New Member

Only Allow DMZ Host to access specific IPs on the outside

I'm trying to secure some of my DMZ hosts and was thinking that the Web/FTP server does not need to originate any communications with the outside world; they are only there to give info when spoken to.

Though I'd like them to be able to start a conversation with a few of our local outside hosts. I'd like to set up the PIX 515 so the hosts can only communicate with a specific subnet on the outside.

I have communications from the DMZ to the inside and from Inside to DMZ.

Thanks,

Scott<-

6 REPLIES
Cisco Employee

Re: Only Allow DMZ Host to access specific IPs on the outside

Just add an ACL inbound on the DMZ interface (actually if you say you already have access from the DMZ to inside then you must already have an ACL on your DMZ). Let's assume your DMZ servers are 10.1.1.1 and 10.1.1.2, your inside is 172.16.1.0/24 and the outside hosts are 200.1.1.1 and .2. All you should need is the following added to your existing ACL:

> access-list dmz-in permit ip host 10.1.1.1 200.1.1.0 255.255.255.252

> access-list dmz-in permit ip host 10.1.1.2 200.1.1.0 255.255.255.252

> access-list dmz-in permit ip host 10.1.1.1 172.16.1.0 255.255.255.0

> access-list dmz-in permit ip host 10.1.1.2 172.16.1.0 255.255.255.0

The implicit "deny everything else" at the end will stop all other traffic. The last two lines in the ACL above probably already exist (or a subset of them).

New Member

Re: Only Allow DMZ Host to access specific IPs on the outside

Thank you for the reply.

I'll have to give it a whirl when I'm back in the office.

I just thought I'd also need to have a nat (dmz) 0/1 something command in there too. How does the DMZ address space get NATed to the outside?

Thanks again, I appreciate your help.

Scott<-

Cisco Employee

Re: Only Allow DMZ Host to access specific IPs on the outside

Yes sorry, I assumed you already had that part working. Yes, you'll need something like:

> nat (dmz) 1 0 0 0

If you already have something like:

> global (outside) 1 x.x.x.x

> nat (inside) 1 0 0 0

then you can just add the "nat (dmz) 1...." line and it'll use the same global outside pool as the inside hosts use.

New Member

Re: Only Allow DMZ Host to access specific IPs on the outside

Perfect. I'll give it a whirl when I'm back in the office.

Thanks!!

Scott<-

New Member

Re: Only Allow DMZ Host to access specific IPs on the outside

So I must be missing something here.... I can't get out. )-;

If I don't have an ACL on my Inside to outside, and the Inside addresses can get out just fine, would I also not need anything for the DMZ to outside? So at this point I'm just trying to get the DMZ to be able to access the outside. Then I'll worry about narrowing it down.

Here is my config:

name 192.168.1.1 charlie_o

name 10.1.0.2 charlie_i

name 172.16.0.1 charlie_dmz

name 172.16.0.32 ftp-smtp_dmz

access-list inside_nat permit ip 10.0.0.0 255.0.0.0 10.200.0.0 255.255.0.0

access-list inside_nat permit ip 10.0.0.0 255.0.0.0 10.201.0.0 255.255.255.0

access-list inside_nat permit ip 10.0.0.0 255.0.0.0 172.16.0.0 255.255.255.0

access-list acl_dmz permit icmp any any echo-reply

access-list acl_dmz permit icmp any any time-exceeded

access-list acl_dmz permit icmp any any unreachable

access-list acl_dmz permit tcp any host ftp-smtp_o eq smtp

access-list acl_dmz permit tcp any host ftp-smtp_o eq ftp

ip address outside charlie_o 255.255.255.0

ip address inside charlie_i 255.255.0.0

ip address dmz charlie_dmz 255.255.255.0

global (outside) 1 192.168.1.50-192.168.1.170

global (outside) 1 192.168.1.20 netmask 255.255.255.0

nat (inside) 0 access-list inside_nat

nat (inside) 1 10.0.0.0 255.0.0.0 0 0

nat (dmz) 1 172.16.0.0 255.255.255.0 0 0

static (dmz,outside) tcp ftp-smtp_o ftp ftp-smtp_dmz ftp netmask 255.255.255.255 0 0

static (dmz,outside) tcp ftp-smtp_o smtp ftp-smtp_dmz smtp netmask 255.255.255.255 0 0

static (inside,dmz) 10.1.0.0 10.1.0.0 netmask 255.255.0.0 0 0

access-group acl_outside in interface outside

access-group acl_dmz in interface dmz

Silver

Re: Only Allow DMZ Host to access specific IPs on the outside

Your access list acl_dmz doesn't permit much in. That ACL, as it is bound to the inside of the dmz interface, will affect traffic leaving the dmz subnet and going into the PIX on the dmz interface. Your statements pertaining to those machines' accessibility to the internet need to be in the ACL bound inbound to the outside interface.

Matt
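Added example, not code from the thread (it is neither Scott's config nor the replies' commands): a small Python evaluator for PIX-style access-list entries, run against the dmz-in ACL from the first reply and against the ICMP entries of Scott's acl_dmz. It applies the rules the firewall applies to an ACL bound inbound on an interface: entries are walked top-down, the first entry whose protocol, addresses and port or ICMP type all match decides, and a flow that matches nothing hits the implicit deny. Assumptions: PIX accepts either "host A" or "A MASK", so the stray "host" before the /30 in the first reply is dropped; the two tcp entries of acl_dmz are left out because the name ftp-smtp_o is never defined in the posted config; the flows tested are constructed here and are all originated by a DMZ host.

```python
"""Evaluate PIX-style access-list entries the way the firewall does: first match
wins, and a list that matches nothing ends in the implicit deny.  Added example,
not code from the thread."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed input: the dmz-in ACL from the first reply.  PIX takes either
# "host A" or "A MASK", so the stray "host" before the /30 is dropped.
DMZ_IN = """
access-list dmz-in permit ip host 10.1.1.1 200.1.1.0 255.255.255.252
access-list dmz-in permit ip host 10.1.1.2 200.1.1.0 255.255.255.252
access-list dmz-in permit ip host 10.1.1.1 172.16.1.0 255.255.255.0
access-list dmz-in permit ip host 10.1.1.2 172.16.1.0 255.255.255.0
"""

# Constructed input: the ICMP entries of Scott's acl_dmz.  The two tcp entries
# are omitted because the name ftp-smtp_o is never defined in the posted config.
ACL_DMZ = """
access-list acl_dmz permit icmp any any echo-reply
access-list acl_dmz permit icmp any any time-exceeded
access-list acl_dmz permit icmp any any unreachable
"""

ICMP_TYPES = {"echo-reply": 0, "unreachable": 3, "echo": 8, "time-exceeded": 11}
PORT_NAMES = {"ftp": 21, "smtp": 25, "www": 80}


@dataclass
class Ace:
    action: str
    proto: str                       # "ip", "tcp", "udp" or "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None      # tcp/udp "eq PORT"
    icmp_type: Optional[int] = None  # icmp type keyword


def _parse_addr(tokens: List[str]):
    """Consume 'any' | 'host A' | 'A MASK' from the front of the token list."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(tokens[0] + "/" + tokens[1]), tokens[2:]


def parse_acl(text: str) -> Dict[str, List[Ace]]:
    """Group access-list lines by ACL name, keeping order (the order is the policy)."""
    acls: Dict[str, List[Ace]] = {}
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] != "access-list":
            continue
        name, action, proto = t[1], t[2], t[3]
        src, rest = _parse_addr(t[4:])
        dst, rest = _parse_addr(rest)
        dport = icmp_type = None
        if proto in ("tcp", "udp") and rest[:1] == ["eq"]:
            dport = PORT_NAMES.get(rest[1]) or int(rest[1])
        elif proto == "icmp" and rest:
            icmp_type = ICMP_TYPES[rest[0]]
        acls.setdefault(name, []).append(Ace(action, proto, src, dst, dport, icmp_type))
    return acls


def evaluate(aces, src, dst, proto, dport=None, icmp_type=None) -> bool:
    """True if the flow is permitted.  Walk the entries top-down; the first entry
    whose protocol, addresses and port/type all match decides.  No match: deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in aces:
        if ace.proto not in ("ip", proto):
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        if ace.icmp_type is not None and ace.icmp_type != icmp_type:
            continue
        return ace.action == "permit"
    return False  # the implicit "deny everything else"


ACLS = parse_acl(DMZ_IN + ACL_DMZ)

if __name__ == "__main__":
    dmz_in, acl_dmz = ACLS["dmz-in"], ACLS["acl_dmz"]
    # Constructed flows, every one originated by a DMZ host (the ACL is inbound on dmz).
    flows = [
        ("10.1.1.1 -> 200.1.1.1 tcp/443", evaluate(dmz_in, "10.1.1.1", "200.1.1.1", "tcp", 443)),
        ("10.1.1.1 -> 200.1.1.4 tcp/443", evaluate(dmz_in, "10.1.1.1", "200.1.1.4", "tcp", 443)),
        ("10.1.1.2 -> 172.16.1.10 tcp/22", evaluate(dmz_in, "10.1.1.2", "172.16.1.10", "tcp", 22)),
        ("10.1.1.1 -> 8.8.8.8 udp/53", evaluate(dmz_in, "10.1.1.1", "8.8.8.8", "udp", 53)),
        ("172.16.0.32 -> 192.168.1.1 icmp echo", evaluate(acl_dmz, "172.16.0.32", "192.168.1.1", "icmp", icmp_type=8)),
        ("172.16.0.32 -> 192.168.1.1 icmp echo-reply", evaluate(acl_dmz, "172.16.0.32", "192.168.1.1", "icmp", icmp_type=0)),
        ("172.16.0.32 -> 192.168.1.1 tcp/80", evaluate(acl_dmz, "172.16.0.32", "192.168.1.1", "tcp", 80)),
    ]
    for label, ok in flows:
        print(f"{label:45} {'permit' if ok else 'deny'}")
```

With dmz-in, only the two listed servers reach the 200.1.1.0/30 hosts and the inside /24; 200.1.1.4 sits outside the /30 and a DNS lookup to 8.8.8.8 falls through to the implicit deny. With acl_dmz as posted, a DMZ host can emit only the three ICMP reply types, so anything it tries to start itself, an echo request or a TCP SYN, is dropped before it ever reaches the NAT rule, which is why adding nat (dmz) 1 on its own changes nothing.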
