PIX Lan-to-DMZ connectivity

p.dutton@soulmedia.co.uk
      03-19-2007
Hi there,

We have a PIX 506E and have recently set up a DMZ. Currently machines
in the DMZ and the LAN can both access the internet. I have entered a
NAT 0 command and access-list to enable communication from a machine
on the LAN to a machine on the DMZ, but I thought that because the DMZ
has a lower security, any machines on an interface with higher
security should, by default, have access to interfaces of lower
security. Is this the case?

I don't want to go through entering individual access-list commands
for each machine that would need to access the DMZ if there is an
easier way of doing it.

Thanks for your help,

Peter

Walter Roberson
      03-19-2007
In article <(E-Mail Removed) .com>,
<(E-Mail Removed)> wrote:

>We have a PIX 506E and have recently set up a DMZ. Currently machines
>in the DMZ and the LAN can both access the internet. I have entered a
>NAT 0 command and access-list to enable communication from a machine
>on the LAN to a machine on the DMZ, but I thought that because the DMZ
>has a lower security, any machines on an interface with higher
>security should, by default, have access to interfaces of lower
>security. Is this the case?


Yes, but in order for that access to work, the PIX needs to know
what address translation to use when going from the inside to the
DMZ. That's accomplished by using a 'static' command, or by
using a 'nat 0 access-list', or by using a nat/global pair.

Also, keep in mind that UDP is effectively two unidirectional
connections, one from the inside to the DMZ and the other from
the DMZ to the inside. If the inside host initiated a UDP
connection towards the DMZ, then by default (if there is no
access-group applied to the inside interface) the flow would
be permitted and replies from the DMZ to the inside would be permitted
until the UDP flow timed out according to the PIX 'timeout' parameters.
But UDP does not have "connections" so the PIX cannot tell whether
silence on the UDP flow is because the flow is finished or because
the two ends just don't have anything to say right then. If the flow
goes idle for a while and the PIX times it out, and then the DMZ host
tries to send something back to the inside, it will not be permitted:
the PIX will see those packets as if they were a new flow from the
DMZ to the inside that should be blocked by default.
soulmedia
      03-19-2007
On 19 Mar, 13:52, (E-Mail Removed) (Walter Roberson) wrote:
> In article <(E-Mail Removed) .com>,
>
> <(E-Mail Removed)> wrote:
> >We have a PIX 506E and have recently set up a DMZ. Currently machines
> >in the DMZ and the LAN can both access the internet. I have entered a
> >NAT 0 command and access-list to enable communication from a machine
> >on the LAN to a machine on the DMZ, but I thought that because the DMZ
> >has a lower security, any machines on an interface with higher
> >security should, by default, have access to interfaces of lower
> >security. Is this the case?

>
> Yes, but in order for that access to work, the PIX needs to know
> what address translation to use when going from the inside to the
> DMZ. That's accomplished by using a 'static' command, or by
> using a 'nat 0 access-list', or by using a nat/global pair.
>
> Also, keep in mind that UDP is effectively two unidirectional
> connections, one from the inside to the DMZ and the other from
> the DMZ to the inside. If the inside host initiated a UDP
> connection towards the DMZ, then by default (if there is no
> access-group applied to the inside interface) the flow would
> be permitted and replies from the DMZ to the inside would be permitted
> until the UDP flow timed out according to the PIX 'timeout' parameters.
> But UDP does not have "connections" so the PIX cannot tell whether
> silence on the UDP flow is because the flow is finished or because
> the two ends just don't have anything to say right then. If the flow
> goes idle for a while and the PIX times it out, and then the DMZ host
> tries to send something back to the inside, it will not be permitted:
> the PIX will see those packets as if they were a new flow from the
> DMZ to the inside that should be blocked by default.


That makes sense. Many thanks for your advice; I now have it working
using the nat/global config you suggested.

Thanks again,

Peter

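A PIX 6.x configuration fragment, added here as an illustration and not taken from either post, showing the three translation options Walter lists and the nat/global pair Peter settled on, plus the checks for the UDP timeout behaviour he describes. The interface names inside/dmz, the 192.168.x addresses and the host/port in the DMZ access-list are assumptions constructed for the example; lines beginning with ! are annotations, not config.

```cisco
! Assumed layout (constructed for this example, not from the thread):
!   inside = 192.168.1.0/24 (security100), dmz = 192.168.2.0/24 (security50)
!
! Inside -> DMZ is permitted by the security levels alone ONLY IF no
! access-group is bound to the inside interface. What the PIX still
! lacks is a translation for inside hosts on the dmz interface; any ONE
! of the three options below supplies it for the whole subnet, so no
! per-host entries are needed.

! Option 1: nat/global pair (what the thread ended up with).
! nat id 1 already exists for internet access; adding a global on the
! dmz interface reuses it, so inside hosts are PATed behind the dmz
! interface address when they talk to DMZ servers.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
global (dmz) 1 interface

! Option 2: identity static. Inside addresses are preserved toward the
! DMZ, so DMZ server logs show the real LAN source address. This is
! also the form needed if a DMZ host must ever address an inside host
! by its real address.
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

! Option 3: nat 0 with an access-list. Traffic matching the list is
! exempted from translation; everything else keeps using nat id 1.
! Only one "nat (inside) 0 access-list" is accepted per interface.
access-list INSIDE_TO_DMZ_NONAT permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list INSIDE_TO_DMZ_NONAT

! DMZ -> inside stays denied by default (lower to higher security).
! A DMZ host that must reach an inside service needs an explicit
! access-list bound to the dmz interface; keep it to the one host and
! one port required, and pair it with Option 2 so the inside address
! is reachable.
access-list DMZ_IN permit tcp host 192.168.2.10 host 192.168.1.20 eq 1433
access-group DMZ_IN in interface dmz

! After changing nat/static rules, existing translations are stale and
! must be cleared before the new rules take effect for live hosts:
clear xlate

! Checks: the translation, the live flows (idle UDP flows disappear
! from "show conn" once the udp timeout expires, which is the point at
! which DMZ -> inside replies start being dropped), and the timers.
show xlate
show conn
show timeout
```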