11-02-2004 07:56 AM - edited 03-09-2019 09:18 AM
I'm setting up access-list rules on a PIX525 (V6.3) with multiple DMZ's, but want to minimise the rules stated.
Scenario - 3 interfaces (inside security100, middle security50, outside security0)
To allow hosts on middle to reach inside I'm creating an access-list applied to the middle interface. However, will an implicit (or explicit) deny at the end of the access list prevent hosts on middle having the default open access to the lower security outside interface?
Thanks
Mick
11-02-2004 08:14 AM
Security Level and Access-lists:
To grant access from lower to higher level you need an access-list and a static.
Equal to equal levels can not talk to each others.
Higher Security Level can talk to lower levels if there is no access-list on that interface and the NAT is configured correctly.
ACL's will add at the end a "deny ip any any" after a permit statement. So to come back to your question: if you permit a DMZ host to connect to an inside host on a specific port, then all other connections will be blocked. You need to specify all traffic in that access-list, otherwise it will be blocked.
The only exception is the established traffic that may come from the other interface access-lists to the DMZ, replies etc. For example, if you permit port 80 from the outside to a DMZ host, this traffic will not be checked again by the DMZ access-list.
sincerely
Patrick
11-02-2004 08:03 AM
Yes, once you apply an access-list to an interface, the implicit allow from higher to lower is no longer allowed. Traffic has to match the rules in the access-list, or else it is dropped.
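The following PIX 6.3 configuration is an added example illustrating the point made in both replies above; it is not configuration posted by anyone in the thread. Interface names, addresses and the single inside host are assumed values. The first access-list line is the one middle-to-inside flow Mick wants; the last permit line is what restores the higher-to-lower access to outside that applying any access-group to the middle interface would otherwise remove.

```cisco
! Added example, not from the thread. Three interfaces as in Mick's scenario.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 middle security50

! Assumed addressing (documentation ranges).
ip address outside 203.0.113.2 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
ip address middle 10.2.2.1 255.255.255.0

! Lower (middle) to higher (inside) needs a static for the destination;
! an identity static exposes only the one inside host middle may reach.
static (inside,middle) 10.1.1.50 10.1.1.50 netmask 255.255.255.255

! Middle hosts reach the outside through PAT on the outside address.
nat (middle) 1 10.2.2.0 255.255.255.0
global (outside) 1 interface

! 1) the wanted middle -> inside flow (assumed host and port)
! 2) explicit deny of everything else aimed at the inside network;
!    the implicit deny would do this too, but stating it keeps the intent visible
! 3) restore higher-to-lower access: without this line, applying the
!    access-group blocks all middle -> outside traffic
access-list middle_in permit tcp host 10.2.2.20 host 10.1.1.50 eq www
access-list middle_in deny ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list middle_in permit ip 10.2.2.0 255.255.255.0 any
access-group middle_in in interface middle
```

After applying it, `show access-list middle_in` shows per-line hit counts, which is the quickest way to confirm that middle-to-outside traffic is matching line 3 rather than falling through to the implicit deny.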
11-02-2004 10:30 PM
Patrick (and tbissett), thanks for the prompt and clear replies. I suspected this was the case. PIX's with multiple DMZ's can therefore easily get long and complex configs.
Thanks
Mick