515e - ACL help

Answered Question
May 10th, 2007

I thought I had this figured out but now I don't.

Need inside and dmz if's to have access to www.

Need dmz systems to access specific systems on inside via specific ports.

Need inside systems to talk to dmz systems on specific ports.

I have attached my current running config. What am I doing wrong? Thanks in advance for any help.

Shane

Correct Answer
acomiskey Thu, 05/10/2007 - 08:30

None of that is working?

I would be more specific with this acl and deny ip to inside subnet, change

access-list ACLDMZ_IN deny ip any 10.10.0.0 255.255.0.0

to

access-list ACLDMZ_IN deny ip any 10.10.30.0 255.255.255.0

For inside to talk to dmz you have nothing permitted in your ACL_IN acl except www. Is there a specific reason you are using an ACL_IN, are you restricting inside users from certain things? I assume you have an outside router doing nat?

shanemonson Thu, 05/10/2007 - 09:40

Stepped out for a bite, sorry....OK, this firewall is for our data center and is for production only. No users are actually attached. What I am trying to make happen is this: Our webserver on the dmz needs to be available for clients from the outside. It needs to communicate with our app and db servers on the inside. All of them need www access for updates and ntp related items etc.... I will make the changes you suggested and try back.. Thanks!

shanemonson Thu, 05/10/2007 - 09:44

Also, does this have anything to do with a NAT/Global issue? My self-taught understanding was:

Higher to lower security - use nat/global

Lower to higher security - must use static routes and acl's.

So, for inside to dmz traffic, do I need a nat/global command, or maybe a nat 0 ?

Correct Answer
acomiskey Thu, 05/10/2007 - 09:48

The easiest way to get traffic from inside to dmz is

static (inside,dmz) netmask

in your case

static (inside,dmz) 10.10.30.1 10.10.30.1 netmask 255.255.255.0

acomiskey Thu, 05/10/2007 - 10:10

It sounds like you don't really need your inside acl then. If you need to restrict traffic from inside to dmz then fine, but if not what is its purpose, to restrict traffic to outside? If you write it for that purpose you will just have to make sure you allow everything, www, https, dns, ntp etc.

shanemonson Thu, 05/10/2007 - 10:37

It worked! I ended up just changing the ace you suggested on the ACLDMZ_IN acl. Both inside and dmz systems can access www as well as each other respectively (per the acl's). Again, much appreciated. 5's across the board!

Question: Is the PIX flexible enough to allow acl's and static routes to be used on any interface inbound or outbound regardless of security level?

Here is what my (working) acl's look like now:

Result of firewall command: "show access-list"

access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 1024)

alert-interval 300

access-list acl_out; 4 elements

access-list acl_out line 1 permit tcp any host 10.10.70.65 eq www (hitcnt=0)

access-list acl_out line 2 permit tcp any host 10.10.70.65 eq https (hitcnt=0)

access-list acl_out line 3 permit tcp any host 10.10.70.65 eq ftp (hitcnt=0)

access-list acl_out line 4 permit tcp any host 10.10.70.64 eq www (hitcnt=0)

access-list ACLDMZ_IN; 6 elements

access-list ACLDMZ_IN line 1 permit tcp any host 10.10.20.200 eq 8080 (hitcnt=25)

access-list ACLDMZ_IN line 2 permit tcp any host 10.10.20.190 eq 8080 (hitcnt=12)

access-list ACLDMZ_IN line 3 permit udp any host 10.10.70.234 eq domain (hitcnt=26)

access-list ACLDMZ_IN line 4 permit tcp any any eq www (hitcnt=269)

access-list ACLDMZ_IN line 5 deny ip any 10.10.30.0 255.255.255.0 (hitcnt=0)

access-list ACLDMZ_IN line 6 deny ip any any (hitcnt=0)
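The "show access-list" output pasted above is evaluated first-match, top to bottom, with an implicit deny at the end. The following is an added example, not code from the thread or from Cisco: a small Python model that parses those ACLDMZ_IN lines and answers "would this flow be permitted, and by which line?". It also shows why the netmask on the deny entry matters, since the PIX takes a subnet mask (not a wildcard mask) and 10.10.30.0 255.255.0.0 covers the whole 10.10.0.0/16, not just the inside /24. The model is deliberately simplified: it ignores source ports, ICMP types and the stateful return-traffic handling of the real firewall, and the sample flows (source 10.10.70.65 and inside host 10.10.30.5) are constructed for illustration.

```python
import ipaddress
import re

# ACLDMZ_IN entries as they appear in the thread's "show access-list" paste.
# Summary lines without "line N" are skipped by the parser.
SHOW_ACCESS_LIST = """
access-list ACLDMZ_IN; 6 elements
access-list ACLDMZ_IN line 1 permit tcp any host 10.10.20.200 eq 8080 (hitcnt=25)
access-list ACLDMZ_IN line 2 permit tcp any host 10.10.20.190 eq 8080 (hitcnt=12)
access-list ACLDMZ_IN line 3 permit udp any host 10.10.70.234 eq domain (hitcnt=26)
access-list ACLDMZ_IN line 4 permit tcp any any eq www (hitcnt=269)
access-list ACLDMZ_IN line 5 deny ip any 10.10.30.0 255.255.255.0 (hitcnt=0)
access-list ACLDMZ_IN line 6 deny ip any any (hitcnt=0)
"""

# Well-known ports the PIX prints by name in this paste.
PORT_NAMES = {"www": 80, "https": 443, "ftp": 21, "domain": 53}

ACE_RE = re.compile(
    r"access-list (?P<name>\S+) line (?P<line>\d+) (?P<action>permit|deny) "
    r"(?P<proto>\S+) (?P<src>any|host \S+|\S+ \S+) (?P<dst>any|host \S+|\S+ \S+)"
    r"(?: eq (?P<port>\S+))?"
)


def parse_spec(spec):
    """Turn 'any', 'host A.B.C.D' or 'A.B.C.D MASK' into an IPv4Network.

    PIX syntax uses a subnet mask, so '10.10.30.0 255.255.0.0' is really
    10.10.0.0/16 (strict=False normalizes the host bits away).
    """
    if spec == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if spec.startswith("host "):
        return ipaddress.ip_network(spec.split()[1] + "/32")
    addr, mask = spec.split()
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_show_access_list(text):
    """Parse 'show access-list' lines into an ordered list of ACE dicts."""
    aces = []
    for raw in text.strip().splitlines():
        m = ACE_RE.match(raw)
        if not m:
            continue
        port = m.group("port")
        aces.append({
            "name": m.group("name"),
            "line": int(m.group("line")),
            "action": m.group("action"),
            "proto": m.group("proto"),
            "src": parse_spec(m.group("src")),
            "dst": parse_spec(m.group("dst")),
            "dport": None if port is None
                     else PORT_NAMES[port] if port in PORT_NAMES
                     else int(port),
        })
    return aces


def evaluate(aces, proto, src, dst, dport):
    """First-match evaluation as the PIX does it.

    Returns (action, line). If no entry matches, the implicit deny applies
    and line is None.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in aces:
        if ace["proto"] not in ("ip", proto):      # 'ip' matches any protocol
            continue
        if s not in ace["src"] or d not in ace["dst"]:
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"], ace["line"]
    return "deny", None


if __name__ == "__main__":
    aces = parse_show_access_list(SHOW_ACCESS_LIST)
    # Constructed sample flows from a DMZ host (10.10.70.65) through ACLDMZ_IN.
    for flow in [("tcp", "10.10.70.65", "10.10.20.200", 8080),
                 ("udp", "10.10.70.65", "10.10.70.234", 53),
                 ("tcp", "10.10.70.65", "10.10.30.5", 80),
                 ("tcp", "10.10.70.65", "10.10.30.5", 22)]:
        print(flow, "->", evaluate(aces, *flow))
    # The two masks discussed in the thread are not the same scope:
    print("255.255.0.0   ->", parse_spec("10.10.30.0 255.255.0.0"))
    print("255.255.255.0 ->", parse_spec("10.10.30.0 255.255.255.0"))
```

Running it shows the ordering caveat in this ACL: because line 4 (permit tcp any any eq www) sits above line 5, a DMZ host reaching an inside 10.10.30.x host on port 80 is permitted by line 4, while the same host on port 22 is stopped by line 5. If the intent is that the DMZ never initiates anything to the inside subnet, the deny for 10.10.30.0/24 has to come before the broad www permit, or the www permit has to be narrowed.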

acomiskey Thu, 05/10/2007 - 10:49

Don't confuse a "static" and a "static route" as you've been calling it. This is a static route

route outside 0.0.0.0 0.0.0.0 1.1.1.1

In pix 6 you cannot specify an acl out an interface, only in.

access-group acloutdmz out interface dmz

shanemonson Thu, 05/10/2007 - 11:02

Got it - static routes and static nat...I was speaking of nat. So on our version 6.3 acl's are for inbound only. We have the software and ability to upgrade to pix 7.0.... do you recommend?

acomiskey Thu, 05/10/2007 - 11:45

I'm a big proponent of "if it's not broke, don't fix it"!

Check out the release notes for 7. I wouldn't upgrade only to be able to write acl's "out" an interface. If you want to gear your firewall learning towards the new ASA and away from pix, then upgrading to 7 would help you out.
