DMZ ---> Outside Access Issue

yjhyun
Level 1

Hello, All

I have a Cisco PIX Firewall 525 (UR, FO) model, version 6.3(4).

Outside Security-level ===> 0

DMZ Security-level ===> 50

Inside Security-level ===> 100

I know the PIX Firewall concept:

High Security-level ----> Low Security-level ; Default (Implicit Agreement)

Low Security-level ----> High Security-level ; Security Policy (ACL)

Inside --- Default (Implicit Agreement) ---> Outside

Inside --- Default (Implicit Agreement) ---> DMZ

Outside --- Security Policy ---> Inside

Outside --- Security Policy ---> DMZ

DMZ --- Security Policy ---> Inside

Is it not implicit agreement? Must an ACL be configured?

DMZ --- Security Policy ---> Outside

Why???

Thanks.

3 Replies

arunsing
Level 1

Hi, you are right, the implicit allow works in case we are going from high security to low security. However, if you have configured an access-list on the DMZ to allow traffic to the inside interface, then it takes precedence, and the implicit allow to outside will be denied. So what I suggest in these cases is: for the DMZ, allow the traffic that you want to the inside interface, then block all the rest of the traffic to the inside and permit everything else, so that the internet traffic can move smoothly.

e.g.

If we have a 10.10.x.x network on the inside and a 172.16.x.x network on the DMZ, then I would do this:

access-list test permit ip 172.16.x.x 255.255.x.x host 10.10.x.x

etc..

access-list test deny ip any 10.10.0.0 255.255.0.0

access-list test permit ip any any

So the second-to-last line denies all the traffic to the inside except for the flows that we want, and the last line permits all the rest of the traffic to the internet.

Or you can also control the traffic to the inside network via translation rules.

Thanks

Arun Singh

The point of a DMZ is that connections from the internal and the external network to the DMZ are permitted, whereas connections from the DMZ are only permitted to the external network -- hosts in the DMZ may not connect to the internal network.

But Cisco PIX is not. Why???

Not entirely correct. A DMZ is a 'grey area' - not completely trusted, even though you are hosting it.

It makes sense that you have to configure on the DMZ interface what connections you want from the outside world, since it's your servers that could be compromised.

Likewise, it also makes sense that by default connections from inside (trusted) to the DMZ are allowed, but that connections from the DMZ (less trustworthy) to inside are not.

In reality, I would also limit the connections from the DMZ to the outside and also explicitly define what access was required from the inside to DMZ.

That stops compromised hosts sending out data you don't want them to or initiating attacks.

I think that a firewall should be paranoid by default, before being configured (deny all incoming connections, but allow all outgoing).

The PIX security level command seems to do a good job of this.
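As an added example (written for this editorial pass, not code from the thread or from Cisco) tying together Arun's access-list reply and the last reply's advice to also restrict what the DMZ may reach on the outside: a small Python model of how a PIX 6.3 decides on a new connection. With no access-group on the ingress interface, only traffic from a higher security level to a lower one passes. Once an access-list is applied inbound on that interface (with `access-group NAME in interface IF`, which Arun's lines leave implicit), the list is evaluated first-match with an implicit deny at the end and the security levels no longer grant anything, so a DMZ list that only permits traffic to the inside silently removes the DMZ-to-outside implicit allow, which is the symptom in the question. The addresses (172.16.0.0/16 on the DMZ, 10.10.1.5 and 10.10.0.0/16 inside, 203.0.113.10 and 198.51.100.7 outside) are constructed; only `permit|deny ip` entries with `any`, `host` or address/mask operands are parsed; and the nat/static translation requirements, ports and stateful return traffic of a real PIX are not modelled.

```python
"""Simplified model of PIX 6.3 new-connection policy (added example, not Cisco code).

- No access-group on the ingress interface: a new connection is allowed only
  from a higher security level to a lower one.
- An access-group applied 'in' on the ingress interface replaces that default:
  the list is evaluated first-match and ends with an implicit deny.
Not modelled (assumption): nat/static translation, ports, return traffic.
"""
import ipaddress

# Security levels from the original question
SECURITY_LEVEL = {"outside": 0, "dmz": 50, "inside": 100}


def _operand(tokens):
    """Consume one PIX address operand (any | host A.B.C.D | A.B.C.D MASK)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # PIX access-lists take a normal subnet mask, not a wildcard mask
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_config(text):
    """Return ({acl_name: [(permit, src_net, dst_net), ...]}, {interface: acl_name})."""
    acls, groups = {}, {}
    for raw in text.splitlines():
        tok = raw.split()
        if tok[:1] == ["access-list"]:
            name, action, proto = tok[1], tok[2], tok[3]
            if proto != "ip":  # only 'ip' entries are modelled (assumption)
                raise ValueError("unsupported entry: " + raw)
            src, rest = _operand(tok[4:])
            dst, _ = _operand(rest)
            acls.setdefault(name, []).append((action == "permit", src, dst))
        elif tok[:1] == ["access-group"] and tok[2:4] == ["in", "interface"]:
            groups[tok[4]] = tok[1]
    return acls, groups


def acl_permits(entries, src, dst):
    """First-match evaluation with the implicit deny at the end of the list."""
    for permit, s, d in entries:
        if src in s and dst in d:
            return permit
    return False


def allowed(config, ingress, egress, src, dst):
    """Would the PIX allow a new connection from src (on ingress) to dst (on egress)?"""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    acls, groups = parse_config(config)
    if ingress in groups:
        # An applied access-list takes over completely; security levels no longer help
        return acl_permits(acls[groups[ingress]], src, dst)
    return SECURITY_LEVEL[ingress] > SECURITY_LEVEL[egress]


# --- Constructed configurations (addresses are illustrative, not from the thread) ---
NO_ACL = ""

# Arun's pattern: one permitted inside host, deny the rest of inside, allow everything else
ARUN_ACL = """
access-list test permit ip 172.16.0.0 255.255.0.0 host 10.10.1.5
access-list test deny ip any 10.10.0.0 255.255.0.0
access-list test permit ip any any
access-group test in interface dmz
"""

# The same list without its final 'permit ip any any': the implicit deny now
# blocks DMZ -> outside, which is the symptom described in the question
INCOMPLETE_ACL = """
access-list test permit ip 172.16.0.0 255.255.0.0 host 10.10.1.5
access-group test in interface dmz
"""

# Tighter variant in the spirit of the last reply: DMZ hosts may only reach
# one inside host and one named outside host, nothing else
TIGHT_ACL = """
access-list test permit ip 172.16.0.0 255.255.0.0 host 10.10.1.5
access-list test permit ip 172.16.0.0 255.255.0.0 host 203.0.113.10
access-group test in interface dmz
"""


def demo():
    """Decisions for a DMZ host 172.16.1.1 under each configuration."""
    dmz = "172.16.1.1"
    return {
        "no_acl_dmz_to_outside": allowed(NO_ACL, "dmz", "outside", dmz, "203.0.113.10"),
        "no_acl_dmz_to_inside": allowed(NO_ACL, "dmz", "inside", dmz, "10.10.1.5"),
        "no_acl_inside_to_dmz": allowed(NO_ACL, "inside", "dmz", "10.10.1.5", dmz),
        "arun_dmz_to_outside": allowed(ARUN_ACL, "dmz", "outside", dmz, "203.0.113.10"),
        "arun_dmz_to_allowed_inside": allowed(ARUN_ACL, "dmz", "inside", dmz, "10.10.1.5"),
        "arun_dmz_to_other_inside": allowed(ARUN_ACL, "dmz", "inside", dmz, "10.10.2.2"),
        "incomplete_dmz_to_outside": allowed(INCOMPLETE_ACL, "dmz", "outside", dmz, "203.0.113.10"),
        "tight_dmz_to_named_outside": allowed(TIGHT_ACL, "dmz", "outside", dmz, "203.0.113.10"),
        "tight_dmz_to_other_outside": allowed(TIGHT_ACL, "dmz", "outside", dmz, "198.51.100.7"),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:32} {'PERMIT' if verdict else 'DENY'}")
```

Running it prints PERMIT for DMZ-to-outside with no list and with Arun's full list, but DENY for the incomplete list: the moment an access-group is bound to the DMZ interface, everything not explicitly permitted is dropped, which is why the thread's answer ends with `permit ip any any` (or, following the last reply, with a short explicit list of what the DMZ may talk to on the outside).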