Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
472
Views
0
Helpful
5
Replies

Outside Restrictions to DMZ

Go to solution
bsprankle217
Level 1
Level 1

‎11-14-2007 07:32 AM - edited ‎03-09-2019 07:23 PM

I am trying to deny a IP address from connecting to my Mail Filter located in the DMZ, I have a PIX 515e. My Mail Filter is being attacked and i want to prevent the Attacking IP for connecting to it.

Here is my Current DMZ Conf.

nameif ethernet2 dmz security4

access-list ACL_DMZ permit tcp host 192.168.0.10 host 10.1.1.203 eq smtp

access-list ACL_DMZ permit tcp host 192.168.0.10 10.1.1.0 255.255.255.0 eq 8000

access-list ACL_DMZ permit tcp host 192.168.0.10 host 10.1.1.210 eq domain

access-list ACL_DMZ permit tcp host 192.168.0.10 host 10.1.1.211 eq domain

access-list ACL_DMZ permit icmp host 192.168.0.10 10.1.1.0 255.255.255.0

access-list ACL_DMZ permit udp any any

access-list ACL_DMZ permit tcp any any

access-list ACL_DMZ permit tcp host 192.168.0.10 10.1.2.0 255.255.255.0 eq 8000

access-list ACL_DMZ permit icmp host 192.168.0.10 10.1.2.0 255.255.255.0

access-list ACL_DMZ deny ip host 65.84.81.240 any

access-group ACL_DMZ in interface dmz

Thank you for your assistance.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Collin Clark
VIP Alumni
VIP Alumni
In response to bsprankle217

‎11-14-2007 07:42 AM

I'm assuming at 65.84.81.240 is the IP you want to block from hitting your mail server. The line above it is permitting it, so you will need to move this line:

access-list ACL_OUTSIDE deny ip host 65.84.81.240 any

above this line:

access-list ACL_OUTSIDE permit tcp any host x.x.x.x eq smtp

To do that you will have to remove each and then add in the correct order. It would be best to do that in notepad and then copy-n-paste into the firewall.

For example:

no access-list ACL_OUTSIDE permit tcp any host x.x.x.x eq smtp

access-list ACL_OUTSIDE permit tcp any host x.x.x.x eq smtp

This will remove then add the line to the bottom of the ACL.

View solution in original post

0 Helpful
5 Replies 5

Go to solution
Collin Clark
VIP Alumni
VIP Alumni

‎11-14-2007 07:34 AM

If you want to block an intruder from the outside in to your DMZ, you need to adjust your outside ACL, not the DMZ ACL. The ACL above and the way it is applied determines what machines on your DMZ are allowed to out of the DMZ interface.

HTH and please rate.

0 Helpful

Go to solution
bsprankle217
Level 1
Level 1
In response to Collin Clark

‎11-14-2007 07:38 AM

This is part of my Outside ACL, Please take a look and see if you can see any problems.

access-list ACL_OUTSIDE permit tcp any host x.x.x.x eq smtp

access-list ACL_OUTSIDE deny ip host 65.84.81.240 any

access-group ACL_OUTSIDE in interface outside

Thanks

0 Helpful

Go to solution
Collin Clark
VIP Alumni
VIP Alumni
In response to bsprankle217

‎11-14-2007 07:42 AM

I'm assuming at 65.84.81.240 is the IP you want to block from hitting your mail server. The line above it is permitting it, so you will need to move this line:

access-list ACL_OUTSIDE deny ip host 65.84.81.240 any

above this line:

access-list ACL_OUTSIDE permit tcp any host x.x.x.x eq smtp

To do that you will have to remove each and then add in the correct order. It would be best to do that in notepad and then copy-n-paste into the firewall.

For example:

no access-list ACL_OUTSIDE permit tcp any host x.x.x.x eq smtp

access-list ACL_OUTSIDE permit tcp any host x.x.x.x eq smtp

This will remove then add the line to the bottom of the ACL.

0 Helpful

Go to solution
elparis
Cisco Employee
Cisco Employee

‎11-14-2007 07:41 AM

You are looking at the wrong access control list - attack traffic is most likely coming from the outside, so you need to block attack traffic with an access control entry for the access list applied to the outside interface. In other words, you do not need to modify the ACL applied to the DMZ interface because that's only used to control traffic that is generated by machines in the DMZ, not traffic destined to those machines.

A note about the access list called "ACL_DMZ": that ACL permits all TCP and UDP traffic - the "deny ip host 65.84.81.240 any" and the bottom of the ACL is not really doing anything.

0 Helpful

Go to solution
tripvdi0.bsoares
Level 1
Level 1

‎11-14-2007 08:04 AM

Hi person,

Your access-list is not correctly organized.

The basic idea for all ACL is the following:

- Evaluate rules by rule, of top at down.

- When a rule match the packet under analysis, take the action of this rules.

- No more rules will be evaluated for this packet.

By this way, when the attacker`s traffic pass through your pix, will be evaluated against rules and certainly will be matched by the rule

"access-list ACL_DMZ permit udp any any"

or

"access-list ACL_DMZ permit tcp any any"

The correct practice is to place the "permit tpc|udp any any" as last rules in the ACL.

Then the deny will be evaluated and matched (for the attacker`s traffic) and other all traffic will be pass throug your pix.

Regards,

Me.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents