cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
502
Views
0
Helpful
3
Replies

DMZ to Inside

greyhame
Level 1
Level 1

This question relates to Pix Version 6.3(3) on a 515E with three interfaces. My apologies if this topic is covered well elsewhere, I have had no luck finding it.

I have configured three interfaces in a basic outside, inside, dmz mode, with routable IP addresses, and no need or desire to use NAT. No matter how I go about approaching the problem, if I try and configure rules to allow DMZ hosts access to specific services on the Inside segment, the implicit outbound rule for the DMZ gets overwritten, and all other outbound traffic from the DMZ gets dropped. If I try and overcome that with a permit ip any any ACL for DMZ to outside, it allows all traffic from the DMZ to the Inside - rather defeating the purpose of separating these segments.

I have tried coming at the Pix from different angles, and without making eye contact, but no matter how I go about it, I can not seem to create rules to allow certain DMZ -> Inside traffic without blowing away DMZ -> Outside communications.

Am I missing something fundamental here? Any help will be most appreciated.

Graham

1 Accepted Solution

Accepted Solutions

harishtandon23
Level 1
Level 1

Hello Greyhame,

I understood the problem. you want to permit certain host on the dmz to access the inside servers and at the same time you want to permit everything on the dmz to access outside but not to access inside except the specific host. it is possible. let me give you an example configuration rules that you can change as per your ip addressing.

lets take and example that the inside network is on 192.168.1.0 subnet and dmz on 172.16.1.0 and outside as 63.97.45.0

We have inside server with ip address 192.168.1.10 that need to be access from the dmz host 172.16.1.5

Here is the access-list command that you need to apply on dmz interface so that you can access inside server 192.198.1.10 from dmz host 172.16.1.5 and you want to allow 172.16.1.0 to access the internet but no one else except 172.16.1.5 to be able to access inside subnet.

Please try the following command:

access-list dmz_in permit tcp host 172.16.1.5 host 192.168.1.10 eq www

access-list dmz_in deny ip any 192.168.1.0

access-list dmz_in permit ip any any

access-group dmz_in in interface dmz

If you see the first access-list, it would allow the dmz host to access the inside server. The second command would deny everything else from dmz to access the inside network except the one mentioned above, as access-list is read from top to bottom and then enforced. The third command would allow only the dmz traffic to go to the outside.

If you have any questions, please feel free to contact me.

Thanks & Regards,

Harish Tandon

harishtandon23@gmail.com

View solution in original post

3 Replies 3

harishtandon23
Level 1
Level 1

Hello Greyhame,

I understood the problem. you want to permit certain host on the dmz to access the inside servers and at the same time you want to permit everything on the dmz to access outside but not to access inside except the specific host. it is possible. let me give you an example configuration rules that you can change as per your ip addressing.

lets take and example that the inside network is on 192.168.1.0 subnet and dmz on 172.16.1.0 and outside as 63.97.45.0

We have inside server with ip address 192.168.1.10 that need to be access from the dmz host 172.16.1.5

Here is the access-list command that you need to apply on dmz interface so that you can access inside server 192.198.1.10 from dmz host 172.16.1.5 and you want to allow 172.16.1.0 to access the internet but no one else except 172.16.1.5 to be able to access inside subnet.

Please try the following command:

access-list dmz_in permit tcp host 172.16.1.5 host 192.168.1.10 eq www

access-list dmz_in deny ip any 192.168.1.0

access-list dmz_in permit ip any any

access-group dmz_in in interface dmz

If you see the first access-list, it would allow the dmz host to access the inside server. The second command would deny everything else from dmz to access the inside network except the one mentioned above, as access-list is read from top to bottom and then enforced. The third command would allow only the dmz traffic to go to the outside.

If you have any questions, please feel free to contact me.

Thanks & Regards,

Harish Tandon

harishtandon23@gmail.com

That makes perfect sense, thanks. There be the forest I wasn't seeing for the trees, not sure how I missed that approach. Thanks again.

Graham

jsteffensen
Level 1
Level 1

Hi Graham.

It is a known issue. - Which is possible to solve with a slight difference on your config.

1. Permit the spcified wanted traffic from dmz to the internal server.

2. Deny traffic from dmz to internal networks

3. Permit traffic from dmz to outside

Accesslist are worked through top -> botto,

Hope this Helps

Jarle Steffensen