12-11-2008 10:47 AM - edited 03-11-2019 07:24 AM
I've got two internal networks, y and z. y is the most secure, and is allowed access to z. Both are allowed full access to the internet and some hosts across a vpn tunnel. I'm trying to add a rule to allow hosts on z to access a single host on y (port 9999).
Relevant config bits follow:
interface Ethernet0/0
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.248
!
interface Ethernet0/2
nameif y
security-level 100
ip address y.y.y.y 255.255.255.0
!
interface Ethernet0/2.1
vlan zzzz
nameif z
security-level 50
ip address z.z.z.z 255.255.255.0
!
access-list y_outbound_nat0 extended permit ip y.y.y.0 255.255.255.0 z.z.z.0 255.255.255.0
access-list z_outbound_nat0 extended permit ip z.z.z.0 255.255.255.0 y.y.y.0 255.255.255.0
access-list z_to_y extended permit tcp z.z.z.0 255.255.255.0 host y.y.y.11 eq 9999
access-group z_to_y in interface z
nat-control
global (outside) 1 interface
global (y) 3 interface
global (z) 4 interface
nat (y) 0 access-list y_outbound_nat0
nat (y) 1 y.y.y.0 255.255.255.0
nat (z) 0 access-list z_outbound_nat0
nat (z) 1 z.z.z.0 255.255.255.0
The config above partially works, in that it allows z to access the host on y, but it also denies access across the vpn and (I think) the internet. I assume this is because the access-list z_to_y has the implicit deny any any at the end. What is the right way to accomplish this?
I was considering the following, but wasn't sure if it was the right solution (or if it would work correctly):
access-list z_to_y extended permit tcp z.z.z.0 255.255.255.0 host y.y.y.11 eq 9999
access-list z_to_y extended permit ip y.y.y.0 255.255.255.0 any
access-group z_to_y in interface y
Also, I read a thread that advocated against using nat0 rules except for VPN, indicating to use static statements instead... Just wondering if anyone knows the rationale behind that, since I obviously am using nat0 rules to not NAT between internal networks.
12-11-2008 11:20 AM
Jason
access-list z_to_y extended permit tcp z.z.z.0 255.255.255.0 host y.y.y.11 eq 9999
access-list z_to_y extended permit ip y.y.y.0 255.255.255.0 any
access-group z_to_y in interface y
If you use this then any machines on dmz z can access any machines on y as long as there is a NAT translation for it.
So add in a deny from all the dmz machines on z to internal network y after the specific permit rule.
access-list z_to_y extended permit tcp z.z.z.0 255.255.255.0 host y.y.y.11 eq 9999
access-list z_to_y extended deny ip z.z.z.0 255.255.255.0 y.y.y.0 255.255.255.0
access-list z_to_y extended permit ip y.y.y.0 255.255.255.0 any
access-group z_to_y in interface
I have always used static statements myself for presenting the same addresses to another interface eg.
static (inside,dmz) y.y.y.0 y.y.y.0 netmask 255.255.255.0
Obviously you will need a dynamic NAT for going out to the Internet, unless of course all your IPs on the dmz and inside are Internet routable.
Jon
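To make Jon's point about ACE order concrete, here is an added example (Python, not from the thread or from Cisco) that models the ASA's first-match evaluation with the implicit deny at the end, and runs the original single-ACE list, the proposed two-ACE list and Jon's three-ACE version over the same sample flows. The addressing is constructed (y = 10.1.1.0/24 with the target host 10.1.1.11, z = 10.1.2.0/24, arbitrary internet and VPN hosts), and because the list is applied inbound on interface z, the final permit is written with the z network as its source.

```python
import ipaddress

# Constructed addressing in place of the thread's y.y.y.x / z.z.z.x placeholders:
# y (inside, level 100) = 10.1.1.0/24 with target host 10.1.1.11; z (dmz, level 50) = 10.1.2.0/24.
ORIGINAL = "access-list z_to_y extended permit tcp 10.1.2.0 255.255.255.0 host 10.1.1.11 eq 9999\n"
PROPOSED = ORIGINAL + "access-list z_to_y extended permit ip 10.1.2.0 255.255.255.0 any\n"
CORRECTED = (ORIGINAL
             + "access-list z_to_y extended deny ip 10.1.2.0 255.255.255.0 10.1.1.0 255.255.255.0\n"
             + "access-list z_to_y extended permit ip 10.1.2.0 255.255.255.0 any\n")

def _addr(tokens):
    """Consume one ASA address spec: 'any', 'host A', or 'A MASK'. Returns (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def parse_acl(text):
    """Parse 'access-list NAME extended ACTION PROTO SRC DST [eq PORT]' lines, keeping order."""
    aces = []
    for line in text.splitlines():
        t = line.split()
        action, proto = t[3], t[4]
        src, rest = _addr(t[5:])
        dst, rest = _addr(rest)
        port = int(rest[1]) if rest[:1] == ["eq"] else None
        aces.append((action, proto, src, dst, port))
    return aces

def evaluate(aces, proto, src, dst, dport):
    """ASA semantics: the first matching ACE wins; no match falls through to the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, snet, dnet, port in aces:
        if p in ("ip", proto) and s in snet and d in dnet and port in (None, dport):
            return action
    return "deny"  # implicit 'deny ip any any' at the end of every ASA access-list

FLOWS = {  # constructed flows, all arriving inbound on interface z
    "z -> y.y.y.11 tcp/9999": ("tcp", "10.1.2.20", "10.1.1.11", 9999),
    "z -> other y host tcp/22": ("tcp", "10.1.2.20", "10.1.1.50", 22),
    "z -> internet tcp/443": ("tcp", "10.1.2.20", "198.51.100.7", 443),
    "z -> vpn-tunnel host tcp/445": ("tcp", "10.1.2.20", "172.16.9.4", 445),
}

def decisions(acl_text):
    """Map each sample flow to permit/deny under the given access-list."""
    aces = parse_acl(acl_text)
    return {name: evaluate(aces, *flow) for name, flow in FLOWS.items()}
```

decisions(ORIGINAL) permits only the port 9999 flow and drops internet and VPN traffic to the implicit deny; decisions(PROPOSED) permits every flow, including the other y host, which is Jon's objection; decisions(CORRECTED) denies only the other y host.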
12-11-2008 11:47 AM
Jon,
Thanks, I went ahead and tried what you suggested and it is working fine now. It just seemed excessive to me to have to specify deny statements for each internal network and then add the allow any rule, but I guess that is just how it has to be. I don't make firewall changes very often, so it is always difficult for me to get back in the Cisco mindset.
Thanks,
--
Jason