bi-directional ACL same ports for outbound & inbound
This is my configuration
static (dmz, outside) 80.80.10.2 192.168.101.202 netmask 255.255.255.255 0 0
What I did is this (for the inbound traffic):
access-list FROM_OUTSIDE_TO_DMZ permit tcp any host 80.80.10.2 eq 80
access-list FROM_OUTSIDE_TO_DMZ permit tcp any host 80.80.10.2 eq 443
access-list FROM_OUTSIDE_TO_DMZ permit tcp any host 80.80.10.2 eq 8200
Do I need to configure the following as well (for the outbound traffic)?
access-list FROM_DMZ_TO_OUTSIDE permit tcp 192.168.101.202 host 80.80.10.2 eq 80
access-list FROM_DMZ_TO_OUTSIDE permit tcp 192.168.101.202 host 80.80.10.2 eq 443
access-list FROM_DMZ_TO_OUTSIDE permit tcp 192.168.101.202 host 80.80.10.2 eq 8200
access-group FROM_OUTSIDE_TO_DMZ in interface outside
If the outbound and inbound communicate on different ports then it is obvious we have to configure an access-list in both directions, but does this apply when outbound and inbound communicate on the same ports?
Note: fake public ip address
Yes, I do believe you will have to. This is simply because the TCP stream will be monitored, so the appliance will know what's going on between the traffic flows. If the connection is initiated through an ACL inbound, then the corresponding outbound traffic will then be allowed back out. If the connection is however initiated through an ACL outbound, then an ACL will need to be in place to allow it.
Hope it makes sense
Cheers
Wayne Murphy
Firewall.cx Team Member
www.firewall.cx
Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
Thanks for this insight.
> Yes, I do believe you will have to.
First: I just want to clarify what I meant by the outbound and the inbound.
Outbound here I meant the traffic initiated from outside and is coming into DMZ's server through DMZ interface.
Inbound, I meant the reply traffic, initiated from the DMZ's server, which is going out through the DMZ interface.
Second: Now if the initiated outside traffic (outbound) communicates with the DMZ's server through these ports: 80, 443, 8200, and the replied traffic (inbound ) from the DMZ's server communicates with the outside on the same ports (if it is on different ports, then yes we do need to have access lists in both direction).
Your answer was (as I understood it, correct me if I am wrong): yes, we do need to have an access-list in both directions, even if we have the same communication ports for outbound and inbound traffic.
E.g.: if you have an inbound ACL on the outside interface allowing port 80 to the DMZ, and an inbound ACL on the DMZ interface allowing port 80, you should have no problems.
When discussing inbound/outbound traffic flows in relation to the pix, you need to retrain your mind to think about the traffic in relation to the interfaces, as everything flowing through the pix is inbound on one interface and outbound on another interface.
I highly recommend not using outbound ACLs. Not saying it can't be done, but it rarely produces the result you expect on the first try, and it is much more efficient to permit/deny traffic as it enters the PIX instead of as it's leaving the PIX.
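As an added illustration of the point made above (example code written for this page, not from the thread and not Cisco's own code), here is a small Python model of a PIX-style firewall: a static translation, one ACL bound inbound on each interface, and a connection table that lets reply packets through without consulting any ACL. The FROM_OUTSIDE_TO_DMZ entries and the static are the ones from the thread; the FROM_DMZ_TO_OUTSIDE entry, the dmz access-group, the outside client 203.0.113.5 and the remote server 198.51.100.9 are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Constructed configuration modelled on the thread. The outside-facing lines are
# the poster's; the dmz-side ACL and access-group are assumptions for the demo.
CONFIG = """
static (dmz,outside) 80.80.10.2 192.168.101.202 netmask 255.255.255.255
access-list FROM_OUTSIDE_TO_DMZ permit tcp any host 80.80.10.2 eq 80
access-list FROM_OUTSIDE_TO_DMZ permit tcp any host 80.80.10.2 eq 443
access-list FROM_OUTSIDE_TO_DMZ permit tcp any host 80.80.10.2 eq 8200
access-list FROM_DMZ_TO_OUTSIDE permit tcp host 192.168.101.202 any eq 443
access-group FROM_OUTSIDE_TO_DMZ in interface outside
access-group FROM_DMZ_TO_OUTSIDE in interface dmz
"""

# Deliberately small grammar: only "any" and "host X" address specs, optional "eq PORT".
ACL_RE = re.compile(
    r"access-list (?P<name>\S+) (?P<action>permit|deny) (?P<proto>tcp|udp|ip) "
    r"(?P<src>any|host \S+) (?P<dst>any|host \S+)(?: eq (?P<port>\d+))?$")
GROUP_RE = re.compile(r"access-group (?P<name>\S+) in interface (?P<iface>\S+)$")
STATIC_RE = re.compile(r"static \((?P<real_if>\w+),\s*(?P<map_if>\w+)\) (?P<glob>\S+) (?P<real>\S+)")


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet ENTERS the firewall on
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool    # True for the first packet of a new TCP connection


class StatefulFirewall:
    def __init__(self, config):
        self.acls = {}      # ACL name -> list of (action, src spec, dst spec, port or None)
        self.groups = {}    # interface -> ACL bound "in" on it
        self.statics = {}   # global (translated) address -> real address
        self.conns = set()  # established flows, keyed on real addresses
        for line in config.strip().splitlines():
            self._load(line.strip())

    def _load(self, line):
        if m := ACL_RE.match(line):
            port = int(m["port"]) if m["port"] else None
            self.acls.setdefault(m["name"], []).append((m["action"], m["src"], m["dst"], port))
        elif m := GROUP_RE.match(line):
            self.groups[m["iface"]] = m["name"]
        elif m := STATIC_RE.match(line):
            self.statics[m["glob"]] = m["real"]
        else:
            raise ValueError(f"unsupported line: {line}")

    @staticmethod
    def _addr_matches(spec, addr):
        return spec == "any" or spec == f"host {addr}"

    def _acl_permits(self, name, pkt):
        # First matching entry wins; falling off the end is the implicit deny.
        for action, src, dst, port in self.acls.get(name, []):
            if (self._addr_matches(src, pkt.src) and self._addr_matches(dst, pkt.dst)
                    and (port is None or port == pkt.dport)):
                return action == "permit"
        return False

    def _real_flow(self, pkt):
        # Canonical 4-tuple using the real (untranslated) address of the DMZ server,
        # so a packet seen on either interface maps to the same connection entry.
        dst = self.statics.get(pkt.dst, pkt.dst)
        return (pkt.src, pkt.sport, dst, pkt.dport)

    def process(self, pkt):
        flow = self._real_flow(pkt)
        reverse = (flow[2], flow[3], flow[0], flow[1])
        if flow in self.conns or reverse in self.conns:
            return "permit: existing connection"      # no ACL lookup at all
        if not pkt.syn:
            return "deny: no matching connection"
        acl = self.groups.get(pkt.iface)
        if acl is None:
            # Model assumption: every interface has an ACL bound, so no default permit.
            return "deny: no access-group on interface"
        if not self._acl_permits(acl, pkt):
            return f"deny: {acl}"
        self.conns.add(flow)
        return f"permit: {acl}"


def demo():
    fw = StatefulFirewall(CONFIG)
    client = ("203.0.113.5", 40000)                       # constructed outside client
    server_real, server_glob = "192.168.101.202", "80.80.10.2"
    return [
        # 1. outside client opens a connection to the published server: outside ACL
        fw.process(Packet("outside", client[0], client[1], server_glob, 80, syn=True)),
        # 2. the server's reply enters on dmz: allowed by state, no dmz ACL entry needed
        fw.process(Packet("dmz", server_real, 80, client[0], client[1], syn=False)),
        # 3. the server itself opens a connection out on 443: the dmz-side ACL decides
        fw.process(Packet("dmz", server_real, 50000, "198.51.100.9", 443, syn=True)),
        # 4. ...and the same on 8200, which the dmz-side ACL does not list
        fw.process(Packet("dmz", server_real, 50001, "198.51.100.9", 8200, syn=True)),
        # 5. an outside probe on a port the outside ACL does not list
        fw.process(Packet("outside", client[0], 40001, server_glob, 22, syn=True)),
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The run shows the two cases the thread is about: the reply to a connection the outside client opened is passed by the connection table and never touches the dmz-side ACL (so the same-port question is moot for reply traffic), while a connection the DMZ server opens itself is a new flow entering on the dmz interface and is judged only by the ACL bound there. The model checks the outside ACL against the translated address 80.80.10.2, as PIX 6.x and ASA releases before 8.3 did; from ASA 8.3 onward, ACLs reference the real address instead.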
I agree, I only ever configure access-groups in, never out. Sorry, I think I misunderstood the initial question; I presumed, as d_jabsd quite rightly said, that you were talking about the flow of traffic and not the access-groups in/out.
Cheers
Wayne Murphy
Firewall.cx Team Member
Yes, you are right, I made a mistake when I said outbound traffic (from outside to DMZ) and inbound traffic (DMZ to outside); it should be the other way around (i.e. inbound traffic is traffic entering the DMZ area through the DMZ interface, and outbound traffic is traffic leaving the DMZ area via the DMZ interface).
> When discussing inbound/outbound traffic flows in relation to the pix, you need to retrain your mind to think about the traffic in relation to the interfaces,
Isn't this similar to my configuration? I do not feel that I understood this properly.
> Eg: If you have an inbound acl on the outside interface allowing port 80 to the dmz, and an inbound acl on the dmz interface allowing port 80, you should have no problems.
Don't you think the format of my ACLs is wrong? Because here, for PIX, both IP addresses are the same since we are translating (i.e. static (dmz, outside) 80.80.10.2 192.168.101.202 ...).
> Do I need to config below as well (for the outbounding traffic)?
> access-list FROM_DMZ_TO_OUTSIDE permit tcp 192.168.101.202 host 80.80.10.2 eq 80
> access-list FROM_DMZ_TO_OUTSIDE permit tcp 192.168.101.202 host 80.80.10.2 eq 443
> access-list FROM_DMZ_TO_OUTSIDE permit tcp 192.168.101.202 host 80.80.10.2 eq 8200