01-11-2008 01:50 PM - edited 03-11-2019 04:46 AM
Is this a bug or am I missing a rule policy? When I add in ACLs rules to restrict access from DMZ to INSIDE... all outbound traffic via OUTSIDE interface is blocked! Rules work fine for DMZ to INSIDE. IF I put back any any access all is OK again.
ACCESS but virtually shuts down my firewall.
01-11-2008 03:09 PM
Robert, from low security level to high security level access is already restricted, so to allow traffic from DMZ to inside you permit the access to inside via ACL. So something is not quite right with the ACL you are working with that would block outbound connections via the outside interface or cause a complete firewall shutdown. What version of PIX are you running?
Rgds
Jorge
01-12-2008 06:50 AM
Jorge
Ver 7.05.
The 4 rules are nothing fancy.
Ex. access-list dmz-to-inside extended permit tcp host serverA any eq 1433.
But it does virtually shut down the firewall.
01-12-2008 06:54 AM
Jorge another thing...
I am using NAT on the INSIDE network.
Do I need to add in explicit static routes out?
01-12-2008 08:56 AM
Robert, from what you are describing, that it virtually shuts down the firewall while making changes, this most definitely indicates software problems. I would recommend you query the bug tools resource database on your version of code at http://www.cisco.com/en/US/support/index.html
As for your other question on "NAT inside and explicit static routes out?", if I understand correctly you mean outbound traffic to the internet? If so, yes, you need to define a default route. In other words, there must either exist a default route by static means or a default route injected by a routing protocol, but the most common scenario would be a static default route.
e.g.
The default route, nat inside and global outside example would be something like this for your inside host to get outbound traffic.
route outside 0.0.0.0 0.0.0.0
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside ) 1 interface
Rgds
Jorge
01-12-2008 11:35 AM
I'm sure what you did was forget that there is an explicit deny ip any any at the end of your ACL. What you need to do is permit the traffic from the DMZ to inside, deny all other traffic from DMZ to inside, then permit ip any any. This will allow the DMZ to get to the outside. For instance...
access-list dmz-to-inside extended permit tcp host serverA any eq 1433
access-list dmz-to-inside extended permit tcp host serverB any eq 1433
access-list dmz-to-inside deny ip
access-list dmz-to-inside permit ip any any
01-16-2008 06:24 AM
Acomiskey
What you suggest led to the solution, although with some modification. The deny statements had to be specific for the servers on the inside. I did this by creating a network object-group and putting a rule in to deny access to the group.
If I used "any any" then all access outbound, DMZ and inside, was shut down.
Example:
object-group network db_servers
access-list dmz-to-inside extended permit tcp host serverA any eq 1433
access-list dmz-to-inside extended permit tcp host serverB any eq 1433
access-list dmz-to-inside extended deny ip any object-group db_servers
access-list dmz-to-inside permit ip any any
Thanks for pointing me in the right direction.
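The two posts above come down to first-match ACL evaluation with the implicit deny at the end. The following Python simulation is an added example, not code from the thread or from Cisco: it evaluates a packet against the three ACL variants discussed (the original two permits, the "deny ip any any" version that shut everything down, and the object-group version that resolved it). All addresses (serverA, serverB, the db_servers group members, the internet host) are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Sequence, Union

# An address spec is "any", one CIDR, or a list of CIDRs (modelling an object-group).
AddrSpec = Union[str, Sequence[str]]


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol; otherwise "tcp"/"udp"
    src: AddrSpec
    dst: AddrSpec
    dport: Optional[int] = None  # "eq <port>" on the destination; None = any port


def _match_addr(spec: AddrSpec, ip: str) -> bool:
    """True if ip falls under the spec ("any", a CIDR, or any member of a group)."""
    if spec == "any":
        return True
    nets = [spec] if isinstance(spec, str) else spec
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in nets)


def evaluate(acl: Sequence[Rule], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> str:
    """First matching entry wins; no match falls through to the implicit deny."""
    for rule in acl:
        if rule.proto != "ip" and rule.proto != proto:
            continue
        if not (_match_addr(rule.src, src) and _match_addr(rule.dst, dst)):
            continue
        if rule.dport is not None and rule.dport != dport:
            continue
        return rule.action
    return "deny"  # implicit "deny ip any any" appended to every PIX/ASA ACL


# Constructed sample addressing (not from the thread).
SERVER_A = "10.1.2.10"      # DMZ host
SERVER_B = "10.1.2.11"      # DMZ host
OTHER_DMZ = "10.1.2.50"     # DMZ host with no permit entry
DB_SERVERS = ["10.1.1.5/32", "10.1.1.6/32"]   # object-group network db_servers
INTERNET_HOST = "203.0.113.5"

# The ACL as originally posted: two permits only.
ACL_AS_POSTED = [
    Rule("permit", "tcp", SERVER_A, "any", 1433),
    Rule("permit", "tcp", SERVER_B, "any", 1433),
]
# "deny ip any any" before "permit ip any any": the deny shadows the permit.
ACL_DENY_ANY = ACL_AS_POSTED + [
    Rule("deny", "ip", "any", "any"),
    Rule("permit", "ip", "any", "any"),
]
# The resolution: deny only traffic aimed at the inside group, then permit the rest.
ACL_FIXED = ACL_AS_POSTED + [
    Rule("deny", "ip", "any", DB_SERVERS),
    Rule("permit", "ip", "any", "any"),
]


def outcomes(acl: Sequence[Rule]) -> dict:
    """Three flows entering the DMZ interface, evaluated against one ACL."""
    return {
        "sql_from_serverA_to_db": evaluate(acl, "tcp", SERVER_A, "10.1.1.5", 1433),
        "https_from_serverA_to_internet": evaluate(acl, "tcp", SERVER_A, INTERNET_HOST, 443),
        "ssh_from_other_dmz_to_db": evaluate(acl, "tcp", OTHER_DMZ, "10.1.1.5", 22),
    }


if __name__ == "__main__":
    for name, acl in (("as posted", ACL_AS_POSTED), ("deny any any", ACL_DENY_ANY),
                      ("fixed", ACL_FIXED)):
        print(name, outcomes(acl))
```

Only the fixed list lets serverA reach both the database port and the internet while still blocking the rest of the DMZ from the inside servers. The simulation covers only the inbound ACL on the DMZ interface; it does not model NAT, the default route, or the stateful return traffic the firewall adds for established connections.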
01-16-2008 06:26 AM
Resolved by modifying deny statement
Last post was the solution.