Pix: DMZ has access to Inside with ACL defined for outside!

Discussion in 'Cisco' started by wineguyatl, Nov 14, 2003.

  1. wineguyatl

    wineguyatl Guest

    Pix 525 with 6.33 and PDM 3.01. Please no flack about the PDM. The
    limited skill set of all involved requires it be used.

    Now on to the problem.

    Inside= 10.10.12.x range
    outside= 68.x.x.x
    webdmz= 10.0.45.x range

    I have static NATs assigned to the DMZ to the outside. No problem, it is
    possible to access the DMZ from the outside IPs.

    What I want to do is allow the DMZ to go "out" to get ftp and other
    updates.

    When I do this, boxes in the DMZ can access the INSIDE network! Here
    are the ACLs
    ============
    Inside Interface
    access-list inside_access_in permit ip host fwbuilder host fwbuilderNAT
    access-list inside_access_in permit ip object-group Full_Internet_Access any
    access-list inside_access_in remark Inside network access to all servers/protocols on WebDMZ
    access-list inside_access_in permit ip any object-group TestDMZservers

    outside interface
    access-list outside_access_in permit tcp host UUnetOutside host fwbldrdmzNat
    access-list outside_access_in permit ip host UUnetOutside host fwbuilderNAT

    webdmz interface
    access-list WEBDMZ_access_in permit tcp host fwbuilderDmz host fwbldrdmzNat
    access-list WEBDMZ_access_in permit tcp any any
    access-list WEBDMZ_access_in permit udp any eq domain any
    ==================

    The weird thing is that when I go into the PDM and define the rule to
    allow webdmz to outside_access, after the PDM processes it, the rule
    reads

    source network is Webdmz and the DEST network is the INSIDE, not
    outside.

    Without the rule allowing the DMZ to access the outside network (which
    displays Inside to outside, not webdmz, in the PDM), communication with
    the Outside interface isn't possible.

    But, as a result of this rule, it allows the webdmz to access machines on
    the Inside network.

    I do have an inside rule that allows all inside networks access to
    TestDMZservers, but not the reverse.

    I have an open ticket with Cisco currently, but the tech really couldn't
    explain it. I realize that a lot of the config is missing, but will
    post and sanitize it as needed.

    What am I missing here?
     
    wineguyatl, Nov 14, 2003
    #1

  2. wineguyatl

    wineguyatl Guest

    I will answer my own question.

    It appears that the default security levels that are assigned to
    interfaces on the Pix are active only IF there is NOT an access-list
    assigned to the interface.

    So if the interface's ACL is deleted, the security levels will protect
    the Pix.

    But, all it takes is a one-line ACL and the security level protection
    is more/less turned off. That is why my DMZ can go to my "inside"
    interface networks. My ACL must have a "deny" to the inside networks.

    Funny, I don't have to do this on a Checkpoint. By default, no traffic
    is allowed out of the DMZ or any interface unless it is specified.
     
    wineguyatl, Nov 18, 2003
    #2
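The explicit deny the second post concludes is needed, written out as an added example (this is not the poster's config): entries are matched top-down with an implicit deny at the end, so the deny for the inside range must sit before the broad "permit tcp any any"; the /24 masks for 10.0.45.x and 10.10.12.x are assumed, as the thread gives only the ranges.

```cisco
access-list WEBDMZ_access_in permit tcp host fwbuilderDmz host fwbldrdmzNat
access-list WEBDMZ_access_in remark Deny DMZ-initiated traffic to the inside range BEFORE the broad permit (assumed /24 masks)
access-list WEBDMZ_access_in deny ip 10.0.45.0 255.255.255.0 10.10.12.0 255.255.255.0
access-list WEBDMZ_access_in remark DMZ hosts may still reach the outside for ftp and other updates
access-list WEBDMZ_access_in permit tcp any any
access-list WEBDMZ_access_in permit udp any eq domain any
access-group WEBDMZ_access_in in interface webdmz
```

Because the PIX tracks connection state, inside-initiated sessions to TestDMZservers permitted by inside_access_in keep working; the deny only stops new connections that originate in the DMZ. Verify with "show access-list WEBDMZ_access_in" that the deny entry is listed above the permit and that its hit count rises when a DMZ host tries to reach an inside address.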