Firewall Wizards mailing list archives
Re: PIX access-list help
From: "Avishai Wool" <yash () acm org>
Date: Tue, 25 Dec 2007 00:11:13 +0200
Brian,

You probably also need a "static (inside, dmz)" command to configure the NAT for traffic from a lower security level (the dmz) to the higher (== inside). You must have the "static" even if you don't want to actually change the addresses - in that case the "translate from" and "translate to" addresses will be the same. The "static" informs the PIX which inside IP addresses are at all visible from the dmz side.

I think Cisco removed the requirement to always have a "static" with v7.0 but in v6.3 you still need it.

HTH,
Avishai

On 12/21/07, Brian Blater <brb.lists () gmail com> wrote:
> I'm a little befuddled with PIX access lists and need some help and understanding. I have a PIX 515 version 6.3(3) with 3 interfaces - outside, inside, dmz. Up till now I have only been using the outside and inside interface. I have started configuring the dmz interface and have set it at security50 (outside = 0, inside = 100). I currently have only an access-list on the outside interface allowing some specific traffic in to the inside network. Right now the inside and dmz can talk to the internet just fine and the inside can talk to the dmz network fine.
>
> However, I want to implement an access-list on the dmz interface and this is where the problems start. If I assign an access list to the dmz port to allow smtp from a dmz host to the inside mail server I no longer have communication to the internet from the dmz and the inside cannot talk to the dmz because of the implicit deny of the access list.
>
> So, my main question, is there an access list command I can have that basically says "allow all communication from the dmz to the internet" and one that says "allow communication from the inside to the dmz"? I know I can add "access-list dmz permit ip host 192.168.1.1 any" and that solves the problem of getting to the internet, but then it opens all communication to the inside from this host and I don't want to do that. Since this is version 6.3(3) I can't use an out access-list which I think might solve the problem. I have enough memory to run version 7.x on this PIX, but I'm trying to tackle one problem at a time and I'm a little hesitant about doing the 7.x upgrade just yet.
>
> I have more questions, but I think I'll start here for now and ask the other questions when they are more relevant.
>
> Thanks for your help,
> Brian
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () listserv icsalabs com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
--
Avishai Wool, Ph.D., Co-founder and Chief Technical Officer
http://www.algosec.com
******* Firewall Management Made Smarter ******
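The following PIX 6.3 configuration is an added example that is not part of the thread; it puts Avishai's "static (inside,dmz)" advice together with an ACL that answers Brian's question ("allow SMTP from one dmz host to the inside mail server, allow everything else only toward the internet"). The dmz host 192.168.1.1 comes from Brian's message; the inside mail server address 10.0.0.10, the inside network 10.0.0.0/24, the dmz network 192.168.1.0/24, the interface names and the ACL name dmz_in are assumptions made for the example. Because a PIX interface ACL is evaluated top-down with first match winning, the order of the three entries is what makes it work: the specific permit, then a deny covering the whole inside network, then the broad permit that can now only reach the internet. Connections the inside initiates toward the dmz are not affected by this ACL at all, since the dmz ACL only governs connections initiated from the dmz and the stateful connection table lets replies through.

```cisco
! Added example (not from the thread): PIX 6.3 configuration for the setup
! described above. Addresses marked "assumed" are placeholders for the example.
!
! Interface security levels as described in the question.
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
!
! Outbound NAT so the dmz can reach the internet. Assumed to exist already,
! because the dmz reaches the internet before the ACL is applied.
nat (dmz) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface
!
! The static Avishai refers to: on 6.3 a lower-security interface (dmz) can only
! initiate connections to inside hosts that have a static. Translate-from and
! translate-to are identical because no address change is wanted.
! 10.0.0.10 is the assumed address of the inside mail server.
static (inside,dmz) 10.0.0.10 10.0.0.10 netmask 255.255.255.255
!
! Inbound ACL on the dmz interface, evaluated top-down, first match wins:
!   1. permit SMTP from the dmz host to the inside mail server
!   2. deny everything else from the dmz toward the inside network (assumed 10.0.0.0/24)
!   3. permit everything else, which after line 2 can only be internet-bound
access-list dmz_in permit tcp host 192.168.1.1 host 10.0.0.10 eq smtp
access-list dmz_in deny ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list dmz_in permit ip 192.168.1.0 255.255.255.0 any
access-group dmz_in in interface dmz
```

To check the result on the box, "show access-list dmz_in" shows per-entry hit counts (the deny entry should accumulate hits for any dmz-to-inside attempt other than SMTP to the mail server), and "show xlate" shows the identity translation created by the static once a dmz host has connected to the mail server. If the inside network is larger than one /24, widen the deny entry rather than adding more permits; the aim is that the final "permit ip ... any" never matches an inside destination.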