ACL: Limit DMZ to Inside while allowing all DMZ to Internet?

chrisdixon
Level 1

I need to limit access from the DMZ to a restricted list of IPs/ports on the inside n/w, but the DMZ machines must also be able to connect to the Internet (i.e. unknown IPs).

(I have disabled NAT between DMZ and Inside)

If I apply an access list to the DMZ like this:

"access-list acl_dmz permit tcp host dmz_server host inside_server eq smtp

access-group acl_dmz in interface dmz "

Then outbound Internet access from the DMZ is blocked by the implicit 'deny all'.

How do I design an access list for the DMZ that will limit access from DMZ to inside while allowing full access to the Internet?

What I need is something like:

permit DMZ n/w to NOT(Inside n/w, DMZ n/w)

permit DMZ to limited inside hosts

deny all

Is this possible?

Thanks in advance for any advice....

4 Replies

mostiguy
Level 6

Allow what you want to the inside, then deny from DMZ to inside, then permit everything. Assume the DMZ netblock is 172.16.0.0/24 and the inside is 192.168.0.0/16.

access-list acl_dmz permit tcp host dmz_server host inside_server eq smtp

etc., etc.

Then:

access-list acl_dmz deny ip 172.16.0.0 255.255.255.0 192.168.0.0 255.255.0.0

access-list acl_dmz permit ip 172.16.0.0 255.255.255.0 any

Because of first match, this works: anything from the DMZ to inside that is permitted catches on the permissive rules; anything that isn't gets blocked by the deny rule that applies from the DMZ netblock to the inside netblock(s); finally, the permit ip any any rule allows all out, but to get to that rule, the destination cannot have been in the deny rule's destination block.

tbissett
Level 1

I do the same thing on our firewalls. Basically, you will need to organize the access-list starting with INSIDE destinations first, then the stuff that needs to go on the Internet. For example, let's say you have defined two statics from the inside to the DMZ:

static (inside,dmz) internal_dns internal_dns

static (inside,dmz) internal_mail internal_mail

Here's how the access-list should look:

access-list dmz permit udp host dmz_dns host internal_dns eq domain

access-list dmz deny ip any host internal_dns

access-list dmz permit tcp host dmz_mail host internal_mail eq smtp

access-list dmz deny ip any host internal_mail

access-list dmz permit udp host dmz_dns any eq domain

access-list dmz permit tcp host dmz_mail any eq smtp

It is very important to put the lines with a destination of "any" AFTER the lines that go to specific hosts. It is also important to have the "deny ip" statements in there before the lines that permit traffic to go anywhere. Using the same two statics above, let's say you just put a statement that permitted DNS to any destination. Because you have two statics, that permit statement would allow DNS queries to go to both internal_dns and internal_mail (which you obviously wouldn't want). This is a very common mistake that PIX admins make when configuring their firewalls.
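As an added illustration of the first-match ordering both replies rely on (this is not code from the thread or from Cisco), here is a small Python evaluator for PIX-style access-list lines. The name-to-address map, the host addresses and the flows it checks are constructed assumptions; it also evaluates the same three lines with the "any" line moved above the deny to show the leak the second reply warns about.

```python
import ipaddress

# Constructed address plan for the thread's names (assumption, not from the page).
NAMES = {"dmz_server": "172.16.0.10", "inside_server": "192.168.1.25"}
PORTS = {"smtp": 25, "domain": 53}

def _addr(tokens):
    """Consume one PIX address spec: 'any', 'host NAME', or 'NET NETMASK'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(NAMES.get(tokens[1], tokens[1]) + "/32"), tokens[2:]
    # PIX ACLs take a real subnet mask, not an IOS wildcard mask.
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse_ace(line):
    """Parse 'access-list NAME permit|deny PROTO SRC DST [eq PORT]' into a dict."""
    t = line.split()
    src, rest = _addr(t[4:])
    dst, rest = _addr(rest)
    dport = (PORTS.get(rest[1]) or int(rest[1])) if rest[:1] == ["eq"] else None
    return {"action": t[2], "proto": t[3], "src": src, "dst": dst, "dport": dport}

def evaluate(acl, proto, src_ip, dst_ip, dport):
    """First match wins; falling off the end is the PIX implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in map(parse_ace, acl):
        if ace["proto"] not in ("ip", proto):
            continue
        if s not in ace["src"] or d not in ace["dst"]:
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"] == "permit"
    return False

ACL_DMZ = [  # the ordering from the first reply above
    "access-list acl_dmz permit tcp host dmz_server host inside_server eq smtp",
    "access-list acl_dmz deny ip 172.16.0.0 255.255.255.0 192.168.0.0 255.255.0.0",
    "access-list acl_dmz permit ip 172.16.0.0 255.255.255.0 any",
]
MISORDERED = [ACL_DMZ[0], ACL_DMZ[2], ACL_DMZ[1]]  # 'any' line placed before the deny

def decisions(acl):
    """Verdicts for the three flows the question asks about (constructed addresses)."""
    return {
        "dmz->inside_smtp": evaluate(acl, "tcp", "172.16.0.10", "192.168.1.25", 25),
        "dmz->inside_other": evaluate(acl, "tcp", "172.16.0.10", "192.168.1.30", 22),
        "dmz->internet": evaluate(acl, "tcp", "172.16.0.10", "203.0.113.7", 443),
    }
```

With the correct ordering only the SMTP flow reaches the inside and everything else still gets out to the Internet; with the "any" line moved up, `dmz->inside_other` is permitted because the deny is never reached.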

Thanks for the suggestions, both approaches look like they will solve my problem.

This would be a lot simpler to achieve on the PIX if ACLs had a 'NOT' operator (as in FW-1), i.e. access-list dmz permit ip dmz_network NOT(inside networks)

Well, with object-groups (a PIX OS 6.2 feature) you can clear up configurations considerably, by classifying together discontiguous entities, but there is not an exact "not" construct.
