PIX Lan-to-DMZ connectivity

Discussion in 'Cisco' started by p.dutton@soulmedia.co.uk, Mar 19, 2007.

  1. Guest

    Hi there,

    We have a PIX 506E and have recently set up a DMZ. Currently machines
    in the DMZ and the LAN can both access the internet. I have entered a
    NAT 0 command and access-list to enable communication from a machine
    on the LAN to a machine on the DMZ, but I thought that because the DMZ
    has a lower security, any machines on an interface with higher
    security should, by default, have access to interfaces of lower
    security. Is this the case?

    I don't want to go through entering individual access-list commands
    for each machine that would need to access the DMZ if there is an
    easier way of doing it.

    Thanks for your help,

    Peter
     
    , Mar 19, 2007
    #1

  2. In article <>,
    <> wrote:

    >We have a PIX 506E and have recently set up a DMZ. Currently machines
    >in the DMZ and the LAN can both access the internet. I have entered a
    >NAT 0 command and access-list to enable communication from a machine
    >on the LAN to a machine on the DMZ, but I thought that because the DMZ
    >has a lower security, any machines on an interface with higher
    >security should, by default, have access to interfaces of lower
    >security. Is this the case?


    Yes, but in order for that access to work, the PIX needs to know
    what address translation to use when going from the inside to the
    DMZ. That's accomplished by using a 'static' command, or by
    using a 'nat 0 access-list', or by using a nat/global pair.

    Also, keep in mind that UDP is effectively two unidirectional
    connections, one from the inside to the DMZ and the other from
    the DMZ to the inside. If the inside host initiated a UDP
    connection towards the DMZ, then by default (if there is no
    access-group applied to the inside interface) the flow would
    be permitted and replies from the DMZ to the inside would be permitted
    until the UDP flow timed out according to the PIX 'timeout' parameters.
    But UDP does not have "connections" so the PIX cannot tell whether
    silence on the UDP flow is because the flow is finished or because
    the two ends just don't have anything to say right then. If the flow
    goes idle for a while and the PIX times it out, and then the DMZ host
    tries to send something back to the inside, it will not be permitted:
    the PIX will see those packets as if they were a new flow from the
    DMZ to the inside that should be blocked by default.
     
    Walter Roberson, Mar 19, 2007
    #2
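    The three translation options Walter lists, written out as a PIX 6.x
    configuration fragment. This is an added example, not configuration
    from the thread or from Cisco; the interface names (inside, dmz) and
    the address ranges 10.1.1.0/24 and 192.168.10.0/24 are assumed, the
    access-list name "nonat" and NAT id 1 are arbitrary, and the "!" lines
    are annotations rather than PIX commands.

```text
! Assumed: inside = 10.1.1.0/24 (higher security), dmz = 192.168.10.0/24 (lower security).
! Pick ONE of the three options below for the inside range; they are alternatives, not layers.

! Option 1: identity static. Inside hosts keep their real addresses on the dmz.
static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0

! Option 2: nat 0 with an access-list (the original poster's approach).
! Traffic matching the ACL is exempted from translation between inside and dmz.
access-list nonat permit ip 10.1.1.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list nonat

! Option 3: nat/global pair. Inside hosts are PAT'd behind the dmz interface address,
! so dmz hosts see only 192.168.10.1 (assumed dmz interface address) and cannot
! address an individual inside host directly.
nat (inside) 1 10.1.1.0 255.255.255.0
global (dmz) 1 interface

! The UDP idle timer Walter describes. 0:02:00 is the PIX default; a dmz host replying
! after the flow has aged out is treated as a new dmz->inside flow and dropped.
timeout udp 0:02:00
```

    With any of the three, inside-to-dmz traffic is allowed by the
    security levels alone as long as no access-group is applied inbound
    on the inside interface; if one is, it must also permit the traffic.
    Check the result with "show xlate" (a translation entry should appear
    for the inside host) and "show conn" (the UDP entry disappears once
    the idle timer expires).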

  3. soulmedia Guest

    On 19 Mar, 13:52, (Walter Roberson) wrote:
    > In article <>,
    >
    > <> wrote:
    > >We have a PIX 506E and have recently set up a DMZ. Currently machines
    > >in the DMZ and the LAN can both access the internet. I have entered a
    > >NAT 0 command and access-list to enable communication from a machine
    > >on the LAN to a machine on the DMZ, but I thought that because the DMZ
    > >has a lower security, any machines on an interface with higher
    > >security should, by default, have access to interfaces of lower
    > >security. Is this the case?

    >
    > Yes, but in order for that access to work, the PIX needs to know
    > what address translation to use when going from the inside to the
    > DMZ. That's accomplished by using a 'static' command, or by
    > using a 'nat 0 access-list', or by using a nat/global pair.
    >
    > Also, keep in mind that UDP is effectively two unidirectional
    > connections, one from the inside to the DMZ and the other from
    > the DMZ to the inside. If the inside host initiated a UDP
    > connection towards the DMZ, then by default (if there is no
    > access-group applied to the inside interface) the flow would
    > be permitted and replies from the DMZ to the inside would be permitted
    > until the UDP flow timed out according to the PIX 'timeout' parameters.
    > But UDP does not have "connections" so the PIX cannot tell whether
    > silence on the UDP flow is because the flow is finished or because
    > the two ends just don't have anything to say right then. If the flow
    > goes idle for a while and the PIX times it out, and then the DMZ host
    > tries to send something back to the inside, it will not be permitted:
    > the PIX will see those packets as if they were a new flow from the
    > DMZ to the inside that should be blocked by default.


    That makes sense. Many thanks for your advice; I now have it working
    using the nat/global config you suggested.

    Thanks again,

    Peter
     
    soulmedia, Mar 19, 2007
    #3
