Firewall Wizards mailing list archives

Re: PIX access-list help

From: "Avishai Wool" <yash () acm org>
Date: Tue, 25 Dec 2007 00:11:13 +0200

Brian,

You probably also need a "static (inside, dmz)" command to
configure the NAT for traffic from a lower security level (the dmz)
to the higher (== inside). You must have the "static" even if you
don't want to actually change the addresses - in that case
the "translate from" and "translate to" addresses will be the same.
the "static" informs the PIX which inside IP addresses are
at all visible from the dmz side.

I think Cisco removed the requirement to always have a "static" with v7.0
but in v6.3 you still need it.

HTH,
 Avishai

On 12/21/07, Brian Blater <brb.lists () gmail com> wrote:

I'm a little befuddled with PIX access lists and need some help and
understanding. I have a PIX 515 version 6.3(3) with 3 interfaces -
outside, inside, dmz. Up til now I have only been using the outside
and inside interface. I have started configuring the dmz interface and
have set it at security50 (outside = 0, inside = 100). I currently
have only an access-list on the outside interface allowing some
specific traffic in to the inside network. Right now the inside and
dmz can talk to the internet just fine and the inside can talk to the
dmz network fine. However, I want to implement an access-list on the
dmz interface and this is where the problems start. If I assign an
access list to the dmz port to allow smtp from a dmz host to the
inside mail server I no longer have communication to the internet from
the dmz and the inside cannot talk to the dmz because of the implicit
deny of the access list.

So, my main question, is there an access list command I can have that
basically says "allow all communication from the dmz to the internet"
and one that says "allow communication from the inside to the dmz"? I
know I can add "access-list dmz permit ip host 192.168.1.1 any" and
that solves the problem of getting to the internet, but then it opens
all communication to the inside from this host and I don't want to do
that. Since this is version 6.3(3) I can't use an out access-list
which I think might solve the problem. I have enough memory to run
version 7.x on this PIX, but I'm trying to tackle one problem at a
time and I'm a little hesitant about doing the 7.x upgrade just yet.

I have more questions, but I think I start here for now and ask the
other questions when they are more relevant.

Thanks for your help,
Brian
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards



-- 
Avishai Wool, Ph.D.,  Co-founder and Chief Technical Officer
               http://www.algosec.com
******* Firewall Management Made Smarter ******
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

Current thread:

PIX access-list help Brian Blater (Dec 24)
- Re: PIX access-list help Fetch, Brandon (Dec 26)
- Re: PIX access-list help Fetch, Brandon (Dec 26)
- Re: PIX access-list help Farrukh Haroon (Dec 26)
- Re: PIX access-list help kevin horvath (Dec 26)
- Re: PIX access-list help Paul Melson (Dec 26)
  - Re: PIX access-list help Brian Blater (Dec 26)
- Re: PIX access-list help Avishai Wool (Dec 26)