Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Elementary access-list question

I am doing the unthinkable, opening up the ports from my DMZ to inside interface to allow active directory communication. I just wanted to check the syntax of what I am doing before I do it.

According to PIX docs if I do this:

'access-list dmz_inside permit tcp any any eq 389' and apply it to the DMZ intf, then any tcp traffic on tcp 389 originating from any host on the DMZ will be able to pass through to the inside interface. What I am having a hard time with, is the syntax to say I only want DMZ host 10.10.0.2 to start a connection through to inside host 192.168.0.6(ie I need the webserver on the DMZ to talk only to the Domain Controller).

I also want need to have SQL server traffic to be able to pass through using the same type of situation as with the domain controller, but I am not sure if the access-list needs to be accompanied by a static statement for each port I open up. It would make sense that I would need a static statement to tell the DMZ host to talk only to the SQL Server or Domain controller, am I on the right path or way of base.

As always thanks in advance.

Marc

6 REPLIES
New Member

Re: Elementary access-list question

Hi Marc,

The access-list you'll need will look like this:

"access-list dmz_inside permit tcp host 10.10.0.2 host 192.168.0.6 eq 389"

and remove

'access-list dmz_inside permit tcp any any eq 389'

All traffic must be explicitly specified to pass from an interface to another.

See link below:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/ab.htm#wp1067755

For the static statement, since you need many tcp ports to be opened for the same inside host, I would recommand to use this:

static (inside, dmz) 192.168.0.6 192.168.0.6 netmask 255.255.255.255 0 0

See also link below:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/s.htm#wp1026694

Mike

New Member

Re: Elementary access-list question

I was looking at my PIX config and realized I dont need to open up the ports on the DMZ interface which ,i was doing(thank god for test networks), but rather palce those access-lists (using access-group) on the inside interface.

So the syntax is:

access-list outside_inside permit tcp host (dmz IP address) host (internal DC or SQL IP) eq (port number)

Could you explain the static syntax you have written? I looks like it is a static to the same IP, should it be:

static (inside,dmz) 10.10.0.2 192.168.06 netmask 255.255.255.255 0 0

I assume from what I have learned this will just allow the static route bewteen the DMZ host and the internal DC or SQL host, so I would need a static for each internal host (one for DC and one for SQL server).

I am I still on the right path? Thanks for your help.

Cheers,

Marc

New Member

Re: Elementary access-list question

Hello Mark,

A static statement will not route traffic.

IP address of host must be advertise using a static statement to permit traffic from a LOWER interface security to a HIGHER one. By default on pix inside intf security is 100, and outside intf sec is 0. You can set dmz sec parameter in the range 1-99. Also using a routable ip on lower intf is required.

I'm not sure what you wanna do but here's a generic explanation to permit traffic from outside ip host 2.2.2.2 to inside host 1.1.1.1:

1) Advertise your inside host: use a outside routable ip address:

Static (inside, outside) 1.1.1.1 2.1.1.1 netmask ...

2)Permit traffic using the ADVERTISED IP:

Access-list outside_access permit tcp host 2.2.2.2 host 2.1.1.1 eq tcp/port

3)Bind outside access-list's on the outside intf:

Access-group outside_access in interface outside

Should do the trick.

You must use a static statement for each inside hosts on witch you want to permit traffic.

Try 'show xlate' and 'clear xlate' (use w/ precaution) commands to debug.

Mike

New Member

Re: Elementary access-list question

Mike,

Thanks for the insight!

I improperly used 'route' when refering to static, but you got what i was refering to.

If I am allowing traffic from a DMZ to inside intf then I would create and bind access-lists to the DMZ interface or the inside interface? It seems it would be to the inside intf(to allow the SQL server calls from a DMZ host to pass through the higher security intf). Or do I have it backwards? For some reason this was easier when I was only dealing with two intfs not three. And just to make sure--- you can only bind one access-list to an interface correct?

Thanks again.

Cheers,

Marc

New Member

Re: Elementary access-list question

Hi Marc,

If the initiator of a connection is in dmz, you must apply an access-list on dmz intf. There is no need to add reflexive access-list on the inside intf to permit the traffic to come back from inside host to dmz host. The pix maintains a connection table between hosts and all securty inspection of packet is done by the pix.

You may add as many access-list's as you need and bind all of them to one interface. You may only have one group of acl for each interface. When you'll get familiar w/ pix, you wont make any difference dealing w/ 2, 3...6 interfaces per pixes. You just need a little time for learning and experiencing.

Mike

New Member

Re: Elementary access-list question

Mike,

Thanks for the clarification. After reading your post I sat down and really thought about it, I realized the DMZ intf is nothing more then another outside intf and the same theories apply to any intf face that isn't the inside intf. Thanks again for that explanation.

Cheers,

Marc

103
Views
0
Helpful
6
Replies
CreatePlease login to create content