block hosts from inside to dmz ....

[spillo3000]

block hosts from inside to dmz net...

this is my pix configuration

PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password ddcdcde encrypted
passwd 2ddrdrefrefrefre encrypted
hostname pluto
domain-name pippo
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no names
access-list dmz-in permit icmp any any
access-list dmz-in permit tcp any any
access-list dmz-in permit udp any any
access-list dmz-in permit ip any any
pager lines 24
logging on
logging trap debugging
logging host dmz dmz-host
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside a.b.d.10 255.255.255.252
ip address inside a.b.c.1 255.255.255.0
ip address dmz a.b.e.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address dmz 0.0.0.0
pdm history enable
arp timeout 14400
nat (inside) 0 a.b.c.0 255.255.255.0 0 0
static (inside,dmz) a.b.c.0 a.b.c.0 netmask 255.255.255.0 0 0
access-group dmz-in in interface dmz
conduit permit icmp any any
conduit permit tcp a.b.c.0 255.255.255.0 range 0 65535 a.b.d.8 255.255.2
55.252
conduit permit udp a.b.c.0 255.255.255.0 range 0 65535 a.b.d.8 255.255.2
55.252
route outside 0.0.0.0 0.0.0.0 a.b.d.9 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 si
p 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 60
ssh timeout 5
terminal width 80
Cryptochecksum:fdvvcdfrfrff



how i can block hosts from inside network to connect on dmz...?
1)i must remove the actual access-list :
access-list dmz-in permit tcp any any
access-list dmz-in permit udp any any
access-list dmz-in permit ip any any

2)and i must add an access-list :
for example...to connect on a fileserver
access-list dmz-in permit tcp host a.b.c.40 eq 139 host a.b.e.3
access-list dmz-in permit tcp host a.b.c.40 eq 445 host a.b.e.3
access-list dmz-in permit udp host a.b.c.40 eq 137 host a.b.e.3
access-list dmz-in permit udp host a.b.c.40 eq 138 host a.b.e.3

in this situation the host on dmz can't connect to inside hosts ?
and then i must create another access list for these hosts....from dmz to inside...?

please help me...

 

[lgarner]

That's one way, blocking the return traffic. Your source & destination networks are reversed, though.

If you really want to prevent inside hosts from accessing the DMZ, put the ACL on the inside interface. Pix supports only inbound, not outbound ACLs.

access-list inside-in permit tcp host a.b.c.40 host a.b.e.3 eq 139
... etc...
access-list inside-in deny tcp any a.b.e.0 255.255.255.0
access-list inside-in permit tcp any any
access-group inside-in in interface inside

 

[spillo3000]

that acl's must be put at the end of the list .... in other word, if i add other hosts from inside net to pass through pix (in dmz) at the end of acl's i must re-put....
access-list inside-in deny tcp any a.b.e.0 255.255.255.0
access-list inside-in permit tcp any any
access-group inside-in in interface inside
....or i can add at end of list other acl's for hosts with no problem...?!!!

 

[lgarner]

You must put the ACL entries in order. They are evaluated in the order that they appear, and the first one to match the packet (either deny or permit), is the only one that is used. They're not evaluated further.

So, this list:
... permit ip any any
... deny ip host x.x.x.x host x.x.x.x

would do nothing since the "deny" statement would never be used. If you suspect a problem like this you can use "show access-list <aclname>" and you'll see the hit count for each rule.

 

[spillo3000]

can i apply two acl's on the inside interface ?
....
the first....
...access-list inside-in-ip permit ip any any
... deny ip host x.x.x.x host x.x.x.x
.etc..

the second...
access-list inside-in-tcp permit tcp host a.b.c.40 hosta.b.e.3 eq 139

... etc...
access-list inside-in-tcp deny tcp any a.b.e.0 255.255.255.0
access-list inside-in-tcp permit tcp any any
access-group inside-in-tcp in interface inside


for apply an high security

 

[martinp05]

hello,

you only can bind one access-group to one interface.
but a access-group can handle several access-lists (as much as you want).

so you can establish different rules to one access-group. this group can be applied to one interface...

martin

----------------------------------
Martin Peinsipp, Austria
CCSA,
IT-Security-Administrator