03-04-2012 11:54 PM - edited 03-11-2019 03:38 PM
Hi
On the firewall we have a zone created for the DMZ; its IP is 192.x.x.x and it is connected to a 2950 switch (the DMZ switch) on VLAN 25.
We have an L3 switch on which we have created VLAN 25, and we connected a cable from the L3 switch to the 2950 switch on VLAN 25.
As we have the servers on the L3 switch and wanted to bring them into the DMZ zone, we connected a cable.
The access-list is as below:
static (dmz,outside) 202.x.x.x 192.x.x.x netmask 255.255.255.255
access-list out extended permit ip any host 202.x.x.x
access-group out in interface outside
Now the problem is that when I connect a PC on the 2950 switch (directly on the DMZ switch) with the access-list below, we are not getting any hits on it.
static (dmz,outside) 202.x.x.x 192.x.x.x netmask 255.255.255.255
access-list dmzin extended permit ip 202.x.x.x 192.x.x.x netmask 255.255.255.255
access-group dmzin in interface dmz
Everything is working fine when I use the access-list out as follows:
static (dmz,outside) 202.x.x.x 192.x.x.x netmask 255.255.255.255
access-list out extended permit ip 202.x.x.x 192.x.x.x netmask 255.255.255.255
access-group out in interface outside
Can you explain why this is happening?
03-05-2012 12:25 AM
static (dmz,outside) 202.x.x.x 192.x.x.x netmask 255.255.255.255
access-list out extended permit ip 202.x.x.x 192.x.x.x netmask 255.255.255.255
access-group out in interface outside
These are the correct commands that you are using, and hence everything is working fine.
To allow access from outside, you need to apply the access-list on the outside interface and not on the DMZ interface.
Sachin
03-05-2012 01:47 AM
So for any server exposed on the DMZ which needs to be accessed from outside, the access-list has to be applied on the outside interface.
As they have connected a cable from the L3 switch to the 2950 switch to bring all servers into the DMZ zone, is that recommended?
What are the drawbacks if I continue with that connectivity? Please let me know.
03-05-2012 02:10 AM
Yes, it is recommended.
There is no drawback to it, since you are allowing access on the outside interface to the public IP address.
The traffic still goes through a stateful firewall, and any malicious activity in the packet should be detected.
Also, if you do not allow the access on the outside interface for the public IP address, the firewall will drop the initial SYN packet itself.
Read this:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00804708b4.shtml#t7
Most organizations need to allow untrusted hosts access to resources in their trusted network. A common example is an internal web server. By default, the PIX denies connections from outside hosts to inside hosts. In order to allow this connection in NAT control mode, use the static command, with access-list and access-group commands. If NAT control is disabled, only the access-list and access-group commands are required, if no translation is performed.
Apply ACLs to interfaces with an access-group command. This command associates the ACL with the interface to examine traffic that flows in a particular direction.
In contrast to the nat and global commands which allow inside hosts out, the static command creates a two-way translation that allows inside hosts out and outside hosts in if you add the proper ACLs/groups.
In the PAT configuration examples shown in this document, if an outside host tries to connect to the global address, it can be used by thousands of inside hosts. The static command creates a one-to-one mapping. The access-list command defines what type of connection is allowed to an inside host and is always required when a lower security host connects to a higher security host. The access-list command is based on both port and protocol and can be very permissive or very restrictive, based on what the system administrator wants to achieve.
The network diagram in this document illustrates the use of these commands in order to configure the PIX to allow any untrusted hosts to connect to the inside web server, and allow untrusted host 192.168.1.1 access to an FTP service on the same machine.
Use ACLs on PIX Versions 7.0 and Later
Complete these steps for PIX software versions 7.0 and later with the use of ACLs.
If NAT control is enabled, define a static address translation for the inside web server to an outside/global address.
static (inside,outside) 172.16.1.16 10.16.1.16
Define which hosts can connect on which ports to your web/FTP server.
access-list 101 permit tcp any host 172.16.1.16 eq www
access-list 101 permit tcp host 192.168.1.1 host 172.16.1.16 eq ftp
Apply the ACL to the outside interface.
access-group 101 in interface outside
Regards,
Sachin
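The point made in the two replies above (the inbound ACL must be bound to the low-security interface named in the static, otherwise the first SYN from outside is dropped) is easy to check mechanically. The following script is an added example, not part of the thread or of the Cisco note: a small lint for the pre-8.3 ASA/PIX syntax used on this page (static plus access-list plus access-group, with the ACL naming the global address). It parses a config fragment and reports every static whose mapped address has no permit in an ACL applied `in` on the mapped-side interface, and separately flags an ACL that names the mapped address but is bound to the real-side interface, which is exactly the dmzin mistake in the original question. The two sample configs and their RFC 5737 addresses are constructed for the example and are not the poster's real addresses.

```python
import ipaddress
import re
from typing import List, Tuple

# Constructed sample configs (placeholder addresses, not the thread's).
# Pre-8.3 syntax: the inbound ACL refers to the global (mapped) address.
BROKEN_CFG = """
static (dmz,outside) 203.0.113.10 192.0.2.10 netmask 255.255.255.255
access-list dmzin extended permit ip any host 203.0.113.10
access-group dmzin in interface dmz
"""

FIXED_CFG = """
static (dmz,outside) 203.0.113.10 192.0.2.10 netmask 255.255.255.255
access-list out extended permit tcp any host 203.0.113.10 eq www
access-list out extended permit tcp host 198.51.100.7 host 203.0.113.10 eq ftp
access-group out in interface outside
"""

STATIC_RE = re.compile(r"^static \((\S+),(\S+)\)\s+(\S+)\s+(\S+)")
ACE_RE = re.compile(r"^access-list (\S+) extended (permit|deny) (\S+)\s+(.+)$")
GROUP_RE = re.compile(r"^access-group (\S+) (in|out) interface (\S+)")

Addr = Tuple[str, str]  # (network, mask); ("any", "") means any address


def _take_addr(tokens: List[str], i: int) -> Tuple[Addr, int]:
    """Consume one ACE address spec: 'any', 'host A.B.C.D', or 'A.B.C.D M.M.M.M'."""
    if tokens[i] == "any":
        return ("any", ""), i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "255.255.255.255"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2


def _matches(addr: Addr, ip: str) -> bool:
    """True if the ACE address spec covers the given IP."""
    if addr[0] == "any":
        return True
    net = ipaddress.ip_network(f"{addr[0]}/{addr[1]}", strict=False)
    return ipaddress.ip_address(ip) in net


def parse(cfg: str):
    """Collect statics, ACEs per ACL name, and ACL bindings per (interface, direction)."""
    statics, aces, groups = [], {}, {}
    for line in cfg.strip().splitlines():
        line = line.strip()
        if m := STATIC_RE.match(line):
            real_if, mapped_if, mapped_ip, real_ip = m.groups()
            statics.append((real_if, mapped_if, mapped_ip, real_ip))
        elif m := ACE_RE.match(line):
            name, action, proto, rest = m.groups()
            tokens = rest.split()
            src, i = _take_addr(tokens, 0)
            dst, _ = _take_addr(tokens, i)  # trailing 'eq <port>' etc. is ignored here
            aces.setdefault(name, []).append((action, proto, src, dst))
        elif m := GROUP_RE.match(line):
            name, direction, iface = m.groups()
            groups.setdefault((iface, direction), []).append(name)
    return statics, aces, groups


def check_statics(cfg: str) -> List[str]:
    """One finding per static whose mapped address is not admitted on the mapped-side
    interface, plus one per ACL that names that address but is bound to the real side."""
    statics, aces, groups = parse(cfg)
    findings = []
    for real_if, mapped_if, mapped_ip, real_ip in statics:
        inbound = [ace for name in groups.get((mapped_if, "in"), [])
                   for ace in aces.get(name, [])]
        if not any(a == "permit" and _matches(dst, mapped_ip) for a, _, _, dst in inbound):
            findings.append(
                f"static {mapped_ip} -> {real_ip}: no permit for {mapped_ip} in an ACL "
                f"applied 'in' on interface {mapped_if}; the first SYN from {mapped_if} "
                f"is dropped")
        # The thread's mistake: the ACL is bound to the high-security side, where it only
        # filters traffic that the DMZ itself originates.
        misplaced = [name for name in groups.get((real_if, "in"), [])
                     if any(_matches(dst, mapped_ip) for _, _, _, dst in aces.get(name, []))]
        for name in misplaced:
            findings.append(
                f"access-list {name} permits {mapped_ip} but is applied 'in' on {real_if}, "
                f"not on {mapped_if}; it does not admit connections from {mapped_if}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CFG), ("fixed", FIXED_CFG)):
        print(f"{label}: {check_statics(cfg) or ['ok']}")
```

Running it reports two findings for the broken fragment (no inbound permit on outside, and dmzin bound to the wrong interface) and nothing for the fixed one. The checker deliberately ignores ports and protocol, because the question in the thread is only about which interface the ACL is bound to; a fuller lint would also confirm the port list matches what the server is meant to expose.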
03-05-2012 11:11 PM
Hi svaish,
My concern here is regarding the cable connectivity.
03-05-2012 11:19 PM
Hi,
If you can, post a diagram as well; that would make the scenario easier to understand.
Rgds,
Shijo.
03-05-2012 11:20 PM
AFAIK, the cable connectivity should be OK as long as you configure your default gateway and the routing properly.
Regards,
Sachin