Thread: bi-directional ACL same ports for outbound & inbound

  1. #1
    Senior Member
    Join Date
    Dec 2004
    Posts
    140

    bi-directional ACL same ports for outbound & inbound

    I have got a server in the DMZ area with the IP address 192.168.101.202. I want this server to be accessible from the outside world through these ports: 809 8400, 80 (for outbound and inbound traffic).

    This is my configuration

    static (dmz, outside) 80.80.10.2 192.168.101.202 netmask 255.255.255.255 0 0

    What I did is this (for inbound traffic):

    access-list FROM_OUTSIDE_TO_DMZ permit tcp any host 80.80.10.2 eq 80
    access-list FROM_OUTSIDE_TO_DMZ permit tcp any host 80.80.10.2 eq 443
    access-list FROM_OUTSIDE_TO_DMZ permit tcp any host 80.80.10.2 eq 8200

    Do I need to configure the below as well (for the outbound traffic)?
    access-list FROM_DMZ_TO_OUTSIDE permit tcp 192.168.101.202 host 80.80.10.2 eq 80
    access-list FROM_DMZ_TO_OUTSIDE permit tcp 192.168.101.202 host 80.80.10.2 eq 443
    access-list FROM_DMZ_TO_OUTSIDE permit tcp 192.168.101.202 host 80.80.10.2 eq 8200


    access-group FROM_OUTSIDE_TO_DMZ in interface outside

    If the outbound and inbound communicate on different ports then it is obvious we have to configure access-lists in both directions, but does this apply when outbound and inbound communicate on the same ports?

    Note: fake public ip address
    Last edited by zillah; January 10th, 2007 at 04:08 PM.

  2. #2
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    I am assuming you are asking about a PIX ACL since that is what it looks like. If that is the case and the numbering of your interfaces is such that the value of your inside > dmz > outside, then an outbound ACL is not necessary (it will allow it by default); however, if the outside interface is < dmz interface, you will need it. Of course, if you wanted to restrict what ports your dmz servers could communicate on, you'll need the ACL...but if you are only interested in the dmz being able to get to the outside (I don't recommend that) or are only concerned about reply traffic, the outbound ACL is not necessary...
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)
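    As an added illustration of the behaviour nebulus200 describes (this is constructed example code, not part of the thread and not Cisco code), the following Python model reproduces the three rules that decide the original question: an access-group applied to an interface decides with an implicit deny at the end, traffic from a higher-security interface to a lower one is allowed by default when no ACL is applied on the ingress interface, and replies to an established connection are passed by stateful inspection without consulting either. The security levels (inside 100, dmz 50, outside 0), the client addresses 203.0.113.5 and 198.51.100.9, and the FROM_DMZ_TO_OUTSIDE ACE permitting port 53 are assumptions made for the example; the static and the FROM_OUTSIDE_TO_DMZ ACEs are the ones posted above.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Hypothetical, simplified model of a PIX forwarding decision for TCP.
# Constructed for illustration only: it ignores TCP state tracking, fixups,
# logging and the NAT details of outbound flows.


@dataclass(frozen=True)
class Ace:
    action: str            # "permit" or "deny"
    src: str               # "any" or a single IP address
    dst: str               # "any" or a single IP address
    dport: Optional[int]   # None means any destination port ("eq" omitted)

    def matches(self, src_ip: str, dst_ip: str, dport: int) -> bool:
        return ((self.src == "any" or self.src == src_ip)
                and (self.dst == "any" or self.dst == dst_ip)
                and (self.dport is None or self.dport == dport))


@dataclass
class Pix:
    levels: Dict[str, int]                                    # interface -> security level
    acls: Dict[str, List[Ace]] = field(default_factory=dict)  # ACL name -> ACEs, in order
    groups: Dict[str, str] = field(default_factory=dict)      # interface -> ACL applied "in"
    statics: Dict[str, str] = field(default_factory=dict)     # global (outside) IP -> real DMZ IP
    # Connection table keyed on real addresses: (client_ip, server_ip, client_port, server_port)
    conns: Set[Tuple[str, str, int, int]] = field(default_factory=set)

    def _acl(self, name: str, src: str, dst: str, dport: int) -> Tuple[bool, str]:
        for ace in self.acls[name]:
            if ace.matches(src, dst, dport):
                return ace.action == "permit", f"{name}: {ace.action} dst {ace.dst} eq {ace.dport}"
        return False, f"{name}: implicit deny at end of ACL"

    def forward(self, in_if: str, out_if: str, src: str, dst: str,
                sport: int, dport: int) -> Tuple[bool, str]:
        real_dst = self.statics.get(dst, dst)   # static (dmz,outside) maps global -> real
        # 1. Stateful check: a reply to an existing connection passes without consulting
        #    ACLs or security levels. This is why the DMZ server's replies need no outbound ACE.
        if (real_dst, src, dport, sport) in self.conns:
            return True, "reply to established connection (stateful)"
        name = self.groups.get(in_if)
        if name is not None:
            # 2. An ACL applied to the ingress interface decides (it sees the global address).
            ok, why = self._acl(name, src, dst, dport)
        elif self.levels[in_if] > self.levels[out_if]:
            # 3. No ACL: higher -> lower security is allowed by default.
            ok, why = True, f"{in_if}({self.levels[in_if]}) -> {out_if}({self.levels[out_if]}) allowed by security level"
        else:
            ok, why = False, f"{in_if} -> {out_if} is lower-to-higher security and has no permitting ACL"
        if ok:
            self.conns.add((src, real_dst, sport, dport))   # remember the connection for replies
        return ok, why


def build_pix_from_thread() -> Pix:
    """The static and ACL posted in the thread, with assumed security levels."""
    pix = Pix(levels={"inside": 100, "dmz": 50, "outside": 0})
    pix.statics["80.80.10.2"] = "192.168.101.202"
    pix.acls["FROM_OUTSIDE_TO_DMZ"] = [
        Ace("permit", "any", "80.80.10.2", 80),
        Ace("permit", "any", "80.80.10.2", 443),
        Ace("permit", "any", "80.80.10.2", 8200),
    ]
    pix.groups["outside"] = "FROM_OUTSIDE_TO_DMZ"
    return pix


def demo() -> Dict[str, Tuple[bool, str]]:
    pix = build_pix_from_thread()
    client = "203.0.113.5"        # constructed outside client address
    r: Dict[str, Tuple[bool, str]] = {}
    r["inbound_80"] = pix.forward("outside", "dmz", client, "80.80.10.2", 40000, 80)
    r["reply_80"] = pix.forward("dmz", "outside", "192.168.101.202", client, 80, 40000)
    r["inbound_22"] = pix.forward("outside", "dmz", client, "80.80.10.2", 40001, 22)
    # A connection the DMZ server initiates itself: allowed by level alone, no ACL on dmz.
    r["dmz_initiated_25"] = pix.forward("dmz", "outside", "192.168.101.202", "198.51.100.9", 50000, 25)
    r["reply_25"] = pix.forward("outside", "dmz", "198.51.100.9", "80.80.10.2", 25, 50000)
    # Restrict what the DMZ may initiate by applying an ACL on dmz (constructed ACE).
    # Replies to connections already in the table still flow statefully.
    pix.acls["FROM_DMZ_TO_OUTSIDE"] = [Ace("permit", "192.168.101.202", "any", 53)]
    pix.groups["dmz"] = "FROM_DMZ_TO_OUTSIDE"
    r["dmz_initiated_25_restricted"] = pix.forward("dmz", "outside", "192.168.101.202", "198.51.100.9", 50001, 25)
    r["reply_80_restricted"] = pix.forward("dmz", "outside", "192.168.101.202", client, 80, 40000)
    return r


if __name__ == "__main__":
    for name, (allowed, why) in demo().items():
        print(f"{name:28} {'PERMIT' if allowed else 'DENY  '} {why}")
```

    Running the model shows the point of the thread: the server's replies on 80/443/8200 are passed because the inbound connection is already in the table, so the FROM_DMZ_TO_OUTSIDE entries add nothing for that case. What an ACL on the dmz interface does change is what the DMZ server may initiate toward the outside, which is the restriction nebulus200 recommends.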

  3. #3
    Senior Member
    Join Date
    Dec 2004
    Posts
    140
    I am assuming you are asking about a PIX ACL since that is what it looks like.
    Yes, sorry, I forgot to mention that; I am talking about PIX.

    If that is the case and the numbering of your interfaces is such that the value of your inside > dmz > outside,
    Yes, that is

    then an outbound ACL is not necessary
    Yes, it is not necessary, but if I have got other ACEs within the outside interface, wouldn't it become necessary?
    Last edited by zillah; January 14th, 2007 at 05:02 PM.

  4. #4
    Senior Member
    Join Date
    Dec 2004
    Posts
    140
    access-list FROM_DMZ_TO_OUTSIDE permit tcp 192.168.101.202 host 80.80.10.2 eq 80
    access-list FROM_DMZ_TO_OUTSIDE permit tcp 192.168.101.202 host 80.80.10.2 eq 443
    access-list FROM_DMZ_TO_OUTSIDE permit tcp 192.168.101.202 host 80.80.10.2 eq 8200
    Aren't these in the wrong format? Because both IP addresses (192.168.101.202 and 80.80.80.70) are the same, since I am translating, and it wouldn't work that way???
    Thanks
