New Member

515e - ACL help

I thought I had this figured out but now I don't.

Need inside and dmz if's to have access to www.

Need dmz systems to access specific systems on inside via specific ports.

Need inside systems to talk to dmz systems on specific ports.

I have attached my current running config. What am I doing wrong? Thanks in advance for any help.

Shane

9 REPLIES
Green

Re: 515e - ACL help

None of that is working?

I would be more specific with this acl and deny ip to inside subnet, change

access-list ACLDMZ_IN deny ip any 10.10.0.0 255.255.0.0

to

access-list ACLDMZ_IN deny ip any 10.10.30.0 255.255.255.0

For inside to talk to dmz you have nothing permitted in your ACL_IN acl except www. Is there a specific reason you are using an ACL_IN, are you restricting inside users from certain things? I assume you have an outside router doing nat?

New Member

Re: 515e - ACL help

Stepped out for a bite, sorry... OK, this firewall is for our data center and is for production only. No users are actually attached. What I am trying to make happen is this: Our webserver on the dmz needs to be available for clients from the outside. It needs to communicate with our app and db servers on the inside. All of them need www access for updates and ntp related items etc. I will make the changes you suggested and try back. Thanks!

New Member

Re: 515e - ACL help

Also, does this have anything to do with a NAT/Global issue? My self-taught understanding was:

Higher to lower security - use nat/global

Lower to higher security - must use static routes and acl's.

So, for inside to dmz traffic, do I need a nat/global command, or maybe a nat 0 ?

Green

Re: 515e - ACL help

The easiest way to get traffic from inside to dmz is

static (inside,dmz) <global_ip> <local_ip> netmask <mask>

in your case

static (inside,dmz) 10.10.30.1 10.10.30.1 netmask 255.255.255.0

Green

Re: 515e - ACL help

It sounds like you don't really need your inside acl then. If you need to restrict traffic from inside to dmz then fine, but if not, what is its purpose, to restrict traffic to outside? If you write it for that purpose you will just have to make sure you allow everything: www, https, dns, ntp etc.

New Member

Re: 515e - ACL help

It worked! I ended up just changing the ace you suggested on the ACLDMZ_IN acl. Both inside and dmz systems can access www as well as each other respectively (per the acl's). Again, much appreciated. 5's across the board!

Question: Is the PIX flexible enough to allow acl's and static routes to be used on any interface inbound or outbound regardless of security level?

Here is what my (working) acl's look like now:

Result of firewall command: "show access-list"

access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 1024)

alert-interval 300

access-list acl_out; 4 elements

access-list acl_out line 1 permit tcp any host 10.10.70.65 eq www (hitcnt=0)

access-list acl_out line 2 permit tcp any host 10.10.70.65 eq https (hitcnt=0)

access-list acl_out line 3 permit tcp any host 10.10.70.65 eq ftp (hitcnt=0)

access-list acl_out line 4 permit tcp any host 10.10.70.64 eq www (hitcnt=0)

access-list ACLDMZ_IN; 6 elements

access-list ACLDMZ_IN line 1 permit tcp any host 10.10.20.200 eq 8080 (hitcnt=25)

access-list ACLDMZ_IN line 2 permit tcp any host 10.10.20.190 eq 8080 (hitcnt=12)

access-list ACLDMZ_IN line 3 permit udp any host 10.10.70.234 eq domain (hitcnt=26)

access-list ACLDMZ_IN line 4 permit tcp any any eq www (hitcnt=269)

access-list ACLDMZ_IN line 5 deny ip any 10.10.30.0 255.255.255.0 (hitcnt=0)

access-list ACLDMZ_IN line 6 deny ip any any (hitcnt=0)
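The PIX walks a list like ACLDMZ_IN top-down and the first matching ACE wins, which is why the order of the www permit and the deny to the inside subnet matters. As an added example (not from the thread or from Cisco), here is a small Python model of that evaluation run over the list above; it assumes PIX 6.x semantics (real subnet masks rather than IOS wildcards, port keywords mapped to numbers) and the ACL text is a constructed copy of the posted output with the hitcnt fields dropped.

```python
import ipaddress

# Constructed copy of the working ACLDMZ_IN list posted in the thread (hitcnt fields dropped).
ACLDMZ_IN = """
access-list ACLDMZ_IN permit tcp any host 10.10.20.200 eq 8080
access-list ACLDMZ_IN permit tcp any host 10.10.20.190 eq 8080
access-list ACLDMZ_IN permit udp any host 10.10.70.234 eq domain
access-list ACLDMZ_IN permit tcp any any eq www
access-list ACLDMZ_IN deny ip any 10.10.30.0 255.255.255.0
access-list ACLDMZ_IN deny ip any any
"""

# PIX port keywords that appear in the thread, mapped to port numbers.
PORT_NAMES = {"www": 80, "https": 443, "ftp": 21, "domain": 53}

def parse_addr(tokens):
    """Consume one PIX address spec ('any', 'host A.B.C.D' or 'NET MASK'); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # PIX takes a real mask, not a wildcard: 10.10.30.0 255.255.0.0 means all of 10.10.0.0/16.
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse_acl(text):
    """Turn 'access-list NAME action proto src dst [eq port]' lines into ACE tuples."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        action, proto, rest = t[2], t[3], t[4:]
        src, rest = parse_addr(rest)
        dst, rest = parse_addr(rest)
        port = None
        if rest[:1] == ["eq"]:
            port = PORT_NAMES.get(rest[1]) or int(rest[1])
        aces.append((action, proto, src, dst, port))
    return aces

def evaluate(aces, proto, src_ip, dst_ip, dst_port):
    """First-match lookup as the PIX does it: (ACE line number, action); implicit deny if none."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for n, (action, aproto, src, dst, port) in enumerate(aces, 1):
        if aproto in ("ip", proto) and s in src and d in dst and port in (None, dst_port):
            return n, action
    return None, "deny"
```

Running a DMZ-to-inside flow on port 80 through this shows it hitting line 4 (permit tcp any any eq www) before ever reaching the line 5 deny to 10.10.30.0/24, so the inside subnet is still reachable from the DMZ on www. The mask point from the earlier reply is visible too: feeding parse_addr the original 10.10.30.0 255.255.0.0 yields 10.10.0.0/16.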

Green

Re: 515e - ACL help

Don't confuse a "static" and a "static route" as you've been calling it. This is a static route:

route outside 0.0.0.0 0.0.0.0 1.1.1.1

In pix 6 you cannot specify an acl out an interface, only in:

access-group acloutdmz out interface dmz

New Member

Re: 515e - ACL help

Got it - static routes and static nat... I was speaking of nat. So on our version 6.3 acl's are for inbound only. We have the software and ability to upgrade to pix 7.0... do you recommend?

Green

Re: 515e - ACL help

I'm a big proponent of "if it's not broke, don't fix it"!

Check out the release notes for 7. I wouldn't upgrade only to be able to write acl's "out" an interface. If you want to gear your firewall learning towards the new ASA and away from pix, then upgrading to 7 would help you out.
