-
January 10th, 2007, 03:24 PM
#1
Senior Member
bi-directional ACL same ports for outbound & inbound
I have got a server in the DMZ area with IP address 192.168.101.202. I want this server to be accessible from the outside world through these ports: 809 8400, 80 (for outbound and inbound traffic).
This is my configuration
static (dmz, outside) 80.80.10.2 192.168.101.202 netmask 255.255.255.255 0 0
What I did is this (for inbound traffic):
access-list FROM_OUTSIDE_TO_DMZ permit tcp any host 80.80.10.2 eq 80
access-list FROM_OUTSIDE_TO_DMZ permit tcp any host 80.80.10.2 eq 443
access-list FROM_OUTSIDE_TO_DMZ permit tcp any host 80.80.10.2 eq 8200
Do I need to configure the below as well (for the outbound traffic)?
access-list FROM_DMZ_TO_OUTSIDE permit tcp 192.168.101.202 host 80.80.10.2 eq 80
access-list FROM_DMZ_TO_OUTSIDE permit tcp 192.168.101.202 host 80.80.10.2 eq 443
access-list FROM_DMZ_TO_OUTSIDE permit tcp 192.168.101.202 host 80.80.10.2 eq 8200
access-group FROM_OUTSIDE_TO_DMZ in interface outside
If the outbound and inbound communicate on different ports then it is obvious we have to configure access-lists in both directions, but does this apply when outbound and inbound communicate on the same ports?
Note: fake public IP address
Last edited by zillah; January 10th, 2007 at 04:08 PM.
-
January 10th, 2007, 04:49 PM
#2
I am assuming you are asking about a PIX ACL since that is what it looks like. If that is the case and the numbering of your interfaces is such that the value of your inside > dmz > outside, then an outbound ACL is not necessary (it will allow it by default); however, if the outside interface is < dmz interface, you will need it. Of course, if you wanted to restrict what ports your dmz servers could communicate on, you'll need the ACL...but if you are only interested in the dmz being able to get to the outside (I don't recommend that) or are only concerned about reply traffic, the outbound ACL is not necessary...
There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.
(Merovingian - Matrix Reloaded)
-
January 10th, 2007, 07:44 PM
#3
Senior Member
> I am assuming you are asking about a PIX ACL since that is what it looks like.
Yes, sorry I forgot to mention that; I am talking about PIX.
> If that is the case and the numbering of your interfaces is such that the value of your inside > dmz > outside,
Yes, that is the case.
> then an outbound ACL is not necessary
Yes, it is not necessary, but if I have got other ACEs within the outside interface, wouldn't it become necessary?
Last edited by zillah; January 14th, 2007 at 05:02 PM.
-
January 14th, 2007, 05:07 PM
#4
Senior Member
> access-list FROM_DMZ_TO_OUTSIDE permit tcp 192.168.101.202 host 80.80.10.2 eq 80
> access-list FROM_DMZ_TO_OUTSIDE permit tcp 192.168.101.202 host 80.80.10.2 eq 443
> access-list FROM_DMZ_TO_OUTSIDE permit tcp 192.168.101.202 host 80.80.10.2 eq 8200
Aren't these formats wrong? Because both IP addresses (192.168.101.202 and 80.80.80.70) are the same, since I am translating, and it wouldn't work that way???
Thanks
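The following is an added illustration, not code from this thread or from Cisco: a small Python model of the three PIX behaviours the replies in #2 and #4 turn on. It uses the security levels #2 assumes (inside 100 > dmz 50 > outside 0), the static from post #1 (192.168.101.202 mapped to 80.80.10.2), and the ACL names FROM_OUTSIDE_TO_DMZ and FROM_DMZ_TO_OUTSIDE from post #1; the client and remote-server addresses 203.0.113.5 and 198.51.100.9 are constructed. The model evaluates an access-group against the addresses as seen on the interface the packet enters (the global address on outside, the real address on dmz, which is how a PIX 6.x applies NAT and ACLs) and keeps a connection table so that reply packets are passed without consulting any ACL. It shows why an outbound ACL is not needed when dmz outranks outside, why ACEs bound to the outside interface have no effect on traffic entering dmz (the question in #3), and why post #1's outbound ACEs, whose destination is the server's own public address, would never match real outbound traffic (the suspicion in #4), whereas the same ACEs with destination `any` work as intended.

```python
"""Toy model of PIX security levels, inbound access-groups and the connection table.
Added example for this thread; it is not Cisco code and simplifies NAT to one static map."""
from dataclasses import dataclass
from typing import Optional

SECURITY_LEVELS = {"inside": 100, "dmz": 50, "outside": 0}   # levels assumed from post #2


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Ace:
    action: str               # "permit" or "deny"
    src: str                  # "any" or a single host address
    dst: str                  # "any" or a single host address
    dst_port: Optional[int]   # None means any destination port

    def matches(self, f: Flow) -> bool:
        return (self.src in ("any", f.src_ip)
                and self.dst in ("any", f.dst_ip)
                and self.dst_port in (None, f.dst_port))


class Pix:
    def __init__(self, levels, statics):
        self.levels = levels
        self.statics = statics        # real address -> global address (the "static" command)
        self.access_groups = {}       # interface -> list of ACEs applied "in" on that interface
        self.connections = set()      # established flows, stored in global-address form

    def access_group(self, interface, aces):
        """Bind an ACL inbound on an interface; it replaces the security-level rule there."""
        self.access_groups[interface] = list(aces)

    def to_global(self, f: Flow) -> Flow:
        return Flow(self.statics.get(f.src_ip, f.src_ip), f.src_port,
                    self.statics.get(f.dst_ip, f.dst_ip), f.dst_port)

    def allow(self, ingress: str, egress: str, flow: Flow) -> bool:
        g = self.to_global(flow)
        # Reply packets of a known connection are passed by the stateful table;
        # no interface ACL is consulted for them.
        if Flow(g.dst_ip, g.dst_port, g.src_ip, g.src_port) in self.connections:
            return True
        if ingress in self.access_groups:
            # First matching ACE decides; no match hits the implicit deny.
            verdict = next((a.action == "permit" for a in self.access_groups[ingress]
                            if a.matches(flow)), False)
        else:
            # No ACL on the ingress interface: higher level may initiate to lower level.
            verdict = self.levels[ingress] > self.levels[egress]
        if verdict:
            self.connections.add(g)
        return verdict


def run_thread_scenarios():
    pix = Pix(SECURITY_LEVELS, statics={"192.168.101.202": "80.80.10.2"})
    # FROM_OUTSIDE_TO_DMZ as in post #1, bound "in interface outside".
    pix.access_group("outside", [Ace("permit", "any", "80.80.10.2", p) for p in (80, 443, 8200)])
    client, remote = "203.0.113.5", "198.51.100.9"      # constructed internet hosts
    server = "192.168.101.202"
    r = {}
    r["inbound_80"] = pix.allow("outside", "dmz", Flow(client, 40000, "80.80.10.2", 80))
    r["inbound_22"] = pix.allow("outside", "dmz", Flow(client, 40001, "80.80.10.2", 22))
    # Server's reply to the permitted inbound connection: passed by the connection table.
    r["server_reply"] = pix.allow("dmz", "outside", Flow(server, 80, client, 40000))
    # Server initiating outbound with no ACL on dmz: allowed because 50 > 0.
    r["outbound_default"] = pix.allow("dmz", "outside", Flow(server, 50000, remote, 80))
    # Reply arrives on outside; no ACE matches port 50000, but the connection is known.
    r["reply_to_outbound"] = pix.allow("outside", "dmz", Flow(remote, 80, "80.80.10.2", 50000))
    # Post #1's FROM_DMZ_TO_OUTSIDE as written: destination is the server's own global address,
    # so it can never match traffic the server sends to the internet.
    pix.access_group("dmz", [Ace("permit", server, "80.80.10.2", p) for p in (80, 443, 8200)])
    r["as_written_outbound_80"] = pix.allow("dmz", "outside", Flow(server, 50001, remote, 80))
    # Same ACEs with destination "any": only the listed ports may leave the DMZ.
    pix.access_group("dmz", [Ace("permit", server, "any", p) for p in (80, 443, 8200)])
    r["fixed_outbound_80"] = pix.allow("dmz", "outside", Flow(server, 50002, remote, 80))
    r["fixed_outbound_25"] = pix.allow("dmz", "outside", Flow(server, 50003, remote, 25))
    # Replies to inbound connections still pass even with the restrictive dmz ACL in place.
    r["server_reply_with_acl"] = pix.allow("dmz", "outside", Flow(server, 80, client, 40000))
    return r


if __name__ == "__main__":
    for name, verdict in run_thread_scenarios().items():
        print(f"{name:28s} {'permit' if verdict else 'deny'}")
```

The two outcomes worth noting are `as_written_outbound_80` (denied, because the ACE's destination is the server's own public address) and `fixed_outbound_25` (denied, because once an access-group is bound to the dmz interface everything not explicitly permitted is dropped, including traffic that the security-level rule alone would have allowed).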