Firewall Wizards mailing list archives

Re: New to Cisco PIX/ ASA

From: "Paul Melson" <pmelson () gmail com>
Date: Thu, 2 Aug 2007 00:59:22 -0400

On 8/1/07, Keith A. Glass <salgak () speakeasy net> wrote:

Am I correct in my understanding that if I want two-way traffic, traffic is
not blocked to a lower trust level, so I need only write a rule to pass the
traffic between the endpoints from the external interface to the internal
interface, and the reply traffic is taken care of ??  Or do I have to write
a reverse rule, from the internal interface to the external as well ???


PIX/ASA are 'stateful' firewalls meaning that if the initiating SYN
packet is allowed via explicit (or in the case of interface security
levels, implicit) policy, return traffic will be allowed by virtue of
the state table.

I am going to attempt a lousy ASCII diagram because Visio just doesn't
work for mailing lists.

Case 1: Outbound Traffic To Internet

client:1024 ---> Eth0/0(security 100)--Eth1/0(security 0) --->
external web site:80
[ no access-list is needed by default because of security levels,
however specifying one is a good idea for a number of reasons that
probably aren't worth getting into here in this brace]
external web site:80 ---> Eth1/0(security 0)--Eth0/0(security 100)
---> client:1024
[ no access-list is needed for return traffic because this connection
is in the state table.  were there no table entry matching client:1024
to webserver:80, this traffic would be dropped just like a NetScreen,
Check Point, SonicWall - but maybe not Gauntlet]

Case 2: Inbound Traffic From Internet
client:1024 ---> Eth1/0(security 0)--Eth0/0(security 100) --->
internal web site:80
[ this requires an access-list and probably also a static nat and more
- read the manual]
internal web site:80 ---> Eth0/0(security 100)--Eth1/0(security 0)
---> client:1024
[ assuming the access-list is in place above, his return traffic is
also allowed because of the state table]

It's also worth mentioning that if you have Internet-facing servers
they belong in a DMZ, which adds an additional level of complexity
(but also security!) here.  A good rule of thumb when dealing with
PIX/ASA is to all but ignore the interface security levels and build
explicit access-list rules for all of the traffic you want to allow
and deny.  This reduces mistakes and also makes auditing
configurations and analyzing logs easier down the road.  It's worth
the effort to do it right right now.


Good luck!
PaulM
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

Current thread:

Re: ***SPAM*** Re: IPv6 support in firewalls, (continued)
- - - Re: ***SPAM*** Re: IPv6 support in firewalls Dave Piscitello (Aug 27)
    - Re: IPv6 support in firewalls Patrick M. Hausen (Aug 27)
    - ***SPAM*** Re: IPv6 support in firewalls Dave Piscitello (Aug 27)
    - Re: IPv6 support in firewalls Marcus J. Ranum (Aug 27)
    - Re: ***SPAM*** Re: IPv6 support in firewalls Paul D. Robertson (Aug 27)
    - Re: ***SPAM*** Re: IPv6 support in firewalls ArkanoiD (Aug 27)
    - Re: ***SPAM*** Re: IPv6 support in firewalls Dave Piscitello (Aug 27)
    - Re: ***SPAM*** Re: IPv6 support in firewalls Steven M. Bellovin (Aug 23)
    - Re: ***SPAM*** Re: IPv6 support in firewalls Marcus J. Ranum (Aug 24)
    - Re: IPv6 support in firewalls Paul Melson (Aug 23)
- Re: New to Cisco PIX/ ASA Paul Melson (Aug 21)