Internet Access for the DMZ

Unanswered Question
Mar 26th, 2008

Hi,

I just took over management of a PIX running 6.3 that only uses conduits and outbound statements.

Currently, there is no Internet (or outbound) access allowed generically speaking for the dmz lan.

I have two questions:

What are the thoughts of allowing outbound access to the internet from the DMZ using a nat (dmz) 1 0.0.0.0 0.0.0.0 statement...since it is going to an interface with a lower security level?

If I do not use the NAT statement, how would I do this? Static NAT with OUTBOUND statements?

Any help is appreciated.

Thanks,

Jason

Jesse Wiener Thu, 03/27/2008 - 18:18

I need to say I am not very familiar with conduits and outbound statements. But I think you can have both types of commands. If not, just disregard my post. It would be a good idea to update your config to use the new commands.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_field_notice09186a00801d3621.shtml

You will need NAT of some sort in order to get out. The nat statement that you have should work if you have a matching global statement with a 1 on the outside interface.

global (outside) 1 interface, or something similar.

You do not need to be so generic with 0.0.0.0 0.0.0.0. It is a better policy to only NAT traffic for the specific source network or networks.

You can also do this with a static statement; it depends on the number of IPs you have available to use, etc.

http://www.cisco.com/en/US/docs/security/pix/pix63/configuration/guide/mngacl.html#wp1001958

JORGE RODRIGUEZ Thu, 03/27/2008 - 19:20

Jason,

The previous poster Jesse provided great info and the right direction; I just want to share additional info on a key question in your post.

"What are the thoughts of allowing outbound access to the internet from the DMZ?"

It all depends on what is connected in your DMZ. For example, at least in my experience, you may have systems in the DMZ that are external vendor business-specific systems terminating at your DMZ and providing some type of service to your company; a good example in my experience is Reuters feeds and other real-time market data information provider services. Such systems do not necessarily require internet access, or company policy does not allow vendors in the DMZ to use the company's outbound internet, so it varies with company policy.

You may have different vendors in the DMZ, and perhaps you may need to allow outbound internet on just a few hosts instead of having the complete DMZ subnet (nat (dmz) 1 0 0) wide open to all hosts in the DMZ subnet for outbound internet. Instead, you could control access per host, i.e. nat (dmz) 1 10.10.10.1 255.255.255.255.

In the event that inbound connections are required towards a specific DMZ host for www or ftp services etc., Jesse's links provide a perfect example of static NAT and access lists.

Conduits are similar to access lists, and from what I have read it is best practice not to mix conduits with ACLs in the same config. You can have both, but ACLs take precedence over conduit statements. Or, as Jesse suggested, you may rewrite those conduit statements into ACLs; the command is no longer available in 7.x code, but it gets converted into ACLs when upgrading to 7.

HTH

Rgds

Jorge
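As an added illustration of the two approaches discussed in this thread (constructed for this page, not posted by either Jesse or Jorge), here is a PIX 6.3 fragment that puts the wide-open nat (dmz) 1 0 0 next to the per-host version, restricts what that host may do outbound, and adds the static NAT plus access-list for an inbound DMZ service. The interface name dmz and the host 10.10.10.1 come from the thread; the addresses 203.0.113.10 and 192.0.2.53 and the ACL names dmz_out and outside_in are placeholders.

```cisco
! Constructed PIX 6.3 example (not from the thread). Placeholders:
! 203.0.113.10 = public address for the DMZ web server, 192.0.2.53 = resolver.

! --- Weak: the whole DMZ subnet may be translated and reach the Internet ---
nat (dmz) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

! --- Narrowed: only the host that needs outbound access is translated ---
! (replace the nat line above; the same global 1 on outside still serves it)
nat (dmz) 1 10.10.10.1 255.255.255.255

! Higher-to-lower security traffic is passed by default once NAT exists, so an
! access-list on the dmz interface is what limits the host to the services it needs.
! PIX 6.3 only supports the "in" direction on access-group.
access-list dmz_out permit tcp host 10.10.10.1 any eq 80
access-list dmz_out permit tcp host 10.10.10.1 any eq 443
access-list dmz_out permit udp host 10.10.10.1 host 192.0.2.53 eq 53
access-list dmz_out deny ip any any log
access-group dmz_out in interface dmz

! --- Inbound to a DMZ web server: static NAT plus an access-list on outside ---
! Note: a static is bidirectional, so 10.10.10.1 will also leave as 203.0.113.10
! instead of using the global PAT address.
static (dmz,outside) 203.0.113.10 10.10.10.1 netmask 255.255.255.255
access-list outside_in permit tcp any host 203.0.113.10 eq 80
access-group outside_in in interface outside
```

The deny-with-log line at the end of dmz_out gives you a record of any DMZ host trying to leave through a port you did not permit.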
