Pix 506 DMZ access help

dbotts (MIS, joined Nov 16, 2004, US) wrote:

Hey all,

We recently went from a Pix 501 to a Pix 506 so we could get a 3rd interface for a DMZ. But our goal evolved a bit, and what I want to do is use the DMZ to isolate the users from our servers, opening up only the necessary ports. So the users are on the DMZ interface, using the subnet 192.168.200.0/24. The servers are on the inside interface, using the subnet 192.168.50.0/24.

If you look at my access-list for dmz_access_in, I currently have a rule, access-list dmz_access_in permit ip any any, followed by specific rules allowing access to the servers on the inside interface. If I take the "any any" rule away, I can still access the servers on the inside, but any traffic going outside is denied. Not sure why this is, since the DMZ has a higher security level than outside. So, can anyone let me know how I can restrict the DMZ access to the inside, while allowing (for now) all traffic from the DMZ to the outside?



Building configuration...
: Saved
:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security10
enable password BGiLZlpJoXP9jkXB encrypted
passwd BGiLZlpJoXP9jkXB encrypted
hostname fw1
domain-name acme.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name 192.168.50.230 www
name 192.168.50.218 businesswire
name 192.168.50.217 acmenews1
name 192.168.50.214 ipsmail
name 192.168.50.212 ipspublic
name 192.168.50.210 acmens
name 192.168.50.221 ipsftp
name 192.168.50.231
name 192.168.50.235 noticias
name 192.168.50.233 ftp.acme.com
name 192.168.50.237
name 192.168.50.236 image
name 192.168.50.243 newsexpress
name 192.168.50.238
name 192.168.50.247 thedirectory.com
name 192.168.50.249 ftp.generic.com
name 192.168.50.131 acmecentral
name 192.168.50.144 acmecia
name 192.168.50.252 devweb1
name 12.223.???.??? Joe
name 68.1.???.??? db-home
name 192.168.50.242 ipstest
name 192.168.50.232
name 192.168.50.244 tob.ipsacme.com
name 192.168.50.234 dev.acme.com
name 192.168.50.241 acmeworldupdate
name 192.168.50.251 PhoneSwitch
name 192.168.200.132 dc1
name 198.6.100.25 MCI_DNS2
name 198.6.100.53 MCI_DNS1
name 192.168.50.203 IPSCopier
name 192.168.200.140 ipsboston
name 192.168.200.219 vpn-ipsboston
name 192.168.200.70 Joe_Pierce_VPN
name 192.168.50.245 webreports
name 192.168.50.200 dbotts-inside
object-group service WebNotes tcp
port-object eq lotusnotes
port-object eq www
object-group service DNS tcp-udp
port-object eq domain
object-group service Netbios tcp-udp
port-object range 137 139
port-object range 135 135
access-list outside_access_in permit icmp any any
access-list outside_access_in permit tcp any host ???.???.200.131 eq www
access-list outside_access_in permit tcp any host ???.???.200.131 eq lotusnotes
access-list outside_access_in permit tcp any host ???.???.200.144 eq www
access-list outside_access_in permit tcp any host ???.???.200.144 eq lotusnotes
access-list outside_access_in permit tcp any host ???.???.200.144 eq https
access-list outside_access_in permit tcp any host ???.???.200.210 eq ftp
access-list outside_access_in permit tcp any host ???.???.200.210 eq www
access-list outside_access_in permit tcp any host ???.???.200.210 eq lotusnotes
access-list outside_access_in permit tcp any host ???.???.200.212 eq www
access-list outside_access_in permit tcp any host ???.???.200.212 eq lotusnotes
access-list outside_access_in permit tcp any host ???.???.200.214 eq pop3
access-list outside_access_in permit tcp any host ???.???.200.214 eq lotusnotes
access-list outside_access_in permit tcp any host ???.???.200.217 eq lotusnotes
access-list outside_access_in permit tcp any host ???.???.200.221 eq ftp
access-list outside_access_in permit tcp any host ???.???.200.230 eq www
access-list outside_access_in permit tcp any host ???.???.200.230 eq lotusnotes
access-list outside_access_in permit tcp any host ???.???.200.231 eq www
access-list outside_access_in permit tcp any host ???.???.200.232 eq ftp
access-list outside_access_in permit tcp any host ???.???.200.232 eq ssh
access-list outside_access_in permit tcp any host ???.???.200.232 eq www
access-list outside_access_in permit tcp any host ???.???.200.233 eq ftp
access-list outside_access_in permit tcp any host ???.???.200.235 eq www
access-list outside_access_in permit tcp any host ???.???.200.236 eq www
access-list outside_access_in permit tcp any host ???.???.200.237 eq ftp
access-list outside_access_in permit tcp any host ???.???.200.237 eq www
access-list outside_access_in permit tcp any host ???.???.200.238 eq www
access-list outside_access_in permit tcp any host ???.???.200.241 eq www
access-list outside_access_in permit tcp any host ???.???.200.241 eq lotusnotes
access-list outside_access_in permit tcp any host ???.???.200.242 eq ssh
access-list outside_access_in permit tcp any host ???.???.200.242 eq www
access-list outside_access_in permit tcp any host ???.???.200.243 eq www
access-list outside_access_in permit tcp any host ???.???.200.244 eq ssh
access-list outside_access_in permit tcp any host ???.???.200.244 eq www
access-list outside_access_in permit tcp any host ???.???.200.247 eq www
access-list outside_access_in permit tcp any host ???.???.200.249 eq ftp
access-list outside_access_in permit tcp any host ???.???.200.252 eq www
access-list outside_access_in permit gre any any
access-list outside_access_in permit tcp any host ???.???.200.219 eq pptp
access-list outside_access_in permit gre any host ???.???.200.219
access-list outside_access_in permit tcp any host ???.???.200.132 object-group DNS
access-list outside_access_in permit udp any host ???.???.200.132 object-group DNS
access-list dmz_access_in permit ip any any
access-list dmz_access_in permit tcp any host acmens object-group WebNotes
access-list dmz_access_in permit tcp any host WebNotes
access-list dmz_access_in permit tcp any host acmecentral object-group WebNotes
access-list dmz_access_in permit tcp any host acmecia object-group WebNotes
access-list dmz_access_in permit tcp any host acmecia eq https
access-list dmz_access_in permit tcp any host ipspublic object-group WebNotes
access-list dmz_access_in permit tcp any host ipspublic eq ftp
access-list dmz_access_in permit tcp any host ipsmail eq lotusnotes
access-list dmz_access_in permit tcp any host acmenews1 eq lotusnotes
access-list dmz_access_in permit tcp any host eq www
access-list dmz_access_in permit tcp any host eq www
access-list dmz_access_in permit tcp any host ftp.acme.com eq ftp
access-list dmz_access_in permit tcp any host dev.acme.com object-group WebNotes
access-list dmz_access_in permit tcp any host noticias eq www
access-list dmz_access_in permit tcp any host image eq www
access-list dmz_access_in permit tcp any host eq www
access-list dmz_access_in permit tcp any host eq www
access-list dmz_access_in permit tcp any host acmeworldupdate eq www
access-list dmz_access_in permit tcp any host ipstest object-group WebNotes
access-list dmz_access_in permit tcp any host businesswire eq www
access-list dmz_access_in permit tcp any host webreports eq www
access-list dmz_access_in permit tcp any host acmedirectory.com eq www
access-list dmz_access_in permit tcp any host ftp.generic.com eq ftp
access-list dmz_access_in permit tcp any host PhoneSwitch eq www
access-list dmz_access_in permit tcp any any object-group DNS
access-list dmz_access_in permit udp any any object-group DNS
pager lines 24
logging on
logging timestamp
logging host inside 192.168.50.160
icmp permit any outside
icmp permit any inside
icmp permit any dmz
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside ???.???.200.130 255.255.255.128
ip address inside 192.168.50.1 255.255.255.0
ip address dmz 192.168.200.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool IPSIT 192.168.50.80-192.168.50.90
pdm location inside
pdm location acmens 255.255.255.255 inside
pdm location ipspublic 255.255.255.255 inside
pdm location ipsmail 255.255.255.255 inside
pdm location acmenews1 255.255.255.255 inside
pdm location businesswire 255.255.255.255 inside
pdm location ipsftp 255.255.255.255 inside
pdm location 255.255.255.255 inside
pdm location ftp.acme.com 255.255.255.255 inside
pdm location noticias 255.255.255.255 inside
pdm location image 255.255.255.255 inside
pdm location 255.255.255.255 inside
pdm location 255.255.255.255 inside
pdm location acmeworldupdate 255.255.255.255 inside
pdm location newsexpress 255.255.255.255 inside
pdm location acmedirectory.com 255.255.255.255 inside
pdm location ftp.generic.com 255.255.255.255 inside
pdm location acmecentral 255.255.255.255 inside
pdm location acmecia 255.255.255.255 inside
pdm location devweb1 255.255.255.255 inside
pdm location Joe 255.255.255.255 outside
pdm location db-home 255.255.255.255 outside
pdm location ipstest 255.255.255.255 inside
pdm location 255.255.255.255 inside
pdm location tob.ipsacme.com 255.255.255.255 inside
pdm location dev.acme.com 255.255.255.255 inside
pdm location PhoneSwitch 255.255.255.255 inside
pdm location dc1 255.255.255.255 dmz
pdm location MCI_DNS2 255.255.255.255 outside
pdm location MCI_DNS1 255.255.255.255 outside
pdm location IPSCopier 255.255.255.255 inside
pdm location ipsboston 255.255.255.255 dmz
pdm location vpn-ipsboston 255.255.255.255 dmz
pdm location 172.30.10.0 255.255.255.0 inside
pdm location 172.30.10.0 255.255.255.0 dmz
pdm location 172.30.0.0 255.255.0.0 dmz
pdm location Joe_VPN 255.255.255.255 dmz
pdm location webreports 255.255.255.255 inside
pdm location db-inside 255.255.255.255 inside
pdm location 192.168.50.160 255.255.255.255 inside
pdm logging notifications 200
pdm history enable
arp timeout 14400
global (outside) 1 ???.???.200.151-???.???.200.199
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) ???.???.200.230 255.255.255.255 0 0
static (inside,dmz) acmens acmens netmask 255.255.255.255 0 0
static (inside,outside) ???.???.200.210 acmens netmask 255.255.255.255 0 0
static (inside,dmz) ipspublic ipspublic netmask 255.255.255.255 0 0
static (inside,outside) ???.???.200.212 ipspublic netmask 255.255.255.255 0 0
static (inside,dmz) ipsmail ipsmail netmask 255.255.255.255 0 0
static (inside,outside) ???.???.200.214 ipsmail netmask 255.255.255.255 0 0
static (inside,dmz) acmenews1 acmenews1 netmask 255.255.255.255 0 0
static (inside,outside) ???.???.200.217 acmenews1 netmask 255.255.255.255 0 0
static (inside,dmz) businesswire businesswire netmask 255.255.255.255 0 0
static (inside,outside) ???.???.200.218 businesswire netmask 255.255.255.255 0 0
static (inside,dmz) ipsftp ipsftp netmask 255.255.255.255 0 0
static (inside,outside) ???.???.200.221 ipsftp netmask 255.255.255.255 0 0
static (inside,dmz) netmask 255.255.255.255 0 0
static (inside,outside) ???.???.200.231 netmask 255.255.255.255 0 0
static (inside,dmz) ftp.acme.com ftp.acme.com netmask 255.255.255.255 0 0
static (inside,outside) ???.???.200.233 ftp.acme.com netmask 255.255.255.255 0 0
static (inside,dmz) noticias noticias netmask 255.255.255.255 0 0
static (inside,outside) ???.???.200.235 noticias netmask 255.255.255.255 0 0
static (inside,dmz) image image netmask 255.255.255.255 0 0
static (inside,outside) ???.???.200.236 image netmask 255.255.255.255 0 0
static (inside,dmz) netmask 255.255.255.255 0 0
static (inside,outside) ???.???.200.237 netmask 255.255.255.255 0 0
static (inside,dmz) netmask 255.255.255.255 0 0
static (inside,outside) ???.???.200.238 netmask 255.255.255.255 0 0
static (inside,dmz) acmeworldupdate acmeworldupdate netmask 255.255.255.255 0 0
static (inside,outside) ???.???.200.241 acmeworldupdate netmask 255.255.255.255 0 0
static (inside,dmz) newsexpress newsexpress netmask 255.255.255.255 0 0
static (inside,outside) ???.???.200.243 newsexpress netmask 255.255.255.255 0 0
static (inside,dmz) acmedirectory.com acmedirectory.com netmask 255.255.255.255 0 0
static (inside,outside) ???.???.200.247 acmedirectory.com netmask 255.255.255.255 0 0
static (inside,dmz) ftp.generic.com ftp.generic.com netmask 255.255.255.255 0 0
static (inside,outside) ???.???.200.249 ftp.generic.com netmask 255.255.255.255 0 0
static (inside,dmz) acmecentral acmecentral netmask 255.255.255.255 0 0
static (inside,outside) ???.???.200.131 acmecentral netmask 255.255.255.255 0 0
static (inside,dmz) acmecia acmecia netmask 255.255.255.255 0 0
static (inside,outside) ???.???.200.144 acmecia netmask 255.255.255.255 0 0
static (inside,outside) ???.???.200.252 devweb1 netmask 255.255.255.255 0 0
static (inside,dmz) netmask 255.255.255.255 0 0
static (inside,outside) ???.???.200.242 ipstest netmask 255.255.255.255 0 0
static (inside,outside) ???.???.200.232 netmask 255.255.255.255 0 0
static (inside,outside) ???.???.200.244 tob.ipsacme.com netmask 255.255.255.255 0 0
static (inside,outside) ???.???.200.234 dev.acme.com netmask 255.255.255.255 0 0
static (inside,outside) PhoneSwitch PhoneSwitch netmask 255.255.255.255 0 0
static (dmz,outside) ???.???.200.132 dc1 netmask 255.255.255.255 0 0
static (dmz,outside) ???.???.200.140 ipsboston netmask 255.255.255.255 0 0
static (dmz,outside) ???.???.200.219 vpn-ipsboston netmask 255.255.255.255 0 0
static (inside,outside) ???.???.200.200 db-inside netmask 255.255.255.255 0 0
static (dmz,outside) Joe_VPN Joe_VPN netmask 255.255.255.255 0 0
static (inside,dmz) tob.ipsacme.com tob.ipsacme.com netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.50.0 192.168.50.0 netmask 255.255.255.0 0 0
static (inside,outside) ???.???.200.245 webreports netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 ???.???.200.129 1
route dmz 172.30.0.0 255.255.0.0 192.168.200.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (dmz) host dc1 timeout 5
aaa-server RADIUS protocol radius
aaa-server RADIUS (dmz) host dc1 redsox timeout 5
aaa-server LOCAL protocol local
http server enable
http 192.168.50.0 255.255.255.0 inside
http 192.168.200.0 255.255.255.0 dmz
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 192.168.50.160 /pix
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication RADIUS
crypto map outside_map interface outside
isakmp enable outside
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet 192.168.50.0 255.255.255.0 inside
telnet 192.168.200.0 255.255.255.0 dmz
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication chap
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe 40
vpdn group PPTP-VPDN-GROUP client configuration address local IPSIT
vpdn group PPTP-VPDN-GROUP client configuration dns dc1
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn group PPTP-VPDN-GROUP client authentication local
vpdn username ????? password *********
vpdn enable outside
dhcpd address db-inside-192.168.50.202 inside
dhcpd dns dc1
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain acme.com
dhcpd enable inside
username ??????? password ??????????????? encrypted privilege 5
terminal width 80
Cryptochecksum:9e2d557c8124a9488bb1df306f20a3cd
: end
[OK]
 
With no access list applied to the interface the default is to permit all. Then the interface security rules apply, traffic is allowed from higher to lower security levels and denied from lower to higher unless specifically allowed.

So without any list your DMZ can access the outside interface (the internet), but not the inside (servers). Once you apply the access list to the DMZ interface you deny all traffic unless explicitly permitted. So you need to permit access to the outside world.

Solution:

modify the access list

permit all traffic that you want to the servers like you have now
then
deny ip any 192.168.50.1 255.255.255.0
permit ip any any

You can (and probably should) also further modify the permit ip any any statement to only allow the specific traffic you want your users to have access to, like just http and ftp, denying SMTP so no rogue worm SMTP engine can start sending out messages, etc., but that security policy is yours to set.
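To make the first-match behaviour in the reply above concrete, here is a small evaluator for PIX-style access-list lines. It is an added example, not code from the thread or from Cisco: it parses the same line syntax the poster uses (any / host NAME / addr mask, optional eq PORT), walks the list top to bottom, and falls through to the implicit deny when nothing matches. Only two of the thread's server names are reused; the DMZ client address, the Internet address and the port table are constructed for the demo, and the lotusnotes keyword is mapped to port 1352 as the PIX does.

```python
"""First-match evaluator for PIX-style access-list lines (added example).

Models the behaviour described in the reply: once an access-group is applied,
rules are checked top to bottom, the first match wins, and anything left over
hits the implicit deny at the end of the list. Names, ports and packets are
constructed for the demo; only two of the thread's server names are used.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Stand-ins for the thread's `name` entries (constructed subset).
NAMES = {"acmens": "192.168.50.210", "ipsmail": "192.168.50.214"}
# PIX port keyword -> port number (lotusnotes is 1352 on the PIX).
PORTS = {"www": 80, "https": 443, "ftp": 21, "lotusnotes": 1352, "domain": 53}
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp", "udp", "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]         # None = any destination port


def _addr(tokens, i):
    """Parse one address operand at tokens[i]: any | host X | addr mask."""
    tok = tokens[i]
    if tok == "any":
        return ANY, i + 1
    if tok == "host":
        return ipaddress.ip_network(NAMES.get(tokens[i + 1], tokens[i + 1]) + "/32"), i + 2
    # "addr mask" form. A host bit set in addr (192.168.50.1 255.255.255.0) is
    # rejected instead of silently widened, matching the follow-up post that
    # the .0 network address had to be used.
    try:
        return ipaddress.ip_network(f"{NAMES.get(tok, tok)}/{tokens[i + 1]}"), i + 2
    except ValueError as e:
        raise ValueError(f"bad network operand {tok} {tokens[i + 1]}: {e}") from e


def parse_acl(text: str) -> List[Rule]:
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            raise ValueError(f"not an access-list line: {line!r}")
        src, i = _addr(t, 4)
        dst, i = _addr(t, i)
        dport = None
        if i < len(t) and t[i] == "eq":
            dport = PORTS.get(t[i + 1]) or int(t[i + 1])
        rules.append(Rule(t[2], t[3], src, dst, dport))
    return rules


def parses(text: str) -> bool:
    """True if every line parses; used to show the .1-vs-.0 operand problem."""
    try:
        parse_acl(text)
        return True
    except ValueError:
        return False


def evaluate(rules, proto, src, dst, dport=None):
    """Return (action, rule index) of the first match; index -1 is the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for idx, r in enumerate(rules):
        if r.proto in ("ip", proto) and s in r.src and d in r.dst \
                and (r.dport is None or r.dport == dport):
            return r.action, idx
    return "deny", -1


def shadowed(rules) -> List[int]:
    """Indices of rules that can never match because an earlier rule covers them."""
    out = []
    for j, rj in enumerate(rules):
        for ri in rules[:j]:
            if ri.proto in ("ip", rj.proto) and rj.src.subnet_of(ri.src) \
                    and rj.dst.subnet_of(ri.dst) and ri.dport in (None, rj.dport):
                out.append(j)
                break
    return out


# The poster's list: "permit ip any any" first, specific permits after it.
ORIGINAL = """
access-list dmz_access_in permit ip any any
access-list dmz_access_in permit tcp any host acmens eq www
access-list dmz_access_in permit tcp any host ipsmail eq lotusnotes
"""
# Same list with the any/any rule removed: outbound traffic hits the implicit deny.
NO_ANY = "\n".join(ORIGINAL.strip().splitlines()[1:])
# The ordering from the reply, with the network address the poster ended up using.
FIXED = NO_ANY + """
access-list dmz_access_in deny ip any 192.168.50.0 255.255.255.0
access-list dmz_access_in permit ip any any
"""


def demo():
    """Evaluate three constructed flows from a DMZ workstation against each list."""
    user = "192.168.200.50"                         # constructed DMZ client
    flows = {"web_to_acmens": ("tcp", NAMES["acmens"], 80),
             "ssh_to_acmens": ("tcp", NAMES["acmens"], 22),
             "web_to_internet": ("tcp", "198.51.100.10", 80)}
    results = {}
    for label, text in (("original", ORIGINAL), ("no_any", NO_ANY), ("fixed", FIXED)):
        rules = parse_acl(text)
        results[label] = {k: evaluate(rules, p, user, d, port)[0]
                          for k, (p, d, port) in flows.items()}
        results[label]["shadowed"] = shadowed(rules)
    return results


if __name__ == "__main__":
    for label, res in demo().items():
        print(label, res)
```

Running it shows the three states the thread went through: with permit ip any any at the top every later line is unreachable (the shadowed list names them), with it removed the Internet-bound flow falls off the end of the list and is dropped, and with the deny-to-192.168.50.0/24 line placed before a final permit ip any any the server ports stay open, everything else to the inside is blocked, and outbound is allowed. On the PIX itself, show access-list reports a hit count per line, which is the quickest way to confirm which rule a flow is actually matching.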
 
Thanks 308win.

I actually had to deny ip any 192.168.50.0 255.255.255.0 (instead of 1).

Thanks again!
 