Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

ACLs

I'm trying to configure some acls on my PIX, and am a bit confused....When I try to configure a rule to allow certain traffic from my DMZ to my inside LAN, it overwrite the implicit rule allowing hosts from my LAN access to the DMZ. I don't get it. I thought that's an implicit rule in the outbound direction. My acl is a rule applied to the inside int in the inbound direction. It seems to trump the implicit rule, which of course allows all return traffic that was initiated from a host on the inside. It seems like there is a catch to only allowing 1 ACL in one direction, but again I thought the implicit rule was an exception, since its direction seems to be an exception due to the fact that it is going in the outbound direction, which is not an option on a PIX acl. So, am I supposed to incorporate the implict outbound rule into my new, custom ACL? If so, how do I write a statement that allows all traffic back in which was initiated from the inside?

thx

Bill

1 ACCEPTED SOLUTION

Accepted Solutions

Re: ACLs

let me explain it a bit more ... if you want to connect to an internal host ( i.e inside interface ) from a lower security interface (i.e outside , dmz ) the you have to use a static NAT and also allow that access on the access list applied to the lower interface.

Access from a higher interface ( i.e inside ) to a lower one ( i.e outside ) is allowed by default but you need a combination of NAT and GLOBAL statements so that the packet gets NATed as it goes out to the outisde world .. otherwise the return packet will have no clue how to get back ..

I hope it helps .. please rate it if it does !!!

11 REPLIES

Re: ACLs

Hello Bill,

Im not sure If I undertood it right.

When you state that you have a ACL rule applied to inside interface in the inboud direction, you mean that you did something like.

ACL in

Because inbound traffic on the inside interface would mean outbout traffic from the hosts that are inside this network.

I dont know much about firewall,

but for a router

ip access-group in means: traffic going out

ip access-group out means: traffic coming in

Maybe this is what confusing you,

or maybe I just didnt understand it correctly.

And for ACL that permit traffic that already was permit in 1 direction.

have you ever heard of :

permit tcp any any ESTABLISHED

or reflexive-acl ?

HTH,

if it does, I'd appreciate if you rate this post.

Vlad

New Member

Re: ACLs

In any case, you could have OUT with ACL in PIX interfaces. It's not like routers where you could set the direction of the traffic.

So IN is always used in ACL reagardless the direction

So you could have

access-list UR_ACL permit protocol ur_outside_ip_net ur_inside_ip_net

access-group UR_ACL IN interface inside

Re: ACLs

Hi .. with a PIXes the situation is different. Any traffic from an interface that has higher security level ( inside ) towards a host locted on an interface with lower security level ( outside ) is allowed UNLESS you specify otherwise on an access-list appied to inside interface. If this traffic is initiated from the inside hosts you DON'T need to scpecify any rule for the return traffic ... Now when you want to initiate traffic from a host located on a lower interface ( outside or dmz ) towards a hosts located on a higher interface ( inside ) then that traffic is blocked UNLESS specified otherwise in an access-list applied to the lower interface ..

I hope this makes clear .. let me know if you need further assistance .. haa .. please rate it if it helps ..

New Member

Re: ACLs

Hi, that seems to be just it. The implicit rule that allows traffic from users on a higher security level gets replaced when I try to create an access list on any interface that already has the implict rule being applied.

Example

Inside to the DMZ is an implicit rule that allows all return traffic initiated from the inside allowed back inside from the DMZ.

What's happening is that whenever a create a new inbound rule and apply it to the inside interface, the implicit rule is somehow overwritten, and only the statements in my new rule apply. That's what is really confusing me. To make matters even more confusing, I do have a new rule applied to the outside interface inbound to the DMZ, and all hosts on the DMZ have NO problems getting to the Internet.

What I want to do is allow a host in the DMZ access to a host on the inside using a certain port. Attached is a copy of the config if it helps.

thank you

Re: ACLs

According to your configs the config is no right :

global (outside) 1 interface -> OK

global (inside) 1 interface -> WRONG please delete this entry

global (DMZ) 1 interface -> OK

nat (inside) 1 0.0.0.0 0.0.0.0 0 0 -> OK

nat (DMZ) 1 0.0.0.0 0.0.0.0 0 0 -> OK

static (DMZ,outside) x.x.x.x WEB_Server netmask 255.255.255.255 0 0 -> OK

Please add:

static (inside,DMZ) TCP/UDP Port# Port# netmask 2555.255.255.255

where TCP/UDP is the protocol you wan to use

DMZ IP address is te address of teh host located on teh DMZ segment

Port# id the port i.e 80 for http that the host will have access

Inside Ip address is the host located on the inside network which you want access to.

You also need toallow this access witha an access-list applied to DMZ

access-list DMZ-IN permit tcp host x.x.x.x host x.x.x.x eq Port#

access-list DMZ-IN permit tcp any any eq 80 (for Internet access from DMZ hosts )

access-group DMZ-IN in interface dmz

I hope it helps ...please reate if it does !!!

Re: ACLs

please also type clear xlate after the changes ... any current enrty on teh transaltion table will be deleted and recreated accordingly.

New Member

Re: ACLs

Why does the DMZ-IN access-list replace the implicit outbound rule from the DMZ? After creating the access-list I tried getting to the Internet from the DMZ, but could not. I then checked out the PDM access rules tab, and the implicit outbound rule had been overwritten. I just can't understand why that rule is being overwritten. If you use the PDM to create a rule, and try editing that default rule, it says you cannot, but if I create another rule and apply it to the interface it replaces it.

New Member

Re: ACLs

I think I understand it now. It's by design that as soon as an ACL is placed in the inbound direction, the implicit rule is negated. There's a pretty good excerpt about access lists in the following link

http://www.cianet.com.au/home2.nsf/pages/ciscopix

New Member

Re: ACLs

So do I understand correctly that the security of the PIX lies equally in NAT as it does in access lists? The statement

access-list DMZ-IN permit tcp any any eq 80 (for Internet access from DMZ hosts )

says all http access from the outside is allowed in, if, big if, it is initiated from the inside? That statement does not allow hosts on a lower security level, the outside, to initiate an http connection with a host on the DMZ, right? In part I assume since there is not NAT from outside to inside, that's what the static command is for?

Re: ACLs

let me explain it a bit more ... if you want to connect to an internal host ( i.e inside interface ) from a lower security interface (i.e outside , dmz ) the you have to use a static NAT and also allow that access on the access list applied to the lower interface.

Access from a higher interface ( i.e inside ) to a lower one ( i.e outside ) is allowed by default but you need a combination of NAT and GLOBAL statements so that the packet gets NATed as it goes out to the outisde world .. otherwise the return packet will have no clue how to get back ..

I hope it helps .. please rate it if it does !!!

Re: ACLs

This seems to explain some of the anomolies I have been seeing, I have both a PIX 535 and a catalyst 6503 with a FWSM. Whats your take on allowing traffic into the DMZ ? I was told that you should let all in and filter the output traffic, and in the PDM manual it says filter coming in and let the rest out. I have usually 4 rules per filter type, maybe this is an ober kill but it seemed like it was req'd.

220
Views
4
Helpful
11
Replies
CreatePlease to create content