bi-directional ACL same ports for outbound & inbound
access-list FROM_DMZ_TO_OUTSIDE permit tcp host 192.168.101.202 host 80.80.10.2 eq 80
access-list FROM_DMZ_TO_OUTSIDE permit tcp host 192.168.101.202 host 80.80.10.2 eq 443
access-list FROM_DMZ_TO_OUTSIDE permit tcp host 192.168.101.202 host 80.80.10.2 eq 8200
Since the pix is a stateful firewall, it will keep track of the traffic and allow traffic generated from the server to exit the firewall.
I think all you need is:
static (dmz, outside) 80.80.10.2 192.168.101.202 netmask 255.255.255.255 0 0
access-list FROM_OUTSIDE_TO_DMZ permit tcp any host 80.80.10.2 eq 80
access-list FROM_OUTSIDE_TO_DMZ permit tcp any host 80.80.10.2 eq 443
access-list FROM_OUTSIDE_TO_DMZ permit tcp any host 80.80.10.2 eq 8200
access-group FROM_OUTSIDE_TO_DMZ in interface outside
I think this should be enough to let traffic inbound (from outside/internet world to your dmz) with destination ports 80, 443, and 8200, AND it will let traffic outbound (from your dmz to the internet/world) with source ports as 80, 443, 8200.
Hope this helps.
You may be correct there; however, I have never tested access-lists set on an interface for both in and out. You would imagine that the stateful function of the pix would handle this, unless you wanted to restrict the traffic flow into a zone from another zone (i.e. you applied an access list on the interface for out).
May be worth doing some testing on this to see.
Cheers
Wayne Murphy
Firewall.cx Team Member
www.firewall.cx
Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
> Since the pix is a stateful firewall, it will keep track of the traffic and allow traffic generated from the server to exit the firewall.

Yes, this is the key solution for my question.
The server that I have got within the DMZ area is called Remote Desktop Appliance.
One more thought that popped into my head: now, according to the ACEs (excluding FROM_DMZ_TO_OUTSIDE) that I have got, the outside can talk to the dmz remote desktop appliance, but the dmz remote desktop appliance will not be able to *INITIATE* a connection. Yes, the dmz remote desktop will be able to talk on a connection that is initiated to it.
How can I be sure from where the traffic will be initiated? Does that rely on the documentation of each individual device?
Your servers will be able to initiate a connection because they are in the DMZ. By default the pix allows traffic from a higher security interface to a lower one. So for example, think of your inside interface as high, your dmz interface as medium, and the outside interface (which connects to the internet) as low. By default, traffic initiated from the following is allowed:
Traffic from Inside to Outside
Traffic from Inside to DMZ
Traffic from DMZ to Outside.
Does that answer your question?
Smurf, I have never tested the out function in the firewall, but I am pretty confident for the in function. But you're definitely right, it's worth testing...never even thought about it till you mentioned it.
> How can I be sure from where the traffic will be initiated? Does that rely on the documentation of each individual device?

This depends on the application that is running on the server... like if it's web, the traffic will almost always be initiated from outside. Likewise for telnet, ftp, etc. etc.
Correct me if I'm wrong (and I very well might be) but security wise, you DON'T want most of your servers initiating any traffic...for the most part.
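To make the two points argued above concrete (the stateful return path that makes the FROM_DMZ_TO_OUTSIDE lines unnecessary, and the default higher-to-lower security-level rule that still lets DMZ servers initiate connections unless an ACL is applied on the dmz interface), here is a small Python model of the PIX decision path. It is an added illustration, not code from this thread or from Cisco: the security-level numbers, the client addresses 203.0.113.5 and 198.51.100.7, and the DMZ_IN access-list are constructed for the example; the static and FROM_OUTSIDE_TO_DMZ entries are the ones posted above.

```python
"""Added model of the PIX decision path discussed in this thread.

Simplifications (constructed for illustration): three interfaces, one static
translation, only access-groups applied "in", and a TCP connection counts as
established as soon as its first packet has been permitted.
"""
from dataclasses import dataclass, replace

# Constructed security levels in the PIX convention: higher is more trusted.
SECURITY_LEVEL = {"inside": 100, "dmz": 50, "outside": 0}


@dataclass(frozen=True)
class Packet:
    ingress: str  # interface the packet arrives on
    egress: str   # interface it would be forwarded out of
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Ace:
    """One access-list entry: 'permit tcp <src> <dst> eq <dport>'."""
    src: str   # "any" or a single host address
    dst: str   # "any" or a single host address
    dport: int

    def matches(self, pkt: Packet) -> bool:
        return (self.src in ("any", pkt.src)
                and self.dst in ("any", pkt.dst)
                and self.dport == pkt.dport)


class Pix:
    def __init__(self, statics, acls, access_groups):
        self.statics = statics              # global address -> real (DMZ) address
        self.acls = acls                    # acl name -> list of Ace
        self.access_groups = access_groups  # interface -> acl applied "in"
        self.conns = set()                  # (src, sport, dst, dport), real addresses

    def _untranslate(self, pkt):
        """Inbound on outside: map the global destination to its real address,
        or return None when no static exists (such packets are dropped)."""
        if pkt.ingress != "outside":
            return pkt
        real_dst = self.statics.get(pkt.dst)
        return None if real_dst is None else replace(pkt, dst=real_dst)

    def process(self, pkt: Packet) -> str:
        real = self._untranslate(pkt)
        if real is None:
            return "deny: no static translation for destination"
        # Stateful check first: the reverse of an existing connection passes
        # without consulting any access-list, so no outbound ACL with source
        # ports 80/443/8200 is needed for the server's replies.
        if (real.dst, real.dport, real.src, real.sport) in self.conns:
            return "allow: return traffic of an established connection"
        acl_name = self.access_groups.get(pkt.ingress)
        if acl_name is not None:
            # An ACL applied "in" on the ingress interface replaces the default
            # rule; it is matched against the packet as seen on the wire
            # (global addresses), as on PIX 6.x.
            if not any(ace.matches(pkt) for ace in self.acls[acl_name]):
                return f"deny: no match in {acl_name}"
            verdict = f"allow: permitted by {acl_name}"
        elif SECURITY_LEVEL[pkt.ingress] > SECURITY_LEVEL[pkt.egress]:
            verdict = "allow: higher to lower security level (no ACL applied)"
        else:
            return "deny: lower to higher security level needs an ACL"
        self.conns.add((real.src, real.sport, real.dst, real.dport))
        return verdict


def build_pix(restrict_dmz: bool = False) -> Pix:
    """The thread's static + FROM_OUTSIDE_TO_DMZ, optionally with a hypothetical
    DMZ_IN access-list on the dmz interface that permits only outbound DNS."""
    acls = {
        "FROM_OUTSIDE_TO_DMZ": [Ace("any", "80.80.10.2", p) for p in (80, 443, 8200)],
        "DMZ_IN": [Ace("192.168.101.202", "any", 53)],
    }
    groups = {"outside": "FROM_OUTSIDE_TO_DMZ"}
    if restrict_dmz:
        groups["dmz"] = "DMZ_IN"
    return Pix({"80.80.10.2": "192.168.101.202"}, acls, groups)


def run_scenarios(restrict_dmz: bool = False) -> dict:
    fw = build_pix(restrict_dmz)
    client = "203.0.113.5"        # constructed internet client
    server = "192.168.101.202"    # the DMZ appliance's real address
    return {
        "web_in": fw.process(Packet("outside", "dmz", client, 51000, "80.80.10.2", 80)),
        "web_reply": fw.process(Packet("dmz", "outside", server, 80, client, 51000)),
        "ssh_in": fw.process(Packet("outside", "dmz", client, 51001, "80.80.10.2", 22)),
        "server_initiates": fw.process(Packet("dmz", "outside", server, 40000, "198.51.100.7", 25)),
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("dmz ACL applied" if mode else "no dmz ACL")
        for name, verdict in run_scenarios(mode).items():
            print(f"  {name:17} {verdict}")
```

Running it shows the server's reply on port 80 passing in both modes because of the connection entry, while the server-initiated SMTP connection passes only until an inbound ACL is applied on the dmz interface. The "out" direction of access-group that Wayne raises is deliberately not modelled.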
> By default the pix allows traffic from a higher security interface to a lower one. So for example, think of your inside interface as high, your dmz interface as medium, and the outside interface (which connects to the internet) as low. By default, traffic initiated from the foll.

But this is not my case, since I have got other ACEs within the DMZ and inside; the default behavior won't work in my case.

> This depends on the application that is running on the server... like if it's web, the traffic will almost always be initiated from outside. Likewise for telnet, ftp, etc. etc.

Yes, you are right.

> Correct me if I'm wrong (and I very well might be) but security wise, you DON'T want most of your servers initiating any traffic...for the most part.

Yes.