Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations SkipVought on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

dmz access-list issue 2

Status
Not open for further replies.
DV37201

DV37201

MIS
Dec 21, 2001
19
0
0
US
I've got a 525 with 3 interfaces and all works fine until I apply an access list (access-list dmz permit tcp host 10.10.20.10 host 192.168.1.39 eq smtp) to the dmz interface to allow a mail server to hit the inside. After I apply this access-list, dmz hosts can no longer access the outside. If I remove the list, dmz hosts can access the outside, but the dmz mail server can obviously no longer hit the inside. I apologize as I imagine this has been covered, but I couldn't find this situation in previous posts.

Thanks
 
Sort by date Sort by votes
You need to allow access from the DMZ to the outside:
"access-list dmz permit ip any any" would open it back up fully. That could also allow more access to the inside, which might be mitigated by limiting the static nats (inside,dmz). You could also add acl entries to deny access, placing them before the permit:
"access-list dmz deny ip any 192.168.1.0 255.255.255.0"

Here's why this happens: Pix will, by default, allow all traffic from higher security levels (dmz) to lower ones (outside), and replies to established connections can come back in. Once an ACL is applied to an interface, all this goes out the window. The ACL takes over. Plus, all ACLS have an implicit "deny ip any any" at the end. So, with your single ACL entry to permit some traffic, you have blocked everything *but* that traffic. Hope this makes sense.
 
Upvote 0 Downvote
Thanks for the answer and especially for the explanation. I assume I would place my permit line for the SMTP 1st, then the deny line you suggested, and finally the permit ip any any line? I am also assuming this will open up the DMZ to all traffic?

The reason this was confusing to me is that I have an extensive ACL applied to the outside interface, and it still allows all inside traffic to get out using the rule you mentioned about replying to established connections. Any info on why it is different with acls on the outside interface and acls on the dmz interface would be appreciated.

Thanks again
 
Upvote 0 Downvote
Yes, make sure that your rules are in order. They're evaluated top-down, and the first one which applies to the packet received is the one that's used. If the ACL lines are in the order that you indicated, then yes- the DMZ could fully access the Internet. The deny statement would prevent it from accessing the inside.

On the Pix, ACL's are applied only to the inbound interface. An ACL on the outside interface won't affect outbound traffic, only incoming. When you had no ACL on the DMZ, it worked just like the inside i/f. When the ACL is applied to the source i/f, all traffic must be evaluated and pass that before it's allowed into the Pix for routing.
 
Upvote 0 Downvote
Thanks, this makes sense now. Once again I appreciate the explanation as it is much more valuable than just an answer. I applied the suggested acl and everything works fine.

Thanks
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Tommy_T
  • Locked
  • Question
Sonic wall - Have an issue remotely connectioning VNC and SMB (and AFP) to one of the 2 ISP circuits
Replies
1
Views
116
nnaarrnn
nnaarrnn
Shmid
  • Locked
  • Question
Restricting Sonicwall SSL-VPN users for WAN access
Replies
7
Views
169
Shmid
Shmid
sudhakar346
  • Locked
  • Question
Cisco ASA inside to DMZ issue over public IP
Replies
2
Views
54
kythri
kythri
Jimbo2015
  • Locked
  • Question
Avaya - Watch guard issue with keep alives
Replies
1
Views
54
hairlessupportmonkey
hairlessupportmonkey
gbayi_omo
  • Locked
  • Question
Cisco ASA 5505 not allowing access to highest security zone
Replies
0
Views
49
gbayi_omo
gbayi_omo

Part and Inventory Search

Sponsor

Back
Top