Cisco Support Community
Community Member

Outside Restrictions to DMZ

I am trying to deny an IP address from connecting to my Mail Filter located in the DMZ; I have a PIX 515e. My Mail Filter is being attacked and I want to prevent the attacking IP from connecting to it.

Here is my Current DMZ Conf.

nameif ethernet2 dmz security4

access-list ACL_DMZ permit tcp host 192.168.0.10 host 10.1.1.203 eq smtp

access-list ACL_DMZ permit tcp host 192.168.0.10 10.1.1.0 255.255.255.0 eq 8000

access-list ACL_DMZ permit tcp host 192.168.0.10 host 10.1.1.210 eq domain

access-list ACL_DMZ permit tcp host 192.168.0.10 host 10.1.1.211 eq domain

access-list ACL_DMZ permit icmp host 192.168.0.10 10.1.1.0 255.255.255.0

access-list ACL_DMZ permit udp any any

access-list ACL_DMZ permit tcp any any

access-list ACL_DMZ permit tcp host 192.168.0.10 10.1.2.0 255.255.255.0 eq 8000

access-list ACL_DMZ permit icmp host 192.168.0.10 10.1.2.0 255.255.255.0

access-list ACL_DMZ deny ip host 65.84.81.240 any

access-group ACL_DMZ in interface dmz

Thank you for your assistance.

5 REPLIES

Re: Outside Restrictions to DMZ

If you want to block an intruder from the outside in to your DMZ, you need to adjust your outside ACL, not the DMZ ACL. The ACL above and the way it is applied determine what machines on your DMZ are allowed to go out of the DMZ interface.

HTH and please rate.

Community Member

Re: Outside Restrictions to DMZ

This is part of my Outside ACL, Please take a look and see if you can see any problems.

access-list ACL_OUTSIDE permit tcp any host x.x.x.x eq smtp

access-list ACL_OUTSIDE deny ip host 65.84.81.240 any

access-group ACL_OUTSIDE in interface outside

Thanks

Re: Outside Restrictions to DMZ

I'm assuming that 65.84.81.240 is the IP you want to block from hitting your mail server. The line above it is permitting it, so you will need to move this line:

access-list ACL_OUTSIDE deny ip host 65.84.81.240 any

above this line:

access-list ACL_OUTSIDE permit tcp any host x.x.x.x eq smtp

To do that you will have to remove each and then add in the correct order. It would be best to do that in notepad and then copy-n-paste into the firewall.

For example:

no access-list ACL_OUTSIDE permit tcp any host x.x.x.x eq smtp

access-list ACL_OUTSIDE permit tcp any host x.x.x.x eq smtp

This will remove then add the line to the bottom of the ACL.

Cisco Employee

Re: Outside Restrictions to DMZ

You are looking at the wrong access control list - attack traffic is most likely coming from the outside, so you need to block attack traffic with an access control entry for the access list applied to the outside interface. In other words, you do not need to modify the ACL applied to the DMZ interface because that's only used to control traffic that is generated by machines in the DMZ, not traffic destined to those machines.

A note about the access list called "ACL_DMZ": that ACL permits all TCP and UDP traffic - the "deny ip host 65.84.81.240 any" at the bottom of the ACL is not really doing anything.

Community Member

Re: Outside Restrictions to DMZ

Hi person,

Your access-list is not correctly organized.

The basic idea for all ACL is the following:

- Evaluate rule by rule, from top to bottom.

- When a rule matches the packet under analysis, take the action of that rule.

- No more rules will be evaluated for this packet.

This way, when the attacker's traffic passes through your PIX, it will be evaluated against the rules and will certainly be matched by the rule

"access-list ACL_DMZ permit udp any any"

or

"access-list ACL_DMZ permit tcp any any"

The correct practice is to place the "permit tcp|udp any any" as the last rules in the ACL.

Then the deny will be evaluated and matched (for the attacker's traffic) and all other traffic will pass through your PIX.

Regards,

Me.
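A small first-match evaluator for the ACL ordering discussed in the accepted answer and in the post above, added here as an example (it is not from the thread or from Cisco). It assumes the masked x.x.x.x mail-server address is the placeholder 203.0.113.25, handles only the subset of PIX ACE syntax that appears in this thread, and shows why the deny is dead when it sits below a broader permit.

```python
import ipaddress

# Constructed sample (not from the thread): ACL_OUTSIDE as posted, deny below the
# permit, versus the accepted answer's order; x.x.x.x -> placeholder 203.0.113.25.
MAIL_SERVER = "203.0.113.25"
ACL_AS_POSTED = [
    f"access-list ACL_OUTSIDE permit tcp any host {MAIL_SERVER} eq smtp",
    "access-list ACL_OUTSIDE deny ip host 65.84.81.240 any",
]
ACL_REORDERED = list(reversed(ACL_AS_POSTED))  # deny first, then the permit
# Last two entries of the poster's ACL_DMZ: the deny sits below "permit tcp any any".
ACL_DMZ_TAIL = [
    "access-list ACL_DMZ permit tcp any any",
    "access-list ACL_DMZ deny ip host 65.84.81.240 any",
]
PORTS = {"smtp": 25, "domain": 53}  # named ports that appear in the thread

def _parse_addr(tokens):
    """Consume one address spec: 'any' | 'host A.B.C.D' | 'A.B.C.D MASK'."""
    kw = tokens.pop(0)
    if kw == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if kw == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{kw}/{tokens.pop(0)}", strict=False)

def _parse_port(tokens):
    """Consume an optional 'eq PORT'; None means any port."""
    if not tokens or tokens[0] != "eq":
        return None
    _, name = tokens.pop(0), tokens.pop(0)
    return PORTS[name] if name in PORTS else int(name)

def parse_ace(line):
    """Parse one PIX ACE (thread subset): NAME permit|deny PROTO SRC [eq P] DST [eq P]."""
    rest = line.split()
    action, proto, rest = rest[2], rest[3], rest[4:]
    src, _sport = _parse_addr(rest), _parse_port(rest)  # source port is ignored here
    dst, dport = _parse_addr(rest), _parse_port(rest)
    return action, proto, src, dst, dport

def first_match(acl, proto, src, dst, dport):
    """PIX semantics: top down, first matching entry decides; no match = implicit deny."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for line in acl:
        action, ace_proto, ace_src, ace_dst, ace_dport = parse_ace(line)
        if (ace_proto in ("ip", proto) and src_ip in ace_src and dst_ip in ace_dst
                and ace_dport in (None, dport)):
            return action, line
    return "deny", "(implicit deny at end of ACL)"
```

Running `first_match(ACL_AS_POSTED, "tcp", "65.84.81.240", MAIL_SERVER, 25)` returns the permit entry, while the same packet against `ACL_REORDERED` returns the deny; against `ACL_DMZ_TAIL` it is swallowed by "permit tcp any any" before the deny is ever consulted.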
