PIX 525 inbound outbound acl mix

Discussion in 'Cisco' started by gfrankliu, May 9, 2009.

  1. gfrankliu

    gfrankliu Guest

    How to control traffic between dmz and inside using pix 525 without
    NAT?
    Let's say if I want dmz to be able to access one IP/port one the
    inside network. Do I need to add an entry to the inbound acl on the
    dmz interface AND outbound acl on the inside interface since the
    packet comes in from the dmz and out to the inside network from the
    inside interface? Or does pix only check one acl (eg: inbound acl on
    dmz) and if it passes, the packet will be let go through the firewall
    even though other acl (eg: outbound acl on inside interface) doesn't
    explicitly allow it? I see all inbound and outbound ACL groups have a
    last line implicit deny rule.
     
    gfrankliu, May 9, 2009
    #1
    1. Advertisements

  2. The inside network has a security of 100, so it can reach DMZ (assume
    you se that to 50) and outside (0) without an outbound ACL, unless you
    are specifically limiting the outbound traffic from the inside.

    You need a NAT statement for the inside to be reachable from the DMZ
    as well, but the line can use the same IP addresses:

    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 DMZ security50



    static (inside,DMZ) 192.168.5.0 255.255.255.0 192.168.5.0
    255.255.255.0

    Then you would have an ACL from DMZ to allow that one IP.

    access-list DMZ-out permit tcp any host 192.168.5.10 eq 25
    access-list DMZ-out deny ip any 192.168.5.0 255.255.255.0
    access-list DMZ-out permit ip any any
    access-group DMZ-out in interface DMZ

    Happy to help, need your config and PIX OS version.

    Shawn
     
    Shawn Westerhoff, May 11, 2009
    #2
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.