PIX 525 inbound outbound acl mix

How to control traffic between dmz and inside using pix 525 without NAT? Let's say if I want dmz to be able to access one IP/port on the inside network. Do I need to add an entry to the inbound acl on the dmz interface AND outbound acl on the inside interface since the packet comes in from the dmz and out to the inside network from the inside interface? Or does pix only check one acl (e.g. inbound acl on dmz) and if it passes, the packet will be let go through the firewall even though the other acl (e.g. outbound acl on inside interface) doesn't explicitly allow it? I see all inbound and outbound ACL groups have a last line implicit deny rule.

gfrankliu

The inside network has a security of 100, so it can reach DMZ (assume you set that to 50) and outside (0) without an outbound ACL, unless you are specifically limiting the outbound traffic from the inside.

You need a NAT statement for the inside to be reachable from the DMZ as well, but the line can use the same IP addresses:

nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security50

static (inside,DMZ) 192.168.5.0 192.168.5.0 netmask 255.255.255.0

Then you would have an ACL from DMZ to allow that one IP.

access-list DMZ-out permit tcp any host 192.168.5.10 eq 25
access-list DMZ-out deny ip any 192.168.5.0 255.255.255.0
access-list DMZ-out permit ip any any
access-group DMZ-out in interface DMZ

Happy to help, need your config and PIX OS version.

Shawn

Shawn Westerhoff
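As an added illustration (not part of the thread or Cisco's code), a small Python model of how the PIX walks the DMZ-out ACL from the answer: lines are tried top to bottom, the first match decides, and a packet matching no line hits the implicit deny. The `Ace` class and `evaluate` function are assumed names; masks are written as prefix lengths.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Ace:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" (any protocol) or "tcp"
    dst: ipaddress.IPv4Network    # destination match; source is "any" in every posted line
    dport: Optional[int]          # None means any destination port

def ace(action, proto, dst, dport=None):
    return Ace(action, proto, ipaddress.ip_network(dst, strict=False), dport)

# The three DMZ-out lines from the answer, in the order they were written.
DMZ_OUT = [
    ace("permit", "tcp", "192.168.5.10/32", 25),   # the one inside host/port the DMZ may reach
    ace("deny",   "ip",  "192.168.5.0/24"),        # everything else on the inside is blocked
    ace("permit", "ip",  "0.0.0.0/0"),             # DMZ may still reach outside
]

def evaluate(acl, proto, dst_ip, dport=None):
    """Return "permit" or "deny" for a packet checked against the ACL applied
    'in' on the ingress (DMZ) interface. First matching line wins; no match
    falls through to the implicit deny that ends every PIX ACL."""
    ip = ipaddress.ip_address(dst_ip)
    for line in acl:
        if line.proto != "ip" and line.proto != proto:
            continue                      # protocol does not match this line
        if ip not in line.dst:
            continue                      # destination outside this line's network
        if line.dport is not None and line.dport != dport:
            continue                      # port does not match
        return line.action
    return "deny"                         # implicit deny

if __name__ == "__main__":
    # Constructed sample packets from the DMZ.
    print(evaluate(DMZ_OUT, "tcp", "192.168.5.10", 25))   # permit (line 1)
    print(evaluate(DMZ_OUT, "tcp", "192.168.5.10", 80))   # deny   (line 2)
    print(evaluate(DMZ_OUT, "tcp", "192.168.5.11", 25))   # deny   (line 2)
    print(evaluate(DMZ_OUT, "udp", "203.0.113.7", 53))    # permit (line 3)
    print(evaluate([], "tcp", "192.168.5.10", 25))        # deny   (implicit deny, empty ACL)
```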
