access-list on dmz

prashantrecon · ‎03-04-2012

Hi

On firewall we have zone created for dmz and ip is 192.x.x.x and it is connected to 2950 switch(DMZ switch) with vlan 25

We have L3 switch on this we have created vlan 25 and connected cable from L3 with 2950 switch with vlan 25

As we have the servers on L3 and wanted to bring on dmz zone we have connected a cable.

access -list isa as belows

static (dmz,outside) 202.x.x.x 192.x.x.x netmask 255.255.255.255

access-list out extended permit ip any host 202.x.x.x

access-group out in interface outside.

Now the problem is when i connect a pc on 2950 switch (directly on dmz switch) with access-list below we are not geeting any hist on it.

static (dmz,outside) 202.x.x.x 192.x.x.x netmask255.255.255.255

access-list dmzin extended permit ip 202.x.x.x 192.x.x.x netmask 255.255.255.255

acess-group dmzin in inetrface dmz

Everything is working fine when i use the access-list out as follows

static (dmz,outside) 202.x.x.x 192.x.x.x netmask255.255.255.255

access-list out extended permit ip 202.x.x.x 192.x.x.x netmask 255.255.255.255

access-group out in interface outside.

can u explain why this is happening ?

svaish · ‎03-05-2012

static (dmz,outside) 202.x.x.x 192.x.x.x netmask255.255.255.255

access-list out extended permit ip 202.x.x.x 192.x.x.x netmask 255.255.255.255

access-group out in interface outside.

These are the correct commands that you are using and hence everything is working fine.

To allow access from outside you need to apply access-list on the outside interface and not on the DMZ interface.

Sachin

prashantrecon · ‎03-05-2012

So any server exposed on dmz which is need to accesss from outside in that case access-list has to be applied on outside interface

As they have connected cable from l3 to 2950 switch to bring all servers in dmz zone is it recomended?

what are the drawbacks if i continute that connectivity please let me know

svaish · ‎03-05-2012

Yes it is recommended.

There is no drawback to it since you are allowing access on the outside interface to the public ip address.

The traffic is still going through a stateful firewall and any malicious activity on the packet should be detected.

Also if you do not allow the access on the outside inteface for the public ip address the firewall will drop the initial sYN packet itself.

read this

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00804708b4.shtml#t7

Most organizations need to allow untrusted hosts access to resources in their trusted network. A common example is an internal web server. By default, the PIX denies connections from outside hosts to inside hosts. In order to allow this connection in NAT control mode, use the static command, with access-list and access-group commands. If NAT control is disabled, only the access-list and access-group commands are required, if no translation is performed.

Apply ACLs to interfaces with an access-group command. This command associates the ACL with the interface to examine traffic that flows in a particular direction.

In contrast to the nat and global commands which allow inside hosts out, the static command creates a two-way translation that allows inside hosts out and outside hosts in if you add the proper ACLs/groups.

In the PAT configuration examples shown in this document, if an outside host tries to connect to the global address, it can be used by thousands of inside hosts. The static command creates a one-to-one mapping. The access-list command defines what type of connection is allowed to an inside host and is always required when a lower security host connects to a higher security host. The access-list command is based on both port and protocol and can be very permissive or very restrictive, based on what the system administrator wants to achieve.

The network diagram in this document illustrates the use of these commands in order to configure the PIX to allow any untrusted hosts to connect to the inside web server, and allow untrusted host 192.168.1.1 access to an FTP service on the same machine.

Use ACLs on PIX Versions 7.0 and Later

Complete these steps for PIX software versions 7.0 and later with the use of ACLs.

If NAT control is enabled, define a static address translation for the inside web server to an outside/global address.

static (inside, outside) 172.16.1.16 10.16.1.16

Define which hosts can connect on which ports to your web/FTP server.

access-list 101 permit tcp any host 172.16.1.16 eq www

access-list 101 permit tcp host 192.168.1.1 host 172.16.1.16 eq ftp

Apply the ACL to the outside interface.

access-group 101 in interface outside

Regards,

Sachin

prashantrecon · ‎03-05-2012

Hi svaish,

My concern here is regarding the cable connectivity.

shijomon scaria · ‎03-05-2012

Hi,

If you can, post a diagram also, that would be esier to understand the scenario.

Rgds,

Shijo.

svaish · ‎03-05-2012

AFAIK, cable connectivity should be ok as long as you configure your default dateway and the routing properly.

Regards,

Sachin