DMZ pix outside

Hello,

I guess this setup is getting too convoluted, as I cannot seem to find the problem.

For some reason I cannot figure out why my DMZ cannot get access to the internet. Inbound to the DMZ is working fine, but I don't have any kind of outbound access. We are using PAT on the outside interface.

Note: we have 5 static IPs, .42-.46.

Can some expert please help me with this one.

Thanks!!!!

The setup is like so:

Router: ***.***.223.41
Outside PIX: ***.***.223.42
DMZ PIX: 192.168.4.251
Webserver: 192.168.4.1

access-list outside_access_in extended permit tcp any host ***.***.223.42 eq 3389
access-list outside_access_in extended permit tcp any host ***.***.223.42 eq smtp
access-list outside_access_in extended permit tcp any host ***.***.223.42 eq https
access-list outside_access_in extended permit tcp any host ***.***.223.44 eq www
access-list outside_access_in extended permit tcp any host ***.***.223.44 eq smtp
access-list outside_access_in extended permit tcp any host ***.***.223.46 eq 9003
access-list outside_access_in extended permit tcp any host ***.***.223.46 eq 9002
access-list outside_access_in extended permit tcp any host ***.***.223.46 eq 9001
access-list outside_access_in extended permit tcp any host ***.***.223.43 eq www
access-list outside_access_in extended permit tcp any host ***.***.223.43 eq https
access-list outside_access_in extended permit tcp any host ***.***.223.44 eq https
access-list outside_access_in extended permit tcp host ***.***.232.253 host ***.***.223.44 eq ftp
access-list outside_access_in extended permit tcp any host ***.***.223.43
access-list outside_access_in extended permit tcp any host ***.***.223.43 eq domain
access-list outside_access_in extended permit tcp any host ***.***.223.44 eq ftp
access-list RemoteVPN extended permit ip 192.168.0.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list MSVPN extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list DMZ_To_Inside extended permit tcp host website host Exchange eq smtp
access-list DMZ_To_Inside extended permit icmp any any
access-list DMZ_To_Inside extended permit tcp host website host Exchange eq https
access-list DMZ_To_Inside extended permit tcp host website host AxSQLOr1 eq 1433
arp timeout 14400
global (outside) 200 interface
nat (DMZ) 200 192.168.4.0 255.255.255.0
nat (Inside) 0 access-list VPN
nat (Inside) 200 0.0.0.0 0.0.0.0
static (Inside,outside) tcp interface 3389 192.168.0.1 3389 netmask 255.255.255.255
static (Inside,outside) tcp ***.***.223.42 smtp Exchange smtp netmask 255.255.255.255
static (Inside,outside) tcp interface https Exchange https netmask 255.255.255.255
static (DMZ,outside) tcp ***.***.223.46 9004 SecSvr2 9004 netmask 255.255.255.255
static (DMZ,outside) tcp ***.***.223.44 smtp website smtp netmask 255.255.255.255
static (DMZ,outside) tcp ***.***.223.43 https website https netmask 255.255.255.255
static (DMZ,outside) tcp ***.***.223.43 www website www netmask 255.255.255.255
static (DMZ,outside) tcp ***.***.223.44 www website 81 netmask 255.255.255.255
static (DMZ,outside) tcp ***.***.223.46 9002 SecSvr2 9002 netmask 255.255.255.255
static (DMZ,outside) tcp ***.***.223.46 9001 SecSvr2 9001 netmask 255.255.255.255
static (DMZ,outside) tcp ***.***.223.44 https website 444 netmask 255.255.255.255
static (DMZ,outside) tcp ***.***.223.44 ftp website ftp netmask 255.255.255.255
static (Inside,DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
access-group outside_access_in in interface outside
access-group DMZ_To_Inside in interface DMZ
route outside 0.0.0.0 0.0.0.0 ***.***.223.41 1

Thanks again.

Reply to
Bear

When you have an access-group applied to an interface, it overrides the default behaviour of allowing traffic to go to lower security interfaces (which only applies if there is no access-group.)

Therefore, if you want the DMZ to be able to communicate with the outside, then you must add the appropriate ACL entries to DMZ_To_Inside.

Reply to
Walter Roberson

Ok, so I added the lines:

access-list DMZ_To_Inside line 5 extended permit tcp host website any eq www
access-list DMZ_To_Inside line 5 extended permit tcp host website any eq domain

Is there something else I am missing?

Thanks again for your help!!!

Reply to
Bear

You are missing quoting context -- not many of the regular readers here use google groups as our primary newsreader, so the previous context is *not* usually immediately available.

Something that you did leave out there was the block on unwanted connections from your DMZ to your inside LAN: because 'any' includes the IP range of your inside network, that ACL allows host website to contact any www or domain servers on the inside that it can get a translation to.

Another thing to be aware of is that a lot of sites block DNS over TCP, and for basic transactions, DNS will try UDP first unless it has good reason to suspect that the reply will be more than 512 bytes long (possible but not that common for routine host lookups.) I would thus suggest you permit udp to domain before the tcp to domain ("before" merely under the principle that you should have the most common cases at the top of the list unless you are using compiled ACLs.)

I notice that you must be using PIX 7.x as PIX 6 and earlier did not have 'extended' access lists. The usual rule of thumb applies: "Never use a dot-zero release on a production system: wait a couple of dot releases for the major bugs to be found and fixed."

Reply to
Walter Roberson

To add to what Walter has posted in regards to your two entries:

access-list DMZ_To_Inside line 5 extended permit tcp host website any eq www
access-list DMZ_To_Inside line 5 extended permit tcp host website any eq domain

Since this allows 'website' to ANY address it may have a translation for on these two ports, a common way to lock it down to just internet traffic would be to statically permit any inside/private communications you may want to permit from this server, then following that, deny destination to ALL private addressing, and then add the lines you've specified. By doing this, you explicitly permit particular IP-to-IP on port www/domain, then deny all other PRIVATE addresses, then permit all public IP's for ports www/domain.

This is just one way I've seen it done, I'm sure there are others, but this seems to cover most of it. But this does also open you up to ALL the internet. If you wanted to be even more paranoid, you could block particular IP ranges that may be out of the scope of your website, if any. For instance, if you know you'll only get US traffic, you could block IP ranges outside the US, etc. etc.

Lastly, 7.1 has been released, so you do have some revisions, but it's still so new that most people are still waiting a little while before going the 7.x route - so be warned that you could also experience bugs or security flaws in the version you're running.

Ryan

Reply to
rdymek
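An added example, not code from the thread, that simulates first-match evaluation of the DMZ_To_Inside list: it shows Walter's point that "permit tcp host website any eq www" also reaches inside hosts, the permit-specific / deny-private / permit-any ordering Ryan describes, and the UDP domain entry that DNS needs. The addresses for the hosts Exchange and AxSQLOr1 are assumed placeholders; everything else is taken from the posted config.

```python
# Constructed example: first-match simulator for the DMZ_To_Inside ACL.
import ipaddress

WEBSITE = "192.168.4.1"      # from the thread
EXCHANGE = "192.168.0.10"    # assumed address for host 'Exchange'
AXSQL = "192.168.0.11"       # assumed address for host 'AxSQLOr1'
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def _in(spec, addr):
    """spec is 'any', a host address string, or an ip_network."""
    if spec == "any":
        return True
    if isinstance(spec, ipaddress.IPv4Network):
        return ipaddress.ip_address(addr) in spec
    return addr == spec

def evaluate(acl, proto, src, dst, dport):
    """PIX/ASA semantics: first matching ACE wins, unmatched traffic is denied."""
    for action, r_proto, r_src, r_dst, r_port in acl:
        if r_proto not in ("ip", proto):
            continue
        if not (_in(r_src, src) and _in(r_dst, dst)):
            continue
        if r_port is not None and r_port != dport:
            continue
        return action
    return "deny"   # implicit deny at the end of every ACL

# (action, proto, src, dst, dport); None means any port.
AS_POSTED = [
    ("permit", "tcp", WEBSITE, EXCHANGE, 25),
    ("permit", "icmp", "any", "any", None),
    ("permit", "tcp", WEBSITE, EXCHANGE, 443),
    ("permit", "tcp", WEBSITE, AXSQL, 1433),
    ("permit", "tcp", WEBSITE, "any", 80),   # the two lines Bear added
    ("permit", "tcp", WEBSITE, "any", 53),
]
HARDENED = AS_POSTED[:4] + [
    ("deny", "ip", WEBSITE, n, None) for n in RFC1918   # block private space
] + [
    ("permit", "udp", WEBSITE, "any", 53),   # DNS tries UDP first
    ("permit", "tcp", WEBSITE, "any", 53),
    ("permit", "tcp", WEBSITE, "any", 80),
]

def leaks_to_inside(acl, dport=80):
    """True if 'website' can reach an arbitrary inside host on dport."""
    return evaluate(acl, "tcp", WEBSITE, "192.168.0.50", dport) == "permit"
```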

Thanks for the updates. I will let you know if I have more issues.

The reason I am at 7.0 is because I am using an ASA, and the ASA comes with 7.

Thanks!!!

Reply to
Bear

Guys, thanks for the help. I believe the problem was that:

1.) I did not open up the UDP ports for DNS.
2.) I did not reboot the server, and therefore it took some time for the updates to be recognized on that box.

One more question: what is 'quoting context'? I always use google groups. Do you recommend a different way?

Thanks again

Reply to
Bear

The portion of your posting that I quoted above provides the context for this, my reply. The quotation was trimmed down to the parts that were relevant to this portion of the discussion.

This particular style is called "mid-posting", because my replies are in the middle of quotations of different points that I am replying to.

There is also a disreputable style called "top-posting" in which one puts all of one's answer first and then quotes the entire posting one was replying to (without trimming out the irrelevant parts); there is a much-less-used but still uncouth style called "bottom-posting" which involves quoting the entire posting one is replying to first and then putting one's reply at the bottom. (If the original message was very short, bottom posting and mid-posting may come out the same, but top-posting never comes out the same as mid-posting.)

formatting link
has information on how to quote using the google interface.

People who read a lot of Usenet messages usually end up using a dedicated piece of software which is generically known as a "Usenet newsreader". A good newsreader is much faster and gives much more control than using the google interface -- but if you only read and post a few messages sporadically, learning a newsreader might not be worth the time investment. Once one has gotten accustomed to a good newsreading program, the google interface seems pretty frustrating as a way to keep on top of any substantial message volume.

Reply to
Walter Roberson

Ah, your Subject: specifically indicated PIX. It is best to distinguish between the two, so that people don't end up giving you irrelevant advice.

Reply to
Walter Roberson


Reply to
Rod Dorman

Thanks for the help!!!

I only put it in the pix newsgroup because it is using the pix software. Next time I will be more specific.

Reply to
Bear
