Firewall Wizards mailing list archives
Re: New to Cisco PIX/ ASA
From: "Paul Melson" <pmelson () gmail com>
Date: Thu, 2 Aug 2007 00:59:22 -0400
On 8/1/07, Keith A. Glass <salgak () speakeasy net> wrote:
Am I correct in my understanding that if I want two-way traffic, traffic is not blocked to a lower trust level, so I need only write a rule to pass the traffic between the endpoints from the external interface to the internal interface, and the reply traffic is taken care of ?? Or do I have to write a reverse rule, from the internal interface to the external as well ???
PIX/ASA are 'stateful' firewalls meaning that if the initiating SYN packet is allowed via explicit (or in the case of interface security levels, implicit) policy, return traffic will be allowed by virtue of the state table. I am going to attempt a lousy ASCII diagram because Visio just doesn't work for mailing lists. Case 1: Outbound Traffic To Internet client:1024 ---> Eth0/0(security 100)--Eth1/0(security 0) ---> external web site:80 [ no access-list is needed by default because of security levels, however specifying one is a good idea for a number of reasons that probably aren't worth getting into here in this brace] external web site:80 ---> Eth1/0(security 0)--Eth0/0(security 100) ---> client:1024 [ no access-list is needed for return traffic because this connection is in the state table. were there no table entry matching client:1024 to webserver:80, this traffic would be dropped just like a NetScreen, Check Point, SonicWall - but maybe not Gauntlet] Case 2: Inbound Traffic From Internet client:1024 ---> Eth1/0(security 0)--Eth0/0(security 100) ---> internal web site:80 [ this requires an access-list and probably also a static nat and more - read the manual] internal web site:80 ---> Eth0/0(security 100)--Eth1/0(security 0) ---> client:1024 [ assuming the access-list is in place above, his return traffic is also allowed because of the state table] It's also worth mentioning that if you have Internet-facing servers they belong in a DMZ, which adds an additional level of complexity (but also security!) here. A good rule of thumb when dealing with PIX/ASA is to all but ignore the interface security levels and build explicit access-list rules for all of the traffic you want to allow and deny. This reduces mistakes and also makes auditing configurations and analyzing logs easier down the road. It's worth the effort to do it right right now. Good luck! PaulM _______________________________________________ firewall-wizards mailing list firewall-wizards () listserv icsalabs com https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- Re: ***SPAM*** Re: IPv6 support in firewalls, (continued)
- Re: ***SPAM*** Re: IPv6 support in firewalls Dave Piscitello (Aug 27)
- Re: IPv6 support in firewalls Patrick M. Hausen (Aug 27)
- ***SPAM*** Re: IPv6 support in firewalls Dave Piscitello (Aug 27)
- Re: IPv6 support in firewalls Marcus J. Ranum (Aug 27)
- Re: ***SPAM*** Re: IPv6 support in firewalls Paul D. Robertson (Aug 27)
- Re: ***SPAM*** Re: IPv6 support in firewalls ArkanoiD (Aug 27)
- Re: ***SPAM*** Re: IPv6 support in firewalls Dave Piscitello (Aug 27)
- Re: ***SPAM*** Re: IPv6 support in firewalls Steven M. Bellovin (Aug 23)
- Re: ***SPAM*** Re: IPv6 support in firewalls Marcus J. Ranum (Aug 24)
- Re: IPv6 support in firewalls Paul Melson (Aug 23)