Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Access-list and alias in PIX firewall

Hi,

I need an advice regarding access-list used altogether with alias command.

There are two hosts: host A in internal segment - real IP is 10.1.1.2 and host B in DMZ segment - real IP is 172.16.1.3. Both alias and static commands are being used here:

alias (internal) 10.1.1.3 172.16.1.3 255.255.255.255

static (internal,dmz) 172.16.1.2 10.1.1.2 netmask 255.255.255.255

The reasons are DNS record for host B must be from 10.0.0.0 network and no route information about internal network should be published in DMZ (even static route).

I want to use access-list to permit the traffic between A and B and implement it in both internal and dmz interface. But I'm not very clear, should I use alias address or real address?

Going back to the example above, should I use:

access-list dmz permit ip host 172.16.1.3 host 172.16.1.2

or

access-list dmz permit ip host 10.1.1.3 host 172.16.1.2

or both statement?

and how about the access-list inside command?

Another question regarding access-list in PIX

if I use access list in one side, do I need to create mirrored access list in the other side for the return packet?

Thank you so much.

Raymond.

3 REPLIES
Bronze

Re: Access-list and alias in PIX firewall

This is what I have understood from your description: You have a network setup as drawn below and you want to allow Host A to access your web server (Host B) on your DMZ. Further, the DNS server is located on the outside.

internet

|

|

|------------------------DNS server

|

|(OUTSIDE)

|

PIX -------------------------HOST B (Web Server www.abc.com; IP 172.16.1.3)

| (DMZ)

|

|(INSIDE)

|

|

|

|

HOST A (IP 10.1.1.2)

If what I have understood is right, then it is possible that the present configuration is wrong. Lets see why! Lets assume that your web server's (Host B) global address is a.b.c.d and that the url is www.abc.com. A dns request from the outside (Internet) to the DNS for www.abc.com, will return the IP a.b.c.d. The external host can now access your web server (Host B) with this IP. If someone sitting on the inside (Host A) makes the same DNS request, the IP returned by the DNS server will be the same IP a.b.c.d. This is where the problem comes. No translation exists for this address between the inside and DMZ. This is precisely why the alias command is configured. By configuring the following alias command, the IP address a.b.c.d returned by the DNS server, will be replaced by 172.16.1.3. Thus the Host A on the inside will learn that server www.abc.com is accessible at ip 172.16.1.3.

alias (inside) 172.16.1.3 a.b.c.d 255.255.255.255

More information on alias command is available at the URL

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aee.shtml

With this setup, the userA on the inside interface (security level 100) will have access to all resources (Server) on the DMZ (security level 50). Remember, with the most basic configuration in place (IP addresses, route and nat) connections initiated from an interface at a higher security level to a lower security level interface are allowed by default. Thus if the user on the inside (Host A) sends a http request to the server on the DMZ (Host B), the request is allowed through and all traffic sent in response by the server is allowed through to the Host A.

To allow traffic belonging to sessions initiated by HostB (lower security level) to reach Host A (Higher security level), use the access list or conduit permit statement. This access list must use internal/private addresses only, ie 10.1.1.2 and 172.16.1.3 in our example. In addition, Host A must be statically natted or natting should be disabled between Inside and DMZ for this address.

For more information on configuring the PIX firewall (Basic Commands), visit the following URL:

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a00800eb0b0.html

New Member

Re: Access-list and alias in PIX firewall

Your network diagram is correct only that the DNS server is located in inside interface. It's purpose is to serve internal users only and not accessible from the outside. When host A in inside network makes DNS request for host B, DNS server will return with IP address 10.1.1.3 for host B. Host A will now send packets with dest. address 10.1.1.3. When they come to PIX, they'll be natted into 172.16.1.3 (by alias command).

To avoid using static route in host B, static command is needed:

static (internal,dmz) 172.16.1.2 10.1.1.2 netmask 255.255.255.255

So host B 'think' that host A has IP address 172.16.1.2. PIX will then translate the dest. address in return packet from 172.16.1.2 to 10.1.1.2.

Now my problem is should I use the real address or the translated address if I want to implement access-list in both diurection?

I tried to search the documentation and technical notes but couldn't find a definite answer.

New Member

Re: Access-list and alias in PIX firewall

For the access-list on the dmz you should have

acess-list xx permit xxx host 172.16.1.2 host 172.16.1.3

you do not require any access-list for the return traffic as it is part of the same session.

on the inside by default you would not require an access-list to permit traffic to the dmz server as the comm is froma higher level to a lower security level. But if you have to be restrictive and define only particular type of traffic then use

access-list xx permit xxx host 10.1.1.3 10.1.1.0 255.255.255.0

Hope this helps

163
Views
0
Helpful
3
Replies
CreatePlease to create content