Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
340
Views
1
Helpful
2
Replies

Another pix ACL ??

tmarlow
Level 1
Level 1

‎02-18-2007 02:26 PM - edited ‎03-11-2019 02:35 AM

It seems to me that an ACL wipes out the need for the security levels. Take a configuration of outside,dmz,inside interfaces. In the dmz there is a mail server that needs to talk smtp to all servers on the internet. So you create an acl allowing it to do so and apply it inbound to the dmz interface. Now, say you create a static for an inside server into the dmz interface because you want the dmz server to be able to ftp to the inside server. Doesn't the acl you applied to the dmz interface allow you to try and hit the ftp inside server on port 25? Is it normal to have to follow these "allow to any" ACEs with denys to all internal servers that have translations into the dmz?

Labels:
0 Helpful
2 Replies 2

Jon Marshall
Hall of Fame
Hall of Fame

‎02-18-2007 11:02 PM

Hi

By default on the pix traffic will flow from a higher security interface to a lower without an ACL (note the FWSM on a 6500 behaves differently). So you shouldn't need an access-list to allow your mail server to talk to the Internet just a static translation presenting it to the outside.

However if you then need to have the mail server ftp to a server inside then you do need an acl.

As soon as you apply that acl then you need a permit statement in there for your mail server to get to the Internet. And as you can't list all of the possible mail servers then you need a permit mail-server to any.

So yes you would need to deny the mail server to the rest of your internal network. Hopefully your internal network is easily summarised ?

so

permit tcp host mail-server host Internal-ftp-server eq 21

deny ip host mail-server internal-net subnet-mask

permit ip any any

From a security point of view you probably wouldn't want to allow your mail-server to ftp into your internal network though. Generally speaking if you can no connections should be intiated from the DMZ to the inside but this is easier said than done :-)

Jon

0 Helpful

daviddtran
Level 1
Level 1
In response to Jon Marshall

‎02-19-2007 03:38 AM

tmarlow,

That is because Pix is a stupid firewall. It

is nothing but a NAT device. Think about it,

are there any security devices that you know

of will tolerate this type of behavior, that

high security level interface, by default,

can implicitly communicate with low level

security interface, unless explicitly dennied.

It's plainly stupid. Let say you have

server on the inside that is infected with

viruses and trojans software. As soon as you

put in the pix and set up NAT or PAT or worse

yet, nothing, than that box can attack other

hosts on your own networks. How insane can

that be?

Checkpoint or Juniper firewalls do not

tolerate this type of behavior. They are

by nature, implicitly dennied, unless

explicitly allowed.

my 2c

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card