10-21-2005 01:06 AM - edited 03-09-2019 12:47 PM
Hello, All
I have a Cisco PIX Firewall 525 (UR, FO), version 6.3(4).
Outside Security-level ===> 0
DMZ Security-level ===> 50
Inside Security-level ===> 100
I know the PIX Firewall concept:
High Security-level ----> Low Security-level ; Default (Implicit Agreement)
Low Security-level ----> High Security-level ; Security Policy (ACL)
Inside --- Default (Implicit Agreement) ---> Outside
Inside --- Default (Implicit Agreement) ---> DMZ
Outside --- Security Policy ---> Inside
Outside --- Security Policy ---> DMZ
DMZ --- Security Policy ---> Inside
Is this not an implicit agreement? Must an ACL be configured?
DMZ --- Security Policy ---> Outside
Why?
Thanks.
10-21-2005 02:52 AM
Hi, you are right: the implicit allow works in case we are going from high security to low security. However, if you have configured an access-list on the DMZ to allow traffic to the inside interface, then it takes precedence and the implicit allow to outside will be denied. So what I suggest in these cases is to allow, on the DMZ, the traffic that you want to the inside interface, then block all the rest of the traffic to the inside and permit everything else so that the internet traffic can move smoothly.
e.g.
We have a 10.10.x.x network on the inside and a 172.16.x.x network on the DMZ; then I would do this:
access-list test permit ip 172.16.x.x 255.255.x.x host 10.10.x.x
etc..
access-list test deny ip any 10.10.0.0 255.255.0.0
access-list test permit ip any any
So the second-last line denies all the traffic for inside except for the ones that we want, and the last line permits all the rest of the traffic to the internet.
Or you can also control the traffic to the inside network via translation rules.
Thanks
Arun Singh
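To make the behaviour Arun describes concrete, here is a small added example (not part of the original post, and not Cisco code): a Python model of how PIX 6.3 decides whether a new connection is allowed. It parses the `access-list ... ip` and `access-group ... in interface ...` lines in the syntax used above and applies the rule from this thread: if an inbound ACL is bound to the ingress interface, that ACL alone decides (with the implicit deny at its end); otherwise a connection is allowed only from a higher security level to a lower one. The three configurations, the host 10.10.1.5 and all IP addresses are constructed for the example, and NAT/static translation (which a real PIX 6.3 would also require) is deliberately left out of the model.

```python
import ipaddress
from dataclasses import dataclass

# Security levels from the original question.
SECURITY_LEVEL = {"outside": 0, "dmz": 50, "inside": 100}


@dataclass
class Ace:
    """One access-list entry: action plus source/destination networks."""
    action: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _parse_addr(tokens, i):
    """Parse a PIX 6.x address spec ('any', 'host A.B.C.D', or 'A.B.C.D MASK')."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # Network followed by a dotted subnet mask, as in 'access-list test permit ip 172.16.0.0 255.255.0.0 ...'
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_config(text):
    """Return ({acl_name: [Ace, ...]}, {interface: acl_name}) from PIX-style config lines."""
    acls, bindings = {}, {}
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith("!"):
            continue
        if tokens[0] == "access-list":
            name, action, proto = tokens[1], tokens[2], tokens[3]
            if proto != "ip":
                raise ValueError("this model only handles 'ip' entries: " + line)
            src, i = _parse_addr(tokens, 4)
            dst, _ = _parse_addr(tokens, i)
            acls.setdefault(name, []).append(Ace(action, src, dst))
        elif tokens[0] == "access-group":
            # access-group NAME in interface IFACE
            bindings[tokens[4]] = tokens[1]
    return acls, bindings


def permitted(acls, bindings, ingress, egress, src_ip, dst_ip):
    """Decide whether a new connection entering on `ingress` and leaving on `egress` is allowed."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    name = bindings.get(ingress)
    if name is not None:
        # An ACL bound to the interface replaces the implicit rule; first match wins.
        for ace in acls[name]:
            if src in ace.src and dst in ace.dst:
                return ace.action == "permit"
        return False  # implicit deny at the end of every ACL
    # No ACL on the ingress interface: implicit allow only from high to low security.
    return SECURITY_LEVEL[ingress] > SECURITY_LEVEL[egress]


# Constructed test flows: (ingress, egress, source, destination).
FLOWS = [
    ("dmz", "inside", "172.16.1.10", "10.10.1.5"),       # DMZ -> the one inside host we want
    ("dmz", "inside", "172.16.1.10", "10.10.7.7"),       # DMZ -> any other inside host
    ("dmz", "outside", "172.16.1.10", "198.51.100.20"),  # DMZ -> internet
    ("inside", "dmz", "10.10.1.1", "172.16.1.10"),       # inside -> DMZ
    ("outside", "dmz", "198.51.100.20", "172.16.1.10"),  # internet -> DMZ
]

# 1) No ACL on the DMZ: only the security levels apply.
CONFIG_NO_ACL = ""

# 2) The pitfall: an ACL that only permits DMZ -> inside also kills DMZ -> outside.
CONFIG_PARTIAL = """
access-list test permit ip 172.16.0.0 255.255.0.0 host 10.10.1.5
access-group test in interface dmz
"""

# 3) The pattern from the reply above: permit the wanted inside traffic,
#    deny the rest of inside, permit everything else (the internet).
CONFIG_FULL = """
access-list test permit ip 172.16.0.0 255.255.0.0 host 10.10.1.5
access-list test deny ip any 10.10.0.0 255.255.0.0
access-list test permit ip any any
access-group test in interface dmz
"""


def evaluate(config_text):
    """Return the permit/deny verdict for each flow in FLOWS under the given config."""
    acls, bindings = parse_config(config_text)
    return [permitted(acls, bindings, *flow) for flow in FLOWS]


def run_all():
    return {"no_acl": evaluate(CONFIG_NO_ACL),
            "partial": evaluate(CONFIG_PARTIAL),
            "full": evaluate(CONFIG_FULL)}


if __name__ == "__main__":
    for name, verdicts in run_all().items():
        print(name)
        for flow, ok in zip(FLOWS, verdicts):
            print("  %-7s -> %-7s %-14s -> %-14s %s" % (*flow, "permit" if ok else "deny"))
```

The "partial" configuration shows the trap the reply warns about: the moment any ACL is bound to the DMZ interface, DMZ to outside is no longer implicitly allowed and falls through to the implicit deny. The "full" configuration restores internet access with the trailing `permit ip any any` while still fencing off the inside network.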
10-24-2005 01:03 AM
The point of a DMZ is that connections from the internal and the external network to the DMZ are permitted, whereas connections from the DMZ are only permitted to the external network -- hosts in the DMZ may not connect to the internal network.
But Cisco PIX is not. Why?
10-24-2005 06:34 AM
Not entirely correct. A DMZ is a 'grey area' - not completely trusted, even though you are hosting it.
It makes sense that you have to configure on the DMZ interface what connections you want from the outside world, since it's your servers that could be compromised.
Likewise, it also makes sense that by default connections from inside (trusted) to the DMZ are allowed, but that connections from the DMZ (less trustworthy) to inside are not.
In reality, I would also limit the connections from the DMZ to the outside and also explicitly define what access was required from the inside to DMZ.
That stops compromised hosts sending out data you don't want them to or initiating attacks.
I think that a firewall should be paranoid by default, before being configured (deny all incoming connections, but allow all outgoing).
The PIX security level command seems to do a good job of this.