05-10-2007 08:17 AM - edited 03-11-2019 03:12 AM
I thought I had this figured out but now I don't.
Need inside and dmz if's to have access to www.
Need dmz systems to access specific systems on inside via specific ports.
Need inside systems to talk to dmz systems on specific ports.
I have attached my current running config. What am I doing wrong? Thanks in advance for any help.
Shane
05-10-2007 08:30 AM
None of that is working?
I would be more specific with this acl and deny ip to inside subnet, change
access-list ACLDMZ_IN deny ip any 10.10.0.0 255.255.0.0
to
access-list ACLDMZ_IN deny ip any 10.10.30.0 255.255.255.0
For inside to talk to dmz you have nothing permitted in your ACL_IN acl except www. Is there a specific reason you are using an ACL_IN, are you restricting inside users from certain things? I assume you have an outside router doing nat?
05-10-2007 09:48 AM
The easiest way to get traffic from inside to dmz is
static (inside,dmz)
in your case
static (inside,dmz) 10.10.30.1 10.10.30.1 netmask 255.255.255.0
05-10-2007 09:40 AM
Stepped out for a bite, sorry....OK, this firewall is for our data center and is for production only. No users are actually attached. What I am trying to make happen is this: Our webserver on the dmz needs to be available for clients from the outside. It needs to communicate with our app and db servers on the inside. All of them need www access for updates and ntp related items etc.... I will make the changes you suggested and try back.. Thanks!
05-10-2007 09:44 AM
Also, does this have anything to do with a NAT/Global issue? My self-taught understanding was:
Higher to lower security - use nat/global
Lower to higher security - must use static routes and acl's.
So, for inside to dmz traffic, do I need a nat/global command, or maybe a nat 0 ?
05-10-2007 10:10 AM
It sounds like you don't really need your inside acl then. If you need to restrict traffic from inside to dmz then fine, but if not what is its purpose, to restrict traffic to outside? If you write it for that purpose you will just have to make sure you allow everything, www, https, dns, ntp etc.
05-10-2007 10:37 AM
It worked! I ended up just changing the ace you suggested on the ACLDMZ_IN acl. Both inside and dmz systems can access www as well as each other respectively (per the acl's). Again, much appreciated. 5's across the board!
Question: Is the PIX flexible enough to allow acls and static routes to be used on any interface inbound or outbound regardless of security level?
Here is what my (working) acl's look like now:
Result of firewall command: "show access-list"
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 1024)
alert-interval 300
access-list acl_out; 4 elements
access-list acl_out line 1 permit tcp any host 10.10.70.65 eq www (hitcnt=0)
access-list acl_out line 2 permit tcp any host 10.10.70.65 eq https (hitcnt=0)
access-list acl_out line 3 permit tcp any host 10.10.70.65 eq ftp (hitcnt=0)
access-list acl_out line 4 permit tcp any host 10.10.70.64 eq www (hitcnt=0)
access-list ACLDMZ_IN; 6 elements
access-list ACLDMZ_IN line 1 permit tcp any host 10.10.20.200 eq 8080 (hitcnt=25)
access-list ACLDMZ_IN line 2 permit tcp any host 10.10.20.190 eq 8080 (hitcnt=12)
access-list ACLDMZ_IN line 3 permit udp any host 10.10.70.234 eq domain (hitcnt=26)
access-list ACLDMZ_IN line 4 permit tcp any any eq www (hitcnt=269)
access-list ACLDMZ_IN line 5 deny ip any 10.10.30.0 255.255.255.0 (hitcnt=0)
access-list ACLDMZ_IN line 6 deny ip any any (hitcnt=0)
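As an added example (not part of the thread), here is a small Python first-match evaluator that parses the "show access-list" output above for ACLDMZ_IN and checks the flows discussed in the thread against it: the dmz web server (assumed to be 10.10.70.65, the host in acl_out) reaching the inside app servers on 8080, DNS to 10.10.70.234, www anywhere, and traffic toward the 10.10.30.0/24 subnet covered by the narrowed deny. The port-name table is an assumption using the standard values.

```python
import ipaddress
import re

# Constructed sample input: the final ACLDMZ_IN as printed by "show access-list" in the thread.
SHOW_ACL = """
access-list ACLDMZ_IN line 1 permit tcp any host 10.10.20.200 eq 8080 (hitcnt=25)
access-list ACLDMZ_IN line 2 permit tcp any host 10.10.20.190 eq 8080 (hitcnt=12)
access-list ACLDMZ_IN line 3 permit udp any host 10.10.70.234 eq domain (hitcnt=26)
access-list ACLDMZ_IN line 4 permit tcp any any eq www (hitcnt=269)
access-list ACLDMZ_IN line 5 deny ip any 10.10.30.0 255.255.255.0 (hitcnt=0)
access-list ACLDMZ_IN line 6 deny ip any any (hitcnt=0)
"""

# Assumed mapping of the PIX port keywords seen on the page to port numbers.
PORT_NAMES = {"www": 80, "https": 443, "ftp": 21, "domain": 53, "ntp": 123}

ACE_RE = re.compile(r"access-list (\S+) line (\d+) (permit|deny) (\S+) (.*?) \(hitcnt=(\d+)\)")


def _parse_addr(tokens):
    """Consume one PIX address spec from the token list: 'any' | 'host A' | 'A MASK'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}", strict=False)


def parse_show_access_list(text):
    """Turn 'show access-list' lines into ordered ACE dicts (order is the match order)."""
    aces = []
    for name, line, action, proto, rest, hits in ACE_RE.findall(text):
        tokens = rest.split()
        src, dst, port = _parse_addr(tokens), _parse_addr(tokens), None
        if tokens and tokens[0] == "eq":
            port = PORT_NAMES.get(tokens[1], int(tokens[1]) if tokens[1].isdigit() else None)
        aces.append({"name": name, "line": int(line), "action": action, "proto": proto,
                     "src": src, "dst": dst, "port": port, "hits": int(hits)})
    return aces


def evaluate(aces, proto, src_ip, dst_ip, dst_port=None):
    """First-match evaluation as the PIX does it; returns (action, line), implicit deny if no ACE matches."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in aces:
        if ace["proto"] not in ("ip", proto) or src not in ace["src"] or dst not in ace["dst"]:
            continue
        if ace["port"] is not None and ace["port"] != dst_port:
            continue
        return ace["action"], ace["line"]
    return "deny", None
```

Because matching stops at the first hit, a broad deny placed above the permits would have blocked the 8080 and DNS flows; the hit counters in the parsed output are the quickest way to confirm which line traffic is actually landing on.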
05-10-2007 10:49 AM
Don't confuse a "static" and a "static route" as you've been calling it. This is a static route
route outside 0.0.0.0 0.0.0.0 1.1.1.1
In pix 6 you cannot specify an acl out and interface, only in.
access-group acloutdmz out interface dmz
05-10-2007 11:02 AM
Got it - static routes and static nat...I was speaking of nat. So on our version 6.3 acl's are for inbound only. We have the software and ability to upgrade to pix 7.0.... do you recommend?
05-10-2007 11:45 AM
I'm a big proponent of "if it's not broke, don't fix it"!
Check out the release notes for 7. I wouldn't upgrade only to be able to write acl's "out" an interface. If you want to gear your firewall learning towards the new ASA and away from pix, then upgrading to 7 would help you out.