PIX no DMZ access out

craigb
Level 1

I'm setting up a DMZ on a PIX 515e and everything seems to work fine except I can't get access from the servers in the DMZ to the internet. The only way I CAN get access is if I add a "permit ip any any" to the dmz access list. I only have allow statements in the dmz access list and no deny statements. Shouldn't the dmz allow all traffic to flow out because of its security level?

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 dmz security50

I'll attach a sanitized config from my PIX. Hopefully it's a simple mistake that I'm missing.

Thanks,

CB


5 Replies

mostiguy
Level 6

Dude, you didn't show us the dmz_access_in list. To let http traffic into the pix DMZ interface from the DMZ hosts, you would need:

access-list dmz_access_in permit tcp 10.0.0.0 255.255.255.0 any eq 80

assuming that you were using 10.0.0.0/24 for ip addresses for your dmz hosts.

What DNS server are the dmz hosts using? If they are using one outside of your pix, you need:

access-list dmz_access_in permit udp 10.0.0.0 255.255.255.0 host outside.dns.ip.here eq 53

To allow those hosts outbound dns access to outside.dns.ip.here

I'm using the DNS servers that my ISP has for external name resolution for servers sitting in the DMZ. But should I have to set up a permit statement for that in the DMZ? I thought that any server sitting in the DMZ should be able to get to the internet by default, just like any PC on the internal network can get to the DMZ and to the internet by default.

I do have access list statements allowing traffic in to the DMZ and then statements allowing from the DMZ to the internal network, and they work fine. Here is an example of each:

access-list outside_access_in permit tcp any host X.X.X.X eq smtp

access-list dmz_access_in permit tcp host Sec-Gateway host X.X.X.X eq 443

I can tell these are getting hits from a "show access-list" statement.

I just didn't think I needed any kind of statements allowing traffic from the DMZ out because the DMZ should be able to get out because of the security level. Do I have this wrong?

(Sorry for leaving out so much info, I just didn't want to broadcast what ports I have open to the world. I can't believe one guy actually put his entire config on here including the password hashes!)

CB

Everything is allowed from a higher security interface to a lower security one UNTIL you apply an access list to that higher security interface; by applying an ACL to the dmz interface, this is what you have done. At the end of every ACL is an implicit deny all rule.

So, by default, the inside int can talk to the dmz and outside, and the dmz int can talk to the outside (assuming that NAT is set up properly). But if you apply an ACL to either int, that changes things.

So yes, you want statements to allow the DMZ hosts to access the ISP DNS servers, as well as what protocols they are allowed to use

I think I may be starting to understand what's going on here. If I'm sitting in the DMZ, the inbound ACL on that interface not only affects traffic going to the internal network, but also affects traffic trying to go to the outside interface. It makes sense when I draw it out. Both sets of traffic are inbound on the DMZ interface.

I guess you could put an outbound ACL on the internal interface, allowing the DMZ traffic to flow to the internal LAN, then your DMZ would be able to send any traffic out. But then it's probably not a great idea to allow your DMZ to send out on all ports.

Thanks for the help!

Exactly! You need to think about how traffic flows through the pix - an ACL on a given int impacts all traffic through that int, regardless of destination. So an inside interface ACL can impact traffic that will go through the dmz and outside interfaces, as that traffic is going through it. A DMZ interface acl will likewise affect traffic through it to the inside or outside (or any other interfaces)
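Putting the whole thread together, here is what a DMZ interface ACL that follows mostiguy's advice looks like. This is an added example, not the poster's sanitized config or anything from the thread: it assumes a 10.0.0.0/24 DMZ, two ISP resolvers at the documentation addresses 198.51.100.10 and 198.51.100.11, an inside host 192.168.1.20 that one DMZ host (10.0.0.5) must reach on 443, and PIX 6.x command syntax as found on a 515E. The point it illustrates is the one from the accepted answer: once `access-group ... in interface dmz` is applied, the security-level default no longer applies to anything entering the dmz interface, so both the DMZ-to-inside permits and the DMZ-to-outside permits have to live in the same list, in order, ahead of the implicit deny.

```cisco
! Added example (not the original poster's config). Addresses are assumptions.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50

! Translation for DMZ hosts going out; without this nothing leaves even with a permit.
nat (dmz) 1 10.0.0.0 255.255.255.0 0 0
global (outside) 1 interface

! Make the inside host reachable from the DMZ at its real address (identity static).
static (inside,dmz) 192.168.1.20 192.168.1.20 netmask 255.255.255.255 0 0

! 1. DMZ -> inside: only the one flow that is actually required.
access-list dmz_access_in permit tcp host 10.0.0.5 host 192.168.1.20 eq 443
! 2. Explicitly block everything else toward the inside network. This line comes
!    before the broader outbound permits below, because ACLs match top-down and the
!    "permit ... any" lines would otherwise also match inside destinations.
access-list dmz_access_in deny ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
! 3. DMZ -> outside: DNS to the ISP resolvers only, HTTP/HTTPS to anywhere.
access-list dmz_access_in permit udp 10.0.0.0 255.255.255.0 host 198.51.100.10 eq domain
access-list dmz_access_in permit udp 10.0.0.0 255.255.255.0 host 198.51.100.11 eq domain
access-list dmz_access_in permit tcp 10.0.0.0 255.255.255.0 any eq www
access-list dmz_access_in permit tcp 10.0.0.0 255.255.255.0 any eq https
! Anything not listed above (SMTP out, RDP to the LAN, etc.) hits the implicit deny.

access-group dmz_access_in in interface dmz
```

After applying it, `show access-list dmz_access_in` shows per-line hit counts, which is the quickest way to confirm that DNS and web traffic from the DMZ are matching the intended permits rather than falling through to the implicit deny, and that nothing is matching the deny toward the inside network except traffic you expect to be blocked.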
