OK, first of all, with NAT 0 or NAT 1+ using a global pool you would be able
to access anything outside by default UNTIL you apply an outbound
access-list.  Deny all is implied automatically on inbound, so all you need
are permits in most situations.  If you have any kind of access-list applied
to the DMZ interface OUT, then you will need to apply allow statements to
anything you wish to go outbound (agreeing with the statement below about not
contributing to being hacked and used to attack).  Inbound only and using NAT 0
(to allow real IP space used in the DMZ) or 1+ for a NAT pool should leave
outbound completely unaffected.

Using conduits only set up a sort-of one-way access-list for inbound
connections and had no effect on outbound connections whatsoever.  I would
have to see the config to know the complete answer, but I hope that sheds
some light on the problem.

Allen

----- Original Message -----
From: "Roberts, Larry" 
To: 
Sent: Friday, February 01, 2002 8:07 PM
Subject: RE: Pix - Comparison - Conduit - Access-list [7:34155]


> Well, I think you're doing it the only way that comes to mind, but I'm a
> little confused why the DMZ is able to go anywhere outbound?
> That's not a typical thing (or is it???)
> In our case, the DMZ can't do anything but the machine-specific task (DNS
> can do UDP 53 out, mail can do SMTP out).
> By the same token, those machines can only go to the inside on certain
> things as well. This is meant to prevent us from becoming an attacker if a
> machine gets hacked (gasp).
>
> If you lock down your DMZ to only permit machine-specific tasks, then you
> can add away to the bottom because there is not a DENY ip any x.x.x.x,
> where x.x.x.x is your inside network, followed by the ip any any that I am
> assuming you're using and that is allowing access to the outside.
>
> If you don't want the DMZ to have access to port 80 inside, you could
> always block source port 80 on the inside from going to the DMZ. This would
> allow you to use the tcp any any eq www without allowing access inside.
>
>
> Did I miss something, or is this what you're looking for?
>
> Larry
>
> -----Original Message-----
> From: Gaz [mailto:[EMAIL PROTECTED]]
> Sent: Friday, February 01, 2002 7:58 PM
> To: [EMAIL PROTECTED]
> Subject: Pix - Comparison - Conduit - Access-list [7:34155]
>
>
> Hi all,
>
>
> I've used conduits for a few years and recently converted my aged mind to
> access-lists on the Pix. When using conduits on a 3 interface pix for
> instance:
>
> Everything allowed from DMZ to outside by default.
> Apply conduit from DMZ to inside.
> Still all traffic would be allowed from DMZ to outside.
>
> With access-lists:
>
> Everything allowed out from DMZ to outside by default. Access-list applied
> to dmz in - to allow traffic from DMZ to inside. Now all traffic from DMZ
> to outside is stopped by this access-list.
>
>
> My usual workaround is to add 2 lines to the end of the DMZ access-list
> denying IP from any to all internal networks, and then permit IP from dmz
> to any. My only moan is the pain of removing and re-adding these two lines
> every time you're adding one line during installation/troubleshooting. On
> top of the fact that it seems to be a bodge.
>
> Is there a better way of going about this??
>
>
>
> Thanks,
>
> Gaz
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=34178&t=34155
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
