07.29.2005 at 07:56AM PDT, ID: 21509114
PIX to PIX VPN ACL

Asked by decoleur in Network Software Firewalls, Enterprise Firewalls, Cisco PIX Firewall

Hi there Experts-

I am trying to set up a PIX to PIX VPN that limits access across the VPN while still allowing remote Cisco VPN clients to access the network behind the PIX that they connected to. This is part of a hub and spoke configuration, which I can get working by IP, but I am interested in limiting it to ports for three specific servers at the hub to and from the spoke networks...

Right now I have set up

Network Diagram:

   Hub Pix(10.1.1.229)---------Internet----------(10.1.1.230)Spoke Pix
            |                                            |
     172.16.1.34                                 Internal Network
     172.16.1.195                                (172.16.21.0/24)
     172.16.1.199

Here is what I am interested in setting up...

in this case 172.16.1.0/24 is the hub and 172.16.21.0/24 is the spoke

hub to spoke:
172.16.1.195 -> 172.16.21.0/24 tcp port 22
172.16.1.199 -> 172.16.21.0/24 any port

spoke to hub:
172.16.21.0/24 -> 172.16.1.34 tcp port 25
172.16.21.0/24 -> 172.16.1.199 udp port 514

I have been instructed by Cisco TAC to install the ACLs on the outside interface like so:

Access List for Hub Pix
 
access-list 111 permit udp 172.16.21.0 255.255.255.0 host 172.16.1.199 eq 514
access-list 111 permit tcp 172.16.21.0 255.255.255.0 host 172.16.1.34 eq 25
access-list 111 permit tcp 172.16.21.0 255.255.255.0 host 172.16.1.195
 
Access List for Spoke Pix
 
access-list 222 permit tcp host 172.16.1.195 172.16.21.0 255.255.255.0 eq 22
access-list 222 permit tcp host 172.16.1.199 172.16.21.0 255.255.255.0
access-list 222 permit tcp host 172.16.1.34 172.16.21.0 255.255.255.0 eq 25

I would like some help understanding some of the hows and whys for this config:
- why I should put these ACLs on the outside interface and not the inside.
- what is the point of these ACLs:
access-list 111 permit tcp 172.16.21.0 255.255.255.0 host 172.16.1.195
I only want device 172.16.1.195 to be able to ssh to 172.16.21.0/24
and
access-list 222 permit tcp host 172.16.1.34 172.16.21.0 255.255.255.0 eq 25
I only want 172.16.21.0/24 to be able to send mail to 172.16.1.34

- Also, when I implement this config, my syslog server reports errors from the hub PIX that it is blocking the UDP 514 traffic from the spoke PIX:
%PIX-2-106006: Deny inbound UDP from 172.16.21.1/514 to 172.16.1.199/514 on interface outside

Thoughts?

Thanks in advance,

-t
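A way to see what the TAC-suggested entries actually admit, as an added example that is not part of the thread: a small first-match evaluator for PIX 6.x style access-list lines, run over the two ACLs from the question and over the flows the question describes. It assumes interface ACLs are evaluated first match with an implicit deny at the end, that addresses use real subnet masks (PIX syntax, not IOS wildcards), that only the `eq` port operator with numeric ports occurs, and that no NAT is applied to the tested flows; the client addresses and ephemeral ports used in the flows are constructed for illustration.

```python
"""First-match evaluator for Cisco PIX 6.x style access-list entries.

Added example, not code from the thread. Assumptions: interface ACLs are
first-match with an implicit deny at the end; addresses use subnet masks
(not IOS wildcard masks); only the `eq` port operator with numeric ports
is handled; no NAT is applied to the flows tested. Hosts and ephemeral
ports in FLOWS are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Ace:
    name: str
    action: str                       # "permit" or "deny"
    proto: str                        # "tcp", "udp", "icmp", "ip"
    src: ipaddress.IPv4Network
    sport: Optional[int]
    dst: ipaddress.IPv4Network
    dport: Optional[int]
    text: str                         # original line, for reporting


def _addr(t: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse `any` | `host A.B.C.D` | `A.B.C.D MASK` starting at t[i]."""
    if t[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.IPv4Network(t[i + 1] + "/32"), i + 2
    # PIX takes a real subnet mask (255.255.255.0), not a wildcard mask
    return ipaddress.IPv4Network(t[i] + "/" + t[i + 1], strict=False), i + 2


def _port(t: List[str], i: int) -> Tuple[Optional[int], int]:
    """Parse an optional `eq N`; other operators are rejected, not guessed."""
    if i < len(t) and t[i] in ("lt", "gt", "neq", "range"):
        raise ValueError(f"port operator {t[i]!r} not handled in this example")
    if i < len(t) and t[i] == "eq":
        return int(t[i + 1]), i + 2
    return None, i


def parse_ace(line: str) -> Ace:
    t = line.split()
    if len(t) < 6 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"not an access-list entry: {line!r}")
    src, i = _addr(t, 4)
    sport, i = _port(t, i)
    dst, i = _addr(t, i)
    dport, i = _port(t, i)
    if i != len(t):
        raise ValueError(f"trailing tokens {t[i:]} in {line!r}")
    return Ace(t[1], t[2], t[3], src, sport, dst, dport, line.strip())


def evaluate(acl: List[Ace], proto: str, src_ip: str, sport: int,
             dst_ip: str, dport: int) -> Tuple[str, str]:
    """Return (action, matching line) for the first ACE matching the flow."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for ace in acl:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.sport is not None and ace.sport != sport:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, ace.text
    return "deny", "implicit deny at end of access-list"


# The two ACLs exactly as quoted in the question (TAC's suggestion).
HUB_ACL = [parse_ace(l) for l in """
access-list 111 permit udp 172.16.21.0 255.255.255.0 host 172.16.1.199 eq 514
access-list 111 permit tcp 172.16.21.0 255.255.255.0 host 172.16.1.34 eq 25
access-list 111 permit tcp 172.16.21.0 255.255.255.0 host 172.16.1.195
""".strip().splitlines()]
SPOKE_ACL = [parse_ace(l) for l in """
access-list 222 permit tcp host 172.16.1.195 172.16.21.0 255.255.255.0 eq 22
access-list 222 permit tcp host 172.16.1.199 172.16.21.0 255.255.255.0
access-list 222 permit tcp host 172.16.1.34 172.16.21.0 255.255.255.0 eq 25
""".strip().splitlines()]

# Constructed flows: (label, ACL the packet hits on arrival, proto, src, sport, dst, dport).
FLOWS = [
    ("spoke smtp to hub .34:25",               HUB_ACL,   "tcp", "172.16.21.10", 51000, "172.16.1.34",  25),
    ("spoke syslog to hub .199:514",           HUB_ACL,   "udp", "172.16.21.10", 51001, "172.16.1.199", 514),
    ("logged deny 172.16.21.1:514 -> .199:514", HUB_ACL,  "udp", "172.16.21.1",  514,   "172.16.1.199", 514),
    ("spoke telnet to hub .195:23 (unwanted)", HUB_ACL,   "tcp", "172.16.21.10", 51002, "172.16.1.195", 23),
    ("spoke ssh to hub .34:22 (unwanted)",     HUB_ACL,   "tcp", "172.16.21.10", 51003, "172.16.1.34",  22),
    ("hub .195 ssh to spoke :22",              SPOKE_ACL, "tcp", "172.16.1.195", 51004, "172.16.21.10", 22),
    ("hub .199 tcp to spoke :3389",            SPOKE_ACL, "tcp", "172.16.1.199", 51005, "172.16.21.10", 3389),
    ("hub .199 udp to spoke :161",             SPOKE_ACL, "udp", "172.16.1.199", 51006, "172.16.21.10", 161),
    ("hub .34 smtp to spoke :25 (unwanted)",   SPOKE_ACL, "tcp", "172.16.1.34",  51007, "172.16.21.10", 25),
]


def check_flows() -> dict:
    """Map each labelled flow to the action the relevant ACL takes on it."""
    return {label: evaluate(acl, *rest)[0] for label, acl, *rest in FLOWS}


if __name__ == "__main__":
    for label, acl, *rest in FLOWS:
        action, why = evaluate(acl, *rest)
        print(f"{action:6} {label:45} <- {why}")
```

Running it shows that the four requested flows are permitted, that ACL 111's third line admits any TCP port from the spoke subnet to 172.16.1.195 (telnet included) and ACL 222's third line admits the hub mail server opening port 25 on spoke hosts, neither of which the question asks for, while 172.16.1.199 to the spoke is TCP-only (UDP from .199 falls to the implicit deny). A stateful PIX already permits the return half of a connection it allowed outbound, so the .195 line is not what carries SSH replies back to the hub. The UDP 172.16.21.1/514 to 172.16.1.199/514 flow from the logged message matches the first line of ACL 111 as written, so that deny is not explained by the ACL text alone. One PIX-specific caveat: with `sysopt connection permit-ipsec` configured, traffic decrypted from an IPsec tunnel bypasses the interface access-list entirely, so an outside ACL only filters VPN traffic when that sysopt is absent.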
[+][-]07.29.2005 at 09:35AM PDT, ID: 14556337

At Experts Exchange, members can ask their questions to thousands of technology professionals, also known as Experts. Experts compete and collaborate to answer those questions by leaving comments like this one.

Start your 7-day free trial to view this Expert Comment or ask the Experts your question.
About this solution

Zones: Network Software Firewalls, Enterprise Firewalls, Cisco PIX Firewall
Tags: pix, vpn, acl
Solution Provided By: modulo
Participating Experts: 2
Solution Grade: A