PIX: DMZ to INSIDE ACL rule(s) blocks outbound traffic

Jan 11th, 2008
Is this a bug or am I missing a rule policy? When I add in ACL rules to restrict access from DMZ to INSIDE... all outbound traffic via the OUTSIDE interface is blocked! Rules work fine for DMZ to INSIDE. If I put back the any any access, all is OK again.

ACCESS but virtually shuts down my firewall.

JORGE RODRIGUEZ Fri, 01/11/2008 - 15:09

Robert, from low security level to high security level access is already restricted, so to allow traffic from DMZ to inside you permit the access to inside via ACL. So something is not quite right with the ACL you are working with that would block outbound connections via the outside interface or cause a complete firewall shutdown. What version of PIX are you running?


Rgds

Jorge

robert6755 Sat, 01/12/2008 - 06:50

Jorge


Ver 7.05.

The 4 rules are nothing fancy.

Ex. access-list dmz-to-inside extended permit tcp host serverA any eq 1433


But it does virtually shut down the firewall.

robert6755 Sat, 01/12/2008 - 06:54

Jorge another thing...


I am using NAT on the INSIDE network.

Do I need to add in explicit static routes out?

JORGE RODRIGUEZ Sat, 01/12/2008 - 08:56

Robert, from what you are describing, that it virtually shuts down the firewall while making changes, this most definitely indicates software problems. I would recommend you to query the bug tools resource database on your version of code at http://www.cisco.com/en/US/support/index.html


As for your other question on "NAT inside and explicit static routes out?", if I understand correctly you mean outbound traffic to the internet? If so, yes, you need to define a default route. In other words there must either exist a default route by static means or a default route injected by a routing protocol, but the most common scenario would be a static default route.


e.g

The default route, nat inside and global outside example would be something like this for your inside host to get outbound traffic.



route outside 0.0.0.0 0.0.0.0 1
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface



Rgds

Jorge


acomiskey Sat, 01/12/2008 - 11:35

I'm sure what you did was forget that there is an explicit deny ip any any at the end of your acl. What you need to do is permit the traffic from the dmz to inside, deny all other traffic from dmz to inside, then permit ip any any. This will allow the dmz to get to the outside. For instance...


access-list dmz-to-inside extended permit tcp host serverA any eq 1433
access-list dmz-to-inside extended permit tcp host serverB any eq 1433
access-list dmz-to-inside deny ip
access-list dmz-to-inside permit ip any any

robert6755 Wed, 01/16/2008 - 06:24

Acomiskey


What you suggest led to the solution although with some modification. The deny statements had to be specific for the servers on the Inside. I did this by creating a network object-group and put a rule in to deny access to the group.


If I used "any any" then all access outbound, dmz and inside, was shutdown.


Example:

object-group network db_servers

access-list dmz-to-inside extended permit tcp host serverA any eq 1433
access-list dmz-to-inside extended permit tcp host serverB any eq 1433
access-list dmz-to-inside extended deny ip any object-group db_servers
access-list dmz-to-inside permit ip any any


Thanks for pointing me in the right direction.
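A small first-match model of the ACL behaviour discussed in this thread (acomiskey's ordering advice and robert6755's object-group fix), added here as an illustration; it is not code from the thread or from Cisco, and the addresses and object-group members are constructed. It shows why a permit-only ACL (implicit deny at the end) and a "deny ip any any" placed before the final permit both drop DMZ-to-outside traffic, while denying only the object-group lets other traffic through.

```python
import ipaddress

# Constructed sample topology (assumptions, not from the thread).
SERVER_A = ipaddress.ip_address("10.20.0.11")              # DMZ host serverA
HOST_A = ipaddress.ip_network("10.20.0.11/32")
DB_SERVERS = {ipaddress.ip_network("10.10.0.5/32"),        # object-group db_servers
              ipaddress.ip_network("10.10.0.6/32")}
INSIDE_DB = ipaddress.ip_address("10.10.0.5")
INTERNET_HOST = ipaddress.ip_address("198.51.100.7")

def ace(action, proto, src, dst, dport=None):
    """One access-list entry; src/dst is 'any', a network, or a set (object-group)."""
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}

def _matches(spec, ip):
    if spec == "any":
        return True
    nets = spec if isinstance(spec, set) else {spec}
    return any(ip in net for net in nets)

def lookup(acl, proto, src, dst, dport):
    """First matching entry wins; PIX appends an implicit 'deny ip any any'."""
    for e in acl:
        if e["proto"] not in ("ip", proto):
            continue
        if e["dport"] is not None and e["dport"] != dport:
            continue
        if _matches(e["src"], src) and _matches(e["dst"], dst):
            return e["action"]
    return "deny"  # implicit deny at the end of every ACL

# Original permit-only ACL: nothing else is allowed, so DMZ->outside is dropped.
ORIGINAL = [ace("permit", "tcp", HOST_A, "any", 1433)]
# 'deny ip any any' before the final permit: the permit is never reached.
DENY_ANY_ANY = ORIGINAL + [ace("deny", "ip", "any", "any"), ace("permit", "ip", "any", "any")]
# Deny only the inside DB servers (object-group), then permit everything else.
FIXED = ORIGINAL + [ace("deny", "ip", "any", DB_SERVERS), ace("permit", "ip", "any", "any")]

def check(acl):
    """Return results for dmz->db:1433, dmz->db:22, dmz->internet:443."""
    return (lookup(acl, "tcp", SERVER_A, INSIDE_DB, 1433),
            lookup(acl, "tcp", SERVER_A, INSIDE_DB, 22),
            lookup(acl, "tcp", SERVER_A, INTERNET_HOST, 443))

if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL), ("deny-any-any", DENY_ANY_ANY), ("fixed", FIXED)):
        print(name, check(acl))
```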

robert6755 Wed, 01/16/2008 - 06:26

Resolved by modifying deny statement


Last post was the solution.
