05-22-2007 07:31 AM - edited 03-11-2019 03:18 AM
a few questions:
1. Since the firewall is stateful, does this mean the if a connection is made from a higher security interface to a lower security interface (inside to DMZ), once the connection has been established, that the lower security interface (DMZ) can return the traffic?
2. Does an access-list applied inbound from the DMZ interface to the inside interface work like any access-list which means that implicit deny is at the end of the list? Anything not allowed on the list is denied?
I have a firewall with the list below inbound on the DMZ interface. The inside interface is allowing anything in the 10.0.0.0 subnet.
I have a server, 10.1.10.100 that can access the 192.168.100.5 server in the DMZ.
I do not see how this is so, with the access-list shown below. If the Stateful connection will allow anything from the 10.0.0.0 subnet (allowed on the inside interface), what good is the access-list doing?
access-list dmz permit icmp any any
access-list dmz permit tcp host 192.168.201.5 host 10.1.10.2
access-list dmz permit udp host 192.168.201.5 host 10.1.10.2
access-list dmz permit tcp host 192.168.201.5 host 10.1.10.1
access-list dmz permit udp host 192.168.201.15 host 10.1.10.2
access-list dmz permit tcp host 192.168.201.15 host 10.1.10.1
access-list dmz permit tcp host 192.168.201.5 host 10.1.10.3
access-list dmz permit udp host 192.168.201.5 host 10.1.10.3
access-list dmz permit tcp host 192.168.201.5 host 10.1.10.30 o
access-list dmz permit tcp host 192.168.100.5 host 10.1.10.5 eq www
access-list dmz permit tcp host 192.168.100.5 host 10.1.10.5 eq https
access-list dmz deny ip any 10.0.0.0 255.0.0.0
access-list dmz permit tcp host 192.168.100.5 any eq https
access-list dmz permit tcp host 192.168.100.5 any eq smtp
access-list dmz permit tcp host 192.168.100.5 any eq www
access-list dmz permit icmp host 192.168.100.5 any object-group icmp
access-list dmz permit udp host 192.168.100.5 any eq domain
access-list dmz permit tcp host 192.168.100.5 any eq ftp
access-list dmz deny ip any 192.168.0.0 255.255.0.0
access-list dmz permit tcp any any eq www
access-list dmz permit tcp any any eq https
access-list dmz permit tcp any any eq ftp
access-list dmz permit udp any any eq domain
05-22-2007 07:38 AM
1. Yes
2. Yes
The access list is preventing traffic from originating from the dmz going to the inside. If you want to filter traffic originating from inside going to dmz, then deny this traffic in your inside acl.
05-22-2007 09:37 AM
Thanks for the reply,
So, the connection is made because it originated from the allowed subnet on the inside interface, correct?
The way the access-list is set up means that I could not originate the connection from the DMZ interface, but it is allowed a connection from the inside interface correct?
05-22-2007 10:31 AM
Yes. For example.
inside = 10.0.0.0
dmz = 192.168.1.0
access-list dmz deny ip 192.168.1.0 255.255.255.0 10.0.0.0 255.0.0.0
access-group dmz in interface dmz
In the above example, 10.0.0.0 would have no problems connecting to 192.168.1.0 as the firewall is stateful. But, 192.168.1.0 could not initiate connection to 10.0.0.0.
If I wanted to restrict access to the dmz I would have to do this.
access-list inside deny ip 10.0.0.0 255.0.0.0 192.168.1.0 255.255.255.0
access-list inside permit ip any any
access-group inside in interface inside
05-22-2007 10:45 AM
Thanks for the reply.
So one last thing:
Would the stateful connection also apply to file transfer?
For example if I want to copy files (using your example) from the 10.0.0.0 inside interface TO the DMZ 192.168.1.0 interface, this would be allowed because of the stateful connection?
And can you tell me why the connection is called "stateful", does it have something to do with the "state" of the originating connection?
05-22-2007 10:55 AM
Yes, but you will notice it does not apply to icmp. Therefore if you wanted to ping a machine in the dmz you would have to allow the ping reply back into the dmz interface.
access-list dmz permit icmp 192.168.1.0 255.255.255.0 10.0.0.0 255.0.0.0 echo-reply
Here, this probably explains it better than I can.
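The following is an added illustration, not part of the thread and not Cisco code: a small Python model of the behaviour described in the two replies above. It uses the example networks from the thread (inside 10.0.0.0/8, dmz 192.168.1.0/24), applies an inbound ACL per interface with first-match and an implicit deny at the end, keeps a connection table for TCP/UDP so reply packets are accepted by state without consulting the DMZ ACL, and does not track ICMP, so an echo-reply from the DMZ only gets through when the DMZ ACL explicitly permits it. The host addresses and port numbers in the scenario are constructed for the demo.

```python
"""Toy model of a stateful firewall with per-interface inbound ACLs.

Added example for illustration; it is not Cisco PIX/ASA code and
simplifies the real device (no NAT, no sequence tracking, no timeouts).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    iface: str            # interface the packet arrives on
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    icmp_type: str = ""   # "echo" / "echo-reply" for icmp packets


@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" matches any protocol
    src: str                         # CIDR network
    dst: str                         # CIDR network
    dport: Optional[int] = None      # like "eq <port>"
    icmp_type: Optional[str] = None  # like a trailing "echo-reply"

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if ip_address(p.src) not in ip_network(self.src):
            return False
        if ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.icmp_type is not None and p.icmp_type != self.icmp_type:
            return False
        return True


ConnKey = Tuple[str, str, int, str, int]


class Firewall:
    def __init__(self, acls: Dict[str, List[Rule]]):
        self.acls = acls                 # iface -> inbound ACL (access-group ... in)
        self.conns: Set[ConnKey] = set()  # established TCP/UDP flows

    def check(self, p: Packet) -> str:
        key: ConnKey = (p.proto, p.src, p.sport, p.dst, p.dport)
        reverse: ConnKey = (p.proto, p.dst, p.dport, p.src, p.sport)
        # Reply for a flow already in the state table: accepted by state,
        # the ingress interface's ACL is never consulted.
        if p.proto in ("tcp", "udp") and reverse in self.conns:
            return "permit (existing connection)"
        # New flow: walk the inbound ACL of the ingress interface, first match wins.
        for rule in self.acls.get(p.iface, []):
            if rule.matches(p):
                if rule.action == "permit":
                    if p.proto in ("tcp", "udp"):
                        self.conns.add(key)   # ICMP is deliberately not tracked
                    return "permit (acl)"
                return "deny (acl)"
        return "deny (implicit)"            # nothing matched: implicit deny


def build_firewall(permit_echo_reply: bool) -> Firewall:
    dmz_acl: List[Rule] = []
    if permit_echo_reply:
        # Must precede the broad deny, since the ACL is first-match.
        dmz_acl.append(Rule("permit", "icmp", "192.168.1.0/24", "10.0.0.0/8",
                            icmp_type="echo-reply"))
    dmz_acl.append(Rule("deny", "ip", "192.168.1.0/24", "10.0.0.0/8"))
    inside_acl = [Rule("permit", "ip", "0.0.0.0/0", "0.0.0.0/0")]
    return Firewall({"dmz": dmz_acl, "inside": inside_acl})


def demo(permit_echo_reply: bool = True) -> Dict[str, str]:
    """Run the scenario from the thread; hosts and ports are constructed."""
    fw = build_firewall(permit_echo_reply)
    r: Dict[str, str] = {}
    # inside host opens a TCP session to the DMZ server
    r["inside_to_dmz"] = fw.check(Packet("inside", "tcp", "10.1.10.100", "192.168.1.5", 50000, 445))
    # the server's reply arrives on dmz: the dmz ACL would deny it, state permits it
    r["dmz_reply"] = fw.check(Packet("dmz", "tcp", "192.168.1.5", "10.1.10.100", 445, 50000))
    # the DMZ server trying to open its own connection to inside is denied
    r["dmz_initiated"] = fw.check(Packet("dmz", "tcp", "192.168.1.5", "10.1.10.100", 40000, 22))
    # DMZ to a destination no rule mentions falls through to the implicit deny
    r["dmz_unmatched"] = fw.check(Packet("dmz", "tcp", "192.168.1.5", "203.0.113.9", 40001, 80))
    # ping from inside goes out, but the echo-reply is not covered by state
    r["ping_out"] = fw.check(Packet("inside", "icmp", "10.1.10.100", "192.168.1.5", icmp_type="echo"))
    r["ping_reply"] = fw.check(Packet("dmz", "icmp", "192.168.1.5", "10.1.10.100", icmp_type="echo-reply"))
    return r


if __name__ == "__main__":
    for name, verdict in demo(permit_echo_reply=False).items():
        print(f"{name:16s} {verdict}")
```

Running it with `permit_echo_reply=False` shows the ping going out but its reply being dropped by the DMZ ACL, while the TCP reply is still accepted; with `True` the explicit echo-reply permit makes the ping work, which is exactly the extra line suggested in the reply above.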
05-23-2007 07:55 AM
Thanks