Firewall inside, DMZ questions

wilson_1234_2
Level 3

a few questions:

1. Since the firewall is stateful, does this mean that if a connection is made from a higher security interface to a lower security interface (inside to DMZ), once the connection has been established, the lower security interface (DMZ) can return the traffic?

2. Does an access-list applied inbound from the DMZ interface to the inside interface work like any access-list which means that implicit deny is at the end of the list? Anything not allowed on the list is denied?

I have a firewall with the list below inbound on the DMZ interface. The inside interface is allowing anything in the 10.0.0.0 subnet.

I have a server, 10.1.10.100 that can access the 192.168.100.5 server in the DMZ.

I do not see how this is so, with the access-list shown below. If the Stateful connection will allow anything from the 10.0.0.0 subnet (allowed on the inside interface), what good is the access-list doing?

access-list dmz permit icmp any any
access-list dmz permit tcp host 192.168.201.5 host 10.1.10.2
access-list dmz permit udp host 192.168.201.5 host 10.1.10.2
access-list dmz permit tcp host 192.168.201.5 host 10.1.10.1
access-list dmz permit udp host 192.168.201.15 host 10.1.10.2
access-list dmz permit tcp host 192.168.201.15 host 10.1.10.1
access-list dmz permit tcp host 192.168.201.5 host 10.1.10.3
access-list dmz permit udp host 192.168.201.5 host 10.1.10.3
access-list dmz permit tcp host 192.168.201.5 host 10.1.10.30 o
access-list dmz permit tcp host 192.168.100.5 host 10.1.10.5 eq www
access-list dmz permit tcp host 192.168.100.5 host 10.1.10.5 eq https
access-list dmz deny ip any 10.0.0.0 255.0.0.0
access-list dmz permit tcp host 192.168.100.5 any eq https
access-list dmz permit tcp host 192.168.100.5 any eq smtp
access-list dmz permit tcp host 192.168.100.5 any eq www
access-list dmz permit icmp host 192.168.100.5 any object-group icmp
access-list dmz permit udp host 192.168.100.5 any eq domain
access-list dmz permit tcp host 192.168.100.5 any eq ftp
access-list dmz deny ip any 192.168.0.0 255.255.0.0
access-list dmz permit tcp any any eq www
access-list dmz permit tcp any any eq https
access-list dmz permit tcp any any eq ftp
access-list dmz permit udp any any eq domain

6 Replies

acomiskey
Level 10

1. Yes

2. Yes

The access list is preventing traffic from originating from the dmz going to the inside. If you want to filter traffic originating from inside going to dmz, then deny this traffic in your inside acl.

Thanks for the reply,

So, the connection is made because it originated from the allowed subnet on the inside interface, correct?

The way the access-list is set up means that I could not originate the connection from the DMZ interface, but it is allowed a connection from the inside interface, correct?

Yes. For example.

inside = 10.0.0.0

dmz = 192.168.1.0

access-list dmz deny ip 192.168.1.0 255.255.255.0 10.0.0.0 255.0.0.0

access-group dmz in interface dmz

In the above example, 10.0.0.0 would have no problems connecting to 192.168.1.0 as the firewall is stateful. But, 192.168.1.0 could not initiate connection to 10.0.0.0.

If I wanted to restrict access to the dmz I would have to do this.

access-list inside deny ip 10.0.0.0 255.0.0.0 192.168.1.0 255.255.255.0

access-list inside permit ip any any

access-group inside in interface inside

Thanks for the reply.

So one last thing:

Would the stateful connection also apply to file transfer?

For example, if I want to copy files (using your example) from the 10.0.0.0 inside interface TO the DMZ 192.168.1.0 interface, this would be allowed because of the stateful connection?

And can you tell me why the connection is called "stateful"? Does it have something to do with the "state" of the originating connection?

Yes, but you will notice it does not apply to icmp. Therefore if you wanted to ping a machine in the dmz you would have to allow the ping reply back into the dmz interface.

access-list dmz permit icmp 192.168.1.0 255.255.255.0 10.0.0.0 255.0.0.0 echo-reply

Here, this probably explains it better than I can.

http://en.wikipedia.org/wiki/Stateful_firewall
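The following is an added example, not code from the thread or from Cisco. It is a small Python model of what the two replies above describe: an inbound ACL is walked top-down with an implicit deny at the end and only governs connections initiated from that interface, TCP/UDP return traffic of an established flow is passed by the state table without ever touching the dmz ACL, and ICMP echo-reply is not tracked (as on a PIX without ICMP inspection), so it needs an explicit entry on the dmz ACL. It replays the `access-list inside` / `access-list dmz` example and the `echo-reply` line from the replies; the host addresses, ports and the `Packet`/`Firewall` names are constructed for the example. One caveat the replies do not spell out: because first match wins, the `echo-reply` permit has to sit before the `deny ip` entry, otherwise the deny swallows it.

```python
"""Toy stateful firewall with per-interface inbound ACLs (added example, not Cisco code)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORTS = {"www": 80, "https": 443, "ftp": 21, "smtp": 25, "domain": 53}
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Packet:
    in_iface: str
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    icmp_type: str = ""   # "echo" or "echo-reply" for ICMP


@dataclass(frozen=True)
class Ace:
    action: str           # "permit" or "deny"
    proto: str            # "tcp", "udp", "icmp" or "ip" (ip matches every protocol)
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None
    icmp_type: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        return ((self.proto == "ip" or self.proto == p.proto)
                and ipaddress.ip_address(p.src) in self.src
                and ipaddress.ip_address(p.dst) in self.dst
                and (self.dport is None or self.dport == p.dport)
                and (self.icmp_type is None or self.icmp_type == p.icmp_type))


def _addr(tok, i):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D MASK' (PIX netmask syntax) at tok[i]."""
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def parse_ace(line: str):
    """Parse 'access-list NAME permit|deny PROTO SRC DST [eq PORT] [ICMP-TYPE]'."""
    tok = line.split()
    name, action, proto = tok[1], tok[2], tok[3]
    src, i = _addr(tok, 4)
    dst, i = _addr(tok, i)
    dport = icmp_type = None
    while i < len(tok):
        if tok[i] == "eq":
            dport, i = int(PORTS.get(tok[i + 1], tok[i + 1])), i + 2
        else:
            icmp_type, i = tok[i], i + 1
    return name, Ace(action, proto, src, dst, dport, icmp_type)


class Firewall:
    def __init__(self, config_lines):
        self.acls, self.bindings, self.state = {}, {}, set()
        for line in config_lines:
            tok = line.split()
            if tok[0] == "access-list":
                name, ace = parse_ace(line)
                self.acls.setdefault(name, []).append(ace)
            elif tok[0] == "access-group":    # access-group NAME in interface IFACE
                self.bindings[tok[4]] = tok[1]

    def process(self, p: Packet):
        """Return (verdict, reason) for one packet and update the state table."""
        flow = (p.proto, p.src, p.sport, p.dst, p.dport)
        # Return traffic of a tracked TCP/UDP flow is passed without consulting the ACL.
        if p.proto in ("tcp", "udp") and (p.proto, p.dst, p.dport, p.src, p.sport) in self.state:
            return "permit", "state table: return traffic of an established flow"
        name = self.bindings[p.in_iface]
        verdict, reason = "deny", f"implicit deny at end of acl {name}"
        for n, ace in enumerate(self.acls[name], 1):   # top-down, first match wins
            if ace.matches(p):
                verdict, reason = ace.action, f"acl {name} entry {n}"
                break
        if verdict == "permit" and p.proto in ("tcp", "udp"):
            self.state.add(flow)   # ICMP is deliberately not tracked in this model
        return verdict, reason


BASE = ["access-list dmz deny ip 192.168.1.0 255.255.255.0 10.0.0.0 255.0.0.0",
        "access-group dmz in interface dmz",
        "access-list inside permit ip any any",
        "access-group inside in interface inside"]


def demo():
    """Replay the thread's scenario with constructed hosts; returns {case: verdict}."""
    fw, r = Firewall(BASE), {}
    r["inside->dmz ftp"] = fw.process(Packet("inside", "tcp", "10.1.10.100", "192.168.1.5", 40000, 21))[0]
    r["dmz->inside ftp reply"] = fw.process(Packet("dmz", "tcp", "192.168.1.5", "10.1.10.100", 21, 40000))[0]
    r["dmz->inside new"] = fw.process(Packet("dmz", "tcp", "192.168.1.5", "10.1.10.100", 5555, 445))[0]
    r["inside->dmz echo"] = fw.process(Packet("inside", "icmp", "10.1.10.100", "192.168.1.5", icmp_type="echo"))[0]
    r["dmz->inside echo-reply"] = fw.process(Packet("dmz", "icmp", "192.168.1.5", "10.1.10.100", icmp_type="echo-reply"))[0]
    # The reply's fix, placed ahead of the deny so the deny does not match first.
    fixed = Firewall(["access-list dmz permit icmp 192.168.1.0 255.255.255.0 10.0.0.0 255.0.0.0 echo-reply"] + BASE)
    r["dmz->inside echo-reply (fixed)"] = fixed.process(Packet("dmz", "icmp", "192.168.1.5", "10.1.10.100", icmp_type="echo-reply"))[0]
    return r


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:35s} {verdict}")
```

Running it shows the inside-initiated FTP flow permitted by the inside ACL, its reply permitted by the state table, a DMZ-initiated connection denied by the explicit entry, and the echo-reply denied by the implicit deny until the `echo-reply` entry is added. That is exactly why the OP's 10.1.10.100 host can reach 192.168.100.5 even though nothing in the dmz ACL mentions it: the dmz ACL never sees the reply packets.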

Thanks
