Solved

Pix rule

Posted on 2004-09-02
3
765 Views
Last Modified: 2013-11-16
How can I only allow SSH access to a specific netblock of external IPs? Say, 192 is an external in this case ...

This is the basic config at the moment allowing all access ...
access-list 101 permit tcp any host 10.0.0.10 eq ssh

access-list 101 permit tcp 192.168.1.0 255.255.255.220 10.0.0.10 eq ssh??? would that allow 192.168.1.0 - 192.168.1.35

0
Question by:af500
3 Comments
 
LVL 11

Expert Comment

by:PennGwyn
ID: 11968321
Almost.  Access lists don't use a *subnet* mask, they use a *wildcard* mask, sometimes thought of as a complemented subnet mask.  The mask specifies the bits that are allowed to vary.

So "192.168.1.0 0.0.0.31" specifies 192.168.1.0-192.168.1.31, and "192.168.1.32 0.0.0.3" specifies 192.168.1.32-192.168.1.35.  So two rules will get you the range you've specified.

I'm fairly certain, though, that access lists also list the *source* first, and then the destination.  So the final rules look like:

access-list 101 permit tcp host 10.0.0.10 192.168.1.0 0.0.0.31 eq ssh
access-list 101 permit tcp host 10.0.0.10 192.168.1.32 0.0.0.3 eq ssh

0
 
LVL 79

Accepted Solution

by:
lrmoore earned 50 total points
ID: 11968682
Actually, the PIX does use a netmask and not a wildcard mask, so it's a little more difficult..
Sorry, PennGwyn...

access-list 101 permit tcp 192.168.1.0 255.255.255.224 host 10.0.0.10 eq ssh     (.1 - .30)
access-list 101 permit tcp host 192.168.1.31 host 10.0.0.10 eq ssh
access-list 101 permit tcp host 192.168.1.32 host 10.0.0.10 eq ssh
access-list 101 permit tcp host 192.168.1.33 host 10.0.0.10 eq ssh
access-list 101 permit tcp host 192.168.1.34 host 10.0.0.10 eq ssh
access-list 101 permit tcp host 192.168.1.35 host 10.0.0.10 eq ssh

Or, you could create a host group, and assign the group to the acl:

object-group network SSH
        network-object 192.168.1.0 255.255.255.224
        network-object 192.168.1.31 255.255.255.255
        network-object 192.168.1.32 255.255.255.255
        network-object 192.168.1.33 255.255.255.255
        network-object 192.168.1.34 255.255.255.255
        network-object 192.168.1.35 255.255.255.255

access-list 101 permit tcp object-group SSH host 10.0.0.10 eq ssh

This gives you the flexibility to selectively add/remove one or more IP addresses instead of using a whole range..




0
 
LVL 11

Expert Comment

by:billwharton
ID: 11980439
af500

If you are looking to allow SSH to remotely administer the PIX firewall, you can use:

ssh <network> <subnet mask> <interface>

Examples:
1) If you want inside network 192.168.1.0 to be able to SSH into the PIX, use
ssh 192.168.1.0 255.255.255.0 inside

2) If you want only IP address 192.168.1.22 to be able to SSH into the pix, use
ssh 192.168.1.22 255.255.255.255 inside
0
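The two answers above turn on the same detail: the PIX takes a subnet mask where an IOS access list takes a wildcard mask, and a range such as 192.168.1.0 - 192.168.1.35 does not fit one mask, so it becomes a /27 plus a /30 (or the /27 plus individual hosts, as in the accepted solution). The Python below is an added example, not code from the thread or from Cisco: it summarises a range into the minimal set of masks, prints the matching `access-list` lines (source netblock first, destination host second, as in the asker's own rule) and the `ssh <network> <mask> <interface>` lines from the last comment, checks that a mask such as 255.255.255.220 is not a contiguous mask at all, and evaluates a candidate source address against the generated lines. Function names and the addresses are this example's own constructions.

```python
# Added example (not from the thread): summarise an IP range into PIX-style
# subnet-mask entries, show the equivalent IOS wildcard masks, and evaluate a
# source address against the generated access-list lines.
# Function names and sample addresses are this example's own.
from __future__ import annotations

import ipaddress


def summarize_range(first: str, last: str) -> list[ipaddress.IPv4Network]:
    """Minimal list of CIDR blocks covering first..last inclusive."""
    return list(ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))


def wildcard_mask(net: ipaddress.IPv4Network) -> str:
    """IOS-style wildcard mask: the bit-wise complement of the subnet mask."""
    return str(net.hostmask)


def valid_netmask(mask: str) -> bool:
    """A subnet mask must be a run of 1-bits followed by a run of 0-bits."""
    m = int(ipaddress.IPv4Address(mask))
    low = (~m) & 0xFFFFFFFF        # the host part, as a positive integer
    return low & (low + 1) == 0    # 2**n - 1 means the 0-bits are contiguous


def _src_token(net: ipaddress.IPv4Network) -> str:
    """PIX source syntax: 'host A' for a /32, otherwise 'A MASK'."""
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.netmask}"


def pix_acl_entries(acl: str, first: str, last: str, dest_host: str,
                    port: str = "ssh") -> list[str]:
    """access-list lines: source netblock first, destination host second."""
    return [f"access-list {acl} permit tcp {_src_token(net)} host {dest_host} eq {port}"
            for net in summarize_range(first, last)]


def pix_ssh_entries(first: str, last: str, interface: str) -> list[str]:
    """'ssh <network> <mask> <interface>' lines for management access to the PIX itself."""
    return [f"ssh {net.network_address} {net.netmask} {interface}"
            for net in summarize_range(first, last)]


def _token_matches(tokens: list[str], i: int, ip: str) -> tuple[bool, int]:
    """Match ip against 'any' | 'host A' | 'A MASK' at tokens[i]; return (hit, next index)."""
    addr = int(ipaddress.IPv4Address(ip))
    if tokens[i] == "any":
        return True, i + 1
    if tokens[i] == "host":
        return addr == int(ipaddress.IPv4Address(tokens[i + 1])), i + 2
    net = int(ipaddress.IPv4Address(tokens[i]))
    mask = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (addr & mask) == (net & mask), i + 2


def acl_permits(entries: list[str], src_ip: str, dst_ip: str, port: str = "ssh") -> bool:
    """First-match evaluation of permit lines; anything unmatched is denied."""
    for line in entries:
        t = line.split()
        if t[0] != "access-list" or t[2:4] != ["permit", "tcp"]:
            continue
        src_ok, i = _token_matches(t, 4, src_ip)
        dst_ok, i = _token_matches(t, i, dst_ip)
        if src_ok and dst_ok and t[i:i + 2] == ["eq", port]:
            return True
    return False


if __name__ == "__main__":
    entries = pix_acl_entries("101", "192.168.1.0", "192.168.1.35", "10.0.0.10")
    for e in entries:
        print(e)
    for net in summarize_range("192.168.1.0", "192.168.1.35"):
        print(f"{net}: PIX netmask {net.netmask}, IOS wildcard {wildcard_mask(net)}")
    for line in pix_ssh_entries("192.168.1.0", "192.168.1.35", "outside"):
        print(line)
    print("255.255.255.220 is a valid mask:", valid_netmask("255.255.255.220"))  # False
    print(acl_permits(entries, "192.168.1.35", "10.0.0.10"))  # True
    print(acl_permits(entries, "192.168.1.36", "10.0.0.10"))  # False
```

Note that the /27 entry matches 192.168.1.0 and 192.168.1.31 as well as .1 - .30: an access list compares address bits, it does not skip the network and broadcast addresses, so the separate host entry for .31 in the accepted solution is redundant rather than wrong.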
