When Apply ACL to DMZ_if - DMZ_if devices lose access to WWW - Why?

Answered Question
May 8th, 2007

When I apply an ACL to the DMZ interface, I lose the DMZ devices' connection to the internet. The access-list / access-group I apply works as it should, but internet access is gone. When I remove the access-group, internet access comes back. I have tried applying other ACLs and nat/global combinations with no luck. I have added my complete running config for anyone to look at who would be willing to help. I have been teaching myself this PIX 515e for 3 weeks with help from books, the web and friends, and I think I have part of it figured out... at least traffic is moving. Any help would be much appreciated.

Shane


Correct Answer
acomiskey Tue, 05/08/2007 - 05:36

Because the ACL really looks like this:

access-list ACLDMZ_IN permit tcp any host 0.0.0.0 eq www

access-list ACLDMZ_IN permit tcp any host 10.10.20.200 eq 8080

access-list ACLDMZ_IN permit tcp any host 10.10.20.190 eq 8080

access-list ACLDMZ_IN deny ip any any

edit: read too quickly. Where is your DNS server for DMZ hosts? If it is outside of the DMZ you need to allow that traffic. I would write it like this (whether the DNS server is inside or outside):

access-list ACLDMZ_IN permit tcp any host 10.10.20.200 eq 8080

access-list ACLDMZ_IN permit tcp any host 10.10.20.190 eq 8080

access-list ACLDMZ_IN permit udp any host eq domain

access-list ACLDMZ_IN deny ip any 10.10.0.0 255.255.0.0

access-list ACLDMZ_IN permit tcp any any eq www

access-list ACLDMZ_IN deny ip any any

If you are trying to restrict traffic to the inside, do not put the permit for www traffic first; that would allow www to the inside as well and would defeat the purpose of filtering the traffic.

shanemonson Tue, 05/08/2007 - 05:48

DNS servers reside on the outside interface (currently this is an internal firewall that we are testing in preparation to put into production). Our in-house DNS servers are currently on the "outside" interface of the PIX in its current config (but are really our internal domain controllers).

The 0.0.0.0 was an attempt to allow www access from the DMZ interface without blocking the rules needed for the two IPs that require 8080 traffic. It didn't work.

Thanks for responding, I am open to ANY suggestions as all my learnings have come from my own research...thanks in advance!

shanemonson Tue, 05/08/2007 - 05:50

Oh! The rest of your message just came through... I may have responded too quickly... I am reading now...

Correct Answer
acomiskey Tue, 05/08/2007 - 06:22

Does that make sense? Allow what you want to allow inside to 10.x.x.x, deny everything else inside to 10.x.x.x, then allow everything outside (www, dns etc.).

shanemonson Tue, 05/08/2007 - 06:33

Most of it does... By the way, that did it! DMZ devices can now access INSIDE devices as well as hit the www. Thanks! Now I need to read up on why those commands worked. If you have time, I have a couple of follow-up questions:

The "eq" to domain at the end of this ACE... does the PIX know it is coming from a domain?

access-list ACLDMZ_IN permit udp any host eq domain

Also, I assume I should add ACE's for both dns servers?

Thanks again for your prompt assistance!

Shane

Col, OH

Correct Answer
acomiskey Tue, 05/08/2007 - 06:38

No, the ACL with "eq domain" is the same as if it said "eq 53" or port 53, which is DNS. The PIX just changes the number to the word "domain". It will do the same for other ports as well, like TCP 21, where it will say "eq ftp". So these two statements are the same thing:

access-list ACLDMZ_IN permit udp any host eq domain

access-list ACLDMZ_IN permit udp any host eq 53

And yes, you will add another line for your other DNS server. Remember, the PIX looks at the access-list from the top down and will stop at the first match. That is why this works as it does.

Please rate if these help.
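The ordering acomiskey describes (specific permits, then the deny to 10.10.0.0/16, then the broad www permit, with the first match winning) can be checked with a small simulator. This is an added example, not code from the thread or from Cisco; it models only the destination, protocol and port fields these ACEs use, and since the thread elides the DNS server's address it assumes the constructed placeholder 192.0.2.53 for the outside DNS server.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional
PORT_NAMES = {"domain": 53, "www": 80, "ftp": 21}  # names the PIX shows for well-known ports

@dataclass
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip", "tcp" or "udp"
    dst: ipaddress.IPv4Network  # destination match
    port: Optional[int]         # None = any destination port

def parse_ace(line: str) -> Ace:
    """Parse 'access-list NAME permit|deny PROTO any <host A|any|NET MASK> [eq PORT]'."""
    tok = line.split()
    action, proto, rest = tok[2], tok[3], tok[5:]  # tok[4] is the source, 'any' throughout
    if rest[0] == "host":
        dst, rest = ipaddress.ip_network(rest[1]), rest[2:]
    elif rest[0] == "any":
        dst, rest = ipaddress.ip_network("0.0.0.0/0"), rest[1:]
    else:  # network + mask form, e.g. 10.10.0.0 255.255.0.0
        dst, rest = ipaddress.ip_network(f"{rest[0]}/{rest[1]}"), rest[2:]
    port = (PORT_NAMES.get(rest[1]) or int(rest[1])) if rest[:1] == ["eq"] else None
    return Ace(action, proto, dst, port)

def evaluate(acl: List[Ace], proto: str, dst_ip: str, dst_port: int) -> str:
    """Top-down, first match wins; an unmatched packet hits the implicit deny."""
    ip = ipaddress.ip_address(dst_ip)
    for ace in acl:
        if ace.proto in ("ip", proto) and ip in ace.dst and ace.port in (None, dst_port):
            return ace.action
    return "deny"

# As first posted: 'host 0.0.0.0' matches only 0.0.0.0 and nothing permits UDP/53.
ORIGINAL = [parse_ace(l) for l in [
    "access-list ACLDMZ_IN permit tcp any host 0.0.0.0 eq www",
    "access-list ACLDMZ_IN permit tcp any host 10.10.20.200 eq 8080",
    "access-list ACLDMZ_IN permit tcp any host 10.10.20.190 eq 8080",
    "access-list ACLDMZ_IN deny ip any any",
]]
# Corrected order; 192.0.2.53 is a constructed placeholder for the outside DNS server.
FIXED = [parse_ace(l) for l in [
    "access-list ACLDMZ_IN permit tcp any host 10.10.20.200 eq 8080",
    "access-list ACLDMZ_IN permit tcp any host 10.10.20.190 eq 8080",
    "access-list ACLDMZ_IN permit udp any host 192.0.2.53 eq domain",
    "access-list ACLDMZ_IN deny ip any 10.10.0.0 255.255.0.0",
    "access-list ACLDMZ_IN permit tcp any any eq www",
    "access-list ACLDMZ_IN deny ip any any",
]]
# Same ACEs with the www permit moved first: it now matches before the 10.10/16 deny.
WWW_FIRST = [FIXED[4]] + FIXED[:4] + [FIXED[5]]
```

Running `evaluate(ORIGINAL, "udp", "192.0.2.53", 53)` returns "deny", which is why the DMZ lost the internet as soon as the group was applied, while the same lookup against FIXED returns "permit" and HTTP to an inside host is still denied.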

shanemonson Tue, 05/08/2007 - 06:46

Oh, that's right... I remember reading that somewhere (my brain is PIX mush at this point)... And yes, I forgot how important the order of the ACEs is in an ACL. Got it.

Rated you a "5"... would go 10 if I could. Much thanks from a PIX greenie in Col, Ohio. I'm not done with it though: a few more tests before it goes into prod. You may see more ?'s from me. Again, much obliged.

Shane

acomiskey Tue, 05/08/2007 - 06:49

You could rate my first post a 5 and that would give me 10! haha

Glad I could help.
