Firewall inside, DMZ questions

May 22nd, 2007

A few questions:

1. Since the firewall is stateful, does this mean that if a connection is made from a higher security interface to a lower security interface (inside to DMZ), once the connection has been established, the lower security interface (DMZ) can return the traffic?

2. Does an access-list applied inbound from the DMZ interface to the inside interface work like any access-list, which means that the implicit deny is at the end of the list? Anything not allowed on the list is denied?

I have a firewall with the list below inbound on the DMZ interface. The inside interface is allowing anything in the 10.0.0.0 subnet.

I have a server, 10.1.10.100, that can access the 192.168.100.5 server in the DMZ.

I do not see how this is so, with the access-list shown below. If the stateful connection will allow anything from the 10.0.0.0 subnet (allowed on the inside interface), what good is the access-list doing?




access-list dmz permit icmp any any
access-list dmz permit tcp host 192.168.201.5 host 10.1.10.2
access-list dmz permit udp host 192.168.201.5 host 10.1.10.2
access-list dmz permit tcp host 192.168.201.5 host 10.1.10.1
access-list dmz permit udp host 192.168.201.15 host 10.1.10.2
access-list dmz permit tcp host 192.168.201.15 host 10.1.10.1
access-list dmz permit tcp host 192.168.201.5 host 10.1.10.3
access-list dmz permit udp host 192.168.201.5 host 10.1.10.3
access-list dmz permit tcp host 192.168.201.5 host 10.1.10.30
access-list dmz permit tcp host 192.168.100.5 host 10.1.10.5 eq www
access-list dmz permit tcp host 192.168.100.5 host 10.1.10.5 eq https
access-list dmz deny ip any 10.0.0.0 255.0.0.0
access-list dmz permit tcp host 192.168.100.5 any eq https
access-list dmz permit tcp host 192.168.100.5 any eq smtp
access-list dmz permit tcp host 192.168.100.5 any eq www
access-list dmz permit icmp host 192.168.100.5 any object-group icmp
access-list dmz permit udp host 192.168.100.5 any eq domain
access-list dmz permit tcp host 192.168.100.5 any eq ftp
access-list dmz deny ip any 192.168.0.0 255.255.0.0
access-list dmz permit tcp any any eq www
access-list dmz permit tcp any any eq https
access-list dmz permit tcp any any eq ftp
access-list dmz permit udp any any eq domain

acomiskey Tue, 05/22/2007 - 07:38

1. Yes

2. Yes


The access list is preventing traffic from originating from the dmz going to the inside. If you want to filter traffic originating from inside going to dmz, then deny this traffic in your inside acl.

wilson_1234_2 Tue, 05/22/2007 - 09:37

Thanks for the reply,


So, the connection is made because it originated from the allowed subnet on the inside interface, correct?


The way the access-list is set up means that I could not originate the connection from the DMZ interface, but it is allowed a connection from the inside interface, correct?

acomiskey Tue, 05/22/2007 - 10:31

Yes. For example.


inside = 10.0.0.0

dmz = 192.168.1.0


access-list dmz deny ip 192.168.1.0 255.255.255.0 10.0.0.0 255.0.0.0

access-group dmz in interface dmz


In the above example, 10.0.0.0 would have no problems connecting to 192.168.1.0 as the firewall is stateful. But, 192.168.1.0 could not initiate connection to 10.0.0.0.


If I wanted to restrict access to the dmz I would have to do this.


access-list inside deny ip 10.0.0.0 255.0.0.0 192.168.1.0 255.255.255.0

access-list inside permit ip any any

access-group inside in interface inside



wilson_1234_2 Tue, 05/22/2007 - 10:45

Thanks for the reply.


So one last thing:


Would the stateful connection also apply to file transfer?


For example, if I want to copy files (using your example) from the 10.0.0.0 inside interface TO the DMZ 192.168.1.0 interface, this would be allowed because of the stateful connection?


And can you tell me why the connection is called "stateful"; does it have something to do with the "state" of the originating connection?

acomiskey Tue, 05/22/2007 - 10:55

Yes, but you will notice it does not apply to icmp. Therefore if you wanted to ping a machine in the dmz you would have to allow the ping reply back into the dmz interface.


access-list dmz permit icmp 192.168.1.0 255.255.255.0 10.0.0.0 255.0.0.0 echo-reply


Here, this probably explains it better than I can.


http://en.wikipedia.org/wiki/Stateful_firewall
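Added example, not from the thread or from Cisco: a small Python model of the behaviour the two answers describe, first-match ACL evaluation ending in the implicit deny, a connection table that admits the return half of an inside-initiated TCP/UDP flow without consulting the dmz ACL, and untracked ICMP that needs its own echo-reply permit. The ACLs are a trimmed, constructed version of the ones posted above; the client ports and the echo-reply permit on 192.168.100.0/24 are assumptions.

```python
from ipaddress import ip_address, ip_network
# Rule: (action, proto, src_net, dst_net, port); port is a destination port
# for tcp/udp, an ICMP type for icmp, or None for any. First match wins and
# a miss is the implicit deny at the end of the list.
def acl_permits(acl, proto, src, dst, port):
    for action, p, s, d, rule_port in acl:
        if (p in ("ip", proto) and ip_address(src) in ip_network(s)
                and ip_address(dst) in ip_network(d)
                and (rule_port is None or rule_port == port)):
            return action == "permit"
    return False

class StatefulFirewall:
    def __init__(self, acls):
        self.acls = acls    # interface name -> ACL applied inbound on it
        self.conns = set()  # tracked (proto, src, sport, dst, dport) flows

    def forward(self, iface, proto, src, sport, dst, dport):
        # Reply direction of a flow already in the table: state admits it
        # without consulting the ACL. ICMP is not tracked in this model.
        if proto in ("tcp", "udp") and (proto, dst, dport, src, sport) in self.conns:
            return True
        if not acl_permits(self.acls[iface], proto, src, dst, dport):
            return False
        if proto in ("tcp", "udp"):
            self.conns.add((proto, src, sport, dst, dport))
        return True

# Trimmed version of the thread's ACLs (constructed for this example).
ACLS = {
    "inside": [("permit", "ip", "10.0.0.0/8", "0.0.0.0/0", None)],
    "dmz": [
        ("permit", "icmp", "192.168.100.0/24", "10.0.0.0/8", 0),   # echo-reply
        ("permit", "tcp", "192.168.100.5/32", "10.1.10.5/32", 80),
        ("deny", "ip", "0.0.0.0/0", "10.0.0.0/8", None),
        ("permit", "tcp", "0.0.0.0/0", "0.0.0.0/0", 80),
    ],
}

def scenarios():
    fw = StatefulFirewall(ACLS)
    return {
        "inside_to_dmz": fw.forward("inside", "tcp", "10.1.10.100", 40000, "192.168.100.5", 443),
        "dmz_reply": fw.forward("dmz", "tcp", "192.168.100.5", 443, "10.1.10.100", 40000),
        "dmz_initiated": fw.forward("dmz", "tcp", "192.168.100.5", 40001, "10.1.10.100", 80),
        "dmz_to_web": fw.forward("dmz", "tcp", "192.168.100.5", 40002, "10.1.10.5", 80),
        "echo_request": fw.forward("inside", "icmp", "10.1.10.100", 0, "192.168.100.5", 8),
        "echo_reply": fw.forward("dmz", "icmp", "192.168.100.5", 0, "10.1.10.100", 0),
        "dmz_ping_inside": fw.forward("dmz", "icmp", "192.168.100.5", 0, "10.1.10.100", 8),
    }
```

The DMZ server's reply to the inside-initiated HTTPS session passes on state alone, while the same server initiating to 10.1.10.100 hits the deny before the broad "permit tcp any any eq www" line; without the echo-reply permit the ping reply would fall to the implicit deny.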
