Deny inside to outside, but allow to DMZ

gappold
Level 1

We have a PIX 515 with 6.2(2). Have an Outside, Inside, and DMZ interface. We need to block specific IP addresses from the outside but not to the DMZ. The DMZ has our web server, but we cannot allow the specific IP address to access the Internet. When I add a rule to deny the IP address on the inside to the outside, it also blocks access to the DMZ.

I also tried a RADIUS server, but this also required a userid to access the DMZ. I want full access to the DMZ from the inside, but authenticated to the outside.

Thanks for your help and consideration.

1 Reply

mostiguy
Level 6

Access lists have an implicit deny all at the end of them. If you craft one that only allows the pool of hosts to access only the dmz netblock, you would be in business. It sounds like you have a pool of addresses that need unhindered access as well though, so have a statement that gives them unhindered access.

Example:

192.168.0.0/24 is the dmz. 192.168.1.0/24 can only talk to the dmz. 192.168.2.0/24 can talk to everyone

access-list outbound_restrict permit ip 192.168.2.0 255.255.255.0 any

access-list outbound_restrict permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0

access-group outbound_restrict in interface inside

will allow 192.168.2.0 to talk to everyone, and 192.168.1.0 to only talk to the dmz
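An added example, not from either poster, that models how the PIX evaluates an access-list (first matching entry wins, implicit deny after the last entry) and runs the reply's two permit lines plus a constructed version of the original poster's "deny host X any" rule through it. The ACL name outbound_restrict and the host 192.168.1.10 are assumptions for illustration; Python is used because the PIX CLI itself cannot be run offline.

```python
import ipaddress

# Added example (not from the original thread): a minimal model of PIX
# access-list evaluation. Netblocks are the reply's own sample networks;
# the host 192.168.1.10 and the ACL name are constructed for this example.

def _take(tok):
    """Consume one PIX address spec: 'any', 'host A.B.C.D', or 'A.B.C.D MASK'."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    # PIX 6.x uses a real netmask here (not a wildcard); ipaddress accepts 'addr/netmask'
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}", strict=False), tok[2:]

def parse_acl(lines):
    """Parse 'access-list NAME permit|deny ip SRC DST' lines into (action, src_net, dst_net)."""
    entries = []
    for line in lines:
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list" or tok[3] != "ip":
            raise ValueError(f"unsupported line: {line}")
        action = tok[2]
        src, rest = _take(tok[4:])
        dst, _ = _take(rest)
        entries.append((action, src, dst))
    return entries

def evaluate(entries, src_ip, dst_ip):
    """First match wins; a flow matching no entry hits the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src, dst in entries:
        if s in src and d in dst:
            return action
    return "deny"  # implicit deny at the end of every access-list

# The reply's access-list: 192.168.2.0/24 anywhere, 192.168.1.0/24 only to the DMZ.
REPLY_ACL = parse_acl([
    "access-list outbound_restrict permit ip 192.168.2.0 255.255.255.0 any",
    "access-list outbound_restrict permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0",
])

# The poster's symptom, reconstructed: denying the host to 'any' also covers the DMZ.
POSTER_ACL = parse_acl([
    "access-list outbound deny ip host 192.168.1.10 any",
    "access-list outbound permit ip any any",
])

if __name__ == "__main__":
    for acl, src, dst in [(REPLY_ACL, "192.168.1.10", "192.168.0.80"),
                          (REPLY_ACL, "192.168.1.10", "203.0.113.5"),
                          (POSTER_ACL, "192.168.1.10", "192.168.0.80")]:
        print(f"{src} -> {dst}: {evaluate(acl, src, dst)}")
```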