PIX: DMZ to INSIDE ACL rule(s) blocks outbound traffic

robert6755
Level 1

Is this a bug or am I missing a rule policy? When I add in ACL rules to restrict access from DMZ to INSIDE... all outbound traffic via the OUTSIDE interface is blocked! Rules work fine for DMZ to INSIDE. If I put back "any any" access, all is OK again.

ACCESS but virtually shuts down my firewall.

7 Replies

JORGE RODRIGUEZ
Level 10

Robert, from low security level to high security level access is already restricted, so to allow traffic from DMZ to inside then you permit the access to inside via acl.. so something is not quite right with the acl you are working with that would block outbound connection via outside interface or causing a complete firewall shut.. what version of pix are you running..

Rgds

Jorge

Jorge Rodriguez

Jorge

Ver 7.05.

The 4 rules are nothing fancy.

Ex. access-list dmz-to-inside extended permit tcp host serverA any eq 1433.

But it does virtually shut down the firewall.

Jorge another thing...

I am using NAT on the INSIDE network.

Do I need to add in explicit static routes out?

Robert, from what you are describing, that it virtually shuts down the firewall while making changes, this most definitely indicates software problems. I would recommend you query the bug tools resource database on your version of code at http://www.cisco.com/en/US/support/index.html

As for your other question on "NAT inside and explicit static routes out?", if I understand correctly you mean outbound traffic to the internet? If so, yes, you need to define a default route. In other words there must either exist a default route by static means or a default route injected by a routing protocol, but the most common scenario would be a static default route.

e.g.

The default route, nat inside and global outside example would be something like this for your inside host to get outbound traffic (the next-hop gateway address is not given in the thread, so it is shown as a placeholder):

route outside 0.0.0.0 0.0.0.0 <next-hop-gateway> 1
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

Rgds

Jorge

Jorge Rodriguez

I'm sure what you did was forget that there is an explicit deny ip any any at the end of your acl. What you need to do is permit the traffic from the dmz to inside, deny all other traffic from dmz to inside, then permit ip any any. This will allow the dmz to get to the outside. For instance...

access-list dmz-to-inside extended permit tcp host serverA any eq 1433
access-list dmz-to-inside extended permit tcp host serverB any eq 1433
access-list dmz-to-inside deny ip
access-list dmz-to-inside permit ip any any

Acomiskey

What you suggest led to the solution although with some modification. The deny statements had to be specific for the servers on the Inside. I did this by creating a network object-group and put a rule in to deny access to the group.

If I used "any any" then all access outbound, dmz and inside, was shutdown.

Example:

object-group network db_servers
access-list dmz-to-inside extended permit tcp host serverA any eq 1433
access-list dmz-to-inside extended permit tcp host serverB any eq 1433
access-list dmz-to-inside extended deny ip any object-group db_servers
access-list dmz-to-inside permit ip any any

Thanks for pointing me in the right direction.

Resolved by modifying deny statement

Last post was the solution.
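To show why the first ACL cut off the DMZ's outbound traffic and the corrected one does not, here is a small first-match ACL evaluator with the thread's implicit "deny ip any any" at the end. It is an added example, not code from the thread or from Cisco; the DMZ, inside DB server and internet addresses are constructed, and the object-group is expanded into one deny entry per member, which is how the firewall applies it.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Ace:
    """One access-list entry. proto 'ip' matches any protocol."""
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" or "tcp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None   # tcp destination port; None = any port


def net(spec: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network("0.0.0.0/0" if spec == "any" else spec)


def ace_matches(ace: Ace, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
    if ace.proto != "ip" and ace.proto != proto:
        return False
    if ace.dport is not None and ace.dport != dport:
        return False
    return ipaddress.ip_address(src) in ace.src and ipaddress.ip_address(dst) in ace.dst


def evaluate(acl: List[Ace], proto: str, src: str, dst: str, dport: Optional[int] = None) -> str:
    """First matching entry wins; no match falls through to the implicit deny."""
    for ace in acl:
        if ace_matches(ace, proto, src, dst, dport):
            return ace.action
    return "deny"


# Constructed sample addresses (hypothetical; the thread gives none).
SERVER_A, SERVER_B = "10.10.1.10", "10.10.1.11"                # DMZ hosts
DB_SERVERS = [net("192.168.1.20/32"), net("192.168.1.21/32")]  # object-group db_servers
INTERNET_HOST = "203.0.113.5"

permits = [Ace("permit", "tcp", net(SERVER_A + "/32"), net("any"), 1433),
           Ace("permit", "tcp", net(SERVER_B + "/32"), net("any"), 1433)]

# Original ACL: only the 1433 permits, so everything else hits the implicit deny.
original_acl = permits

# Corrected ACL: deny only the inside DB servers, then permit everything else (outbound).
fixed_acl = (permits + [Ace("deny", "ip", net("any"), db) for db in DB_SERVERS]
             + [Ace("permit", "ip", net("any"), net("any"))])


def outbound_web_from_dmz(acl: List[Ace]) -> str:
    return evaluate(acl, "tcp", SERVER_A, INTERNET_HOST, 80)
```

Once the ACL is applied inbound on the DMZ interface it replaces the security-level default, so anything not explicitly permitted is dropped, which is why the trailing "permit ip any any" is required for DMZ-to-outside traffic.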
