Help with access lists

acraick
Level 1

Why oh why does Pix need to make things so difficult.......

I am segregating parts of my LAN with an ASA. So the firewall will be providing internet services, plus I want to have a number of networks secured by the ASA (call them DMZs if you must).

I've setup security levels so that the traffic should flow correctly. The problem being that some of my interfaces on lower security levels need to talk to subnets on interfaces of higher security levels.

I could just place access lists on these outgoing interfaces to allow the traffic to the higher levels, but the default deny at the end of these access lists then blocks these subnets from connecting to the internet, i.e. any but Internal.

Because of the default deny, I would have to put every IP address on the internet in my access list (no thanks!!) or permit everything and then just deny networks I don't specifically want these networks to speak to. What a pain!!!

Is there any better way to deal with such a situation?

I really need something I can put in my access list that would say "allow to my outside interface and these other networks and deny everything else".

This would be so simple with Checkpoint but unfortunately I'm not so crash hot with Pix.

Anyway thanks

3 Replies

hackworth.kenny
Level 1

See if this helps you in any way.

I'm only speaking to PIX running 6.3(5) though. The way I've done this is with the following scenario:

interface(security) - ip
--------------------------
outside(0) - any ip
dmz1(25) - 192.168.1.0/24
dmz2(50) - 192.168.2.0/24
dmz3(75) - 192.168.3.0/24
trusted(100) - 192.168.4.0/24

to enable dmz1 to talk to trusted on port 1433, not to any other segment, and to any outside.

All of the segments are set up with no_nat to enable the translations between interfaces.

i.e.

access-list no_nat permit ip 192.168.4.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list no_nat permit ip 192.168.4.0 255.255.255.0 192.168.2.0 255.255.255.0

and so forth and so on.

nat (dmz1) 0 access-list no_nat
nat (dmz2) 0 access-list no_nat

etc...

Then for dmz1

access-group 100 in interface dmz1

Then for ACL 100

access-list 100 permit tcp 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0 eq 1433
access-list 100 deny ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 100 deny ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list 100 deny ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list 100 permit ip any any

Like I said, only speaking to 6.3(5) on a PIX, but the concept shouldn't change. Hope it helps.
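To make the first-match behaviour of ACL 100 above concrete, here is an added evaluator written for this thread (example code, not the poster's or Cisco's) that walks constructed packets through the posted ACL and through a variant that replaces the per-segment denies with one summarised deny on 192.168.0.0/16; that summary assumes every internal segment lives inside 192.168.0.0/16, which the post's addressing suggests but does not state.

```python
import ipaddress
from collections import namedtuple

# action: "permit"/"deny"; proto "ip" matches every protocol; dport: the ACE's "eq N", None = any port
Ace = namedtuple("Ace", "action proto src dst dport")

def _net(tok, i):
    """Read 'any' or 'ADDR MASK' at tok[i]; return the network and the next token index."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}"), i + 2

def ace(line):
    """Parse one 'access-list N action proto SRC MASK DST MASK [eq PORT]' line (PIX 6.x syntax)."""
    tok = line.split()
    src, i = _net(tok, 4)
    dst, i = _net(tok, i)
    dport = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
    return Ace(tok[2], tok[3], src, dst, dport)

def parse_acl(text):
    return [ace(line) for line in text.strip().splitlines()]

def evaluate(acl, proto, src, dst, dport=None):
    """First match wins; the trailing implicit deny is what the PIX/ASA applies to an inbound ACL."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for a in acl:
        if a.proto in ("ip", proto) and s in a.src and d in a.dst and a.dport in (None, dport):
            return a.action
    return "deny"

# ACL 100 exactly as posted: one permit, a deny per internal segment, then permit any any.
PAGE_ACL = parse_acl("""
access-list 100 permit tcp 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0 eq 1433
access-list 100 deny ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 100 deny ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list 100 deny ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list 100 permit ip any any
""")

# Constructed variant: one summarised deny covers present and future internal /24s, assuming all sit in 192.168.0.0/16.
SUMMARISED_ACL = parse_acl("""
access-list 101 permit tcp 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0 eq 1433
access-list 101 deny ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list 101 permit ip any any
""")

if __name__ == "__main__":  # a segment added later (constructed 192.168.5.0/24) is reachable under ACL 100
    print(evaluate(PAGE_ACL, "tcp", "192.168.1.10", "192.168.5.9", 445),
          evaluate(SUMMARISED_ACL, "tcp", "192.168.1.10", "192.168.5.9", 445))  # prints "permit deny"
```

The run shows the trade-off the thread is circling: with a trailing permit any any, every segment you add later must also get its own deny, whereas one summarised deny keeps new 192.168.x.0/24 segments blocked without touching the ACL.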

Thanks for your input. I had thought of this but I have a heap of networks I'd need to deny, making this quite tedious.

It also doesn't seem like good security practice to permit by default, as if a new network is added then you need to modify all your ACLs again to deny access.

Hi, a correction:

With ASA/PIX you only need to specify the ACL on the interface where the traffic is generated; the return is processed automatically, no matter the ACL on the return interface.

For example, for a PIX:

permit any in interface inside

deny any in interface outside

The traffic initiated on the inside (users) will go on the internet, and the return traffic WILL BE PERMITTED.

However, an INITIATED connection from the internet will not be permitted.

The security numbers only apply when no ACL is in place and then, with ACL, only for the nat/static dichotomy.

Please rate if this helped.

Regards,

Daniel