Firewall Wizards mailing list archives

PIX and access-lists


From: "Mikael Velschow-Rasmussen" <mvr () nworks dk>
Date: Wed, 26 Dec 2007 10:59:33 +0100

Brian wrote:
> ...
> So, my main question, is there an access list command I can have that
> basically says "allow all communication from the dmz to the internet"
> and one that says "allow communication from the inside to the dmz"? I
> know I can add "access-list dmz permit ip host 192.168.1.1 any" and
> that solves the problem of getting to the internet, but then it opens
> all communication to the inside from this host and I don't want to do
> that. Since this is version 6.3(3) I can't use an out access-list which
> I think might solve the problem. I have enough memory to run version 7.x
> on this PIX, but I'm trying to tackle one problem at a time and I'm a
> little hesitant about doing the 7.x upgrade just yet.
> ...

Before Cisco PIX used access-lists, it implemented the following model:
 - the security level defines from which interface to which interface
traffic is allowed to be initiated (i.e. all traffic from inside to
outside is permitted, and all traffic from outside to inside is denied).
 - if you wanted traffic from a low to a high security level to be
initiated (i.e. permitted), you had to use conduit statements (a conduit
command plus a static command typically, to e.g. allow incoming mail
traffic).
 - example:
static (inside,outside) public-outside-ip inside-private-ip
conduit permit tcp host public-outside-ip eq smtp any
 - if you wanted to deny traffic from low to high (the default was - as
seen above - to permit anything), you needed to use the outbound and
apply commands.

I guess Cisco wanted to bring the IOS command syntax and the PIX syntax
closer together, so they implemented access-list commands in the PIX
(there is also more flexibility and more features in the acl command
structure).

With the use of access-lists the need for security levels actually
disappears. If you need to implement ACLs that comply with the security
level model described above, just use the following:
access-group outside-acl in interface outside
access-group inside-acl in interface inside
access-list outside-acl deny ip any any
access-list inside-acl permit ip any any
These 4 lines accomplish the same as the security level commands in the
'old' PIX language.
(But I guess Cisco just kept the security levels in to ensure that
customers do not inadvertently open up the whole Internet to the inside
network.)

So back to your case!
The following list on your dmz should suffice:
access-group dmz-acl in interface dmz
access-list dmz-acl permit tcp host dmz-host-ip private-lan-ip/24 eq smtp
access-list dmz-acl deny ip any private-lan-ip/24
access-list dmz-acl permit ip any any
(Note: it's assumed that the private LAN is a /24 subnet, and that there
is no NAT between inside and DMZ (i.e. a NAT 0 rule).)
You shouldn't need to change anything under the inside or outside
interface, since you're already using the above mentioned 4 lines
implicitly through the use of security levels.

Regards
Mikael Velschow-Rasmussen
M.Sc.e.e., CCIE #9973, CCSI #22493,
INFOSEC, SANS GCFW #0565, HP MASE 
mvr () nworks dk
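The DMZ rule set above, written out as a complete minimal PIX 6.3 configuration. This is an added example and not part of Mikael's or Brian's posts; the interface names (outside/inside/dmz), the addresses (203.0.113.0/24 outside, 192.168.1.0/24 inside, 172.16.1.0/24 dmz, 172.16.1.10 as the DMZ mail host) and the ACL name dmz-acl are assumptions chosen for illustration. PIX 6.x access-lists take a netmask rather than /24 notation, so the "private-lan-ip/24" shorthand becomes "192.168.1.0 255.255.255.0".

```cisco
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 203.0.113.2 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip address dmz 172.16.1.1 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
access-list dmz-acl remark SMTP from the DMZ mail host into the LAN only
access-list dmz-acl permit tcp host 172.16.1.10 192.168.1.0 255.255.255.0 eq smtp
access-list dmz-acl remark nothing else from the DMZ may reach the LAN
access-list dmz-acl deny ip any 192.168.1.0 255.255.255.0
access-list dmz-acl remark everything else (the Internet) is allowed
access-list dmz-acl permit ip any any
access-group dmz-acl in interface dmz
```

Two points a practitioner should check before relying on this. First, order matters: the PIX evaluates an access-list top down and stops at the first match, so the "deny ip any 192.168.1.0" line must sit above "permit ip any any", otherwise the permit swallows everything. Second, the identity static (inside,dmz) is what realizes the "no NAT between inside and DMZ" assumption: in 6.3 a flow from the lower-security dmz interface to the higher-security inside interface needs a static (or nat 0) for the inside destination, and without one the PIX drops the packet for lack of a translation before the access-list is ever consulted, which is easy to mistake for an ACL problem. Inside-to-dmz and inside-to-outside connections are still permitted by the security levels; only the return traffic of those sessions passes the dmz ACL, and it does so through the state table, not through an explicit permit.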
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
