- Posts: 80
- Thank you received: 0
bi-directional ACL same ports for outbound & inbound
17 years 10 months ago #19289
by zillah
bi-directional ACL same ports for outbound & inbound was created by zillah
I have got server in DMZ area with an ip address 192.168.101.202, I want this server to be accessible from outside world through these ports: 809 8400, 80 (for outbound and inbound traffics)
This is my configuration
static (dmz, outside) 80.80.10.2 192.168.101.202 netmask 255.255.255.255 0 0
What I did , is this (for inbounding traffic) :
access-list FROM_OUTSIDE_TO_DMZ permit tcp any host 80.80.10.2 eq 80
access-list FROM_OUTSIDE_TO_DMZ permit tcp any host 80.80.10.2 eq 443
access-list FROM_OUTSIDE_TO_DMZ permit tcp any host 80.80.10.2 eq 8200
Do I need to config below as well (for the outbounding traffic)?
access-list FROM_DMZ_TO_OUTSIDE permit tcp 192.168.101.202 host 80.80.10.2 eq 80
access-list FROM_DMZ_TO_OUTSIDE permit tcp 192.168.101.202
host 80.80.10.2 eq 443
access-list FROM_DMZ_TO_OUTSIDE permit tcp 192.168.101.202
host 80.80.10.2 eq 8200
access-group FROM_OUTSIDE_TO_DMZ in interface outside
If the outbound and inbound communicate on different posts then it is obvious we have to configure access-list in both directions, but does this apply to when outbound and inbound communicate on same posts
Note: fake public ip address
This is my configuration
static (dmz, outside) 80.80.10.2 192.168.101.202 netmask 255.255.255.255 0 0
What I did , is this (for inbounding traffic) :
access-list FROM_OUTSIDE_TO_DMZ permit tcp any host 80.80.10.2 eq 80
access-list FROM_OUTSIDE_TO_DMZ permit tcp any host 80.80.10.2 eq 443
access-list FROM_OUTSIDE_TO_DMZ permit tcp any host 80.80.10.2 eq 8200
Do I need to config below as well (for the outbounding traffic)?
access-list FROM_DMZ_TO_OUTSIDE permit tcp 192.168.101.202 host 80.80.10.2 eq 80
access-list FROM_DMZ_TO_OUTSIDE permit tcp 192.168.101.202
host 80.80.10.2 eq 443
access-list FROM_DMZ_TO_OUTSIDE permit tcp 192.168.101.202
host 80.80.10.2 eq 8200
access-group FROM_OUTSIDE_TO_DMZ in interface outside
If the outbound and inbound communicate on different posts then it is obvious we have to configure access-list in both directions, but does this apply to when outbound and inbound communicate on same posts
Note: fake public ip address
17 years 10 months ago #19293
by Smurf
Wayne Murphy
Firewall.cx Team Member
www.firewall.cx
Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
Replied by Smurf on topic Re: bi-directional ACL same ports for outbound & inbound
Hi there,
Yes i do beleive you will have to do. This is simply because the TCP Stream will be monitored so the appliance will know whats going on between the traffic flows. If the connection is initiated through an ACL inbound, then the corresponding outbound traffic will then be allowed back out. If the connection is however initiated through an ACL outbound, then an ACL will need to be in place to allow it.
Hope it makes sense
Cheers
Yes i do beleive you will have to do. This is simply because the TCP Stream will be monitored so the appliance will know whats going on between the traffic flows. If the connection is initiated through an ACL inbound, then the corresponding outbound traffic will then be allowed back out. If the connection is however initiated through an ACL outbound, then an ACL will need to be in place to allow it.
Hope it makes sense
Cheers
Wayne Murphy
Firewall.cx Team Member
www.firewall.cx
Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
17 years 10 months ago #19307
by zillah
First :I just want to clarify what I meant by the outbound and the inbound.
Outbound here I meant the traffic initiated from outside and is coming into DMZ's server through DMZ interface.
Inbound, I meant to say the replied traffic that initiated from the DMZ's server, which is going out through DMZ interface.
Second: Now if the initiated outside traffic (outbound) communicates with the DMZ's server through these ports: 80, 443, 8200, and the replied traffic (inbound ) from the DMZ's server communicates with the outside on the same ports (if it is on different ports, then yes we do need to have access lists in both direction).
Your answer was (as I understood, correct me if I am wrong) : Yes we do need to have an access-list in both directions, even we have got same communication ports for outbound and inbound traffic.
Replied by zillah on topic Re: bi-directional ACL same ports for outbound & inbound
Thanks for this insight.Yes i do believe you will have to do.
First :I just want to clarify what I meant by the outbound and the inbound.
Outbound here I meant the traffic initiated from outside and is coming into DMZ's server through DMZ interface.
Inbound, I meant to say the replied traffic that initiated from the DMZ's server, which is going out through DMZ interface.
Second: Now if the initiated outside traffic (outbound) communicates with the DMZ's server through these ports: 80, 443, 8200, and the replied traffic (inbound ) from the DMZ's server communicates with the outside on the same ports (if it is on different ports, then yes we do need to have access lists in both direction).
Your answer was (as I understood, correct me if I am wrong) : Yes we do need to have an access-list in both directions, even we have got same communication ports for outbound and inbound traffic.
17 years 10 months ago #19311
by d_jabsd
Replied by d_jabsd on topic Re: bi-directional ACL same ports for outbound & inbound
You do not need outbound acls as long as your inbound acls allow the traffic. One thing to note with the pix is that any traffic that is allow to enter an interface destined to exit out another interface will be allowed to exit and return as long as the inbound acls permit it.
Eg: If you have an inbound acl on the outside interface allowing port 80 to the dmz, and an inbound acl on the dmz interface allowing port 80, you should have no problems.
When discussing inbound/outbound traffic flows in relation to the pix, you need to retrain your mind to think about the traffic in relation to the interfaces, as everything flowing through the pix is inbound on one interface and outbound on another interface.
I highly recommend not using outbound acls. Not saying it can't be done, but it rarely produces the result you expect on the first try and it is much more efficient to permit/deny traffic as it enters the pix instead of as its leaving the pix.
Eg: If you have an inbound acl on the outside interface allowing port 80 to the dmz, and an inbound acl on the dmz interface allowing port 80, you should have no problems.
When discussing inbound/outbound traffic flows in relation to the pix, you need to retrain your mind to think about the traffic in relation to the interfaces, as everything flowing through the pix is inbound on one interface and outbound on another interface.
I highly recommend not using outbound acls. Not saying it can't be done, but it rarely produces the result you expect on the first try and it is much more efficient to permit/deny traffic as it enters the pix instead of as its leaving the pix.
17 years 10 months ago #19316
by Smurf
I agree, i only ever configure access-groups in, never out. Sorry i think i miss understood the initial question, i presumed as d_jabsd quite rightly said, that you were talking about the flow of traffic and not the access-groups in/out.
Cheers
Wayne Murphy
Firewall.cx Team Member
www.firewall.cx
Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
Replied by Smurf on topic Re: bi-directional ACL same ports for outbound & inbound
I highly recommend not using outbound acls. Not saying it can't be done, but it rarely produces the result you expect on the first try and it is much more efficient to permit/deny traffic as it enters the pix instead of as its leaving the pix.
I agree, i only ever configure access-groups in, never out. Sorry i think i miss understood the initial question, i presumed as d_jabsd quite rightly said, that you were talking about the flow of traffic and not the access-groups in/out.
Cheers
Wayne Murphy
Firewall.cx Team Member
www.firewall.cx
Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
17 years 10 months ago #19320
by zillah
Replied by zillah on topic Re: bi-directional ACL same ports for outbound & inbound
Yes, you are right , I have done mistake when I said outbound traffic (from outside to DMZ) , and inbound traffic (DMZ to outside), it should be be other way around (i.e inbound traffic that it is entering DMZ area through DMZ interface, and outbound traffic that is leaving DMZ area via DMZ interface).When discussing inbound/outbound traffic flows in relation to the pix, you need to retrain your mind to think about the traffic in relation to the interfaces,
Isn't this similar to my configuration ? I do not feel that i understood this properly ?Eg: If you have an inbound acl on the outside interface allowing port 80 to the dmz, and an inbound acl on the dmz interface allowing port 80, you should have no problems.
Don't you think the format of my ACLs are wrong ? because here for PIX, both ip addresses are the same since we are translating (i.e. static (dmz, outside) 80.80.10.2 192.168.101.202,,,,,, )Do I need to config below as well (for the outbounding traffic)?
access-list FROM_DMZ_TO_OUTSIDE permit tcp 192.168.101.202 host 80.80.10.2 eq 80
access-list FROM_DMZ_TO_OUTSIDE permit tcp 192.168.101.202
host 80.80.10.2 eq 443
access-list FROM_DMZ_TO_OUTSIDE permit tcp 192.168.101.202
host 80.80.10.2 eq 8200
Time to create page: 0.207 seconds