  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 784

Pix rule

How can I only allow SSH access to a specific netblock of external IPs? Say, 192 is an external in this case ...

This is the basic config at the moment allowing all access ...
access-list 101 permit tcp any host 10.0.0.10 eq ssh

access-list 101 permit tcp 192.168.1.0 255.255.255.220 10.0.0.10 eq ssh??? would that allow 192.168.1.0 - 192.168.1.35

0
af500
Asked:
af500
1 Solution
 
PennGwynCommented:
Almost.  Access lists don't use a *subnet* mask, they use a *wildcard* mask, sometimes thought of as a complemented subnet mask.  The mask specifies the bits that are allowed to vary.

So "192.168.1.0 0.0.0.31" specifies 192.168.1.0-192.168.1.31, and "192.168.1.32 0.0.0.3" specifies 192.168.1.32-192.168.1.35.  So two rules will get you the range you've specified.

I'm fairly certain, though, that access lists also list the *source* first, and then the destination.  So the final rules look like:

access-list 101 permit tcp host 10.0.0.10 192.168.1.0 0.0.0.31 eq ssh
access-list 101 permit tcp host 10.0.0.10 192.168.1.32 0.0.0.3 eq ssh

0
 
lrmooreCommented:
Actually, the PIX does use a netmask and not a wildcard mask, so it's a little more difficult..
Sorry, PennGwyn...

access-list permit tcp host 10.0.0.10 192.168.1.0 255.255.255.224  eq ssh     (.1 - .30)
access-list permit tcp host 10.0.0.10 host 192.168.1.31 eq ssh
access-list permit tcp host 10.0.0.10 host 192.168.1.32 eq ssh
access-list permit tcp host 10.0.0.10 host 192.168.1.33 eq ssh
access-list permit tcp host 10.0.0.10 host 192.168.1.34 eq ssh
access-list permit tcp host 10.0.0.10 host 192.168.1.35 eq ssh

Or, you could create a host group, and assign the group to the acl:

object-group network SSH
        network-object 192.168.1.0 255.255.255.0
        network-object 192.168.1.31 255.255.255.255
        network-object 192.168.1.32 255.255.255.255
        network-object 192.168.1.33 255.255.255.255
        network-object 192.168.1.34 255.255.255.255
        network-object 192.168.1.35 255.255.255.255

access-list permit tcp host 10.0.0.10 object-group SSH eq ssh

This gives you the flexibility to selectively add/remove one or more IP addresses instead of using a whole range..




0
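The mask arithmetic discussed in the two answers above, as an added example that is not part of any poster's reply: it checks whether a mask is contiguous, splits an address range into the fewest blocks that cover it exactly, and writes one permit line per block with either a netmask or a wildcard mask. The function names are hypothetical, and the rule layout (source block first, then `host 10.0.0.10`) is assumed from the asker's existing line.

```python
import ipaddress

def is_contiguous_netmask(mask):
    """True if mask is a run of one-bits followed only by zero-bits."""
    inverted = int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF
    # A contiguous mask inverts to 2**k - 1, and only such values
    # share no bits with their successor.
    return inverted & (inverted + 1) == 0

def cover_range(first, last):
    """Smallest list of CIDR blocks that covers first..last exactly."""
    return list(ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))

def acl_lines(first, last, dest_host, acl_id="101", wildcard=False):
    """One permit line per block, laid out like the asker's existing rule.

    wildcard=False writes the netmask (the form the second answer says
    the PIX expects); wildcard=True writes the inverted mask (the form
    the first answer describes).
    """
    lines = []
    for net in cover_range(first, last):
        mask = net.hostmask if wildcard else net.netmask
        lines.append(f"access-list {acl_id} permit tcp {net.network_address} "
                     f"{mask} host {dest_host} eq ssh")
    return lines

if __name__ == "__main__":
    # The mask from the question cannot describe a single block.
    print("255.255.255.220 contiguous:", is_contiguous_netmask("255.255.255.220"))
    for block in cover_range("192.168.1.0", "192.168.1.35"):
        print(block, "->", block[0], "to", block[-1])
    for line in acl_lines("192.168.1.0", "192.168.1.35", "10.0.0.10"):
        print(line)
```

Passing `wildcard=True` produces the same two blocks with the masks `0.0.0.31` and `0.0.0.3`.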
 
billwhartonCommented:
af500

If you are looking to allow SSH to remotely administer the PIX firewall, you can use:

ssh <network> <subnet mask> <interface>

Examples:
1) If you want inside network 192.168.1.0 to be able to SSH into the PIX, use
ssh 192.168.1.0 255.255.255.0 inside

2) If you want only IP address 192.168.1.22 to be able to SSH into the pix, use
ssh 192.168.1.22 255.255.255.255 inside
0
