Effect of access-lists on default open high to low access

mrrussell, Level 1

I'm setting up access-list rules on a PIX 525 (v6.3) with multiple DMZs, but want to minimise the rules stated.

Scenario: 3 interfaces (inside, security 100; middle, security 50; outside, security 0).

To allow hosts on middle to reach inside I'm creating an access-list applied to the middle interface. However, will an implicit (or explicit) deny at the end of the access-list prevent hosts on middle from having the default open access to the lower-security outside interface?

Thanks

Mick

Accepted Solution

Patrick Iseli, Level 7

Security Levels and Access-lists:

To grant access from a lower to a higher level you need an access-list and a static.

Equal security levels cannot talk to each other.

A higher security level can talk to lower levels if there is no access-list on that interface and the NAT is configured correctly.

ACLs add a "deny ip any any" at the end, after the permit statements. So to come back to your question: if you permit a DMZ host to connect to an inside host on a specific port, then all other connections will be blocked. You need to specify all traffic in that access-list, otherwise it will be blocked.

The only exception is established traffic that may come from the other interfaces' access-lists to the DMZ, replies etc. For example, if you permit port 80 from the outside to a DMZ host, this traffic will not be checked again by the DMZ access-list.

sincerely

Patrick

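A PIX 6.3 configuration fragment illustrating the point above, added here as an example and not taken from the original thread; the addresses, ports and the ACL name middle_in are constructed. Because the ACL is evaluated first-match with an implicit deny at the end, the entry that re-creates the default middle-to-outside access must come after the specific inside rules, and an explicit deny for the rest of the inside network keeps that broad permit from opening inside as a side effect.

```text
! Interfaces as in the question (PIX 6.3 syntax)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 middle security50

! Constructed addressing: middle is 10.50.1.0/24, the inside server is 10.1.1.10
! Lower-to-higher (middle -> inside) needs a static plus an ACL entry
static (inside,middle) 10.1.1.10 10.1.1.10 netmask 255.255.255.255

! Higher-to-lower (middle -> outside) still needs NAT to be configured
nat (middle) 1 10.50.1.0 255.255.255.0
global (outside) 1 interface

! 1. the single inside service that middle may reach
access-list middle_in permit tcp 10.50.1.0 255.255.255.0 host 10.1.1.10 eq 443
! 2. block everything else toward inside BEFORE the broad permit below
access-list middle_in deny ip any 10.1.1.0 255.255.255.0
! 3. re-create the default open access to the lower-security outside
access-list middle_in permit ip 10.50.1.0 255.255.255.0 any
! implicit, not typed: access-list middle_in deny ip any any

access-group middle_in in interface middle
```

Without entries 2 and 3, the implicit deny at the end blocks all middle-to-outside traffic as soon as the access-group is applied, which is exactly the behaviour the question asks about.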

3 Replies

tbissett, Level 1

Yes, once you apply an access-list to an interface, the implicit allow from higher to lower is no longer allowed. Traffic has to match the rules in the access-list, or else it is dropped.


Patrick (and tbissett), thanks for the prompt and clear replies. I suspected this was the case. PIXes with multiple DMZs can therefore easily get long and complex configs.

Thanks

Mick
