01-05-2007 11:57 AM - edited 03-11-2019 02:16 AM
I have worked on PIXs for years and still have a hard as hell time understanding ACLs on a PIX, specifically the direction to apply them and how they are inspected.
If you read the books, they always say inbound ACLs are used to go from a lower to a higher security interface, but then when you talk about a medium security interface (DMZ) the rules change. Can anyone point me to a doc or write a quick tutorial?
It seems like all ACLs are applied in the inbound direction. Does this mean that it is checked for any traffic coming into the interface?
01-05-2007 12:33 PM
Hi
Inbound/outbound concepts!!
Inbound ACLs are checked against traffic coming from the wire and hitting the interface of the device on which the inbound ACL is applied.
Outbound ACLs are checked against traffic coming from elsewhere and crossing the router towards the wire, out of the interface on which this outbound ACL is applied.
For a PIX there is the concept of the security level of the interface.
Interfaces with a high security level can automatically access those of lower security.
Interfaces with a lower security level cannot automatically access those with a higher security level unless there is a conduit configured to allow that.
HTH
Do rate if it does help.
01-05-2007 12:57 PM
Imagine you are inside the PIX. If you want to control traffic from the inside network to the public network (i.e. outside), you would apply the access-list on the interface labeled inside. For example, you only want to allow www traffic from the inside to the Internet.
access-list inside_access_out permit tcp any any eq 80
Then apply it to the proper interface, in the inbound direction. The inbound direction is the only direction available in ver 6.x and below. Starting with 7.x you can apply an ACL in or out, much like a router.
access-group inside_access_out in interface inside
The rules do not change with medium security interfaces. You still need to permit/deny access. One thing to remember is that to go from a lower security interface to a higher one (i.e. outside to inside, outside to dmz, dmz to inside, maybe even dmz to dmz) you need NAT translations (i.e. statics).
HTH and please rate.
01-23-2007 06:27 PM
Okay,
For those of us who are slow learners: if I have a host on the DMZ (DMZhost) and a host on the inside (insidehost), and I want traffic to go from the DMZ to the inside, do I apply an ACL like so:
access-list dmz_access_inside permit tcp DMZ host insidehost eq 80
access-group dmz_access_inside in interface dmz
Is that correct? Or would it be
access-group dmz_access_inside out interface dmz
And if I want DMZ hosts to access the outside, then is the ACL
access-list dmz_access_out permit ip 10.10.10.0 255.255.255.0 any
access-group dmz_access_out in interface dmz
Is this right?
01-24-2007 12:12 AM
Hi
From DMZ to inside
access-list dmz_access_inside permit tcp host DMZhost host insidehost eq 80
access-group dmz_access_in in interface dmz
You also need to present the inside server to the DMZ. One way to do this is:
static (inside,dmz) insidehost insidehost netmask 255.255.255.255
To go from DMZ to outside.
If you don't have an access-list on your DMZ interface then traffic will be allowed out by default (unless you're using the FWSM), because on the PIX traffic is allowed to flow from a higher to a lower security level interface.
If you do have an access-list you would need to add a line for access such as the one you have added above.
If the outside is the Internet you would need to translate the 10.10.10.x addresses to publicly routable addresses.
HTH
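A complete worked configuration for the scenario in this thread, added here as an illustration and not taken from any post above. It uses PIX 6.x syntax; the interface names, security levels and all addresses (10.10.10.5 for DMZhost, 10.1.1.10 for insidehost, 203.0.113.x on the outside, 203.0.113.53 as a DNS server) are constructed for the example.

```text
! Constructed example: PIX 6.x with three interfaces. All addresses are made up.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 203.0.113.2 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
ip address dmz 10.10.10.1 255.255.255.0

! DMZ -> inside is lower -> higher, so the inside server must be presented to
! the DMZ with a static before any ACL line can match. An identity static keeps
! the real address; without it the PIX drops the flow before checking the ACL.
static (inside,dmz) 10.1.1.10 10.1.1.10 netmask 255.255.255.255 0 0

! DMZ -> outside is higher -> lower: no static needed, but with private
! addresses the source still needs a translation (PAT behind the outside IP).
nat (dmz) 1 10.10.10.0 255.255.255.0 0 0
global (outside) 1 interface

! One ACL covers everything that enters the PIX on the dmz interface, whatever
! the destination interface. Binding it removes the default higher -> lower
! permit, so DMZ -> outside flows now need explicit lines too.
access-list dmz_in permit tcp host 10.10.10.5 host 10.1.1.10 eq 80
! "any" in the lines below also matches the inside network, so block the rest
! of inside before the broad Internet permits.
access-list dmz_in deny ip any 10.1.1.0 255.255.255.0
access-list dmz_in permit tcp 10.10.10.0 255.255.255.0 any eq 80
access-list dmz_in permit tcp 10.10.10.0 255.255.255.0 any eq 443
access-list dmz_in permit udp 10.10.10.0 255.255.255.0 host 203.0.113.53 eq 53
! Implicit deny follows; stated here so the policy reads completely.
access-list dmz_in deny ip any any

! "in" means the ACL is evaluated on packets arriving from the DMZ wire.
access-group dmz_in in interface dmz
```

With this in place, DMZhost can open port 80 to insidehost and DMZ hosts can reach the Internet on 80/443 and the named DNS server, while every other DMZ-sourced flow, including the rest of the inside network, is dropped at the dmz interface.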