access-list on Pix 515E

fmemevegny
Level 1

I have a Pix 515E with the configuration in the attached file. This configuration runs correctly with the following access-lists, because I want to accept only SMTP traffic to come onto my inside network via the proxy server ALPHA located on the DMZ:

access-list dmz-acl permit tcp host ALPHA any eq smtp

access-list dmz-acl permit ip host ALPHA any

access-list outside-acl permit tcp any host Trans_ALPHA eq smtp

access-list outside-acl permit ip any host Trans_ALPHA

But somebody told me that the IP access-lists above are too extensive and can expose my LAN.

When I remove these two IP access-lists, the users cannot have http access.

What can I do?

Normally, my config should run correctly with the two TCP access-lists. I don't know why it doesn't work without these two IP access-lists.

Can someone help me?

Regards

5 Replies

mostiguy
Level 6

You want to edit out the password lines from any config you post.

Access-list outside-acl should not need

access-list outside-acl permit ip any host Trans_ALPHA

access-list dmz-acl should not need

access-list dmz-acl permit ip host ALPHA any log

Where are your users who cannot access http? If they are on the inside, they should not have any issues making outbound connections, because there is no ACL bound to the inside interface inhibiting outbound connections, and the PIX is stateful, so it will allow the return traffic of their outbound connections.

Hello

Thank you very much for your help. I will remove the password line before long. I just changed the current password.

You advise me to keep the ACL:

access-list outside-acl permit ip any host Trans_ALPHA

access-list dmz-acl permit ip host ALPHA any log

Someone just told me to remove the line "access-list outside-acl permit ip any host Trans_ALPHA" because this line opens all IP protocols to anyone on the Internet.

What do you think about it?

The users who cannot access http are on the inside.

Regards

piseli
Level 1

Remove just this line:

access-list outside-acl permit ip any host Trans_ALPHA

This line opens all IP protocols to anyone on the Internet.

So this means you are wide open in the DMZ. After removing this line the only protocol that is accessible from the Internet is SMTP.

To add http access in the DMZ servers use:

access-list outside-acl permit tcp any host Trans_ALPHA eq http

Is that what you want to do?

Sincerely

Patrick

Hello Patrick

Thank you very much for your help.

I will test your advice, but do you think the inside users can receive their e-mails if I remove this ACL?

Regards

Ferdinand

Ferdinand,

There should not be any problem. Remember from a higher security level to a lower security level you do not need an access-list.

See below:

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 dmz security50

So from the inside interface to your DMZ and outside interface you do not need an access-list to access the server.

Sincerely

Patrick
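As an added illustration of Patrick's two points (drop the `permit ip` entries, and remember which interface security level each ACL protects), here is a small audit script that is not from this thread or from Cisco. It parses PIX 6.x-style `nameif`, `access-group` and `access-list` lines from a constructed sample modelled on the lines quoted above, flags every entry that permits a whole IP protocol, and shows the narrowed single-service form; the sample config and host names are assumptions, not the poster's real configuration.

```python
import re

# Constructed sample in PIX 6.x syntax, modelled on the lines quoted in the thread
# (not the poster's attached configuration; ALPHA / Trans_ALPHA are symbolic names).
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
access-list dmz-acl permit tcp host ALPHA any eq smtp
access-list dmz-acl permit ip host ALPHA any
access-list outside-acl permit tcp any host Trans_ALPHA eq smtp
access-list outside-acl permit ip any host Trans_ALPHA
access-group outside-acl in interface outside
access-group dmz-acl in interface dmz
"""

ACE_RE = re.compile(r"^access-list\s+(\S+)\s+(permit|deny)\s+(\S+)\s+(.*)$")
NAMEIF_RE = re.compile(r"^nameif\s+\S+\s+(\S+)\s+security(\d+)$")
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+in\s+interface\s+(\S+)$")


def audit(config):
    """Flag every 'permit ip' entry: it admits all protocols and ports from the
    named source, not only the one service the admin meant to expose. Each finding
    records the interface the ACL is bound to and that interface's security level."""
    levels, bindings, findings = {}, {}, []
    lines = [l.strip() for l in config.splitlines()]
    for line in lines:
        if m := NAMEIF_RE.match(line):
            levels[m.group(1)] = int(m.group(2))
        elif m := GROUP_RE.match(line):
            bindings[m.group(1)] = m.group(2)
    for line in lines:
        m = ACE_RE.match(line)
        if m and m.group(2) == "permit" and m.group(3) == "ip":
            iface = bindings.get(m.group(1))
            findings.append({"acl": m.group(1), "interface": iface,
                             "security": levels.get(iface), "line": line})
    return findings


def narrow(ace, proto, port):
    """Rewrite a 'permit ip SRC DST' entry so it permits only one service."""
    m = ACE_RE.match(ace.strip())
    if not m or m.group(3) != "ip":
        raise ValueError("not a 'permit ip' entry: " + ace)
    return f"access-list {m.group(1)} {m.group(2)} {proto} {m.group(4).strip()} eq {port}"


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"{f['acl']} on {f['interface']} (security{f['security']}): {f['line']}")
        print("  narrow to:", narrow(f["line"], "tcp", "smtp"))
```

Entries flagged on the `outside` interface (security0) are the ones reachable from the Internet; the `dmz-acl` finding matters because it lets ALPHA reach the higher-security inside network on every protocol, not just SMTP.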
