PIX access-list and security-level question

Hi,

I have the following pix configuration

interface e0 nameif outside security-level 0 ip address 1.1.1.1

interface e1 nameif dmz security-level 50 ip address 2.2.2.1

interface e2 nameif inside security-level 100 ip address 3.3.3.1

access-list dmz-in permit tcp host 2.2.2.50 host 3.3.3.50 eq 514
access-group dmz-in in interface dmz

static (dmz,outside) 2.2.2.0 2.2.2.0 netmask 255.255.255.0
static (inside,dmz) 2.2.2.0 2.2.2.0 netmask 255.255.255.0

  1. access-list needs to be implemented from dmz to inside
  2. the hosts behind dmz need to be able to go to the internet

my question is:

Because the dmz has a higher security level than the outside, with the static implemented, will it be able to go to the internet even if there are access-lists applied to the dmz interface? Thanks.

Reply to
wang.wennywang

Looks like a PIX 7.x configuration. It helps if you specify your software version when you post questions.

No. The rule about going to a lower security level only applies if there is no access-group applied to the interface.

That permits only 'shell' access. Chances are that you will also want the 'exec' service, TCP 512.

The access list you showed does not permit access to anything other than that one port on that one host. Amongst other things, it does not permit access to any DNS server.

That 'static' says that if you have a host on the 'inside' that is numbered in the 2.2.2/24 range, then it is to be accessible to the dmz at exactly the same IP address. The problem with that is that your 'inside' IP range has no hosts in the 2.2.2/24 range -- all of those hosts are in the DMZ, not 'inside'.
Reply to
Walter Roberson

Yes, the PIX sw version is 7.1. Can you reference any reading material on how to connect from the dmz to the internet and the inside? Thanks.

Reply to
wang.wennywang

Cisco has online documentation,

formatting link
The Configuration Guide in particular should be useful.

As a quick summary: outgoing -source- addresses are normally translated when going from a higher security interface to a lower security interface, and incoming -destination- addresses are normally translated when going from a lower security interface to a higher security interface.

If you want to be able to connect from a lower security interface to a higher security interface, you need a static that tells the PIX which "public" destination IP address corresponds to which "private" destination IP address. The command for that is

static (inside,dmz) ADDRESSDMZSEES INSIDEADDRESS netmask APPROPRIATENETMASK

for example,

static (inside,dmz) 3.3.3.50 3.3.3.50 netmask 255.255.255.255

Reply to
Walter Roberson

Let me answer my own question,

remove the inbound access-list on interface dmz; apply an outbound access-list on the inside interface

access-list inside permit tcp host 2.2.2.50 host 3.3.3.50 eq 514
access-group inside out interface inside

this should allow all traffic from the dmz to the internet, and allow the dmz / outside interface to the inside based on the access-list.

Any comments are welcome, thanks

Reply to
swk

For future reference: applying access groups "out" an interface is new as of PIX 7.0, so if you find yourself using PIX 6.x devices, you will need to use the other approach.

Reply to
Walter Roberson

Is there another approach you can suggest? Thanks.

Reply to
swk

Your message appears without context. Not many of the people who regularly answer questions here use googlegroups as their primary newsreader, so previous messages in this thread are NOT "right there" and visible.

In any case, I already gave the PIX 6.x solution in another branch of this thread, in message

Reply to
Walter Roberson
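The "other approach" for PIX 6.x (which has no "out" direction for access-group) keeps the access-list inbound on the dmz interface and spells out everything the dmz is allowed to do, since an applied access-group replaces the security-level rule. The following is an added example built from the addresses in this thread, not a configuration posted by anyone in it; it assumes dmz hosts are PAT'd behind the outside interface address (the nat/global lines) and that the 'exec' port 512 is only wanted alongside 'shell' port 514.

```cisco
! Added example, not from the thread: PIX 6.x-style inbound ACL on the dmz
! Static so the dmz can reach the one inside host (lower -> higher needs a static)
static (inside,dmz) 3.3.3.50 3.3.3.50 netmask 255.255.255.255
! Explicit permits from the dmz syslog sender to the inside collector
access-list dmz-in permit tcp host 2.2.2.50 host 3.3.3.50 eq 514
! 'exec' (TCP 512): include only if it is actually needed
access-list dmz-in permit tcp host 2.2.2.50 host 3.3.3.50 eq 512
! Block everything else from the dmz into the inside network before the catch-all
access-list dmz-in deny ip 2.2.2.0 255.255.255.0 3.3.3.0 255.255.255.0
! Catch-all so dmz hosts can reach the internet (this also covers DNS)
access-list dmz-in permit ip 2.2.2.0 255.255.255.0 any
access-group dmz-in in interface dmz
! Assumption: dmz hosts are translated to the outside interface address on the way out
nat (dmz) 1 2.2.2.0 255.255.255.0
global (outside) 1 interface
```

Order matters: the deny toward 3.3.3.0/24 must precede the permit-any line, or the catch-all will let any dmz host reach any inside host that has a matching static.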
