Have traffic access net from dmz with access-list applied

Discussion in 'Cisco' started by Todd Eddy, Sep 15, 2006.

  Todd Eddy (Guest)

    We upgraded from a PIX 520 v6.3 to a PIX 525 v7.1. The first thing I
    noticed was the lack of a conduit command. I've mentioned to my boss
    several times in the past that conduits were deprecated and got the
    "if it ain't broke don't fix it" speech. Well, now it's broke.

    Right now I just have permit ip any any on all the interfaces and that's
    solving it in the interim, but obviously want to lock that down. Here's
    what I've tried so far, some things have been scrubbed:

    access-list IN_DMZ4 remark machines that talk to internal servers
    access-list IN_DMZ4 extended permit tcp host 66.xx.xx.xx host 192.168.x.x eq 222
    access-list IN_DMZ4 extended permit tcp host 66.xx.xx.xx host 192.168.x.x eq 555
    access-list IN_DMZ4 extended permit tcp host 66.xx.xx.xx host 192.168.x.x eq 555
    access-list IN_DMZ4 extended permit ip any interface outside
    access-list IN_DMZ4 extended permit ip any any
    access-group IN_DMZ4 in interface dmz4

    Now I see hit counts to the specific hosts all correctly, but the ip any
    any is still getting a ton of traffic. When I turn on logging, here's
    the output I get (removed as much "fluff" from the logs as I could):

    access-list IN_DMZ4 permitted udp dmz4/66.xx.xx.xx(61678) -> outside/67.xx.xx.xx(53)
    access-list IN_DMZ4 permitted udp dmz4/66.xx.xx.xx(61679) -> outside/67.xx.xx.xx(53)
    access-list IN_DMZ4 permitted tcp dmz4/66.xx.xx.xx(54446) -> outside/206.xx.xx.xx(25)
    access-list IN_DMZ4 permitted tcp dmz4/66.xx.xx.xx(54447) -> outside/206.xx.xx.xx(25)

    The hit count for the permit ip any interface outside is 0. Shouldn't
    this traffic match that rule since it's destined for the outside network?

    I know in 7.1 you can bind an access-list to outgoing traffic. I would
    then drop the current access-group, make an OUT_INSIDE ACL and bind it
    to traffic going out interface inside, and then it's just using standard
    security level rules again. Problem is, I'm thinking ahead, and both of
    our other sites still have PIX 520s running v6.3, so being able to bind
    an ACL to traffic going out an interface isn't going to work there. At
    the one where I rebuilt the config, I bypassed conduits and used a permit
    ip any any with a deny above it to deny traffic to the local interfaces so
    that it worked, but I wasn't sure if that was the correct way of doing
    things. Let me explain it here: using that logic for this one, with
    several other DMZs I'd have to make an access-list like this:

    access-list IN_DMZ4 remark machines that talk to internal servers
    access-list IN_DMZ4 extended permit tcp host 66.xx.xx.xx host 192.168.x.x eq 222
    access-list IN_DMZ4 extended permit tcp host 66.xx.xx.xx host 192.168.x.x eq 555
    access-list IN_DMZ4 extended permit tcp host 66.xx.xx.xx host 192.168.x.x eq 555
    access-list IN_DMZ4 extended deny ip any 192.168.x.x 255.255.255.0
    access-list IN_DMZ4 extended deny ip any 89.xx.xx.xx 255.255.255.0
    access-list IN_DMZ4 extended deny ip any 128.xx.xx 255.255.255.0
    access-list IN_DMZ4 extended deny ip any 42.xx.xx 255.255.255.0
    access-list IN_DMZ4 extended permit ip any any
    access-group IN_DMZ4 in interface dmz4

    So I'm first denying traffic to all the other networks on the PIX that
    it doesn't need to talk to, and then permitting everything else. Would
    that be the correct syntax that would be both 6.3 and 7.x compatible?
    Trying to make things as universal across all three sites as possible.
    Thanks for any information.
    Todd Eddy, Sep 15, 2006
    #1
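An added example, not part of the post above: a small first-match simulator that runs the two IN_DMZ4 access-lists over the flows seen in the log, with constructed addresses standing in for the scrubbed ones. It assumes the PIX/ASA meaning of `interface outside` in an ACE, namely the firewall's own outside address rather than the network behind that interface, which is why that entry collects no hits for DNS or SMTP going to arbitrary outside hosts while the deny-then-permit list still blocks unlisted traffic to the inside network.

```python
import ipaddress as ipa

# Constructed stand-ins for the scrubbed "66.xx.xx.xx" and "192.168.x.x" values.
DMZ_HOST = "66.0.0.10"
OUTSIDE_IF_IP = "203.0.113.1"   # the PIX's own outside interface address (constructed)

def ace(action, proto, src, dst, dport=None):
    """One access-list entry. dst may be 'interface outside', which on PIX/ASA
    means the firewall's outside address itself, not the outside network."""
    return (action, proto, ipa.ip_network(src), dst, dport)

def matches(entry, flow):
    """Return True if a (proto, src, dst, dport) flow hits this ACE."""
    action, proto, src_net, dst, dport = entry
    f_proto, f_src, f_dst, f_dport = flow
    if proto != "ip" and proto != f_proto:
        return False
    if ipa.ip_address(f_src) not in src_net:
        return False
    if dst == "interface outside":
        if ipa.ip_address(f_dst) != ipa.ip_address(OUTSIDE_IF_IP):
            return False
    elif ipa.ip_address(f_dst) not in ipa.ip_network(dst):
        return False
    return dport is None or dport == f_dport

def evaluate(acl, flow):
    """First match wins, as on the PIX; no match means the implicit deny."""
    for i, entry in enumerate(acl):
        if matches(entry, flow):
            return i, entry[0]
    return None, "deny"

ALLOWED = [ace("permit", "tcp", DMZ_HOST + "/32", "192.168.1.10/32", 222),
           ace("permit", "tcp", DMZ_HOST + "/32", "192.168.1.11/32", 555)]
# First list from the post: 'interface outside' above a permit ip any any.
ACL_V1 = ALLOWED + [ace("permit", "ip", "0.0.0.0/0", "interface outside"),
                    ace("permit", "ip", "0.0.0.0/0", "0.0.0.0/0")]
# Second list: deny the inside network, then permit everything else.
ACL_V2 = ALLOWED + [ace("deny", "ip", "0.0.0.0/0", "192.168.1.0/24"),
                    ace("permit", "ip", "0.0.0.0/0", "0.0.0.0/0")]

# The logged DNS and SMTP flows, plus one unlisted inside-bound flow (constructed).
FLOWS = {"dns": ("udp", DMZ_HOST, "67.0.0.53", 53),
         "smtp": ("tcp", DMZ_HOST, "206.0.0.25", 25),
         "inside_web": ("tcp", DMZ_HOST, "192.168.1.50", 80)}

if __name__ == "__main__":
    for name, flow in FLOWS.items():
        print(name, "v1:", evaluate(ACL_V1, flow), "v2:", evaluate(ACL_V2, flow))
```

The `inside_web` flow is the case that matters: the first list lets it through on the final permit, the second list stops it at the deny above that permit.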