
access-list on dmz

Mar 4th, 2012
On the firewall we have a zone created for the DMZ, its IP is 192.x.x.x, and it is connected to a 2950 switch (DMZ switch) with VLAN 25.

We have an L3 switch; on this we have created VLAN 25 and connected a cable from the L3 switch to the 2950 switch with VLAN 25.

As we have the servers on the L3 switch and wanted to bring them into the DMZ zone, we have connected a cable.

The access-list is as below:

static (dmz,outside) 202.x.x.x 192.x.x.x netmask

access-list out extended permit ip any host 202.x.x.x

access-group out in interface outside.

Now the problem is that when I connect a PC on the 2950 switch (directly on the DMZ switch) with the access-list below, we are not getting any hits on it.

static (dmz,outside) 202.x.x.x 192.x.x.x netmask 255.255.255.255

access-list dmzin extended permit ip 202.x.x.x 192.x.x.x netmask

access-group dmzin in interface dmz

Everything is working fine when I use the access-list out as follows:

static (dmz,outside) 202.x.x.x 192.x.x.x netmask 255.255.255.255

access-list out extended permit ip 202.x.x.x 192.x.x.x netmask

access-group out in interface outside.

Can you explain why this is happening?

svaish Mon, 03/05/2012 - 00:25

static (dmz,outside) 202.x.x.x 192.x.x.x netmask 255.255.255.255

access-list out extended permit ip 202.x.x.x 192.x.x.x netmask

access-group out in interface outside.

These are the correct commands that you are using and hence everything is working fine.

To allow access from outside you need to apply access-list on the outside interface and not on the DMZ interface.
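
Why the dmzin ACL showed no hits, as an added illustration (a toy Python model, not Cisco code and not part of any post): a new connection is checked only against the ACL bound "in" on the interface where it arrives, and replies to an established flow skip ACL evaluation. The addresses, the security levels 0 and 50, and the names Acl, Firewall and inbound_test are constructed for this example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

PUBLIC, REAL, CLIENT = "203.0.113.10", "192.168.25.10", "198.51.100.7"  # constructed

@dataclass
class Acl:
    rules: list      # (src_net, dst_net) permit entries; anything else is denied
    hits: int = 0

    def permits(self, src, dst):
        for s, d in self.rules:
            if ip_address(src) in ip_network(s) and ip_address(dst) in ip_network(d):
                self.hits += 1
                return True
        return False

@dataclass
class Firewall:
    level: dict                                   # interface -> security level
    static: dict                                  # real -> mapped address
    acl_in: dict = field(default_factory=dict)    # interface -> Acl bound "in"
    conns: set = field(default_factory=set)       # established flows

    def packet(self, ingress, egress, src, dst):
        mapped_src = self.static.get(src, src)
        if (dst, mapped_src) in self.conns:       # reply to a known flow:
            return "permit (established)"         # stateful, no ACL lookup
        acl = self.acl_in.get(ingress)            # only the ingress ACL is checked
        if acl is not None:
            ok = acl.permits(src, dst)
        else:                                     # no ACL: higher -> lower only
            ok = self.level[ingress] > self.level[egress]
        if ok:
            self.conns.add((mapped_src, dst))
        return "permit" if ok else "deny"

def inbound_test(bind_to):
    """Bind one ACL 'in' on `bind_to`, send an outside SYN, then the server reply."""
    acl = Acl(rules=[("0.0.0.0/0", PUBLIC + "/32")])
    fw = Firewall(level={"outside": 0, "dmz": 50}, static={REAL: PUBLIC},
                  acl_in={bind_to: acl})
    syn = fw.packet("outside", "dmz", CLIENT, PUBLIC)
    reply = fw.packet("dmz", "outside", REAL, CLIENT) if syn == "permit" else None
    return syn, reply, acl.hits

if __name__ == "__main__":
    print("ACL on dmz:    ", inbound_test("dmz"))
    print("ACL on outside:", inbound_test("outside"))
```
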


prashantrecon Mon, 03/05/2012 - 01:47

So for any server exposed on the DMZ which needs to be accessed from outside, the access-list has to be applied on the outside interface.

As they have connected a cable from the L3 switch to the 2950 switch to bring all servers into the DMZ zone, is it recommended?

What are the drawbacks if I continue that connectivity? Please let me know.

svaish Mon, 03/05/2012 - 02:10

Yes it is recommended.

There is no drawback to it since you are allowing access on the outside interface to the public ip address.

The traffic is still going through a stateful firewall and any malicious activity on the packet should be detected.

Also, if you do not allow the access on the outside interface for the public IP address, the firewall will drop the initial SYN packet itself.

Read this:


Most organizations need to allow untrusted hosts access to resources in their trusted network. A common example is an internal web server. By default, the PIX denies connections from outside hosts to inside hosts. In order to allow this connection in NAT control mode, use the static command, with access-list and access-group commands. If NAT control is disabled, only the access-list and access-group commands are required, if no translation is performed.

Apply ACLs to interfaces with an access-group command. This command associates the ACL with the interface to examine traffic that flows in a particular direction.

In contrast to the nat and global commands which allow inside hosts out, the static command creates a two-way translation that allows inside hosts out and outside hosts in if you add the proper ACLs/groups.

In the PAT configuration examples shown in this document, if an outside host tries to connect to the global address, it can be used by thousands of inside hosts. The static command creates a one-to-one mapping. The access-list command defines what type of connection is allowed to an inside host and is always required when a lower security host connects to a higher security host. The access-list command is based on both port and protocol and can be very permissive or very restrictive, based on what the system administrator wants to achieve.

The network diagram in this document illustrates the use of these commands in order to configure the PIX to allow any untrusted hosts to connect to the inside web server, and allow untrusted host access to an FTP service on the same machine.

Use ACLs on PIX Versions 7.0 and Later

Complete these steps for PIX software versions 7.0 and later with the use of ACLs.

    If NAT control is enabled, define a static address translation for the inside web server to an outside/global address.

        static (inside, outside)

    Define which hosts can connect on which ports to your web/FTP server.

        access-list 101 permit tcp any host eq www

        access-list 101 permit tcp host host eq ftp     

    Apply the ACL to the outside interface.

        access-group 101 in interface outside     



prashantrecon Mon, 03/05/2012 - 23:11

Hi svaish,

My concern here is regarding the cable connectivity.

shijomon scaria Mon, 03/05/2012 - 23:19

If you can, post a diagram also; that would make it easier to understand the scenario.



svaish Mon, 03/05/2012 - 23:20

AFAIK, cable connectivity should be OK as long as you configure your default gateway and the routing properly.



