03-16-2007 11:43 AM - edited 03-11-2019 02:47 AM
Hello,
I am having a problem where I want to open up access to servers in my DMZ to get outside while not giving the servers access to the inside (except in restricted situations).
For example, say I wanted to give full access to a server in the DMZ to reach the outside. I might make the following rule...
static (dmz,outside) x.x.x.x y.y.y.y netmask 255.255.255.255
access-list dmz permit ip any any
access-group dmz in interface dmz
The problem with this is that the "permit any any" will also grant access to the inside of my network as well. Is there a way to make this work? I've been searching for a while and feel I've got a good grasp on how this all fits together, but have been unable to find the answer yet.
An example as to why I might want to do this is to have my servers in the DMZ get automatic windows updates. In that case they would need to be able to make connections to Microsoft on their own.
The PIX is Ver6.3(3)
Thank You,
Jeff
03-16-2007 11:47 AM
You have to write the acl in the proper order. Allow what you want to allow to inside, deny everything else inside, then allow everything else. Make sense?
access-list dmz remark 1. permit only the DMZ-to-inside flows you actually need
access-list dmz permit tcp any host <inside-host> eq <port>
access-list dmz remark 2. deny everything else destined to the inside network
access-list dmz deny ip any <inside-net> <inside-mask>
access-list dmz remark 3. allow everything else (i.e. the outside)
access-list dmz permit ip any any
access-group dmz in interface dmz
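The ordering argument in the answer above is easy to get wrong, so here is an added example (not PIX code and not from the original thread) that models how a PIX 6.3 interface access-list is matched: top-down, first matching entry wins, implicit deny at the end. It evaluates the poster's original "permit ip any any" list, the three-entry list from the answer, and the same three entries in the wrong order, and it includes a small shadow check that reports entries an earlier entry makes unreachable. The topology (inside 10.1.0.0/16, DMZ 192.168.100.0/24, one permitted inside service on 10.1.1.10 tcp/443, 203.0.113.10 as an outside host) is constructed for the example and is not from the post.

```python
"""First-match model of PIX 6.3 interface ACLs (added example, not PIX code).
Shows why 'specific permit, deny inside, permit any' is the only order that
works. All addresses are constructed examples, not from the original thread."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Ace:
    """One access-list entry: action, protocol, source, destination, dest port."""
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches any protocol; else "tcp"/"udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None  # None means any destination port


def ace(action: str, proto: str, src: str, dst: str,
        dport: Optional[int] = None) -> Ace:
    """Build an entry from prefix strings; 'any' is shorthand for 0.0.0.0/0."""
    def to_net(s: str) -> ipaddress.IPv4Network:
        return ipaddress.ip_network("0.0.0.0/0" if s == "any" else s, strict=False)
    return Ace(action, proto, to_net(src), to_net(dst), dport)


def matches(e: Ace, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
    """Does one packet (proto, src, dst, dport) match this entry?"""
    if e.proto != "ip" and e.proto != proto:
        return False
    if ipaddress.ip_address(src) not in e.src or ipaddress.ip_address(dst) not in e.dst:
        return False
    return e.dport is None or e.dport == dport


def evaluate(acl: List[Ace], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """Return (action, index) of the first matching entry, or ("deny", None)
    for the implicit deny that follows every PIX access-list."""
    for i, e in enumerate(acl):
        if matches(e, proto, src, dst, dport):
            return e.action, i
    return "deny", None


def covers(outer: Ace, inner: Ace) -> bool:
    """True if every packet matching `inner` would already match `outer`."""
    return ((outer.proto == "ip" or outer.proto == inner.proto)
            and inner.src.subnet_of(outer.src)
            and inner.dst.subnet_of(outer.dst)
            and (outer.dport is None or outer.dport == inner.dport))


def shadowed_entries(acl: List[Ace]) -> List[int]:
    """Indices of entries that can never match because an earlier entry covers
    them. A non-empty result means the ACL does not do what it reads."""
    return [i for i, e in enumerate(acl) if any(covers(acl[j], e) for j in range(i))]


# Constructed topology (assumed, not from the post): inside is 10.1.0.0/16,
# the DMZ host is 192.168.100.5, the only inside service the DMZ may reach is
# tcp/443 on 10.1.1.10, and 203.0.113.10 stands in for an outside host.
INSIDE_NET, INSIDE_HOST = "10.1.0.0/16", "10.1.1.10"
DMZ_HOST, OUTSIDE_HOST = "192.168.100.5", "203.0.113.10"

# The poster's original list: permit ip any any, which also reaches inside.
ORIGINAL = [ace("permit", "ip", "any", "any")]

# The answer's order: specific permit, deny the rest of inside, permit all.
CORRECTED = [
    ace("permit", "tcp", "any", INSIDE_HOST + "/32", 443),
    ace("deny", "ip", "any", INSIDE_NET),
    ace("permit", "ip", "any", "any"),
]

# The same three entries with the broad permit first: the other two are dead.
WRONG_ORDER = [CORRECTED[2], CORRECTED[1], CORRECTED[0]]


def demo() -> None:
    flows = ((INSIDE_HOST, 443), (INSIDE_HOST, 445), ("10.1.2.20", 80), (OUTSIDE_HOST, 443))
    for name, acl in (("original", ORIGINAL), ("corrected", CORRECTED), ("wrong order", WRONG_ORDER)):
        print(f"{name}: shadowed entries {shadowed_entries(acl)}")
        for dst, port in flows:
            print(f"  tcp {DMZ_HOST} -> {dst}:{port}: {evaluate(acl, 'tcp', DMZ_HOST, dst, port)}")


if __name__ == "__main__":
    demo()
```

Running `demo()` shows the three lists side by side: the original permits every flow, including DMZ to inside; the corrected list permits only the one inside service and everything outside; and the wrong order reports entries 1 and 2 as shadowed, which is exactly the failure the answer's "proper order" avoids.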
03-16-2007 11:52 AM
Thanks,
You are right. Funny thing was I just sat back a sec and then drew a picture of what I wanted to do and came up with that answer as well. Thanks for the reply acomiskey.
03-16-2007 11:54 AM
Or, if you wanted to leave the ip any any you could create an acl "out interface inside" with the same process, but I like it better the other way. Now that you've got the concept down, you're good to go. Please rate if it helped.
03-16-2007 11:58 AM
I was wondering if you could apply access-lists in the outbound direction on PIXs. I think your first answer works better because it blocks traffic at the source.
03-16-2007 11:59 AM
Yes, it is absolutely better, just thought it might help explain the concept a little more.
03-16-2007 12:02 PM
Hi
The access-list on the DMZ as Adam suggested is the way to go.
For reference Pix v6.x does not support outbound access-lists but pix v7.0 does.
Jon
03-16-2007 12:04 PM
^ oops, thanks jon