Firewall Wizards mailing list archives
PIX and access-lists
From: "Mikael Velschow-Rasmussen" <mvr () nworks dk>
Date: Wed, 26 Dec 2007 10:59:33 +0100
Brian wrote:
> ... So, my main question, is there an access list command I can have that
> basically says "allow all communication from the dmz to the internet" and one that says "allow communication from the inside to the dmz"? I know I can add "access-list dmz permit ip host 192.168.1.1 any" and that solves the problem of getting to the internet, but then it opens all communication to the inside from this host and I don't want to do that. Since this is version 6.3(3) I can't use an out access-list which I think might solve the problem. I have enough memory to run version 7.x on this PIX, but I'm trying to tackle one problem at a time and I'm a little hesitant about doing the 7.x upgrade just yet.
> ...
Before Cisco PIX used access-lists they implemented the following model:

- security level defines from which interface to which interface traffic is allowed to initiate (i.e. all traffic from inside to outside is permitted, and all traffic from outside to inside is denied).
- if you wanted traffic from low to high security level to be initiated (i.e. permitted) you would have to use conduit statements (conduit command plus static command typically, to e.g. allow incoming mail traffic).
- example:

    static (inside,outside) public-outside-ip inside-private-ip
    conduit permit tcp host public-outside-ip eq smtp any

- if you wanted to deny traffic from low to high (default was - as seen above - to permit anything) you needed to use the outbound and apply commands.

I guess Cisco wanted to bring the IOS command syntax and the PIX syntax closer together. So they implemented access-list commands in the PIX. (there is also more flexibility/features in the acl command structure)

With the use of access-lists the need for security levels actually disappears. If you need to implement acl's that comply with the security level model described above just use the following:

    access-group outside-acl in interface outside
    access-group inside-acl in interface inside
    access-list outside-acl deny ip any any
    access-list inside-acl permit ip any any

These 4 lines accomplish the same as the security level commands in 'old' PIX language. (but I guess Cisco just kept the security level in to ensure that customers did not inadvertently open up the whole Internet to the inside network)

So back to your case! The following list on your dmz should suffice:

    access-group dmz-acl in interface dmz
    access-list dmz-acl permit tcp host dmz-host-ip private-lan-ip/24 eq smtp
    access-list dmz-acl deny ip any private-lan-ip/24
    access-list dmz-acl permit ip any any

(note: It's assumed that the private LAN is a /24 subnet. And that there is no NAT between inside and DMZ (i.e. NAT0 rule))

You shouldn't need to change anything under the inside or outside interface since you're already using the above mentioned 4 lines implicitly through the use of security levels.

Regards
Mikael Velschow-Rasmussen
M.Sc.e.e., CCIE #9973, CCSI #22493, INFOSEC, SANS GCFW #0565, HP MASE
mvr () nworks dk

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
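The dmz-acl in the reply above works only because PIX evaluates an access-list top to bottom, stops at the first matching entry, and denies anything that matches nothing. The following Python model, added here as an illustration and not part of the post or of any Cisco software, parses the three dmz-acl lines into entries and evaluates sample packets against them. Addresses are constructed stand-ins for the post's placeholders (10.0.1.5 for dmz-host-ip, 192.168.1.0/24 for private-lan-ip/24, 203.0.113.7 as an Internet host), and the parser accepts the post's CIDR shorthand; a real PIX 6.3 line takes a dotted netmask (192.168.1.0 255.255.255.0) rather than /24.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample addresses standing in for the placeholders in the post.
DMZ_HOST = "10.0.1.5"           # "dmz-host-ip"
PRIVATE_LAN = "192.168.1.0/24"  # "private-lan-ip/24"

# Service-name to port mapping for the "eq <name>" form used in the post.
SERVICES = {"smtp": 25, "www": 80, "https": 443, "domain": 53}


@dataclass
class Ace:
    """One access-list entry (access control entry)."""
    action: str                 # "permit" or "deny"
    proto: str                  # "ip", "tcp" or "udp"; "ip" matches any protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dst_port: Optional[int]     # from "eq <port>"; None means any destination port


def _parse_addr(tokens: List[str], i: int):
    """Consume one address spec ('any', 'host A' or 'A/len'); return (network, next index)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(tok, strict=False), i + 1


def parse_ace(line: str):
    """Parse 'access-list <name> permit|deny <proto> <src> <dst> [eq <port>]'."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError("not an access-list line: " + line)
    name, action, proto = t[1], t[2], t[3]
    src, i = _parse_addr(t, 4)
    dst, i = _parse_addr(t, i)
    port = None
    if i < len(t) and t[i] == "eq":
        port = SERVICES.get(t[i + 1]) or int(t[i + 1])
    return name, Ace(action, proto, src, dst, port)


def build_acl(config_lines: List[str]) -> Dict[str, List[Ace]]:
    """Group entries by ACL name, preserving configuration order (the order PIX evaluates)."""
    acls: Dict[str, List[Ace]] = {}
    for line in config_lines:
        name, ace = parse_ace(line)
        acls.setdefault(name, []).append(ace)
    return acls


def evaluate(acl: List[Ace], proto: str, src_ip: str, dst_ip: str, dst_port: Optional[int] = None) -> str:
    """First matching entry wins; a packet matching no entry hits the implicit deny at the end."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in acl:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dst_port is not None and ace.dst_port != dst_port:
            continue
        return ace.action
    return "deny"  # implicit deny


# The three dmz-acl lines from the reply, with constructed addresses filled in.
DMZ_ACL = [
    f"access-list dmz-acl permit tcp host {DMZ_HOST} {PRIVATE_LAN} eq smtp",
    f"access-list dmz-acl deny ip any {PRIVATE_LAN}",
    "access-list dmz-acl permit ip any any",
]


def check_post_policy() -> Dict[str, str]:
    """Evaluate representative DMZ-originated packets against the post's dmz-acl."""
    acl = build_acl(DMZ_ACL)["dmz-acl"]
    return {
        "smtp_to_inside": evaluate(acl, "tcp", DMZ_HOST, "192.168.1.10", 25),
        "http_to_inside": evaluate(acl, "tcp", DMZ_HOST, "192.168.1.10", 80),
        "https_to_internet": evaluate(acl, "tcp", DMZ_HOST, "203.0.113.7", 443),
        "other_dmz_host_smtp_to_inside": evaluate(acl, "tcp", "10.0.1.9", "192.168.1.10", 25),
    }


def check_misordered_policy() -> str:
    """Same three lines with 'permit ip any any' moved first: the deny line can never fire."""
    acl = build_acl([DMZ_ACL[2], DMZ_ACL[0], DMZ_ACL[1]])["dmz-acl"]
    return evaluate(acl, "tcp", DMZ_HOST, "192.168.1.10", 80)


if __name__ == "__main__":
    for name, verdict in check_post_policy().items():
        print(f"{name:32s} {verdict}")
    print("misordered http_to_inside       ", check_misordered_policy())
```

The first function shows the post's intent holding: SMTP from the DMZ host to the inside LAN is permitted, any other DMZ-to-inside traffic is denied, and DMZ-to-Internet traffic falls through to the final permit. The second function is the check a practitioner wants before committing such a list: with `permit ip any any` placed above the deny, every packet matches the first entry and the DMZ gains full access to the inside network.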