topic Re: dmz to outside access issues in Network Security

dmz to outside access issues

jspringfield — Mon, 11 Mar 2019 09:47:44 GMT

Hello,

I am having a problem where I want to open up access to servers in my DMZ to get outside while not giving the servers access to the inside (except in restricted situations)

for example say I wanted to give full access to a server in the DMZ to reach the outside. I might make the following rule...

static (dmz,outside) x.x.x.x y.y.y.y netmask 255.255.255.255

access-list dmz permit ip any any

access-group in interface dmz

the problem with this is that the ?permit any any? will also grant access to the inside of my network as well. Is there a way to make this work? I?ve been searching for a while and feel I?ve got a good grasp on how this all fits together, but have been unable to find the answer yet.

An example as to why I might want to do this is to have my servers in the DMZ get automatic windows updates. In that case they would need to be able to make connections to Microsoft on their own.

The PIX is Ver6.3(3)

Thank You,

Jeff

Re: dmz to outside access issues

acomiskey — Fri, 16 Mar 2007 18:47:49 GMT

You have to write the acl in the proper order. Allow what you want to allow to inside, deny everything else inside, then allow everything else. Make sense?

access-list dmz permit tcp any eq ???

access-list dmz deny ip any

access-list dmz permit ip any any

access-group dmz in interface dmz

Re: dmz to outside access issues

jspringfield — Fri, 16 Mar 2007 18:52:41 GMT

Thanks,

You are right. Funny thing was I just sat back a sec and then drew a picture of what I wanted to do and came up with that answer as well. Thanks for the reply acomiskey.

Re: dmz to outside access issues

acomiskey — Fri, 16 Mar 2007 18:54:25 GMT

Or, if you wanted to leave the ip any any you could create an acl "out interface inside" with the same process, but I like it better the other way. Now that you've got the concept down, you're good to go. Please rate if it helped.

Re: dmz to outside access issues

jspringfield — Fri, 16 Mar 2007 18:58:39 GMT

I was wondering if you could apply access-lists in the outboud direction on pix's. I think your first answer works better because it blocks traffic at the source.

Re: dmz to outside access issues

acomiskey — Fri, 16 Mar 2007 18:59:51 GMT

Yes, it is absolutely better, just thought it might help explain the concept a little more.

Re: dmz to outside access issues

Jon Marshall — Fri, 16 Mar 2007 19:02:45 GMT

The access-list on the DMZ as Adam suggested is the way to go.

For reference Pix v6.x does not support outbound access-lists but pix v7.0 does.

Jon

Re: dmz to outside access issues

acomiskey — Fri, 16 Mar 2007 19:04:32 GMT

^ oops, thanks jon