Hi Aaron, thanks for the help. I do remember that now from a PIX class I took a year or so ago. I've just moved into this position recently and am trying to remember all the rules.

We do have our interfaces set up like you said, so it would make sense.

nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz1 security50

I'll give this a shot, thanks!
--- In PIX_Firewall@yahoogroups.com, "Aaron Rohyans" <aaronr ...> wrote:
>
> It depends what your security levels are for each interface. A device on a higher security interface can contact a lower security interface without the need for an ACL or static NAT. However, when a device residing on a lower security interface wants to contact a device on a higher security interface, you will need an ACL to permit this. For example:
>
> You will need an ACL that permits traffic from the DMZ to the inside LAN:
> access-list dmz_acl permit ip host 10.60.1.90 host 10.9.0.11 eq 11111
>
> But you should not need an ACL to permit traffic from inside to contact the DMZ. This assumes you have normal security set up on your interfaces:
>
> nameif ethernet0 outside security0
> nameif ethernet1 inside security100
> nameif ethernet2 dmz security80
>
> Hope this helps!
> Aaron
>
> ----- Original Message -----
> From: "Tony" <ttrevino ...>
> To: <PIX_Firewall@yahoogroups.com>
> Sent: Wednesday, May 10, 2006 9:28 AM
> Subject: [PIX_Firewall] ACLs in a PIX 520, version 6.3(5)
>
>
> Good morning all, I'm adding some acl permit statements into our dmz and was wondering, do I need to add 2 statements to allow communication? In other words, I need to allow an internal machine to contact a machine in the dmz, so I'm going to add this statement:
>
> access-list dmz_acl permit ip host 10.9.0.11 host 10.60.1.90 eq 11111.
>
> So this would allow access from 10.9.0.11 to 10.60.1.90, but do I need to add this statement as well:
>
> access-list dmz_acl permit ip host 10.60.1.90 host 10.9.0.11 eq 11111?
>
> I was told with this older version of software that the PIX needed both statements to allow proper communication? 10.9.0.11 is always going to initiate the request from the machine in the dmz, 10.60.1.90.
> Thanks in advance for the help, T
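The two rules Aaron lays out (higher-to-lower security initiation is implicit, lower-to-higher needs an ACL, and reply traffic rides on the connection table rather than a second ACL) can be checked against Tony's exact scenario with a small model. This is an added example written for this thread; it is not PIX software or PIX configuration syntax. The interface names, security levels (Tony's `dmz1 security50`) and addresses are taken from the messages; the `Pix` class, its ACL and connection-table structures, and the `thread_scenario` helper are assumptions made for illustration, and the static/NAT requirement Aaron also mentions is deliberately left out of the model.

```python
"""Toy model of the PIX rule described in the thread: a new connection from a
higher security interface to a lower one is allowed implicitly; from lower to
higher it needs an ACL; reply packets are matched against the stateful
connection table, so the second ACL Tony asks about is not needed.

Added example for this thread, not PIX software. The ACL and connection-table
structures are simplifying assumptions; NAT/static requirements are ignored.
"""
from dataclasses import dataclass, field

# Security levels from Tony's nameif lines.
INTERFACES = {"outside": 0, "inside": 100, "dmz1": 50}


@dataclass(frozen=True)
class Flow:
    """First packet of a connection: client on src_if to a server port on dst_if."""
    src_if: str
    src: str
    dst_if: str
    dst: str
    dport: int


@dataclass
class Pix:
    # interface name -> list of (src, dst, dport) permit entries (assumed structure)
    acls: dict = field(default_factory=dict)
    # established connections, keyed by the Flow that opened them
    conns: set = field(default_factory=set)

    def permit(self, iface, src, dst, dport):
        """Stand-in for 'access-list <iface>_acl permit ... host src host dst eq dport'."""
        self.acls.setdefault(iface, []).append((src, dst, dport))

    def _acl_allows(self, flow):
        return (flow.src, flow.dst, flow.dport) in self.acls.get(flow.src_if, [])

    def new_connection(self, flow):
        """Decide the first packet of a connection and record it if allowed."""
        if self._acl_allows(flow):
            allowed = True
        else:
            # No explicit permit: fall back to the security-level rule.
            allowed = INTERFACES[flow.src_if] > INTERFACES[flow.dst_if]
        if allowed:
            self.conns.add(flow)
        return allowed

    def reply_allowed(self, src_if, src, sport, dst_if, dst):
        """A packet from the server back to the client passes only if the
        connection table holds the matching forward flow; no ACL is consulted."""
        return Flow(dst_if, dst, src_if, src, sport) in self.conns


def thread_scenario():
    """Replay Tony's question against the model and return each decision."""
    pix = Pix()
    results = {}

    # Inside host opens a connection to the DMZ host on port 11111, no ACL at all.
    inside_to_dmz = Flow("inside", "10.9.0.11", "dmz1", "10.60.1.90", 11111)
    results["inside->dmz new, no acl"] = pix.new_connection(inside_to_dmz)

    # The DMZ host answers; this is the traffic Tony thought needed a second ACL.
    results["dmz->inside reply, no acl"] = pix.reply_allowed(
        "dmz1", "10.60.1.90", 11111, "inside", "10.9.0.11")

    # An unsolicited connection from the DMZ host to the inside host is different.
    dmz_to_inside = Flow("dmz1", "10.60.1.90", "inside", "10.9.0.11", 11111)
    results["dmz->inside new, no acl"] = pix.new_connection(dmz_to_inside)

    # Aaron's case: lower-to-higher initiation needs an explicit permit.
    pix.permit("dmz1", "10.60.1.90", "10.9.0.11", 11111)
    results["dmz->inside new, with acl"] = pix.new_connection(dmz_to_inside)
    return results


if __name__ == "__main__":
    for case, decision in thread_scenario().items():
        print(f"{case}: {'permit' if decision else 'deny'}")
```

Running it shows the reply from 10.60.1.90 is permitted purely because the inside host opened the connection first, while an unsolicited connection from the DMZ host is denied until a permit entry exists on the dmz interface. That is the practical reason the second ACL in Tony's question would only matter if the DMZ host ever initiated, and why leaving it out keeps the DMZ from reaching into the inside network.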