
bi-directional ACL same ports for outbound & inbound

17 years 10 months ago #19289 by zillah
I have got a server in the DMZ with IP address 192.168.101.202. I want this server to be accessible from the outside world through these ports: 809 8400, 80 (for outbound and inbound traffic).

This is my configuration

static (dmz, outside) 80.80.10.2 192.168.101.202 netmask 255.255.255.255 0 0

What I did, is this (for inbound traffic):

access-list FROM_OUTSIDE_TO_DMZ permit tcp any host 80.80.10.2 eq 80
access-list FROM_OUTSIDE_TO_DMZ permit tcp any host 80.80.10.2 eq 443
access-list FROM_OUTSIDE_TO_DMZ permit tcp any host 80.80.10.2 eq 8200

Do I need to configure the below as well (for the outbound traffic)?

access-list FROM_DMZ_TO_OUTSIDE permit tcp 192.168.101.202 host 80.80.10.2 eq 80
access-list FROM_DMZ_TO_OUTSIDE permit tcp 192.168.101.202 host 80.80.10.2 eq 443
access-list FROM_DMZ_TO_OUTSIDE permit tcp 192.168.101.202 host 80.80.10.2 eq 8200


access-group FROM_OUTSIDE_TO_DMZ in interface outside

If the outbound and inbound traffic communicate on different ports then it is obvious we have to configure access-lists in both directions, but does this apply when outbound and inbound communicate on the same ports?

Note: fake public ip address
17 years 10 months ago #19293 by Smurf
Hi there,

Yes, I do believe you will have to. This is simply because the TCP stream will be monitored, so the appliance will know what's going on between the traffic flows. If the connection is initiated through an ACL inbound, then the corresponding outbound traffic will then be allowed back out. If the connection is however initiated through an ACL outbound, then an ACL will need to be in place to allow it.

Hope it makes sense.

Cheers

Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
17 years 10 months ago #19307 by zillah

Yes, I do believe you will have to.

Thanks for this insight.

First: I just want to clarify what I meant by outbound and inbound.

By outbound I meant the traffic initiated from outside that comes into the DMZ's server through the DMZ interface.

By inbound I meant the reply traffic initiated from the DMZ's server, which goes out through the DMZ interface.

Second: Now, if the traffic initiated from outside (outbound) communicates with the DMZ's server through these ports: 80, 443, 8200, and the reply traffic (inbound) from the DMZ's server communicates with the outside on the same ports (if it is on different ports, then yes, we do need to have access-lists in both directions).
Your answer was (as I understood it; correct me if I am wrong): yes, we do need to have an access-list in both directions, even though we have the same communication ports for outbound and inbound traffic.
17 years 10 months ago #19311 by d_jabsd
You do not need outbound ACLs as long as your inbound ACLs allow the traffic. One thing to note with the PIX is that any traffic that is allowed to enter an interface destined to exit out another interface will be allowed to exit and return, as long as the inbound ACLs permit it.

E.g.: if you have an inbound ACL on the outside interface allowing port 80 to the DMZ, and an inbound ACL on the DMZ interface allowing port 80, you should have no problems.

When discussing inbound/outbound traffic flows in relation to the PIX, you need to retrain your mind to think about the traffic in relation to the interfaces, as everything flowing through the PIX is inbound on one interface and outbound on another interface.

I highly recommend not using outbound ACLs. Not saying it can't be done, but it rarely produces the result you expect on the first try, and it is much more efficient to permit/deny traffic as it enters the PIX instead of as it's leaving the PIX.
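To make the point about stateful return traffic concrete, here is an added toy model (not code from the thread or from Cisco) of how a firewall like the PIX evaluates the flows in this thread: ACLs are consulted only as traffic enters an interface, a permitted new connection is recorded, and later packets of that connection pass in either direction without any outbound ACL. The static translation and the FROM_OUTSIDE_TO_DMZ ports are taken from the question; the outside client addresses and the "no access-group on dmz" default are assumptions.

```python
from dataclasses import dataclass
from typing import Optional, Set, Tuple

# From the thread: static (dmz,outside) maps public 80.80.10.2 to the DMZ server.
STATIC_NAT = {"80.80.10.2": "192.168.101.202"}
# FROM_OUTSIDE_TO_DMZ applied "in" on outside; matches the global address (PIX 6.x style).
ACL_OUTSIDE_IN = {("80.80.10.2", 80), ("80.80.10.2", 443), ("80.80.10.2", 8200)}

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    ingress: str  # interface the packet arrives on: "outside" or "dmz"

class StatefulFirewall:
    """Toy model: ACL checked only on the ingress interface; accepted connections are
    recorded as (initiator, iport, responder_real_ip, rport) and replies pass freely."""
    def __init__(self, acl_dmz_in: Optional[Set[Tuple[str, int]]] = None):
        self.acl_dmz_in = acl_dmz_in  # None = no access-group on dmz (high->low allowed)
        self.conns: Set[Tuple[str, int, str, int]] = set()

    def handle(self, p: Packet) -> str:
        if p.ingress == "outside":
            real_dst = STATIC_NAT.get(p.dst, p.dst)          # un-NAT the destination
            fwd = (p.src, p.sport, real_dst, p.dport)
            rev = (real_dst, p.dport, p.src, p.sport)        # reply to a DMZ-initiated flow
            if fwd in self.conns or rev in self.conns:
                return "permit: existing connection"
            if (p.dst, p.dport) in ACL_OUTSIDE_IN:
                self.conns.add(fwd)
                return "permit: new connection via outside ACL"
            return "deny: no match on outside ACL"
        # ingress == "dmz": a reply to an accepted inbound connection needs no outbound ACL
        if (p.dst, p.dport, p.src, p.sport) in self.conns:
            return "permit: reply to existing connection"
        new = (p.src, p.sport, p.dst, p.dport)
        if self.acl_dmz_in is None:
            self.conns.add(new)
            return "permit: new connection by security level"
        if (p.dst, p.dport) in self.acl_dmz_in:
            self.conns.add(new)
            return "permit: new connection via dmz ACL"
        return "deny: no match on dmz ACL"

def scenario() -> Tuple[str, str]:
    """Constructed outside client 203.0.113.5 opens port 80; the DMZ server replies."""
    fw = StatefulFirewall()
    request = Packet("203.0.113.5", 40000, "80.80.10.2", 80, "outside")
    reply = Packet("192.168.101.202", 80, "203.0.113.5", 40000, "dmz")
    return fw.handle(request), fw.handle(reply)
```

Running scenario() shows the reply is permitted purely by the connection table, while a DMZ-initiated connection is the case where an ACL applied "in" on the dmz interface would matter.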
17 years 10 months ago #19316 by Smurf

I highly recommend not using outbound ACLs. Not saying it can't be done, but it rarely produces the result you expect on the first try, and it is much more efficient to permit/deny traffic as it enters the PIX instead of as it's leaving the PIX.


I agree, I only ever configure access-groups in, never out. Sorry, I think I misunderstood the initial question; I presumed, as d_jabsd quite rightly said, that you were talking about the flow of traffic and not the access-groups in/out.

Cheers

Wayne Murphy
Firewall.cx Team Member
www.firewall.cx
17 years 10 months ago #19320 by zillah

When discussing inbound/outbound traffic flows in relation to the PIX, you need to retrain your mind to think about the traffic in relation to the interfaces,

Yes, you are right, I made a mistake when I said outbound traffic (from outside to DMZ) and inbound traffic (DMZ to outside); it should be the other way around (i.e. inbound traffic is what enters the DMZ through the DMZ interface, and outbound traffic is what leaves the DMZ via the DMZ interface).

E.g.: if you have an inbound ACL on the outside interface allowing port 80 to the DMZ, and an inbound ACL on the DMZ interface allowing port 80, you should have no problems.

Isn't this similar to my configuration? I do not feel that I understood this properly.


Do I need to configure the below as well (for the outbound traffic)?

access-list FROM_DMZ_TO_OUTSIDE permit tcp 192.168.101.202 host 80.80.10.2 eq 80
access-list FROM_DMZ_TO_OUTSIDE permit tcp 192.168.101.202 host 80.80.10.2 eq 443
access-list FROM_DMZ_TO_OUTSIDE permit tcp 192.168.101.202 host 80.80.10.2 eq 8200

Don't you think the format of my ACLs is wrong? Because here, for the PIX, both IP addresses are the same since we are translating (i.e. static (dmz, outside) 80.80.10.2 192.168.101.202 ...).