acl in interface outside
In this example, the traffic would not pass because you are allowing ANY host to the <IP_on_DMZ>. The DMZ ip can not be addressed on the outside interface. You would need to replace the DMZ ip with the External IP you have static'd it with.
>So, if I wanted to open up traffic in my description above:
>access-list outside_in_acl permit tcp any host <externalIP> eq 9000
i>t will allow any host on the internet to the specific ip <externalIP> on port 9000. Correct?
>And if I wanted to be more granular and say, only this IP will be allowed i say:
>access-list outside_in_acl permit tcp host <onlythisIP> host <externalIP> eq 9000
>Makes sense and is correct?
Yes, this example is the correct way.
>access-list outside_in_acl permit tcp any host <IP_on_DMZ> eq www
><IP_on_DMZ> being "static (dmz,outside) <IP_on_DMZ> <dmzHostIP> netmask 255.255.255.255 0 0"
>so any traffic coming to <IP_on_DMZ> will be passed only on port 80
>and that is applied with:
>access-group outside_in_acl in interface outside
In this example, the traffic would not pass because you are allowing ANY host to the <IP_on_DMZ>. The DMZ ip can not be addressed on the outside interface. You would need to replace the DMZ ip with the External IP you have static'd it with.
>So, if I wanted to open up traffic in my description above:
>access-list outside_in_acl permit tcp any host <externalIP> eq 9000
i>t will allow any host on the internet to the specific ip <externalIP> on port 9000. Correct?
>And if I wanted to be more granular and say, only this IP will be allowed i say:
>access-list outside_in_acl permit tcp host <onlythisIP> host <externalIP> eq 9000
>Makes sense and is correct?
Yes, this example is the correct way.
ASKER
>In this example, the traffic would not pass because you are allowing ANY host to the <IP_on_DMZ>. The DMZ ip can not be >addressed on the outside interface. You would need to replace the DMZ ip with the External IP you have static'd it with.
I think that is what I meant. The IP_on_DMZ being the public IP address assigned to the DMZ interface that then is statically assigned to a DMZ host's internal IP. Correct?
Cheers and thanks for the help.
I think that is what I meant. The IP_on_DMZ being the public IP address assigned to the DMZ interface that then is statically assigned to a DMZ host's internal IP. Correct?
Cheers and thanks for the help.
ASKER CERTIFIED SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASKER
Excellent help!
You actually have traffic from the internet coming in on port 9000 allowed inbound through your static, not 5000. You do have 5000 going outbound from the DMZ out.
>>can it be restricted to hosts by doing:
access-list outside_in_acl permit tcp host 333.444.555.666 host 222.333.444.555 eq 9000
access-list outside_in_acl permit tcp host 333.444.555.667 host 222.333.444.555 eq 9000 and
access-list outside_in_acl permit tcp host 333.444.555.668 host 222.333.444.555 eq 9000)?
Yes, those lines above would only allow the 3 external IPs to access port 9000 through the static.