dmz to outside access issues

jspringfield
Level 1

Hello,

I am having a problem where I want to open up access to servers in my DMZ to get outside while not giving the servers access to the inside (except in restricted situations).

For example, say I wanted to give full access to a server in the DMZ to reach the outside. I might make the following rules...

static (dmz,outside) x.x.x.x y.y.y.y netmask 255.255.255.255

access-list dmz permit ip any any

access-group dmz in interface dmz

The problem with this is that the "permit any any" will also grant access to the inside of my network as well. Is there a way to make this work? I've been searching for a while and feel I've got a good grasp on how this all fits together, but have been unable to find the answer yet.

An example as to why I might want to do this is to have my servers in the DMZ get automatic windows updates. In that case they would need to be able to make connections to Microsoft on their own.

The PIX is version 6.3(3).

Thank You,

Jeff

Accepted Solution

acomiskey
Level 10

You have to write the acl in the proper order. Allow what you want to allow to inside, deny everything else inside, then allow everything else. Make sense?

access-list dmz permit tcp any host <inside-server> eq ???

access-list dmz deny ip any <inside-network> <inside-netmask>

access-list dmz permit ip any any

access-group dmz in interface dmz
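As an added illustration (not code from the thread or from Cisco), a small first-match evaluator that replays the original "permit ip any any" ACL and the corrected ordering against a constructed inside network; the inside addresses, the permitted server and the port are assumptions, and the lint function flags entries an earlier broader entry would shadow.

```python
from ipaddress import ip_address, ip_network

# Constructed sample topology (assumed, not from the thread): an RFC 1918 inside
# network and one inside server the DMZ may reach on TCP/443.
INSIDE_NET = "10.10.0.0/16"
INSIDE_SERVER = "10.10.0.25/32"


def entry(action, proto, dst, port=None):
    """One ACL entry: (action, protocol, destination network, destination port).
    proto "ip" means any protocol; port None means any port."""
    return (action, proto, ip_network(dst), port)


# The original poster's ACL: a single permit that also reaches the inside.
ACL_ORIGINAL = [entry("permit", "ip", "0.0.0.0/0")]

# The accepted answer's ordering: permit the one inside service, deny the rest
# of the inside network, then permit everything else (the outside world).
ACL_CORRECT = [
    entry("permit", "tcp", INSIDE_SERVER, 443),
    entry("deny", "ip", INSIDE_NET),
    entry("permit", "ip", "0.0.0.0/0"),
]


def evaluate(acl, proto, dst_ip, dst_port=None):
    """First-match evaluation as the PIX applies an inbound ACL on the DMZ
    interface: the first entry whose protocol, destination and port all match
    decides, and an unmatched packet hits the implicit deny at the end."""
    dst = ip_address(dst_ip)
    for action, aproto, anet, aport in acl:
        if aproto != "ip" and aproto != proto:
            continue
        if dst not in anet:
            continue
        if aport is not None and aport != dst_port:
            continue
        return action
    return "deny"


def shadowed_entries(acl):
    """Indices of entries that can never match because an earlier entry is at
    least as broad in protocol, destination and port. Putting "permit ip any
    any" first is exactly the ordering mistake this catches."""
    shadowed = []
    for i, (_, proto, net, port) in enumerate(acl):
        for _, eproto, enet, eport in acl[:i]:
            if eproto in ("ip", proto) and net.subnet_of(enet) and eport in (None, port):
                shadowed.append(i)
                break
    return shadowed
```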

7 Replies

Thanks,

You are right. Funny thing was I just sat back a sec and then drew a picture of what I wanted to do and came up with that answer as well. Thanks for the reply acomiskey.

Or, if you wanted to leave the ip any any you could create an acl "out interface inside" with the same process, but I like it better the other way. Now that you've got the concept down, you're good to go. Please rate if it helped.

I was wondering if you could apply access-lists in the outbound direction on PIXs. I think your first answer works better because it blocks traffic at the source.

Yes, it is absolutely better, just thought it might help explain the concept a little more.

Hi

The access-list on the DMZ as Adam suggested is the way to go.

For reference, PIX v6.x does not support outbound access-lists but PIX v7.0 does.

Jon

^ Oops, thanks Jon.
