I was looking at my PIX config and realized I dont need to open up the ports on the DMZ interface which ,i was doing(thank god for test networks), but rather palce those access-lists (using access-group) on the inside interface.

So the syntax is:

access-list outside_inside permit tcp host (dmz IP address) host (internal DC or SQL IP) eq (port number)

Could you explain the static syntax you have written? I looks like it is a static to the same IP, should it be:

static (inside,dmz) 10.10.0.2 192.168.06 netmask 255.255.255.255 0 0

I assume from what I have learned this will just allow the static route bewteen the DMZ host and the internal DC or SQL host, so I would need a static for each internal host (one for DC and one for SQL server).

I am I still on the right path? Thanks for your help.

Cheers,

Marc

Hello Mark,

A static statement will not route traffic.

IP address of host must be advertise using a static statement to permit traffic from a LOWER interface security to a HIGHER one. By default on pix inside intf security is 100, and outside intf sec is 0. You can set dmz sec parameter in the range 1-99. Also using a routable ip on lower intf is required.

I'm not sure what you wanna do but here's a generic explanation to permit traffic from outside ip host 2.2.2.2 to inside host 1.1.1.1:

1) Advertise your inside host: use a outside routable ip address:

Static (inside, outside) 1.1.1.1 2.1.1.1 netmask ...

2)Permit traffic using the ADVERTISED IP:

Access-list outside_access permit tcp host 2.2.2.2 host 2.1.1.1 eq tcp/port

3)Bind outside access-list's on the outside intf:

Access-group outside_access in interface outside

Should do the trick.

You must use a static statement for each inside hosts on witch you want to permit traffic.

Try 'show xlate' and 'clear xlate' (use w/ precaution) commands to debug.

Mike

Mike,

Thanks for the insight!

I improperly used 'route' when refering to static, but you got what i was refering to.

If I am allowing traffic from a DMZ to inside intf then I would create and bind access-lists to the DMZ interface or the inside interface? It seems it would be to the inside intf(to allow the SQL server calls from a DMZ host to pass through the higher security intf). Or do I have it backwards? For some reason this was easier when I was only dealing with two intfs not three. And just to make sure--- you can only bind one access-list to an interface correct?

Thanks again.

Cheers,

Marc

Hi Marc,

If the initiator of a connection is in dmz, you must apply an access-list on dmz intf. There is no need to add reflexive access-list on the inside intf to permit the traffic to come back from inside host to dmz host. The pix maintains a connection table between hosts and all securty inspection of packet is done by the pix.

You may add as many access-list's as you need and bind all of them to one interface. You may only have one group of acl for each interface. When you'll get familiar w/ pix, you wont make any difference dealing w/ 2, 3...6 interfaces per pixes. You just need a little time for learning and experiencing.

Mike

Mike,

Thanks for the clarification. After reading your post I sat down and really thought about it, I realized the DMZ intf is nothing more then another outside intf and the same theories apply to any intf face that isn't the inside intf. Thanks again for that explanation.

Cheers,

Marc