Firewall Wizards mailing list archives

Re: PIX 515E config - DMZ host to inside host


From: "Paul Melson" <pmelson () gmail com>
Date: Fri, 2 Mar 2007 10:48:41 -0500

PIX newbie here, not really a firewall guy but need to get some stuff done with it, and am pretty good at basic configs. I have a 515E with 3 interfaces (inside, outside, DMZ). I need to allow access from a host in the DMZ to an internal host.

DMZ host - 10.134.1.2
Internal host - 10.133.24.3

Your access-list should work:

access-list acl_dmz3 permit ip host 10.134.1.2 host 10.133.24.3 

But these lines are redundant:

access-list acl_dmz3 permit tcp host 10.134.1.2 host 10.133.24.3 
access-list acl_dmz3 permit udp host 10.134.1.2 host 10.133.24.3 

However, I think it would be better if you knew what protocols and ports
needed to be allowed and only allowed those:

access-list acl_dmz3 permit tcp host 10.134.1.2 host 10.133.24.3 eq 1521

(or whatever)

But it's probably a Windows server in the DMZ that needs to talk to a domain
controller on the inside, right?  So the port list is ridiculously large and
inclusive enough that you'd only block closed ports on the internal server
anyway.

Anyway, your real problem is in your NAT configuration.  You need some
"no-nat" statements for traffic between the DMZ and the internal network.
Something like:

access-list nonat permit ip 10.134.1.0 255.255.255.0 10.133.0.0 255.255.0.0
access-list nonat permit ip 10.133.0.0 255.255.0.0 10.134.1.0 255.255.255.0
nat (internal) 0 access-list nonat
nat (dmz) 0 access-list nonat
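As an added illustration (not part of Paul's reply or any Cisco code), here is a small Python model of first-match access-list evaluation that makes two of the points above checkable: the `tcp` and `udp` lines are shadowed by the `ip` line and never reached, and the `eq 1521` version permits only that one TCP port. It also evaluates the `nonat` list by network rather than by host. The model is a simplification of PIX semantics (assumption: permit-only entries, implicit deny at the end, destination port only), and the port 1521 is the post's own placeholder.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Ace:
    """One PIX 'access-list ... permit' entry, using PIX subnet-mask notation."""
    proto: str                       # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None      # None means any destination port (no "eq")

def net(addr: str, mask: str = "255.255.255.255") -> ipaddress.IPv4Network:
    """'host A' is A/255.255.255.255; 'A M' is the network A with mask M."""
    return ipaddress.IPv4Network(f"{addr}/{mask}")

def matches(ace: Ace, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
    if ace.proto != "ip" and ace.proto != proto:
        return False
    if ace.dport is not None and ace.dport != dport:
        return False
    return (ipaddress.IPv4Address(src) in ace.src
            and ipaddress.IPv4Address(dst) in ace.dst)

def permitted(acl: List[Ace], proto: str, src: str, dst: str,
              dport: Optional[int] = None) -> bool:
    """First matching entry wins; no match falls through to the implicit deny."""
    return any(matches(a, proto, src, dst, dport) for a in acl)

def covers(broad: Ace, narrow: Ace) -> bool:
    """True if every packet matched by 'narrow' is already matched by 'broad'."""
    return ((broad.proto == "ip" or broad.proto == narrow.proto)
            and (broad.dport is None or broad.dport == narrow.dport)
            and narrow.src.subnet_of(broad.src) and narrow.dst.subnet_of(broad.dst))

def redundant_entries(acl: List[Ace]) -> List[int]:
    """Indexes of entries fully shadowed by an earlier entry, i.e. never reached."""
    return [i for i, ace in enumerate(acl) if any(covers(e, ace) for e in acl[:i])]

# The three acl_dmz3 lines from the post, in the order they were written.
DMZ_HOST, INSIDE_HOST = "10.134.1.2", "10.133.24.3"
ACL_DMZ3 = [Ace(p, net(DMZ_HOST), net(INSIDE_HOST)) for p in ("ip", "tcp", "udp")]
# The tightened version: only TCP/1521 (the port is the post's placeholder).
ACL_DMZ3_TIGHT = [Ace("tcp", net(DMZ_HOST), net(INSIDE_HOST), 1521)]
# The nonat exemption list, matched by network rather than by host.
NONAT = [Ace("ip", net("10.134.1.0", "255.255.255.0"), net("10.133.0.0", "255.255.0.0")),
         Ace("ip", net("10.133.0.0", "255.255.0.0"), net("10.134.1.0", "255.255.255.0"))]
```

`redundant_entries(ACL_DMZ3)` returns `[1, 2]`, the shadowed tcp and udp lines; the same check on a real config is a cheap way to spot rules that can be deleted without changing what the firewall allows.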

PaulM

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
