New Member

dmz to outside access issues

Hello,

I am having a problem where I want to open up access for servers in my DMZ to get outside while not giving the servers access to the inside (except in restricted situations).

For example, say I wanted to give a server in the DMZ full access to reach the outside. I might make the following rules...

static (dmz,outside) x.x.x.x y.y.y.y netmask 255.255.255.255

access-list dmz permit ip any any

access-group dmz in interface dmz

The problem with this is that the "permit any any" will also grant access to the inside of my network as well. Is there a way to make this work? I've been searching for a while and feel I've got a good grasp on how this all fits together, but have been unable to find the answer yet.

An example as to why I might want to do this is to have my servers in the DMZ get automatic windows updates. In that case they would need to be able to make connections to Microsoft on their own.

The PIX is version 6.3(3).

Thank You,

Jeff

1 ACCEPTED SOLUTION
Green

Re: dmz to outside access issues

You have to write the ACL in the proper order: allow what you want to allow to the inside, deny everything else to the inside, then allow everything else. Make sense?

access-list dmz permit tcp any host <inside-server> eq ???

access-list dmz deny ip any <inside-network> <inside-mask>

access-list dmz permit ip any any

access-group dmz in interface dmz
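
As an added illustration of why the order above matters (this is example code, not part of the thread or a Cisco tool), the following Python models PIX first-match ACL evaluation for the subset of syntax used here and compares the poster's original "permit ip any any" ACL with the ordered ACL from the answer. All addresses (inside 10.1.0.0/16, server 10.1.1.10, DMZ host 192.168.50.5, outside host 203.0.113.10) and the port 443 are constructed assumptions.

```python
import ipaddress
# Constructed example, not from the thread: a minimal first-match evaluator for the
# PIX-style ACL lines above (subset: permit/deny, ip/tcp, any | host A | A MASK, eq PORT).

def parse_addr(tokens):
    """Consume one address spec and return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # PIX ACLs use ordinary netmasks (255.255.0.0), not IOS wildcard masks
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse_ace(line):
    """access-list NAME permit|deny PROTO SRC [eq P] DST [eq PORT]"""
    t = line.split()
    action, proto = t[2], t[3]
    src, rest = parse_addr(t[4:])
    if rest and rest[0] == "eq":  # source-port operator, not used in this thread
        rest = rest[2:]
    dst, rest = parse_addr(rest)
    dport = int(rest[1]) if rest and rest[0] == "eq" else None
    return action, proto, src, dst, dport

def evaluate(acl, src, dst, proto="tcp", dport=None):
    """First matching line wins; every PIX ACL ends with an implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for line in acl:
        action, p, snet, dnet, port = parse_ace(line)
        if p != "ip" and p != proto:
            continue
        if s in snet and d in dnet and (port is None or port == dport):
            return action
    return "deny"

# Assumed addressing: inside 10.1.0.0/16 with a web server at 10.1.1.10,
# DMZ host 192.168.50.5, and an arbitrary outside host 203.0.113.10.
ORIGINAL_ACL = ["access-list dmz permit ip any any"]  # the poster's first attempt
ORDERED_ACL = [                                        # the accepted answer's order
    "access-list dmz permit tcp any host 10.1.1.10 eq 443",
    "access-list dmz deny ip any 10.1.0.0 255.255.0.0",
    "access-list dmz permit ip any any",
]
MISORDERED_ACL = ORDERED_ACL[2:] + ORDERED_ACL[:2]     # permit any any placed first
DMZ, INSIDE_HOST, INSIDE_WEB, OUTSIDE = "192.168.50.5", "10.1.2.3", "10.1.1.10", "203.0.113.10"

def check_policy(acl):
    return {"dmz_to_inside_smb": evaluate(acl, DMZ, INSIDE_HOST, "tcp", 445),
            "dmz_to_inside_web": evaluate(acl, DMZ, INSIDE_WEB, "tcp", 443),
            "dmz_to_outside": evaluate(acl, DMZ, OUTSIDE, "tcp", 80)}
```

Running check_policy on the three lists shows the original ACL permits every DMZ-to-inside flow, the ordered ACL permits only the single inside service plus everything outside, and moving "permit ip any any" to the top silently re-opens the inside.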

7 REPLIES
New Member

Re: dmz to outside access issues

Thanks,

You are right. Funny thing was, I just sat back a sec and then drew a picture of what I wanted to do and came up with that answer as well. Thanks for the reply, acomiskey.

Green

Re: dmz to outside access issues

Or, if you wanted to leave the ip any any, you could create an ACL "out interface inside" with the same process, but I like it better the other way. Now that you've got the concept down, you're good to go. Please rate if it helped.

New Member

Re: dmz to outside access issues

I was wondering if you could apply access-lists in the outbound direction on PIXes. I think your first answer works better because it blocks traffic at the source.

Green

Re: dmz to outside access issues

Yes, it is absolutely better, just thought it might help explain the concept a little more.

Hall of Fame Super Blue

Re: dmz to outside access issues

Hi

The access-list on the DMZ as Adam suggested is the way to go.

For reference, PIX v6.x does not support outbound access-lists, but PIX v7.0 does.

Jon

Green

Re: dmz to outside access issues

^ Oops, thanks Jon.
