I am doing the unthinkable, opening up the ports from my DMZ to the inside interface to allow Active Directory communication. I just wanted to check the syntax of what I am doing before I do it.
According to PIX docs if I do this:
'access-list dmz_inside permit tcp any any eq 389' and apply it to the DMZ intf, then any TCP traffic on tcp 389 originating from any host on the DMZ will be able to pass through to the inside interface. What I am having a hard time with is the syntax to say I only want DMZ host 10.10.0.2 to start a connection through to inside host 192.168.0.6 (i.e. I need the webserver on the DMZ to talk only to the Domain Controller).
I also need to have SQL Server traffic be able to pass through using the same type of situation as with the domain controller, but I am not sure if the access-list needs to be accompanied by a static statement for each port I open up. It would make sense that I would need a static statement to tell the DMZ host to talk only to the SQL Server or Domain Controller. Am I on the right path or way off base?
I was looking at my PIX config and realized I don't need to open up the ports on the DMZ interface, which I was doing (thank god for test networks), but rather place those access-lists (using access-group) on the inside interface.
So the syntax is:
access-list outside_inside permit tcp host (dmz IP address) host (internal DC or SQL IP) eq (port number)
Could you explain the static syntax you have written? It looks like it is a static to the same IP, should it be:
I assume from what I have learned this will just allow the static route between the DMZ host and the internal DC or SQL host, so I would need a static for each internal host (one for DC and one for SQL Server).
Am I still on the right path? Thanks for your help.
The IP address of the host must be advertised using a static statement to permit traffic from a LOWER security interface to a HIGHER one. By default on the PIX the inside intf security is 100, and the outside intf security is 0. You can set the dmz security parameter in the range 1-99. Also, using a routable IP on the lower intf is required.
I'm not sure what you wanna do but here's a generic explanation to permit traffic from outside ip host 184.108.40.206 to inside host 220.127.116.11:
1) Advertise your inside host: use an outside routable IP address:
I improperly used 'route' when referring to static, but you got what I was referring to.
If I am allowing traffic from a DMZ to the inside intf, then would I create and bind access-lists to the DMZ interface or the inside interface? It seems it would be to the inside intf (to allow the SQL Server calls from a DMZ host to pass through the higher security intf). Or do I have it backwards? For some reason this was easier when I was only dealing with two intfs, not three. And just to make sure--- you can only bind one access-list to an interface, correct?
If the initiator of a connection is in the dmz, you must apply an access-list on the dmz intf. There is no need to add a reflexive access-list on the inside intf to permit the traffic to come back from the inside host to the dmz host. The PIX maintains a connection table between hosts and all security inspection of packets is done by the PIX.
You may add as many access-lists as you need and bind all of them to one interface. You may only have one group of ACL for each interface. When you get familiar with the PIX, you won't notice any difference dealing with 2, 3...6 interfaces per PIX. You just need a little time for learning and experiencing.
Thanks for the clarification. After reading your post I sat down and really thought about it, and I realized the DMZ intf is nothing more than another outside intf, and the same theories apply to any interface that isn't the inside intf. Thanks again for that explanation.
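The configuration the thread arrives at, written out as an added example (not posted by either participant); it assumes PIX 6.x syntax, a DMZ interface named "dmz", the thread's addresses 10.10.0.2 (DMZ web server) and 192.168.0.6 (inside DC), a placeholder 192.168.0.7 for the inside SQL Server, and TCP 1433 as the SQL Server port (the thread names no SQL address or port).

```text
! Added example, not from the thread. Assumed: interface "dmz" at security 50,
! web server 10.10.0.2, DC 192.168.0.6, SQL Server 192.168.0.7 (placeholder),
! SQL Server on TCP 1433 (assumption; the thread gives no port).
nameif ethernet2 dmz security50

! Step 1: advertise each inside host towards the lower-security dmz interface
! with an identity static (same IP on both sides), one static per inside host.
! Without a translation for the inside host the PIX drops the DMZ-initiated
! connection before any access-list is consulted.
static (inside,dmz) 192.168.0.6 192.168.0.6 netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.0.7 192.168.0.7 netmask 255.255.255.255 0 0

! Step 2: permit only the web server, only to the two inside hosts, only on
! the required ports. Everything else from dmz to a higher-security interface
! stays denied by the implicit deny at the end of the list.
access-list dmz_inside permit tcp host 10.10.0.2 host 192.168.0.6 eq 389
access-list dmz_inside permit tcp host 10.10.0.2 host 192.168.0.7 eq 1433

! Step 3: bind the list inbound on the dmz interface, i.e. on the interface
! the connection initiator sits behind (one access-group per interface).
! Return traffic inside -> dmz needs no ACL; it is matched against the
! PIX connection table.
access-group dmz_inside in interface dmz

! Verify what was applied and that the list is being hit:
show static
show access-list dmz_inside
```

A domain-joined web server usually needs more than LDAP 389 (Kerberos, RPC/SMB, DNS); add only the ports the application actually uses, each as its own host-to-host line, rather than widening to "any".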