Larry,

You've not missed a thing. I felt like I was going a roundabout way of doing something when there may be an easier way. Agreed on the need to restrict access from DMZ to outside. I think I was aiming more to get back to the point that I was at with conduits, rather than trying to achieve the final config requirements.

Thanks very much,
Gaz

"Roberts, Larry" wrote in message news:[EMAIL PROTECTED]...
> Well I think you're doing it the only way that comes to mind, but I'm a little confused why the DMZ is able to go anywhere outbound? That's not a typical thing (or is it???)
> In our case, the DMZ can't do anything but the machine-specific task (DNS can do udp 53 out, Mail can do SMTP out).
> By the same token, those machines can only go to the inside on certain things as well. This is meant to prevent us from becoming an attacker if a machine gets hacked (gasp).
>
> If you lock down your DMZ to only permit machine-specific tasks, then you can add away to the bottom because there is not a DENY ip any x.x.x.x, where x.x.x.x is your inside network, followed by the ip any any that I am assuming you're using and that is allowing access to the outside.
>
> If you don't want the DMZ to have access to port 80 inside, you could always block source port 80 on the inside from going to the DMZ. This would allow you to use the tcp any any eq www without allowing access inside.
>
> Did I miss something or is this what you're looking for?
>
> Larry
>
> -----Original Message-----
> From: Gaz [mailto:[EMAIL PROTECTED]]
> Sent: Friday, February 01, 2002 7:58 PM
> To: [EMAIL PROTECTED]
> Subject: Pix - Comparison - Conduit - Access-list [7:34155]
>
> Hi all,
>
> I've used conduits for a few years and recently converted my aged mind to access-lists on the Pix. When using conduits on a 3 interface pix for instance:
>
> Everything allowed from DMZ to outside by default.
> Apply conduit from DMZ to inside.
> Still all traffic would be allowed from DMZ to outside.
>
> With access-lists:
>
> Everything allowed out from DMZ to outside by default.
> Access-list applied to dmz in - to allow traffic from DMZ to inside.
> Now all traffic from DMZ to outside is stopped by this access-list.
>
> My usual workaround is to add 2 lines to the end of the DMZ access-list denying IP from any to all internal networks, and then permit IP from dmz to any. My only moan is the pain of removing and re-adding these two lines every time you're adding one line during installation/troubleshooting. On top of the fact that it seems to be a bodge.
>
> Is there a better way of going about this??
>
> Thanks,
>
> Gaz

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=34155&t=34155
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
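The access-list behaviour the two posts are arguing about, as an added example that is not part of the thread or of any Cisco code: a small Python model of PIX first-match evaluation with the implicit deny at the end, run over three constructed `access-list` variants in PIX 6.x syntax (Gaz's single inside permit, Gaz's two-line workaround, and Larry's per-host lock-down). The addressing (inside 10.1.0.0/16, DMZ hosts 192.168.1.10 and .20, 203.0.113.9 standing in for "outside"), the ACL names and the `shadowed()` check are all my assumptions for illustration; the check flags the exact thing Gaz complains about, an entry appended below the deny/permit pair that can never match.

```python
"""Model PIX first-match ACL evaluation for the DMZ-interface question in the thread."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Port names the PIX accepts in place of numbers (only the ones used below).
PORT_NAMES = {"www": 80, "domain": 53, "smtp": 25}


@dataclass
class Ace:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None   # None = any destination port


def _addr(tok, i):
    """Parse a PIX-style address at tok[i]: 'any', 'host A.B.C.D' or 'A.B.C.D MASK'."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(tok[i] + "/" + tok[i + 1]), i + 2   # PIX uses real masks


def parse_ace(line):
    """Parse 'access-list NAME {permit|deny} PROTO SRC DST [eq PORT]' (PIX 6.x subset)."""
    tok = line.split()
    if tok[0] != "access-list":
        raise ValueError("not an access-list line: " + line)
    action, proto = tok[2], tok[3]
    src, i = _addr(tok, 4)
    dst, i = _addr(tok, i)
    dport = None
    if i < len(tok) and tok[i] == "eq":
        dport = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
    return Ace(action, proto, src, dst, dport)


def load_acl(text):
    return [parse_ace(ln) for ln in text.strip().splitlines()]


def evaluate(acl, proto, src, dst, dport=None):
    """First matching ACE wins; a flow matching nothing hits the PIX's implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acl:
        if ace.proto not in ("ip", proto):
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"


def shadowed(acl):
    """Indexes of ACEs that can never match because an earlier ACE fully covers them."""
    dead = []
    for j, later in enumerate(acl):
        for earlier in acl[:j]:
            if earlier.proto not in ("ip", later.proto):
                continue
            if not (later.src.subnet_of(earlier.src) and later.dst.subnet_of(earlier.dst)):
                continue
            if earlier.dport is not None and earlier.dport != later.dport:
                continue
            dead.append(j)
            break
    return dead


# Constructed sample policies (assumed addressing: inside 10.1.0.0/16, DMZ DNS server
# 192.168.1.10, DMZ mail relay 192.168.1.20, 203.0.113.9 as a stand-in for outside).
NAIVE = load_acl("""
access-list dmz_in permit tcp any host 10.1.1.5 eq www
""")
WORKAROUND = load_acl("""
access-list dmz_in permit tcp any host 10.1.1.5 eq www
access-list dmz_in deny ip any 10.1.0.0 255.255.0.0
access-list dmz_in permit ip any any
""")
LOCKED_DOWN = load_acl("""
access-list dmz_in permit udp host 192.168.1.10 any eq domain
access-list dmz_in permit tcp host 192.168.1.20 any eq smtp
""")
# A line appended at the bottom during troubleshooting, as the thread describes.
NEW_LINE = load_acl("access-list dmz_in permit tcp any host 10.1.1.9 eq www")

FLOWS = {
    "dmz->inside www":   ("tcp", "192.168.1.20", "10.1.1.5", 80),
    "dmz->inside ssh":   ("tcp", "192.168.1.20", "10.1.1.5", 22),
    "dmz->outside www":  ("tcp", "192.168.1.20", "203.0.113.9", 80),
    "dns->outside 53":   ("udp", "192.168.1.10", "203.0.113.9", 53),
    "mail->inside smtp": ("tcp", "192.168.1.20", "10.1.1.25", 25),
}


def policy_matrix(acl):
    """Verdict for every sample flow under one ACL."""
    return {name: evaluate(acl, *flow) for name, flow in FLOWS.items()}


if __name__ == "__main__":
    for label, acl in [("naive", NAIVE), ("workaround", WORKAROUND),
                       ("locked-down", LOCKED_DOWN), ("workaround+new", WORKAROUND + NEW_LINE)]:
        print(label, policy_matrix(acl), "shadowed:", shadowed(acl))
```

Running it shows the three outcomes in the thread: the single-permit ACL blocks DMZ-to-outside entirely (implicit deny), the deny/permit pair restores outbound access but shadows any inside permit appended after it, and the per-host ACL has no trailing `permit ip any any`, so a line added at the bottom is reachable and everything unlisted still falls to the implicit deny.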