11-13-2003 01:18 AM - edited 02-20-2020 09:23 PM
Now I am consolidating the network security, but with a question:
Because by default the PIX firewall permits any protocol from inside to outside, but with an IDQ exploit I can establish a reverse connection with the inside-area server, now I should configure some policy limiting protocols from inside to outside. What can I do? How?
In the inside area there is no PC, only some application servers and DB servers. The configuration is as follows:
access-list inbound permit icmp any any
access-list inbound permit tcp any host 172.16.25.134 eq www
access-list inbound permit tcp any host 172.16.25.134 eq ftp
access-list inbound permit tcp any host 172.16.25.150 eq www
access-list inbound permit tcp any host 172.16.25.151 eq www
access-list inbound permit tcp any host 172.16.25.152 eq www
access-list inbound permit tcp any host 172.16.25.153 eq www
access-list inbound permit tcp any host 172.16.25.1 eq 9001
access-list inbound permit tcp any host 172.16.25.1 eq 8001
access-list inbound permit tcp any host 172.16.25.2 eq 9001
access-list inbound permit tcp any host 172.16.25.2 eq 8001
access-list inbound permit tcp any host 172.16.25.3 eq 8001
access-list inbound permit tcp any host 172.16.17.170 eq 1888
access-list inbound permit tcp any host 172.16.17.171 eq 1888
access-list inbound permit udp any host 172.16.17.170 eq 1999
access-list inbound permit udp any host 172.16.17.171 eq 1999
access-list inbound permit tcp any host 172.16.17.170 eq 1889
access-list inbound permit tcp any host 172.16.17.171 eq 1889
access-list inbound permit udp any host 172.16.17.201 eq syslog
access-list inbound permit udp any host 172.16.17.200 eq syslog
access-list inbound permit udp any host 172.16.17.201 eq snmptrap
access-list inbound permit udp any host 172.16.17.200 eq snmptrap
access-list inbound permit tcp any host 172.16.17.201 eq 42340
access-list inbound permit tcp any host 172.16.17.201 eq 42341
access-list inbound permit tcp any host 172.16.17.201 eq 42343
access-list inbound permit udp any host 172.16.17.201 eq 42342
access-list inbound permit tcp any host 172.16.25.129 eq www
11-13-2003 06:33 PM
Is this your actual ACL configuration with public IPs?
11-16-2003 01:38 AM
The access-list you stated above looks like it is from outside to inside! Correct? Now if you want to limit from inside to outside, you will have to sort of reverse the above access-list statements.
For example, you said that all your servers are located on the inside. Let's take the example of an FTP server. You expect that server only to answer a request on port 80 or 443, correct?
So an inside-to-outside access-list would be:
"access-list outbound permit tcp host 172.16.25.150 eq www any"
This avoids traffic being initiated from the inside, unless it "conforms" to some rules.
Regards.
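Added example (my own Python, not code from this thread or from Cisco): a small evaluator for PIX-style access-list lines that shows which flows an inside-to-outside ACL lets through. It assumes the single outbound entry from the reply above, constructed sample flows, and models the PIX default of no outbound ACL as permit-all, as the question states.

```python
# Added example, not from the thread: a small evaluator for PIX-style
# access-list lines. ACL entries and flows are constructed samples; the
# outbound entry mirrors the reply's idea of reversing an inbound statement.
from collections import namedtuple

PORT_NAMES = {"www": 80, "ftp": 21, "syslog": 514, "snmptrap": 162}
Flow = namedtuple("Flow", "proto src sport dst dport")

def _port(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)

def parse_acl(text):
    """Parse 'access-list NAME permit|deny PROTO SRC [eq P] DST [eq P]'.
    Each endpoint becomes (host, port); None means 'any' / any port."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        action, proto, rest = tok[2], tok[3], tok[4:]
        ends, i = [], 0
        while i < len(rest):
            host = rest[i + 1] if rest[i] == "host" else None
            i += 2 if rest[i] == "host" else 1
            port = None
            if i < len(rest) and rest[i] == "eq":
                port, i = _port(rest[i + 1]), i + 2
            ends.append((host, port))
        entries.append((action, proto, ends[0], ends[1]))
    return entries

def permits(acl, f):
    """First match wins; no match is the implicit deny. acl=None models
    the PIX default of no outbound ACL, where every flow passes."""
    if acl is None:
        return True
    for action, proto, (sh, sp), (dh, dp) in acl:
        if (proto in (f.proto, "ip") and sh in (None, f.src)
                and dh in (None, f.dst) and sp in (None, f.sport)
                and dp in (None, f.dport)):
            return action == "permit"
    return False

OUTBOUND = parse_acl("access-list outbound permit tcp host 172.16.25.150 eq www any")
# Web server answering a client (source port 80) vs. the server opening its
# own new connection to an outside host on another port.
SERVER_REPLY = Flow("tcp", "172.16.25.150", 80, "203.0.113.5", 51000)
SERVER_INITIATED = Flow("tcp", "172.16.25.150", 49152, "203.0.113.5", 443)

def check_policy(acl):
    """Which of the two sample flows does the given outbound ACL permit?"""
    return {"reply": permits(acl, SERVER_REPLY),
            "initiated": permits(acl, SERVER_INITIATED)}
```

With no outbound ACL both flows pass; with the reply's entry applied, the server's own new connection is dropped by the implicit deny while its answers on port 80 still pass.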