Cisco PIX – DMZ host to inside host

Most of my experience is with a Cisco ASA, so this remote PIX I have been saddled with is being a pain.

I have a host in the DMZ that needs access to a host on the inside. As of right now all of inside can access the DMZ, and for reasons I'm not going to get into now, I'm being told this process has to be initiated from the DMZ host.

The inside interface has no access-list and all hosts there have access to the internet. When I apply the following, the inside hosts lose internet access.

access-list acl-InsideOutbound extended permit tcp host 192.168.2.17 host 10.50.13.44 eq X
access-group acl-InsideOutbound in interface inside

Do I have to give the inside addresses access to any on the common ports one would use when going online? As I understand it, the security-level settings on the interfaces should permit this, and that is how it functions on the ASAs I manage. So does applying the ACL inbound on the inside interface supersede the security-level? Is there a best practice for this?

Here is the PIX configuration for reference:

PIX Version 7.2(4)
!
hostname PIX
names
dns-guard
!
interface Ethernet0
 description Public facing interface
 nameif outside
 security-level 0
 ip address x.x.x.2 255.255.255.128
!
interface Ethernet1
 description Interior private network
 nameif inside
 security-level 100
 ip address 10.50.13.2 255.255.255.0
!
interface Ethernet2
 description DMZ
 nameif DMZ
 security-level 10
 ip address 192.168.2.1 255.255.255.0
!
banner motd WARNING: This is a private TransCore network device. Unauthorized network use
banner motd or abuse are monitored and will be vigorously prosecuted.
boot system flash:/pix724.bin
ftp mode passive
clock timezone MST -6
clock summer-time MDT recurring
dns server-group DefaultDNS
 domain-name tcore.com
object-group network PMs
 network-object host x.x.x.x
 network-object host x.x.x.x
 network-object host x.x.x.x
 network-object host x.x.x.x
 network-object host x.x.x.x
 network-object host x.x.x.x
access-list 2DMZ extended permit tcp any host x.x.x.20 eq ftp
access-list 2DMZ extended permit tcp any host x.x.x.20 eq ftp-data
access-list 2DMZ extended permit tcp host x.x.x.x host x.x.x.14 eq www
access-list 2DMZ extended permit tcp host x.x.x.x host x.x.x.19 eq 1433
access-list 2DMZ extended permit tcp host x.x.x.x host x.x.x.19 eq 1433
access-list 2DMZ extended permit tcp host x.x.x.x host x.x.x.14 eq www
access-list 2DMZ extended permit tcp any host x.x.x.16 eq 8080
access-list 2DMZ extended permit icmp any any echo-reply
access-list 2DMZ extended permit icmp any any echo
access-list 2DMZ extended permit tcp any host x.x.x.16 eq 8081
access-list 2DMZ extended permit tcp any host x.x.x.16 eq https
access-list 2DMZ extended permit tcp any host x.x.x.16 eq 8181
access-list 2DMZ extended permit tcp any host x.x.x.17 eq www
access-list 2DMZ extended permit tcp any host x.x.x.18 eq 8080
access-list 2DMZ extended permit tcp any host x.x.x.18 eq www
access-list 2DMZ extended permit tcp object-group PMs host x.x.x.19 eq 1433
access-list 101 extended permit ip 10.50.13.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list 101 extended permit ip 10.50.13.0 255.255.255.0 10.2.0.0 255.255.0.0
access-list 101 extended permit ip 10.50.13.0 255.255.255.0 10.3.0.0 255.255.0.0
access-list 101 extended permit ip 10.50.13.0 255.255.255.0 10.4.0.0 255.255.0.0
access-list 101 extended permit ip 10.50.13.0 255.255.255.0 10.5.0.0 255.255.0.0
access-list 101 extended permit ip 10.50.13.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list 101 extended permit ip 10.50.13.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list 101 extended permit ip 10.50.13.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list 101 extended permit ip 10.50.13.0 255.255.255.0 192.168.225.0 255.255.255.0
access-list 101 extended permit ip 10.50.13.0 255.255.255.0 10.6.0.0 255.255.0.0
access-list 101 extended permit ip 10.50.13.0 255.255.255.0 172.29.9.0 255.255.255.0
access-list 101 extended permit ip 10.50.13.0 255.255.255.0 172.29.10.0 255.255.255.0
access-list 101 extended permit ip 10.50.13.0 255.255.255.0 172.29.16.0 255.255.255.0
access-list 101 extended permit ip 10.50.13.0 255.255.255.0 172.29.2.0 255.255.255.0
access-list 101 extended permit ip 10.50.15.0 255.255.255.0 172.29.16.0 255.255.255.0
access-list 101 extended permit ip 10.50.15.0 255.255.255.0 172.29.9.0 255.255.255.0
access-list 101 extended permit ip 10.50.15.0 255.255.255.0 172.29.10.0 255.255.255.0
access-list 101 extended permit ip 10.50.15.0 255.255.255.0 172.29.2.0 255.255.255.0
access-list 101 extended permit ip 10.50.15.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list 101 extended permit ip 10.50.15.0 255.255.255.0 10.2.0.0 255.255.0.0
access-list 101 extended permit ip 10.50.15.0 255.255.255.0 10.3.0.0 255.255.0.0
access-list 101 extended permit ip 10.50.15.0 255.255.255.0 10.4.0.0 255.255.0.0
access-list 101 extended permit ip 10.50.15.0 255.255.255.0 10.5.0.0 255.255.0.0
access-list 101 extended permit ip 10.50.15.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list 101 extended permit ip 10.50.15.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list 101 extended permit ip 10.50.15.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list 101 extended permit ip 10.50.15.0 255.255.255.0 192.168.225.0 255.255.255.0
access-list 101 extended permit ip 10.50.15.0 255.255.255.0 10.6.0.0 255.255.0.0
access-list 101 extended permit ip 10.50.15.0 255.255.255.0 10.50.6.0 255.255.255.0
access-list 101 extended permit ip 10.50.15.0 255.255.255.0 10.64.87.0 255.255.255.0
access-list 101 extended permit ip 10.50.13.0 255.255.255.0 10.50.6.0 255.255.255.0
access-list 101 extended permit ip 10.50.13.0 255.255.255.0 10.64.87.0 255.255.255.0
access-list 101 extended permit ip 10.50.13.0 255.255.255.0 10.9.0.0 255.255.0.0
access-list 101 extended permit ip 10.50.15.0 255.255.255.0 10.9.0.0 255.255.0.0
access-list 101 extended permit ip 10.50.13.0 255.255.255.0 10.50.2.0 255.255.255.0
access-list 101 extended permit ip 10.50.13.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 101 extended permit ip 10.50.15.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 101 extended permit ip 10.50.13.0 255.255.255.0 10.8.0.0 255.255.0.0
access-list 101 extended permit ip 10.50.15.0 255.255.255.0 10.8.0.0 255.255.0.0
access-list 101 extended permit ip 10.50.13.0 255.255.255.0 192.168.18.0 255.255.255.0
access-list 101 extended permit ip 10.50.15.0 255.255.255.0 192.168.18.0 255.255.255.0
access-list 101 extended permit ip 192.168.2.0 255.255.255.0 10.6.0.0 255.255.0.0
access-list 101 extended permit ip 192.168.2.0 255.255.255.0 10.9.0.0 255.255.0.0
access-list nonat extended permit ip 10.50.13.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list nonat extended permit ip 10.50.13.0 255.255.255.0 10.2.0.0 255.255.0.0
access-list nonat extended permit ip 10.50.13.0 255.255.255.0 10.3.0.0 255.255.0.0
access-list nonat extended permit ip 10.50.13.0 255.255.255.0 10.4.0.0 255.255.0.0
access-list nonat extended permit ip 10.50.13.0 255.255.255.0 10.5.0.0 255.255.0.0
access-list nonat extended permit ip 10.50.13.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list nonat extended permit ip 10.50.13.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list nonat extended permit ip 10.50.13.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list nonat extended permit ip 10.50.13.0 255.255.255.0 192.168.225.0 255.255.255.0
access-list nonat extended permit ip 10.50.13.0 255.255.255.0 10.6.0.0 255.255.0.0
access-list nonat extended permit ip 10.50.15.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list nonat extended permit ip 10.50.15.0 255.255.255.0 10.2.0.0 255.255.0.0
access-list nonat extended permit ip 10.50.15.0 255.255.255.0 10.3.0.0 255.255.0.0
access-list nonat extended permit ip 10.50.15.0 255.255.255.0 10.4.0.0 255.255.0.0
access-list nonat extended permit ip 10.50.15.0 255.255.255.0 10.5.0.0 255.255.0.0
access-list nonat extended permit ip 10.50.15.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list nonat extended permit ip 10.50.15.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list nonat extended permit ip 10.50.15.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list nonat extended permit ip 10.50.15.0 255.255.255.0 192.168.225.0 255.255.255.0
access-list nonat extended permit ip 10.50.15.0 255.255.255.0 10.6.0.0 255.255.0.0
access-list nonat extended permit ip 10.50.15.0 255.255.255.0 172.29.9.0 255.255.255.0
access-list nonat extended permit ip 10.50.15.0 255.255.255.0 172.29.10.0 255.255.255.0
access-list nonat extended permit ip 10.50.15.0 255.255.255.0 172.29.16.0 255.255.255.0
access-list nonat extended permit ip 10.50.15.0 255.255.255.0 172.29.2.0 255.255.255.0
access-list nonat extended permit ip 10.50.13.0 255.255.255.0 172.29.9.0 255.255.255.0
access-list nonat extended permit ip 10.50.13.0 255.255.255.0 172.29.10.0 255.255.255.0
access-list nonat extended permit ip 10.50.13.0 255.255.255.0 172.29.16.0 255.255.255.0
access-list nonat extended permit ip 10.50.13.0 255.255.255.0 172.29.2.0 255.255.255.0
access-list nonat extended permit ip 10.50.13.0 255.255.255.0 10.50.6.0 255.255.255.0
access-list nonat extended permit ip 10.50.13.0 255.255.255.0 10.64.87.0 255.255.255.0
access-list nonat extended permit ip 10.50.15.0 255.255.255.0 10.50.6.0 255.255.255.0
access-list nonat extended permit ip 10.50.15.0 255.255.255.0 10.67.87.0 255.255.255.0
access-list nonat extended permit ip 10.50.15.0 255.255.255.0 10.64.87.0 255.255.255.0
access-list nonat extended permit ip 10.50.15.0 255.255.255.0 10.9.0.0 255.255.0.0
access-list nonat extended permit ip 10.50.13.0 255.255.255.0 10.9.0.0 255.255.0.0
access-list nonat extended permit ip 10.50.13.0 255.255.255.0 10.50.2.0 255.255.255.0
access-list nonat extended permit ip 10.50.13.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat extended permit ip 10.50.15.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat extended permit ip 10.50.13.0 255.255.255.0 10.8.0.0 255.255.0.0
access-list nonat extended permit ip 10.50.15.0 255.255.255.0 10.8.0.0 255.255.0.0
access-list nonat extended permit ip 10.50.13.0 255.255.255.0 192.168.18.0 255.255.255.0
access-list nonat extended permit ip 10.50.15.0 255.255.255.0 192.168.18.0 255.255.255.0
access-list nonat extended permit ip 192.168.2.0 255.255.255.0 10.6.0.0 255.255.0.0
access-list nonat extended permit ip 192.168.2.0 255.255.255.0 10.9.0.0 255.255.0.0
access-list stopshare extended permit tcp host 10.50.13.41 host 192.168.2.14 eq netbios-ssn
access-list stopshare extended permit tcp host 10.50.13.44 host 192.168.2.14 eq netbios-ssn
access-list stopshare extended permit tcp host 10.50.13.44 host 192.168.2.14 eq 445
access-list stopshare extended permit tcp host 10.50.13.41 host 192.168.2.14 eq 445
access-list stopshare extended deny tcp any any eq 445
access-list stopshare extended deny tcp any any eq netbios-ssn
access-list stopshare extended permit ip any any
access-list stopshare extended permit tcp any any
access-list stopshare extended permit icmp any any
access-list nonat_test extended permit ip 10.50.13.0 255.255.255.0 10.6.0.0 255.255.0.0
access-list DMZ_Access_in extended permit ip any any
access-list DMZ_Access_in extended permit tcp host 10.50.13.17 host 192.168.2.17 eq sqlnet
access-list DMZ_Access_in extended permit tcp host 10.50.13.17 host 192.168.2.17 eq 1435
access-list DMZ_Access_in extended permit tcp host 192.168.2.17 host 10.50.13.17 eq 1435
access-list DMZ_Access_in extended permit tcp host 192.168.2.17 host 10.50.13.17 eq sqlnet
access-list DMZ_Access_in extended permit tcp host 10.50.13.30 host 192.168.2.20 eq sqlnet
access-list DMZ_Access_in extended permit tcp host 10.50.13.30 host 192.168.2.20 eq 1435
access-list DMZ_Access_in extended permit tcp host 192.168.2.20 host 10.50.13.33 eq 8080
access-list DMZ_Access_in extended permit tcp host 10.50.13.29 host 192.168.2.20 eq 3389
access-list DMZ_nat extended permit ip 192.168.2.0 255.255.255.0 10.6.0.0 255.255.0.0
access-list DMZ_nat extended permit ip 192.168.2.0 255.255.255.0 10.9.0.0 255.255.0.0
access-list ToInside extended permit tcp host 192.168.2.20 host 10.50.13.29 eq 3389
pager lines 24
logging enable
logging monitor debugging
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
icmp permit any DMZ
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (DMZ) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
nat (DMZ) 0 access-list DMZ_nat
nat (DMZ) 1 0.0.0.0 0.0.0.0
static (DMZ,outside) x.x.x.14 192.168.2.14 netmask 255.255.255.255
static (DMZ,outside) x.x.x.20 192.168.2.15 netmask 255.255.255.255
static (DMZ,outside) x.x.x.16 192.168.2.16 netmask 255.255.255.255
static (inside,DMZ) 10.50.13.30 10.50.13.30 netmask 255.255.255.255
static (DMZ,outside) x.x.x.17 192.168.2.17 netmask 255.255.255.255
static (inside,DMZ) 10.50.13.17 10.50.13.17 netmask 255.255.255.255
static (DMZ,inside) x.x.x.17 192.168.2.17 netmask 255.255.255.255
static (DMZ,outside) x.x.x.18 192.168.2.20 netmask 255.255.255.255
static (DMZ,inside) x.x.x.18 192.168.2.20 netmask 255.255.255.255
static (inside,DMZ) 10.50.13.33 10.50.13.33 netmask 255.255.255.255
static (inside,outside) x.x.x.19 10.50.13.44 netmask 255.255.255.255
static (inside,DMZ) 10.50.13.47 10.50.13.47 netmask 255.255.255.255
access-group 2DMZ in interface outside
access-group DMZ_Access_in in interface DMZ
route outside 0.0.0.0 0.0.0.0 x.x.x.1 1
route inside 10.50.15.0 255.255.255.0 10.50.13.1 1
route inside 172.17.0.0 255.255.0.0 10.50.13.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa-server TACSERVER protocol tacacs+
aaa-server TACSERVER (inside) host 10.1.0.227
 key GenuinE
url-server (inside) vendor smartfilter host 10.50.13.25 port 4005 timeout 10 protocol TCP connections 5
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow longurl-truncate
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto map newmap 10 match address 101
crypto map newmap 10 set peer or206.14
crypto map newmap 10 set transform-set myset
crypto map newmap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20
telnet 192.168.5.0 255.255.255.0 inside
telnet 192.168.6.0 255.255.255.0 inside
telnet 10.5.0.0 255.255.0.0 inside
telnet 10.1.0.0 255.255.0.0 inside
telnet timeout 30
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 30
console timeout 0
management-access inside
ntp server x.x.x.x
ntp server x.x.x.x
ntp server x.x.x.x
ntp server x.x.x.x
tunnel-group DefaultRAGroup ipsec-attributes
 isakmp keepalive threshold 10 retry 2
tunnel-group or206.14 type ipsec-l2l
tunnel-group or206.14 ipsec-attributes
 pre-shared-key *******************************************
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sunrpc
  inspect tftp
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
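The two changes the question points at, written out as an added example rather than anything from the post: an inside ACL, once bound, carries an implicit deny, and a DMZ-initiated session is judged by the DMZ interface's ACL, not the inside one. Port X is the post's own placeholder, the permit list for inside is an assumed minimum, and the identity static follows the pattern this config already uses for 10.50.13.17, .30, .33 and .47.

```text
! Added example, not the post's config. Binding an access-group to the
! inside interface replaces the security-level 100 -> 0 implicit permit
! with the ACL's implicit deny. Either leave inside without an
! access-group (the original state), or give the ACL explicit permits for
! every flow inside hosts still need. Assumed minimum for web access;
! extend it to the VPN subnets in access-list 101 and anything else used.
access-list acl-InsideOutbound extended permit udp 10.50.13.0 255.255.255.0 any eq domain
access-list acl-InsideOutbound extended permit tcp 10.50.13.0 255.255.255.0 any eq www
access-list acl-InsideOutbound extended permit tcp 10.50.13.0 255.255.255.0 any eq https
access-list acl-InsideOutbound extended permit icmp 10.50.13.0 255.255.255.0 any
access-group acl-InsideOutbound in interface inside
!
! A session started by 192.168.2.17 enters on the DMZ interface, so the
! list that decides it is DMZ_Access_in, which is already bound there.
! Note that its first line is "permit ip any any": that already lets
! everything from the DMZ through and makes every specific line after it
! dead. A tighter list drops that line and keeps only host/port pairs.
access-list DMZ_Access_in extended permit tcp host 192.168.2.17 host 10.50.13.44 eq X
!
! Low-to-high traffic also needs a translation on this box: nat (DMZ) 1
! matches all DMZ sources and there is no global (inside) pool, so inside
! hosts the DMZ may reach are exposed with identity statics (see
! 10.50.13.17, .30, .33, .47). Same pattern for 10.50.13.44:
static (inside,DMZ) 10.50.13.44 10.50.13.44 netmask 255.255.255.255
!
! Check the path before and after the change (packet-tracer is available
! on 7.2; use the numeric port in place of X):
packet-tracer input DMZ tcp 192.168.2.17 40000 10.50.13.44 X
```

If packet-tracer still reports a drop, its output names the phase (ACL, NAT or route) responsible, which tells you which of the three pieces above is missing.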
