Cisco Support Community

New Member

PIX: DMZ to INSIDE ACL rule(s) blocks outbound traffic

Is this a bug or am I missing a rule policy? When I add ACL rules to restrict access from DMZ to INSIDE, all outbound traffic via the OUTSIDE interface is blocked! Rules work fine for DMZ to INSIDE. If I put back the any any access, all is OK again.

ACCESS but virtually shuts down my firewall.

7 REPLIES

Re: PIX: DMZ to INSIDE ACL rule(s) blocks outbound traffic

Robert, from a low security level to a high security level, access is already restricted, so to allow traffic from DMZ to inside you permit the access to inside via an ACL. So something is not quite right with the ACL you are working with that would block outbound connections via the outside interface or cause a complete firewall shutdown. What version of PIX are you running?

Rgds

Jorge

New Member

Re: PIX: DMZ to INSIDE ACL rule(s) blocks outbound traffic

Jorge

Ver 7.05.

The 4 rules are nothing fancy.

Ex. access-list dmz-to-inside extended permit tcp host serverA any eq 1433.

But it does virtually shut down the firewall.

New Member

Re: PIX: DMZ to INSIDE ACL rule(s) blocks outbound traffic

Jorge another thing...

I am using NAT on the INSIDE network.

Do I need to add in explicit static routes out?

Re: PIX: DMZ to INSIDE ACL rule(s) blocks outbound traffic

Robert, from what you are describing, a change that virtually shuts down the firewall most definitely indicates software problems. I would recommend you query the bug tools resource database for your version of code at http://www.cisco.com/en/US/support/index.html

As for your other question on "NAT inside and explicit static routes out?", if I understand correctly you mean outbound traffic to the internet? If so, yes, you need to define a default route. In other words, there must either be a default route by static means or a default route injected by a routing protocol, but the most common scenario would be a static default route.

e.g.

The default route, nat (inside) and global (outside) example would be something like this for your inside host to get outbound traffic:

route outside 0.0.0.0 0.0.0.0 1

nat (inside) 1 0.0.0.0 0.0.0.0

global (outside) 1 interface

Rgds

Jorge

Green

Re: PIX: DMZ to INSIDE ACL rule(s) blocks outbound traffic

I'm sure what you did was forget that there is an explicit deny ip any any at the end of your acl. What you need to do is permit the traffic from the dmz to inside, deny all other traffic from dmz to inside, then permit ip any any. This will allow the dmz to get to the outside. For instance...

access-list dmz-to-inside extended permit tcp host serverA any eq 1433

access-list dmz-to-inside extended permit tcp host serverB any eq 1433

access-list dmz-to-inside deny ip

access-list dmz-to-inside permit ip any any

New Member

Re: PIX: DMZ to INSIDE ACL rule(s) blocks outbound traffic

Acomiskey

What you suggest led to the solution although with some modification. The deny statements had to be specific for the servers on the Inside. I did this by creating a network object-group and put a rule in to deny access to the group.

If I used "any any" then all access outbound, DMZ and inside, was shut down.

Example:

object-group network db_servers

access-list dmz-to-inside extended permit tcp host serverA any eq 1433

access-list dmz-to-inside extended permit tcp host serverB any eq 1433

access-list dmz-to-inside extended deny ip any object-group db_servers

access-list dmz-to-inside permit ip any any

Thanks for pointing me in the right direction.
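To see why the original four permit rules blocked DMZ-to-outside traffic (everything unmatched falls through to the implicit deny) and why the final ordering in this post fixes it, here is a small first-match ACL simulator. It is an added example, not code from the thread or from Cisco; the addresses, the object-group members and the tighter HARDENED_ACL variant are my own assumptions.

```python
import ipaddress

# Constructed addressing for this example only; none of it comes from the thread.
INSIDE_NET = ipaddress.ip_network("10.1.0.0/16")
DB_SERVERS = ["10.1.0.10", "10.1.0.11"]                 # object-group network db_servers
SERVER_A, SERVER_B = "192.168.100.5", "192.168.100.6"   # DMZ hosts
OUTSIDE_HOST = "203.0.113.10"

def rule(action, proto="ip", src="any", dst="any", dport=None):
    """One access-list entry; src/dst are 'any', a host string, an ip_network, or a list (object-group)."""
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}

def _match_addr(spec, addr):
    if spec == "any":
        return True
    if isinstance(spec, list):                       # object-group: match any member
        return any(_match_addr(s, addr) for s in spec)
    if isinstance(spec, ipaddress.IPv4Network):
        return addr in spec
    return addr == ipaddress.ip_address(spec)        # single host

def evaluate(acl, proto, src, dst, dport=None):
    """First-match evaluation as the PIX does it; a packet no entry matches hits the implicit deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in acl:
        if r["proto"] not in ("ip", proto):
            continue
        if not (_match_addr(r["src"], src) and _match_addr(r["dst"], dst)):
            continue
        if r["dport"] is not None and r["dport"] != dport:
            continue
        return r["action"]
    return "deny"                                    # implicit deny ip any any

# The original style of ACL: only the SQL permits, nothing else.
BROKEN_ACL = [rule("permit", "tcp", SERVER_A, "any", 1433),
              rule("permit", "tcp", SERVER_B, "any", 1433)]

# The thread's fix: specific permits, deny to the inside DB servers, then permit the rest.
FIXED_ACL = BROKEN_ACL + [rule("deny", "ip", "any", DB_SERVERS),
                          rule("permit", "ip", "any", "any")]

# Tighter variant (assumed here): deny the whole inside network, not just the DB group,
# so DMZ hosts cannot reach other inside hosts through the trailing permit ip any any.
HARDENED_ACL = BROKEN_ACL + [rule("deny", "ip", "any", INSIDE_NET),
                             rule("permit", "ip", "any", "any")]

if __name__ == "__main__":
    for name, acl in [("broken", BROKEN_ACL), ("fixed", FIXED_ACL), ("hardened", HARDENED_ACL)]:
        print(name, "DMZ->outside:", evaluate(acl, "tcp", SERVER_A, OUTSIDE_HOST, 443),
              " DMZ->inside non-DB host:", evaluate(acl, "tcp", SERVER_A, "10.1.0.50", 22))
```

Note that FIXED_ACL still lets a DMZ host reach inside hosts that are not in the object-group, which is what the deny-to-whole-inside-network variant closes.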

New Member

Re: PIX: DMZ to INSIDE ACL rule(s) blocks outbound traffic

Resolved by modifying deny statement

Last post was the solution.
