02-18-2007 02:26 PM - edited 03-11-2019 02:35 AM
It seems to me that an ACL wipes out the need for the security levels. Take a configuration of outside,dmz,inside interfaces. In the dmz there is a mail server that needs to talk smtp to all servers on the internet. So you create an acl allowing it to do so and apply it inbound to the dmz interface. Now, say you create a static for an inside server into the dmz interface because you want the dmz server to be able to ftp to the inside server. Doesn't the acl you applied to the dmz interface allow you to try and hit the ftp inside server on port 25? Is it normal to have to follow these "allow to any" ACEs with denys to all internal servers that have translations into the dmz?
02-18-2007 11:02 PM
Hi
By default on the pix traffic will flow from a higher security interface to a lower without an ACL (note the FWSM on a 6500 behaves differently). So you shouldn't need an access-list to allow your mail server to talk to the Internet just a static translation presenting it to the outside.
However if you then need to have the mail server ftp to a server inside then you do need an acl.
As soon as you apply that acl then you need a permit statement in there for your mail server to get to the Internet. And as you can't list all of the possible mail servers then you need a permit mail-server to any.
So yes you would need to deny the mail server to the rest of your internal network. Hopefully your internal network is easily summarised?
so
permit tcp host mail-server host Internal-ftp-server eq 21
deny ip host mail-server internal-net subnet-mask
permit ip any any
From a security point of view you probably wouldn't want to allow your mail-server to ftp into your internal network though. Generally speaking, if you can, no connections should be initiated from the DMZ to the inside, but this is easier said than done :-)
Jon
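The first-match behaviour Jon describes, as an added example that is not part of the thread and not Cisco's own code: a small Python evaluator for a subset of PIX ACE syntax, run against the original poster's "allow to any" list and against Jon's ordered list. The addresses (192.0.2.25 for the DMZ mail server, 10.0.0.21 for the inside FTP server reachable through the static, 10.0.0.0/8 as the internal network, 198.51.100.10 as an Internet host) are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed placeholder addresses, not values from the original thread.
MAIL_SERVER = "192.0.2.25"      # DMZ mail server
INTERNAL_FTP = "10.0.0.21"      # inside FTP server, as presented to the DMZ by a static
INTERNAL_NET = "10.0.0.0 255.0.0.0"
INTERNET_HOST = "198.51.100.10"


@dataclass
class Ace:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" matches any protocol, else "tcp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]             # None means any destination port


def parse_ace(line: str) -> Ace:
    """Parse: permit|deny ip|tcp <src> <dst> [eq <port>]
    where <src>/<dst> is 'any', 'host A.B.C.D', or 'A.B.C.D M.M.M.M' (address + mask)."""
    tok = line.split()
    action, proto = tok[0], tok[1]
    i = 2

    def addr() -> ipaddress.IPv4Network:
        nonlocal i
        if tok[i] == "any":
            i += 1
            return ipaddress.ip_network("0.0.0.0/0")
        if tok[i] == "host":
            net = ipaddress.ip_network(tok[i + 1] + "/32")
            i += 2
            return net
        net = ipaddress.ip_network((tok[i], tok[i + 1]), strict=False)
        i += 2
        return net

    src, dst = addr(), addr()
    dport = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
    return Ace(action, proto, src, dst, dport)


def evaluate(acl, proto: str, src: str, dst: str, dport: int) -> str:
    """First matching ACE decides; a list with no match ends in an implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acl:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"


# The original poster's single ACE: mail server may talk SMTP to anything.
NAIVE_ACL = [parse_ace(f"permit tcp host {MAIL_SERVER} any eq 25")]

# Jon's ordering: specific permit, then deny to the internal range, then the broad permit.
FIXED_ACL = [parse_ace(l) for l in (
    f"permit tcp host {MAIL_SERVER} host {INTERNAL_FTP} eq 21",
    f"deny ip host {MAIL_SERVER} {INTERNAL_NET}",
    "permit ip any any",
)]

# Same three lines with the deny moved above the FTP permit: order changes the result.
MISORDERED_ACL = [FIXED_ACL[1], FIXED_ACL[0], FIXED_ACL[2]]


def smtp_to_internet(acl):
    return evaluate(acl, "tcp", MAIL_SERVER, INTERNET_HOST, 25)


def smtp_to_inside_ftp(acl):
    """The leak the original poster asks about: port 25 towards the inside FTP static."""
    return evaluate(acl, "tcp", MAIL_SERVER, INTERNAL_FTP, 25)


def ftp_to_inside(acl):
    return evaluate(acl, "tcp", MAIL_SERVER, INTERNAL_FTP, 21)


if __name__ == "__main__":
    for name, acl in (("naive", NAIVE_ACL), ("fixed", FIXED_ACL), ("misordered", MISORDERED_ACL)):
        print(name, smtp_to_internet(acl), smtp_to_inside_ftp(acl), ftp_to_inside(acl))
```

With the naive list, SMTP to the inside FTP static is permitted, which is exactly the gap the question raises; with Jon's ordering it is denied while SMTP to the Internet and FTP to the inside server remain permitted. Moving the deny above the specific FTP permit blocks the FTP flow too, which is why the specific permit has to come first.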
02-19-2007 03:38 AM
tmarlow,
That is because Pix is a stupid firewall. It is nothing but a NAT device. Think about it, are there any security devices that you know of that will tolerate this type of behavior, that a high security level interface, by default, can implicitly communicate with a low security level interface, unless explicitly denied?
It's plainly stupid. Let's say you have a server on the inside that is infected with viruses and trojan software. As soon as you put in the pix and set up NAT or PAT or, worse yet, nothing, then that box can attack other hosts on your own networks. How insane can that be?
Checkpoint or Juniper firewalls do not tolerate this type of behavior. They are, by nature, implicitly denied, unless explicitly allowed.
my 2c