Regarding inbound,outbound access

brajesh.kumar
Level 1

Hi There

I have some doubts regarding access. I have tried to explain it clearly.

These statements are from Cisco documentation (Using nat, global, conduit and .....).

"..By default, there are no access restrictions on outbound connections through the PIX. This means that if there is no ACL configured for the source interface, then, by default, the outbound connection will be allowed if there is a translation method configured."

Therefore for

1. Inside(+) ---> Outside(-) (just configure the nat and global commands & an ACL, if any, on the inbound interface).

2. Inside(+) ---> Dmz(-)

Is there a need for translation (as per the statement)? Or can it access by default without translation? If translation is needed, can nat 0 be used?

What will be the configuration?

The same question for Dmz(+) ---> Outside(-)?

"..In contrast to the nat and global commands which allow inside hosts out, the static command creates a two-way translation that allows inside hosts out and outside hosts in if the proper conduits are created or ACLs/groups added (PIX software version 5.0.1 or later)."

What is the meaning of "..inside hosts out and outside hosts in" for static command?

For Outside(-) ---> Dmz(+) (by static, access-list & applying it on the outside interface).

Is the meaning of this statement Dmz(+) ---> Outside(-) (the reverse, with the same static ...)?

If this is the meaning, then it conflicts with the Dmz(+) ---> Outside(-) case above, which asks for translation?

For Dmz(-) ---> Inside(+)

Is this the only way of configuration, as told by gfullage?

For the mail server (or any host on the DMZ) to access the inside do the following:

static (inside,dmz) 128.100.0.0 128.100.0.0 netmask 255.255.0.0

access-list fromDMZ permit ip host 192.168.0.2 128.100.0.0 255.255.0.0

access-group fromDMZ in interface dmz

(where 128.100.*.* is for inside network and 192.168.*.* for dmz network)

Thanks in advance.

Brajesh.

2 Replies

bfl1
Level 1

First, to help you understand when/what/where/why you need translation/ACLs, you need to understand security levels on an interface.

By default, a "high" security number can access a lower security number without an ACL. Security of the inside interface is 100, DMZ is 50, and outside is 0. So:

inside -> DMZ: you need translation and no ACL (by default)
inside -> outside: you need translation and no ACL (by default)
DMZ -> outside: you need translation and no ACL (by default)
DMZ -> inside: you need translation and an ACL
outside -> DMZ: you need translation and an ACL
outside -> inside: you need translation and an ACL

I say "default" because once you apply an ACL of any kind, there is an implicit deny all at the end of the ACL.

So inside configs:

nat (inside) 1 LocalIP LocalMask
global (outside) 1 GlobalIP GlobalMask
global (dmz) 1 GlobalIP GlobalMask

DMZ configs:

nat (dmz) 1 LocalIP LocalMask
global (outside) 1 GlobalIP GlobalMask
global (inside) 1 <ip used when going inside> (This is reverse NAT)

Outside configs:

static (inside,outside) GlobalIP LocalIP
static (dmz,outside) GlobalIP LocalIP

So, when going from a higher security level to a lower, by default you only need address translation. When going from a lower security level to a higher security level, you need address translation and ACL's. I hope this helps.
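As an added example (not code from this thread, from Cisco, or from the PIX itself), the rules listed in the reply above and the gfullage lines quoted in the question can be put into a small Python model: it parses the nat/global/static/access-list/access-group commands quoted in the thread and decides, for a flow between two interfaces, whether a translation exists and whether the ACL bound to the source interface permits it. The `parse`/`translated`/`allowed` names and the sample hosts 128.100.1.1 and 198.51.100.7 are assumptions; the rule that a nat on the source paired with a global on the destination counts as a translation follows the reply as written.

```python
from ipaddress import ip_address, ip_network
LEVELS = {"inside": 100, "dmz": 50, "outside": 0}  # PIX default security levels named in the reply
def _net(t, i):  # address spec at t[i], 'host A' or 'A mask'; returns (network, index after it)
    if t[i] == "host":
        return ip_network(t[i + 1]), i + 2
    return ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2
def parse(text):
    """Parse the nat/global/static/access-list/access-group lines quoted in the thread."""
    cfg = {"nat": [], "global": [], "static": [], "acl": {}, "group": {}}
    for line in text.strip().splitlines():
        t = line.replace("(", " ").replace(")", " ").replace(",", " ").split()
        if t[0] == "nat":             # nat (ifc) id net mask
            cfg["nat"].append((t[1], t[2], _net(t, 3)[0]))
        elif t[0] == "global":        # global (ifc) id ip-or-range
            cfg["global"].append((t[1], t[2]))
        elif t[0] == "static":        # static (high,low) global local [netmask m]
            m = t[6] if len(t) > 6 else "255.255.255.255"
            cfg["static"].append((t[1], t[2], _net([t[3], m], 0)[0], _net([t[4], m], 0)[0]))
        elif t[0] == "access-list":   # access-list name permit|deny ip SRC DST
            s, i = _net(t, 4)
            cfg["acl"].setdefault(t[1], []).append((t[2] == "permit", s, _net(t, i)[0]))
        elif t[0] == "access-group":  # access-group name in interface ifc
            cfg["group"][t[4]] = t[1]
    return cfg
def translated(cfg, src, dst, sip, dip):
    """A nat on src paired with a global on dst (nat 0 is identity NAT and needs no global), or a static."""
    for ifc, nid, net in cfg["nat"]:
        if ifc == src and sip in net and (nid == "0" or (dst, nid) in cfg["global"]):
            return True
    for high, low, gnet, lnet in cfg["static"]:  # two-way: "inside hosts out and outside hosts in"
        if ((src, dst) == (high, low) and sip in lnet) or ((src, dst) == (low, high) and dip in gnet):
            return True
    return False
def allowed(cfg, src, dst, sip, dip):
    """Translation always; low->high also needs a permit; any ACL bound to the source interface adds an implicit deny."""
    sip, dip = ip_address(sip), ip_address(dip)
    if not translated(cfg, src, dst, sip, dip):
        return False, "no translation"
    name = cfg["group"].get(src)
    if name is None:
        return LEVELS[src] > LEVELS[dst], "no ACL on source interface (higher-to-lower only)"
    for permit, s, d in cfg["acl"].get(name, []):
        if sip in s and dip in d:
            return permit, f"matched {name}"
    return False, f"implicit deny at end of {name}"
PIX = parse("""static (inside,dmz) 128.100.0.0 128.100.0.0 netmask 255.255.0.0
access-list fromDMZ permit ip host 192.168.0.2 128.100.0.0 255.255.0.0
access-group fromDMZ in interface dmz
nat (inside) 1 128.100.0.0 255.255.0.0
global (dmz) 1 10.0.10.12""")  # constructed sample built from the lines quoted in the thread
```

With the sample config, 192.168.0.2 on the DMZ reaches 128.100.1.1 inside (static plus ACL permit), any other DMZ host hits the implicit deny, and inside hosts reach the DMZ through either the nat/global pair or the outbound side of the same static.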

Thanks for your reply.

Could you just check these configurations?

For Dmz(-) ---> Inside(+)

Is this the only way of configuration, as told by gfullage?

For the mail server (or any host on the DMZ) to access the inside do the following:

static (inside,dmz) 128.100.0.0 128.100.0.0 netmask 255.255.0.0

access-list fromDMZ permit ip host 192.168.0.2 128.100.0.0 255.255.0.0

access-group fromDMZ in interface dmz

(Is there any other way except this?)

(where 128.100.*.* is for inside network and 192.168.*.* for dmz network)

For Inside(+) --> Dmz(-)

nat (inside) 1 128.100.0.0 255.255.0.0

global (dmz) 1 10.0.10.12 (or any 192.168.8.8 address)

Thanks.

Brajesh