Re: Implicit rule PIX

> If you added it by hand, it would no longer be implicit, so No.
;-)

> The equivalent explicit rule is just "access-list NAME permit ip any any"
> applied to the higher security level interface.
>
>>also a rule like
>>permit DMZ tcp any any, would also give the DMZ access to inside
>
> That would depend on where it was applied, and it isn't quite that simple.
>
>>So I have to block access from DMZ to inside first and then allow DMZ access
>>outside
>
> Not quite. Given the above rule applied to the DMZ interface, access
> still would only be permitted to those inside hosts which are covered
> by an "nat (inside) 0 access-list" or "static (inside,dmz)".

In my project, the complete network is a public IP /24 network divided into
a lot of small segments connected to individual VLANs.
The PIX has to control who can talk to whom,
so everything is nat 0.
A solution could be not to create a translation map to every network, so no
traffic can flow, as you point out.
But then the nat-0 rules function as a sort of firewall function, perhaps
not so clean to do that.
At the moment I've created nat-0 rules exactly as one would expect: in every
network direction, no change of IP address.

>>I'm thinking of creating a network-object which contains all my internal
>>(public IP) networks,
>>deny all access to these networks,
>>then allow access to outside from these networks,
>>apply this to all my interfaces
>>and put all my exceptions before these lines.
>
> You probably don't want to apply that to your outside interface.
>
>>Don't know how an interface will react if a network-object also contains
>>its own interface, and access to it is disabled.
>
> It won't care, except perhaps in PIX 7 with same-interface routing to
> VPNs.
> With the exception noted, traffic from a subnet inside an interface
> to the -same- subnet, never goes through the PIX and the PIX will reject
> it if you try to force it to. Traffic from the subnet to the PIX itself
> (e.g., ping the PIX) is not controlled by ACLs: it is controlled by
> 'icmp' and 'http' and 'ssh' and 'telnet' commands.

I understand that.
Well, it is PIX 7.
>
>>Or is it possible to make an access list like:
>> allow traffic from interface-x to interface-y (based only on interfaces,
>> not on IP)
>
> No, you can't do that.

Any other, better ideas on how to cleanly manage such a network?

> --
> I was very young in those days, but I was also rather dim.
> -- Christopher Priest
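As an added illustration of the approach discussed in this thread (not configuration from either poster), here is what the "network-object of all internal networks, deny those, permit the rest, exceptions first" policy looks like in PIX 7 syntax for one interface. The addresses are constructed from the 203.0.113.0/24 documentation range, and the interface names and host roles are assumptions.

```cisco
! Constructed example: one public /24 carved into per-VLAN segments.
! Every internal segment goes into one object-group so the blanket deny
! stays in one place and new segments only need a new network-object line.
object-group network INTERNAL_NETS
 network-object 203.0.113.0 255.255.255.192
 network-object 203.0.113.64 255.255.255.224
 network-object 203.0.113.96 255.255.255.224

! nat 0 with an access-list, as described in the post: addresses never
! change between internal segments. This only exempts traffic from
! translation; it does not by itself decide what is permitted.
access-list NONAT extended permit ip 203.0.113.64 255.255.255.224 object-group INTERNAL_NETS
nat (dmz) 0 access-list NONAT

! Inbound policy on the dmz interface. Order is what matters: the PIX
! evaluates top down and stops at the first match, so
!   1. specific exceptions (assumed: a dmz web host reaching an inside DB),
!   2. deny everything else destined for internal segments,
!   3. permit what remains, which is traffic towards outside.
access-list DMZ_IN remark --- exceptions go above the blanket deny ---
access-list DMZ_IN extended permit tcp host 203.0.113.70 host 203.0.113.10 eq 1433
access-list DMZ_IN remark --- block dmz to all other internal segments ---
access-list DMZ_IN extended deny ip any object-group INTERNAL_NETS
access-list DMZ_IN remark --- anything left is bound for outside ---
access-list DMZ_IN extended permit ip any any
access-group DMZ_IN in interface dmz
```

The same pattern (own NONAT list, own inbound ACL referencing INTERNAL_NETS) is repeated per internal interface but, as noted in the reply above, not on the outside interface; the dmz's own subnet being inside INTERNAL_NETS is harmless because traffic between hosts on the same segment never crosses the PIX.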