
bi-directional ACL same ports for outbound & inbound

17 years 9 months ago #19391 by pothead
zilah, I don't think you will need to configure this:

access-list FROM_DMZ_TO_OUTSIDE permit tcp host 192.168.101.202 host 80.80.10.2 eq 80
access-list FROM_DMZ_TO_OUTSIDE permit tcp host 192.168.101.202 host 80.80.10.2 eq 443
access-list FROM_DMZ_TO_OUTSIDE permit tcp host 192.168.101.202 host 80.80.10.2 eq 8200


Since the pix is a stateful firewall, it will keep track of the traffic and allow traffic generated from the server to exit the firewall.

I think all you need is:

static (dmz, outside) 80.80.10.2 192.168.101.202 netmask 255.255.255.255 0 0

access-list FROM_OUTSIDE_TO_DMZ permit tcp any host 80.80.10.2 eq 80
access-list FROM_OUTSIDE_TO_DMZ permit tcp any host 80.80.10.2 eq 443
access-list FROM_OUTSIDE_TO_DMZ permit tcp any host 80.80.10.2 eq 8200

access-group FROM_OUTSIDE_TO_DMZ in interface outside

I think this should be enough to let traffic inbound (from outside/internet world to your dmz) with destination ports 80, 443, and 8200, AND it will let traffic outbound (from your dmz to the internet/world) with source ports as 80, 443, 8200.

Hope this helps.
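As an added illustration (not part of the thread), a toy Python model of the decision pothead describes: return traffic of an established connection is forwarded on state alone, while a new connection is judged by the inbound ACL on its ingress interface or, failing that, by the interface security levels. NAT is left out (the server is addressed by its public 80.80.10.2), and the client and destination addresses are constructed.

```python
# Toy stateful-firewall model (added example, not PIX code or configuration).
# Interface names, security-level ordering and the FROM_OUTSIDE_TO_DMZ entries
# follow the thread; NAT and TCP flag handling are simplified.
from dataclasses import dataclass, field

SECURITY_LEVEL = {"inside": 100, "dmz": 50, "outside": 0}  # higher may initiate to lower

@dataclass(frozen=True)
class Ace:
    src: str      # "any" or one host address
    dst: str      # destination host address
    dport: int    # destination TCP port

@dataclass
class Firewall:
    acls: dict = field(default_factory=dict)  # interface -> ACEs applied "in"
    conns: set = field(default_factory=set)   # (src, sport, dst, dport) of open connections

    def allow(self, ingress, egress, src, sport, dst, dport, syn):
        # 1. Reply traffic for a tracked connection needs no ACL (stateful inspection).
        if (dst, dport, src, sport) in self.conns:
            return True
        if not syn:
            return False  # mid-stream segment with no state entry is dropped
        # 2. New connection: an inbound ACL on the ingress interface decides, if present.
        if ingress in self.acls:
            ok = any(a.src in ("any", src) and a.dst == dst and a.dport == dport
                     for a in self.acls[ingress])
        else:
            # 3. No ACL on the interface: default is higher security level -> lower only.
            ok = SECURITY_LEVEL[ingress] > SECURITY_LEVEL[egress]
        if ok:
            self.conns.add((src, sport, dst, dport))
        return ok

def scenario():
    fw = Firewall(acls={"outside": [Ace("any", "80.80.10.2", p) for p in (80, 443, 8200)]})
    client, server, web = "203.0.113.5", "80.80.10.2", "198.51.100.9"  # constructed addresses
    inbound = fw.allow("outside", "dmz", client, 51000, server, 443, syn=True)   # ACL permits
    reply = fw.allow("dmz", "outside", server, 443, client, 51000, syn=False)   # state permits
    blocked = fw.allow("outside", "dmz", client, 51001, server, 22, syn=True)   # no ACE for 22
    dmz_init = fw.allow("dmz", "outside", server, 51002, web, 80, syn=True)     # default level rule
    fw.acls["dmz"] = []  # zillah's case: an ACL applied on the DMZ interface with no matching ACE
    dmz_init_acl = fw.allow("dmz", "outside", server, 51003, web, 80, syn=True)
    return inbound, reply, blocked, dmz_init, dmz_init_acl
```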
17 years 9 months ago #19396 by Smurf
Pothead,

You may be correct there, however I have never tested access-lists set on an interface for both in and out. You would imagine that the stateful function of the pix would handle this, unless you wanted to restrict the traffic flow into a zone from another zone (i.e. you applied an access list on the interface for out).

May be worth doing some testing on this to see.

Cheers

Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
17 years 9 months ago #19438 by zillah

> Since the pix is a stateful firewall, it will keep track of the traffic and allow traffic generated from the server to exit the firewall.

Yes, this is the key solution for my question.

The server that I have got within DMZ area is called Remote Desktop Appliance

One more thought that came to mind: according to the ACEs (excluding FROM_DMZ_TO_OUTSIDE) that I have got, the outside can talk to the dmz-remote desktop appliance, but the dmz-remote desktop appliance will not be able to *INITIATE* a connection. Yes, the dmz-remote desktop will be able to talk over a connection that is initiated to it.

How can I assure from where the traffic will be initiated? Does that rely on the documentation of each individual device?
17 years 9 months ago #19488 by pothead
Zillah,

Your servers will be able to initiate a connection because they are in the DMZ. By default the pix allows traffic from a higher security interface to a lower one. So for example, think of your inside interface as high, your dmz interface as medium, and the outside interface (which connects to the internet) as low. By default, traffic initiated from the following is allowed:

Traffic from Inside to Outside
Traffic from Inside to DMZ

Traffic from DMZ to Outside.

Does that answer your question?

Smurf, I have never tested the out function in the firewall, but I am pretty confident for the in function. But you're definitely right, it's worth testing...never even thought about it till you mentioned it. :-)
17 years 9 months ago #19489 by pothead

> How can I assure from where the traffic will be initiated? Does that rely on the documentation of each individual device?


This depends on the application that is running on the server...like if it's web, the traffic will almost always be initiated from outside. Likewise for telnet, ftp, etc. etc.

Correct me if I'm wrong (and I very well might be) but security wise, you DON'T want most of your servers initiating any traffic...for the most part.
17 years 9 months ago #19490 by zillah

> By default the pix allows traffic from a higher security interface to a lower one. So for example, think of your inside interface as high, your dmz interface as medium, and the outside interface (which connects to the internet) as low. By default, traffic initiated from the foll.

But this is not my case since I have got other ACEs within the DMZ and inside, the default behavior won't work in my case.

> This depends on the application that is running on the server...like if it's web, the traffic will almost always be initiated from outside. Likewise for telnet, ftp, etc. etc.

Yes, you are right.

> Correct me if I'm wrong (and I very well might be) but security wise, you DON'T want most of your servers initiating any traffic...for the most part.

Yes.