
Access List on DMZ interface


quickconnect (IS-IT--Management), May 5, 2003
I am trying to create an access list on a newly created DMZ interface on one of our PIX 515s.

Basically the PIX is used to isolate two internal networks.
We are using the DMZ only to manage the PIX via SSH & HTTP (PDM) and to block all other access going in and out of that DMZ interface.

What should my access list look like if only 1.0.0.0 is allowed SSH & HTTP (PDM) access from the DMZ segment and everything else is dropped? Also, I don't want either of the two networks on the inside & outside interfaces to access anything in the DMZ.

PIX Version 6.3(4)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
interface ethernet3 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security99
nameif ethernet3 intf3 security15


 
Wow, does anyone read this forum anymore? No PIX experts can answer this?
 
Or you just posted it at a time with high volume, so it got shoved off the page...

Either way...

access-list dmz_manage permit tcp 1.0.0.0 <subnet mask> any eq 22
access-list dmz_manage permit tcp 1.0.0.0 <subnet mask> any eq 443
access-list dmz_manage deny ip any any
access-group dmz_manage in interface dmz

Computer/Network Technician
CCNA
 
As long as you are using the standard SSH and HTTPS ports, you will be fine, unless you need to allow traffic into the DMZ from the other interfaces.

Also make sure that in "access-group dmz_manage in interface dmz" the "dmz" portion is replaced with whatever you named the DMZ interface.

Computer/Network Technician
CCNA
 
I think I should be OK since I named the interface ethernet2 "DMZ".

PIX Version 6.3(4)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
interface ethernet3 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security99
nameif ethernet3 intf3 security15

Here is what the access-list looks like:
access-list dmz_manage permit tcp ConsumersSubnet 255.255.255.0 any eq ssh
access-list dmz_manage permit tcp ConsumersSubnet 255.255.255.0 any eq https
access-list dmz_manage deny ip any any

Here is the access-group:
access-group dmz_manage in interface dmz

I first applied the access-list in config t, then applied the access-group by doing this:
config t
interface ethernet2
then applied the access-group.

 
That's fine. It would work either way, I guess, because regardless of how you enter it, it is entered the same way into the config.

And you should be fine then.

Computer/Network Technician
CCNA
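The pieces a working setup needs beyond the access-list lines posted above, as an added example that is not from anyone in this thread. It uses PIX 6.3 syntax and assumes a management network of 192.0.2.0/24 standing in for ConsumersSubnet, a DMZ interface address of 10.99.0.1/24 and an inside network of 10.1.0.0/16; all three are placeholders to substitute. It covers two points the thread does not: sessions to the PIX itself (SSH, and PDM over HTTPS) are authorized by the ssh and http commands, while the interface access-list governs traffic passing through the firewall; and an access-list applied in on the dmz interface says nothing about traffic entering from inside, so keeping the inside network out of the DMZ takes an explicit deny on the inside interface (outside, at security0, cannot reach the higher-security dmz without a static or conduit, so nothing is added there).

```cisco
! Added example, not configuration from the thread. Placeholders:
!   192.0.2.0/24  management hosts ("ConsumersSubnet" in the thread)
!   10.99.0.1/24  the PIX's own address on the dmz interface
!   10.1.0.0/16   the inside network
hostname pix515
domain-name example.net
interface ethernet2 100full
nameif ethernet2 dmz security99
ip address dmz 10.99.0.1 255.255.255.0

! Who may open SSH and PDM (HTTPS) sessions to the PIX itself, and from which
! interface. These commands, not the interface access-list, authorize
! traffic that terminates on the firewall.
ca generate rsa key 1024
ca save all
http server enable
http 192.0.2.0 255.255.255.0 dmz
ssh 192.0.2.0 255.255.255.0 dmz
ssh timeout 15
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
username admin password CHANGE-ME privilege 15

! Access-list for traffic entering on dmz. The permits are scoped to the
! PIX's own dmz address rather than "any", so the management subnet cannot
! use them to reach hosts on inside or outside; the final deny drops every
! other flow that would otherwise transit from the DMZ.
access-list dmz_in permit tcp 192.0.2.0 255.255.255.0 host 10.99.0.1 eq ssh
access-list dmz_in permit tcp 192.0.2.0 255.255.255.0 host 10.99.0.1 eq https
access-list dmz_in deny ip any any
access-group dmz_in in interface dmz

! Inside (security100) may reach dmz (security99) by default once a NAT rule
! covers it, so deny that explicitly and keep the inside-to-outside traffic
! the PIX was installed for.
access-list inside_in deny ip any 10.99.0.0 255.255.255.0
access-list inside_in permit ip 10.1.0.0 255.255.0.0 any
access-group inside_in in interface inside
```

After pasting this in, confirm the result rather than assuming it: "show access-list" lists the hit counts per line, so an SSH attempt from a non-management DMZ host should increment the dmz_in deny line and an inside host's attempt to reach 10.99.0.0/24 should increment the inside_in deny line, and "show ssh sessions" shows which management hosts actually got a session.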
 