Internet Access for the DMZ

jaye15394
Level 1

Hi,

I just took over management for a PIX running 6.3 only using conduits and outbound statements.

Currently, there is no Internet (or outbound) access allowed generically speaking for the dmz lan.

I have two questions:

What are the thoughts of allowing outbound access to the internet from the DMZ using a nat (dmz) 1 0.0.0.0 0.0.0.0 statement...since it is going to an interface with a lower security level?

If I do not use the NAT statement, how would I do this? Static NAT with OUTBOUND statements?

Any help is appreciated.

Thanks,

Jason

2 Replies

Jesse Wiener
Level 4

I need to say I am not very familiar with conduits and outbound statements, but I think you can have both types of commands. If not, just disregard my post. It would be a good idea to update your config to use the new commands.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_field_notice09186a00801d3621.shtml

You will need NAT of some sort in order to get out. The nat statement that you have should work if you have a matching global statement with a 1 on the outside interface.

global (outside) 1 interface, or something similar.

You do not need to be so generic with 0.0.0.0 0.0.0.0. It is a better policy to only NAT traffic for the specific source network, or networks.

You can also do this with a static statement, depending on the number of IPs you have available to use, etc.

http://www.cisco.com/en/US/docs/security/pix/pix63/configuration/guide/mngacl.html#wp1001958

Jason,

Previous poster Jesse provided great info and the right direction; I just want to share additional info on a key question in your post.

"What are the thoughts of allowing outbound access to the internet from the DMZ "

It all depends on what is connected in your DMZ. For example, at least in my experience, you may have systems in the DMZ that are external vendor business-specific systems, terminating at your DMZ and providing some type of service to your company. A good example in my experience is Reuters feeds and other real-time market data information provider services. Such systems do not necessarily require internet access, or company policy does not allow vendors in the DMZ to use the company's outbound internet, so it varies with company policy.

You may have different vendors in the DMZ, and perhaps you may need to allow outbound internet on just a few hosts instead of having the complete DMZ subnet (nat (dmz) 1 0 0) wide open to all hosts in the DMZ subnet for outbound internet. Instead you could control access per host, i.e. nat (dmz) 1 10.10.10.1 255.255.255.255.

In the event that inbound connections are required towards a specific DMZ host for www or ftp services, etc., Jesse's links provide a perfect example of static NAT and access lists.

Conduits are similar to access lists, and from what I have read, best practice is not to mix conduits with ACLs in the same config. You can have both, but ACLs take precedence over conduit statements. Or, as Jesse suggested, you may rewrite those conduit statements into ACLs; the command is no longer available in 7.x code, but it gets converted into ACLs when upgrading to 7.

HTH

Rgds

Jorge

Jorge Rodriguez
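The configuration both replies describe, pulled together as an added example (this is not config posted in the thread and not Cisco's own documentation). It assumes PIX 6.3 syntax, an interface named dmz, a DMZ subnet of 10.10.10.0/24, and an outside address block of 203.0.113.0/24; all addresses are constructed for illustration, and lines beginning with `!` are annotations rather than PIX commands. It shows the wide-open nat statement from the question next to the per-host form Jorge recommends, the matching global statement Jesse points out, and a static plus access-list pair for one host that must accept inbound connections.

```cisco
! Added example, not from the thread. Security levels assumed: inside 100, dmz 50, outside 0.

! --- As asked in the question: every DMZ host gets outbound internet ---
! nat (dmz) 1 0 0
! global (outside) 1 interface

! --- Scoped alternative: translate only the hosts that need to get out ---
! Both nat lines use pool id 1, so one global statement on outside serves them.
nat (dmz) 1 10.10.10.1 255.255.255.255
nat (dmz) 1 10.10.10.2 255.255.255.255
global (outside) 1 interface

! Outbound policy on the dmz interface: even translated hosts are limited to
! the services they actually need, everything else from the DMZ is dropped.
access-list dmz_out permit tcp host 10.10.10.1 any eq www
access-list dmz_out permit tcp host 10.10.10.1 any eq 443
access-list dmz_out permit udp host 10.10.10.1 any eq domain
access-list dmz_out permit tcp host 10.10.10.2 any eq 443
access-list dmz_out deny ip any any
access-group dmz_out in interface dmz

! One published web server: one-to-one static plus an ACL on the outside
! interface instead of a conduit. Returning packets for these sessions are
! allowed statefully, so the dmz_out ACL above does not break them.
static (dmz,outside) 203.0.113.10 10.10.10.5 netmask 255.255.255.255
access-list outside_in permit tcp any host 203.0.113.10 eq www
access-group outside_in in interface outside
```

Checking the result on the box: `show xlate` lists the translations that have been built, so a DMZ host that is absent from the nat lines shows no entry and cannot reach the outside, and `show access-list` reports hit counts per line, which is the quickest way to confirm that the deny at the end of dmz_out is catching the traffic you intended to block.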