Access from lower security interface to higher

Answered Question

I've got two internal networks, y and z. y is the most secure, and is allowed access to z. Both are allowed full access to the internet and some hosts across a vpn tunnel. I'm trying to add a rule to allow hosts on z to access a single host on y (port 9999).


Relevant config bits follow:


interface Ethernet0/0
 nameif outside
 security-level 0
 ip address x.x.x.x 255.255.255.248
!
interface Ethernet0/2
 nameif y
 security-level 100
 ip address y.y.y.y 255.255.255.0
!
interface Ethernet0/2.1
 vlan zzzz
 nameif z
 security-level 50
 ip address z.z.z.z 255.255.255.0
!

access-list y_outbound_nat0 extended permit ip y.y.y.0 255.255.255.0 z.z.z.0 255.255.255.0
access-list z_outbound_nat0 extended permit ip z.z.z.0 255.255.255.0 y.y.y.0 255.255.255.0
access-list z_to_y extended permit tcp z.z.z.0 255.255.255.0 host y.y.y.11 eq 9999
access-group z_to_y in interface z

nat-control
global (outside) 1 interface
global (y) 3 interface
global (z) 4 interface
nat (y) 0 access-list y_outbound_nat0
nat (y) 1 y.y.y.0 255.255.255.0
nat (z) 0 access-list z_outbound_nat0
nat (z) 1 z.z.z.0 255.255.255.0



The config above partially works, in that it allows z to access the host on y, but it also denies access across the vpn and (I think) the internet. I assume this is because the access-list z_to_y has the implicit deny any any at the end. What is the right way to accomplish this?


I was considering the following, but wasn't sure if it was the right solution (or if it would work correctly):


access-list z_to_y extended permit tcp z.z.z.0 255.255.255.0 host y.y.y.11 eq 9999
access-list z_to_y extended permit ip y.y.y.0 255.255.255.0 any
access-group z_to_y in interface y



Also, I read a thread that advocated against using nat0 rules except for VPN, indicating that static statements should be used instead... Just wondering if anyone knows the rationale behind that, since I obviously am using nat0 rules to not NAT between internal networks.

Correct Answer by Jon Marshall about 8 years 5 months ago

Jason


access-list z_to_y extended permit tcp z.z.z.0 255.255.255.0 host y.y.y.11 eq 9999
access-list z_to_y extended permit ip y.y.y.0 255.255.255.0 any
access-group z_to_y in interface y


If you use this then any machines on dmz z can access any machines on y as long as there is a NAT translation for it.


So add in a deny from all the dmz machines on z to internal network y after the specific permit rule.



access-list z_to_y extended permit tcp z.z.z.0 255.255.255.0 host y.y.y.11 eq 9999
access-list z_to_y extended deny ip z.z.z.0 255.255.255.0 y.y.y.0 255.255.255.0
access-list z_to_y extended permit ip y.y.y.0 255.255.255.0 any
access-group z_to_y in interface


I have always used static statements myself for presenting the same addresses to another interface, e.g.


static (inside,dmz) y.y.y.0 y.y.y.0 netmask 255.255.255.0


Obviously you will need a dynamic NAT for going out to the Internet unless of course all your IPs on the dmz and inside are Internet routable.


Jon

Jon Marshall Thu, 12/11/2008 - 11:20
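Added example, not code from the thread and not anything Cisco ships: a small Python first-match evaluator that models how an ASA walks an extended access-list (first matching entry wins, no match falls to the implicit deny). It shows why the questioner's single-entry list, applied inbound on z, cut z off from the internet and the VPN, why the answer's ordering (specific permit, then deny z to y, then a broad permit) gives the intended result, and what happens if the broad permit is placed ahead of the deny. Addresses are constructed stand-ins (10.10.0.0/24 for y.y.y.0/24, 10.20.0.0/24 for z.z.z.0/24, 203.0.113.0/24 for internet and VPN peers). The broad permit is written with the z network as source on the assumption that the list stays applied inbound on interface z as in the original config; the interface name in the answer's last access-group line is missing, so that placement is mine.

```python
"""First-match ACL evaluator modelling ASA extended access-list semantics.

Added example, not code from the thread. Addresses are constructed
stand-ins: 10.10.0.0/24 plays y.y.y.0/24, 10.20.0.0/24 plays z.z.z.0/24
and 203.0.113.0/24 (TEST-NET-3) stands in for the internet / VPN peers.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Ace:
    """One access-list entry: action, protocol, source, destination, optional dst port."""
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol; otherwise "tcp", "udp", ...
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int] = None  # only present for entries written with "eq PORT"


def parse_ace(line: str) -> Ace:
    """Parse 'access-list NAME extended ACTION PROTO SRC DST [eq PORT]'.

    SRC/DST may be 'any', 'host A.B.C.D' or 'A.B.C.D MASK' (the forms used in the thread).
    """
    tok = line.split()
    if len(tok) < 7 or tok[0] != "access-list" or tok[2] != "extended":
        raise ValueError(f"unsupported ACE syntax: {line!r}")
    action, proto = tok[3], tok[4]
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action in: {line!r}")

    def take_addr(i: int) -> Tuple[IPv4Network, int]:
        if tok[i] == "any":
            return ip_network("0.0.0.0/0"), i + 1
        if tok[i] == "host":
            return ip_network(tok[i + 1] + "/32"), i + 2
        return ip_network(f"{tok[i]}/{tok[i + 1]}"), i + 2   # address + netmask

    src, i = take_addr(5)
    dst, i = take_addr(i)
    dport = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
    return Ace(action, proto, src, dst, dport)


def evaluate(acl: List[Ace], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching entry) for the first match.

    No match returns ("deny", None): the implicit deny at the end of every ASA ACL.
    """
    s, d = ip_address(src), ip_address(dst)
    for idx, ace in enumerate(acl):
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, idx
    return "deny", None


# The questioner's original list, applied inbound on interface z: one permit, then implicit deny.
ORIGINAL = [parse_ace(
    "access-list z_to_y extended permit tcp 10.20.0.0 255.255.255.0 host 10.10.0.11 eq 9999")]

# Ordering from the answer: specific permit, then deny z -> y, then a broad permit.
# The broad permit uses the z network as source because the list is applied inbound on z (assumption).
ORDERED = [parse_ace(l) for l in (
    "access-list z_to_y extended permit tcp 10.20.0.0 255.255.255.0 host 10.10.0.11 eq 9999",
    "access-list z_to_y extended deny ip 10.20.0.0 255.255.255.0 10.10.0.0 255.255.255.0",
    "access-list z_to_y extended permit ip 10.20.0.0 255.255.255.0 any",
)]

# Same three entries with the broad permit ahead of the deny: the deny is shadowed and never hit.
MISORDERED = [ORDERED[0], ORDERED[2], ORDERED[1]]

# Constructed test flows from a host on z: (label, proto, src, dst, dport)
FLOWS = [
    ("z -> y.11 tcp/9999 (wanted)",    "tcp", "10.20.0.5", "10.10.0.11", 9999),
    ("z -> y.11 tcp/22 (unwanted)",    "tcp", "10.20.0.5", "10.10.0.11", 22),
    ("z -> y.20 tcp/445 (unwanted)",   "tcp", "10.20.0.5", "10.10.0.20", 445),
    ("z -> internet tcp/443 (wanted)", "tcp", "10.20.0.5", "203.0.113.5", 443),
    ("z -> vpn peer udp/53 (wanted)",  "udp", "10.20.0.5", "203.0.113.9", 53),
]


def report(acl: List[Ace]) -> List[Tuple[str, str, Optional[int]]]:
    """Evaluate every test flow against an ACL; returns (label, action, matched index)."""
    return [(label, *evaluate(acl, proto, src, dst, dport))
            for label, proto, src, dst, dport in FLOWS]


if __name__ == "__main__":
    for name, acl in (("ORIGINAL", ORIGINAL), ("ORDERED", ORDERED), ("MISORDERED", MISORDERED)):
        print(f"== {name} ==")
        for label, action, idx in report(acl):
            where = "implicit deny" if idx is None else f"entry {idx}"
            print(f"  {label:34s} {action:6s} ({where})")
```

Running it prints one table per list. ORIGINAL permits only the 9999 flow and drops everything else on the implicit deny, which is the outage the question describes; ORDERED permits the 9999 flow, drops the other two z-to-y flows on entry 1, and lets internet and VPN traffic through on entry 2; MISORDERED permits all five, because entry 1 (the broad permit) now matches before the deny can. Checking a candidate list against a handful of wanted and unwanted flows like this, before pushing it to the firewall, is a cheap way to catch both the implicit-deny outage and the shadowed-deny hole.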

Jon,


Thanks, I went ahead and tried what you suggested and it is working fine now. It just seemed excessive to me to have to specify deny statements for each internal network and then add the allow any rule, but I guess that is just how it has to be. I don't make firewall changes very often, so it is always difficult for me to get back in the Cisco mindset.


Thanks,

--

Jason
