access-list questions inside to DMZ interfaces

Unanswered Question
May 17th, 2007

I have some questions regarding an access-list applied inbound to a DMZ interface.

1. If the firewall is stateful, and the NAT statements are set up correctly, then anyone from an inside interface should be able to access anything on the DMZ interface, with no access-list applied, correct?

2. The access-list that only permits certain hosts on the inside interface to access the DMZ is put in place to prevent just anyone on the "inside" interface from accessing the DMZ, correct?

3. The below access-list, if it were applied inbound to the DMZ interface goes which way?

How can you tell which direction the traffic flows by looking at the access-list?

The DMZ interface address is 192.168.100.1

Inside interface is 10.1.10.1

The access-list is:

access-list dmz permit tcp host 192.168.100.5 host 10.1.10.15 eq 2100

vitripat Thu, 05/17/2007 - 15:30

Hi Wilson,

Here are answers to your questions-

1. Correct.

2. Correct.

3. access-list dmz permit tcp host 192.168.100.5 host 10.1.10.15 eq 2100

If this access-list is applied using following command-

access-group dmz in interface dmz

Then it would imply that host 192.168.100.5 is allowed to initiate connection to host 10.1.10.15 on port 2100. However, as 10.1.10.15 is on a higher security-level interface (inside), to permit the connection through, we would also need following static command in place-

static (inside,dmz) 10.1.10.15 10.1.10.15

Also, if the "dmz" ACL contains only one line, all the traffic except what is defined in the list will be denied due to implicit deny at the end.

Hope this helps.

Regards,

Vibhor.

wilson_1234_2 Thu, 05/17/2007 - 16:53

Thank you for the reply,

Does this mean the traffic is allowed both ways? In the first example:

access-list dmz permit tcp host 192.168.100.5 host 10.1.10.15 eq 2100

The traffic can flow from 192.168.100.5, any port TO 10.1.10.15 on port 2100,

and 10.1.10.15 port 2100 can send traffic TO 192.168.100.5 on any port?

Also

Say for example the traffic was in the other direction, that the host on the DMZ was sending information to the inside interface and the source was port 2100, would it look like this:

access-list dmz permit tcp host 192.168.100.5 eq 2100 host 10.1.10.15

vitripat Fri, 05/18/2007 - 05:34

access-list dmz permit tcp host 192.168.100.5 host 10.1.10.15 eq 2100

This ACL as applied on the DMZ interface as inbound, only controls the traffic initiated from the DMZ and not the traffic initiated from the inside. Once this traffic is initiated, the return traffic from inside to DMZ will automatically flow, PIX being a stateful firewall.

To control what traffic can be initiated from inside interface to other networks, you need ACL applied on the inside interface.

Hence, this ACL-

access-list dmz permit tcp host 192.168.100.5 host 10.1.10.15 eq 2100

does not control what ports 10.1.10.15 can initiate connections to on 192.168.100.5; this can be controlled by an ACL applied on the inside interface of the PIX.

--quoting--

Say for example the traffic was in the other direction, that the host on the DMZ was sending information to the inside interface and the source was port 2100, would it look like this:

access-list dmz permit tcp host 192.168.100.5 eq 2100 host 10.1.10.15

-----------

Absolutely correct .. :-)

Hope this helps.

Regards,

Vibhor.
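To make the direction rules above concrete, here is an added example (not code from the thread or from Cisco): a small model of a stateful firewall that consults an inbound ACL only for the packet that opens a connection and passes later packets of that connection, in either direction, from its state table. The ACE parser and the `StatefulFirewall` class are hypothetical names; the model ignores NAT, static and security levels, and treats an interface with no ACL as permitting new connections.

```python
import re

# Constructed sample from the thread: one ACE, applied inbound on the dmz interface.
ACLS = {"dmz": ["access-list dmz permit tcp host 192.168.100.5 host 10.1.10.15 eq 2100"]}

# Only the "host A [eq P] host B [eq P]" TCP form used in the thread is supported.
ACE_RE = re.compile(
    r"access-list (?P<name>\S+) (?P<action>permit|deny) tcp "
    r"host (?P<src>\S+)(?: eq (?P<sport>\d+))? host (?P<dst>\S+)(?: eq (?P<dport>\d+))?$")

def parse_ace(line):
    """Parse one PIX-style TCP ACE into a dict; a missing 'eq' means any port (None)."""
    m = ACE_RE.match(line.strip())
    if not m:
        raise ValueError("unsupported ACE syntax: " + line)
    d = m.groupdict()
    for k in ("sport", "dport"):
        d[k] = int(d[k]) if d[k] else None
    return d

def ace_matches(ace, src, sport, dst, dport):
    """True when the ACE covers this initiating packet (source -> destination)."""
    return (ace["src"] == src and ace["dst"] == dst
            and ace["sport"] in (None, sport) and ace["dport"] in (None, dport))

class StatefulFirewall:
    """Hypothetical model, not PIX code: inbound ACLs are checked for new connections
    only; established connections are matched by the state table in both directions."""
    def __init__(self, acls):
        self.acls = {iface: [parse_ace(l) for l in lines] for iface, lines in acls.items()}
        self.conns = set()   # established connections as (src, sport, dst, dport)

    def packet(self, iface, src, sport, dst, dport):
        """Return 'permit' or 'deny' for a TCP packet arriving on interface iface."""
        if (src, sport, dst, dport) in self.conns or (dst, dport, src, sport) in self.conns:
            return "permit"                      # return/continuing traffic: no ACL lookup
        for ace in self.acls.get(iface, []):
            if ace_matches(ace, src, sport, dst, dport):
                if ace["action"] == "permit":
                    self.conns.add((src, sport, dst, dport))
                return ace["action"]
        if iface in self.acls:
            return "deny"                        # implicit deny at the end of the ACL
        self.conns.add((src, sport, dst, dport))
        return "permit"                          # no ACL on this interface (simplification)
```

Running the model shows that the dmz ACL permits 192.168.100.5 to open a connection to 10.1.10.15:2100 and lets the replies back, denies any other DMZ-initiated connection, and says nothing about what 10.1.10.15 may initiate towards the DMZ.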

tbogie_gvds Wed, 05/30/2007 - 21:48

Great dialogue! To fill in the gaps, is it fair to assume the following:

1. To allow the inside host to traverse from inside to dmz, was there the following nat statement?

nat (inside) 0 10.1.10.5 255.255.255.255

2. Would there also need to be a similar statement for the dmz host like this:

nat (dmz) 0 192.168.100.5 255.255.255.255

Thanks,

Timothy Bogie
