Only Allow DMZ Host to access specific IPs on the outside

stownsend
Level 2

I'm trying to secure some of my DMZ hosts and was thinking that the Web/FTP server does not need to originate any communications with the outside world; they are only there to give info when spoken to.

Though I'd like them to be able to start a conversation with a few of our local outside hosts. I'd like to set up the PIX 515 so the hosts can only communicate with a specific subnet on the outside.

I have communications from the DMZ to the inside and from Inside to DMZ.

Thanks,

Scott<-

6 Replies

gfullage
Cisco Employee

Just add an ACL inbound on the DMZ interface (actually if you say you already have access from the DMZ to inside then you must already have an ACL on your DMZ). Let's assume your DMZ servers are 10.1.1.1 and 10.1.1.2, your inside is 172.16.1.0/24 and the outside hosts are 200.1.1.1 and .2. All you should need is the following added to your existing ACL:

> access-list dmz-in permit ip host 10.1.1.1 200.1.1.0 255.255.255.252

> access-list dmz-in permit ip host 10.1.1.2 200.1.1.0 255.255.255.252

> access-list dmz-in permit ip host 10.1.1.1 172.16.1.0 255.255.255.0

> access-list dmz-in permit ip host 10.1.1.2 172.16.1.0 255.255.255.0

The implicit "deny everything else" at the end will stop all other traffic. The last two lines in the ACL above probably already exist (or a subset of them).

Thank you for the reply.

I'll have to give it a whirl when I'm back in the office.

I just thought I'd also need to have a nat (dmz) 0/1 something command in there too. How does the DMZ address space get NATed to the outside?

Thanks again, I appreciate your help.

Scott<-

Yes sorry, I assumed you already had that part working. Yes, you'll need something like:

> nat (dmz) 1 0 0 0

If you already have something like:

> global (outside) 1 x.x.x.x

> nat (inside) 1 0 0 0

then you can just add the "nat (dmz) 1...." line and it'll use the same global outside pool as the inside hosts use.

Perfect. I'll give it a whirl when I'm back in the office.

Thanks!!

Scott<-

So I must be missing something here.... I can't get out. )-;

If I don't have an ACL on my Inside to outside, and the Inside addresses can get out just fine, would I also not need anything for the DMZ to outside? So at this point I'm just trying to get the DMZ to be able to access the outside. Then I'll worry about narrowing it down.

Here is my config:

name 192.168.1.1 charlie_o
name 10.1.0.2 charlie_i
name 172.16.0.1 charlie_dmz
name 172.16.0.32 ftp-smtp_dmz
access-list inside_nat permit ip 10.0.0.0 255.0.0.0 10.200.0.0 255.255.0.0
access-list inside_nat permit ip 10.0.0.0 255.0.0.0 10.201.0.0 255.255.255.0
access-list inside_nat permit ip 10.0.0.0 255.0.0.0 172.16.0.0 255.255.255.0
access-list acl_dmz permit icmp any any echo-reply
access-list acl_dmz permit icmp any any time-exceeded
access-list acl_dmz permit icmp any any unreachable
access-list acl_dmz permit tcp any host ftp-smtp_o eq smtp
access-list acl_dmz permit tcp any host ftp-smtp_o eq ftp
ip address outside charlie_o 255.255.255.0
ip address inside charlie_i 255.255.0.0
ip address dmz charlie_dmz 255.255.255.0
global (outside) 1 192.168.1.50-192.168.1.170
global (outside) 1 192.168.1.20 netmask 255.255.255.0
nat (inside) 0 access-list inside_nat
nat (inside) 1 10.0.0.0 255.0.0.0 0 0
nat (dmz) 1 172.16.0.0 255.255.255.0 0 0
static (dmz,outside) tcp ftp-smtp_o ftp ftp-smtp_dmz ftp netmask 255.255.255.255 0 0
static (dmz,outside) tcp ftp-smtp_o smtp ftp-smtp_dmz smtp netmask 255.255.255.255 0 0
static (inside,dmz) 10.1.0.0 10.1.0.0 netmask 255.255.0.0 0 0
access-group acl_outside in interface outside
access-group acl_dmz in interface dmz

Your access list acl_dmz doesn't permit much in. That ACL, as it is bound to the inside of the dmz int, will affect traffic leaving the dmz subnet and going into the PIX on the dmz int. Your statements pertaining to those machines' accessibility to the internet need to be in the ACL bound inbound to the outside int.

Matt
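As an added illustration (not part of the thread, and not Cisco code), a small Python model of PIX first-match ACL evaluation with the implicit deny, run against gfullage's dmz-in entries and the tcp lines of Scott's acl_dmz. It shows why the dmz-in list lets a DMZ host reach only the 200.1.1.0/30 hosts and the inside subnet, and why Scott's acl_dmz, with no permit for DMZ-originated outbound traffic, drops such flows at the implicit deny. The address for ftp-smtp_o is a constructed placeholder, since the posted config has no name line for it.

```python
# Hypothetical PIX-style ACL evaluator written for this thread; not Cisco code.
import ipaddress
def _addr(t, i):
    """Consume 'any' | 'host A' | 'A MASK' at t[i]; return (network, next index)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    # PIX access-lists use ordinary subnet masks, not IOS-style wildcard masks.
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2

def parse_ace(line, names=None):
    """Parse 'access-list NAME permit|deny PROTO SRC DST [eq PORT]' (names resolved)."""
    t = [(names or {}).get(w, w) for w in line.split()]
    action, proto = t[2], t[3]
    src, i = _addr(t, 4)
    dst, i = _addr(t, i)
    port = t[i + 1] if i < len(t) and t[i] == "eq" else None
    return action, proto, src, dst, port

def permitted(acl, proto, src, dst, dport=None, names=None):
    """First matching entry wins; no match falls through to the PIX implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for line in acl:
        action, p, snet, dnet, port = parse_ace(line, names)
        if p in ("ip", proto) and s in snet and d in dnet and port in (None, dport):
            return action == "permit"
    return False
# gfullage's dmz-in entries, with subnet destinations written as 'NET MASK'.
DMZ_IN = [
    "access-list dmz-in permit ip host 10.1.1.1 200.1.1.0 255.255.255.252",
    "access-list dmz-in permit ip host 10.1.1.2 200.1.1.0 255.255.255.252",
    "access-list dmz-in permit ip host 10.1.1.1 172.16.1.0 255.255.255.0",
    "access-list dmz-in permit ip host 10.1.1.2 172.16.1.0 255.255.255.0",
]
# tcp entries of Scott's acl_dmz; ftp-smtp_o has no 'name' line in the posted config, so a constructed placeholder stands in.
NAMES = {"ftp-smtp_o": "192.168.1.60", "ftp-smtp_dmz": "172.16.0.32"}
ACL_DMZ = [
    "access-list acl_dmz permit tcp any host ftp-smtp_o eq smtp",
    "access-list acl_dmz permit tcp any host ftp-smtp_o eq ftp",
]
def demo():
    """DMZ-originated flows entering the PIX on the dmz interface, per ACL."""
    return (
        permitted(DMZ_IN, "tcp", "10.1.1.1", "200.1.1.2", "80"),    # True: inside the /30
        permitted(DMZ_IN, "tcp", "10.1.1.1", "200.1.1.9", "80"),    # False: outside the /30
        permitted(DMZ_IN, "tcp", "10.1.1.1", "172.16.1.5", "22"),   # True: DMZ -> inside
        permitted(ACL_DMZ, "tcp", "172.16.0.32", "198.51.100.7", "80", NAMES),  # False: implicit deny
    )
```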
