Rule to allow machine from DMZ to internal

Unanswered Question
May 16th, 2007
User Badges:

Hi all. Here's the scenario:


PIX 515 v7.22 with 3 interfaces, Inside, Outside, DMZ. Inside=100, Outside=0, DMZ=98


I need to put in a rule to allow a machine from the DMZ (let's say 192.168.100.25) to have access to one machine on the internal network (192.168.25.25), on ports 125 and 325.


Would I need two rules that look like this:


access-list dmz_access_in extended permit tcp 192.168.100.25 eq 325 host 192.168.25.25 eq 325

access-list dmz_access_in extended permit tcp 192.168.100.25 eq 125 host 192.168.25.25 eq 125


Or is there a better way to do this? Thanks



  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (3 ratings)
Loading.
acomiskey Wed, 05/16/2007 - 06:30
User Badges:
  • Green, 3000 points or more

get rid of the source ports...


access-list dmz_access_in extended permit tcp 192.168.100.25 host 192.168.25.25 eq 325

access-list dmz_access_in extended permit tcp 192.168.100.25 host 192.168.25.25 eq 125

access-group dmz_access_in in interface DMZ


remember, once you do this you deny everything else into the DMZ interface so you probably want something like this


access-list dmz_access_in extended permit tcp 192.168.100.25 host 192.168.25.25 eq 325

access-list dmz_access_in extended permit tcp 192.168.100.25 host 192.168.25.25 eq 125

access-list dmz_access_in extended deny ip any 192.168.25.0 255.255.255.0

access-list dmz_access_in extended permit ip any any

access-group dmz_access_in in interface DMZ

vitripat Wed, 05/16/2007 - 06:31
User Badges:
  • Gold, 750 points or more

You need following commands-


static (inside,DMZ) 192.168.25.25 192.168.25.25

access-list dmz_access_in extended permit tcp 192.168.100.25 host 192.168.25.25 eq 325

access-list dmz_access_in extended permit tcp 192.168.100.25 host 192.168.25.25 eq 125

access-group dmz_access_in in interface DMZ


Hope that helps.


Regards,

Vibhor.

mwall1 Wed, 05/16/2007 - 10:11
User Badges:

So do I need the Static command, or not? I got 2 answers but they're not exactly saying the same thing...


Thanks

acomiskey Wed, 05/16/2007 - 10:13
User Badges:
  • Green, 3000 points or more

Yes, as Vibhor wrote, you need the static as well. What I was trying to say is if you create an acl into the dmz to restrict traffic inside, you will also restrict the traffic from the dmz to the outside, so if you don't want to do that you must allow it in the acl. That's the only difference in our acl's.

Actions

This Discussion