Rule to allow machine from DMZ to internal

Unanswered Question
May 16th, 2007

Hi all. Here's the scenario:

PIX 515 v7.22 with 3 interfaces, Inside, Outside, DMZ. Inside=100, Outside=0, DMZ=98

I need to put in a rule to allow a machine from the DMZ (let's say 192.168.100.25) to have access to one machine on the internal network (192.168.25.25), on ports 125 and 325.

Would I need two rules that look like this:

access-list dmz_access_in extended permit tcp 192.168.100.25 eq 325 host 192.168.25.25 eq 325

access-list dmz_access_in extended permit tcp 192.168.100.25 eq 125 host 192.168.25.25 eq 125

Or is there a better way to do this? Thanks

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (3 ratings)
Loading.
acomiskey Wed, 05/16/2007 - 06:30

get rid of the source ports...

access-list dmz_access_in extended permit tcp 192.168.100.25 host 192.168.25.25 eq 325

access-list dmz_access_in extended permit tcp 192.168.100.25 host 192.168.25.25 eq 125

access-group dmz_access_in in interface DMZ

remember, once you do this you deny everything else into the DMZ interface so you probably want something like this

access-list dmz_access_in extended permit tcp 192.168.100.25 host 192.168.25.25 eq 325

access-list dmz_access_in extended permit tcp 192.168.100.25 host 192.168.25.25 eq 125

access-list dmz_access_in extended deny ip any 192.168.25.0 255.255.255.0

access-list dmz_access_in extended permit ip any any

access-group dmz_access_in in interface DMZ

vitripat Wed, 05/16/2007 - 06:31

You need following commands-

static (inside,DMZ) 192.168.25.25 192.168.25.25

access-list dmz_access_in extended permit tcp 192.168.100.25 host 192.168.25.25 eq 325

access-list dmz_access_in extended permit tcp 192.168.100.25 host 192.168.25.25 eq 125

access-group dmz_access_in in interface DMZ

Hope that helps.

Regards,

Vibhor.

mwall1 Wed, 05/16/2007 - 10:11

So do I need the Static command, or not? I got 2 answers but they're not exactly saying the same thing...

Thanks

acomiskey Wed, 05/16/2007 - 10:13

Yes, as Vibhor wrote, you need the static as well. What I was trying to say is if you create an acl into the dmz to restrict traffic inside, you will also restrict the traffic from the dmz to the outside, so if you don't want to do that you must allow it in the acl. That's the only difference in our acl's.

Actions

This Discussion