• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 693

After applying ACL, users can no longer get on the internet

Hello, I was hoping for some assistance.  I am new to creating ACLs. Here is my network.  

Inside PCs------------->PIX------------------->Router

I have applied the following ACL below to the serial 0/0 in interface.  I am able to use the client VPN (192.168.X.X) successfully with it applied but the users behind the PIX can't get on the internet nor can I ping out to the internet from the router.  My biggest goal is to protect my internal network from unauthorized activity.

X.X.123.114 is the outside interface of the PIX
X.X.45.218 is a web server
X.X.123.118 is the global address that users behind the PIX use to get out to the internet
I have added the entries with 'established' because I have seen solutions that show this allows hosts to get to the internet

access-list 101 permit ip host 192.168.10.1 10.0.0.0 0.0.0.255
access-list 101 permit ip host 192.168.10.2 10.0.0.0 0.0.0.255
access-list 101 permit ip host 192.168.10.3 10.0.0.0 0.0.0.255
access-list 101 permit ip host 192.168.10.4 10.0.0.0 0.0.0.255
access-list 101 permit ip host 192.168.10.5 10.0.0.0 0.0.0.255
access-list 101 permit ip host 192.168.10.6 10.0.0.0 0.0.0.255
access-list 101 permit ip host 192.168.10.7 10.0.0.0 0.0.0.255
access-list 101 permit ip host 192.168.10.8 10.0.0.0 0.0.0.255
access-list 101 permit ip host 192.168.10.9 10.0.0.0 0.0.0.255
access-list 101 permit ip host 192.168.10.10 10.0.0.0 0.0.0.255
access-list 101 permit tcp any any eq telnet
access-list 101 permit tcp any host X.X.123.114 eq 22
access-list 101 permit udp any host X.X.123.114 eq non500-isakmp
access-list 101 permit udp any host X.X.123.114 eq isakmp
access-list 101 permit esp any host X.X.123.114
access-list 101 permit ahp any host X.X.123.114
access-list 101 deny   ip 10.0.0.0 0.0.0.255 any
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any echo-reply
access-list 101 deny icmp any any
access-list 101 permit tcp any any established
access-list 101 permit tcp any host X.X.123.122 eq 80
access-list 101 permit tcp any host X.X.45.218
access-list 101 permit tcp any host X.X.123.118
access-list 101 deny ip any any

Thanks in advance!

Brad
Asked by: bwalker1
2 Solutions
 
Blackduke77Commented:
Can you put the whole config up so we can see the NATting and where the ACLs are applied? It does not look right to me. For example:

access-list 101 permit ip host 192.168.10.6 10.0.0.0 0.0.0.255: there are a lot of these, but you really only need one with the right subnet mask. Is the inside network 192.168.10.x, class C?

Also you have this: access-list 101 permit tcp any host X.X.123.114 eq 22, which I guess is something coming inbound but is using the same access list as outbound.

I will get a copy of mine to show you.
 
rafael_accCommented:
So where is the s0/0 interface, inside or outside? Blackduke77's suggestion is a good one! Post some more info on this.
Cheers.
 
Blackduke77Commented:
The outside interface is the interface connecting to the outside world, the untrusted interface.

Please look at the config below. I have cut a lot out but hope it helps; it would be easier if I could see more of the config.


PIX Version 6.3(1)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 auto
interface ethernet2 vlan1 physical
interface ethernet2 vlan2 logical
interface ethernet2 vlan3 logical
interface ethernet2 vlan4 logical
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
nameif vlan2 edi security40
nameif vlan3 cvpn security60
nameif vlan4 dmz_vlan security55

hostname xxxPIX
domain-name wrt
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name 172.16.xx.xx wffexch


"Outside access-in ACL bound to outside interface, controls inbound web access"
"DMZ VLAN ACL bound to DMZ VLAN interface, controls outbound web access"

access-list outside_access_in permit esp any host xxx.xxx.30.1
access-list outside_access_in permit tcp any host xxx.xxx.30.1 eq 10000
access-list outside_access_in permit udp any host xxx.xxx.30.1 eq isakmp        
access-list outside_access_in permit udp any host xxx.xxx.30.1 eq 4500
access-list outside_access_in permit tcp any host xxx.xxx.30.1 eq pptp
access-list outside_access_in permit gre any host xxx.xxx.30.1
access-list outside_access_in permit tcp any host xxx.xxx.30.15 eq www
access-list dmz_vlan_access_out permit tcp host wffexch any eq www
access-list dmz_vlan_access_out permit tcp host wffexch any eq https
access-list dmz_vlan_access_out permit tcp host wffexch any eq domain
access-list dmz_vlan_access_out permit udp host wffexch any eq domain
pager lines 24
logging on
logging timestamp
logging standby
logging trap warnings
logging host inside 172.16.xx.xx
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside xxx.xxx.30.xxx 255.255.255.0
ip address inside 172.16.xx.xx 255.255.254.0
ip address dmz_vlan 172.16.xx.xx 255.255.254.0
ip audit info action alarm
ip audit attack action alarm

pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
nat (dmz_vlan) 10 0.0.0.0 0.0.0.0 0 0

"Static translation tells the PIX where to send packets sent to a certain IP address; this is controlled by ACL."
"However, the first one tells the PIX not to NAT any traffic from the inside LAN (network address is fictional in this example)."
"The second line says anything coming to this outside IP address (first IP in the line) send to wffexch, which is set above under names; you could have an IP there. Then the ACL above restricts this."

static (inside,dmz_vlan) 172.16.44.0 172.16.44.0 netmask 255.255.254.0 0 0
static (dmz_vlan,outside) 195.219.30.15 wffexch netmask 255.255.255.255 0 0



"access groups tie ACL to interfaces "


access-group outside_access_in in interface outside

access-group dmz_vlan_access_out in interface dmz_vlan

"set the routes "


route outside 0.0.0.0 0.0.0.0 xx.xx.xx.xx 1
 
Blackduke77Commented:
Notice I am not restricting from the inside out, but I am restricting from DMZ_Vlan out.
 
bwalker1Author Commented:
Here is my router:

Current configuration : 3267 bytes
!
! Last configuration change at 16:38:37 mt Tue Nov 23 2004 by X
! NVRAM config last updated at 16:38:41 mt Tue Nov 23 2004 by X
!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname X
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
logging console critical
enable secret 5 X
!
username X secret 5 X
clock timezone mt -7
clock summer-time mt recurring
no network-clock-participate slot 1
no network-clock-participate wic 0
no aaa new-model
ip subnet-zero
ip cef
!
!
no ip bootp server
ip name-server 4.2.2.2
ip multicast-routing
no ftp-server write-enable
!
!
!
!
interface FastEthernet0/0
 ip address X.X.123.113 255.255.255.240
 ip nat inside
 speed auto
 full-duplex
!
interface Serial0/0
  ip address X.X.45.218 255.255.255.252
 ip verify unicast reverse-path
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 ip nat outside
 fair-queue
!
interface FastEthernet0/1
no ip redirects
shutdown
!
router ospf 1
 log-adjacency-changes
 network 10.20.66.64 0.0.0.63 area 0
 network X.X.45.216 0.0.0.3 area 0
 network X.X.123.112 0.0.0.7 area 0
!
ip nat inside source list 1 interface Serial0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 X.X.45.217
no ip http server
!
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 1 deny   any
access-list 101 permit ip host 192.168.10.1 10.0.0.0 0.0.0.255
access-list 101 permit ip host 192.168.10.2 10.0.0.0 0.0.0.255
access-list 101 permit ip host 192.168.10.3 10.0.0.0 0.0.0.255
access-list 101 permit ip host 192.168.10.4 10.0.0.0 0.0.0.255
access-list 101 permit ip host 192.168.10.5 10.0.0.0 0.0.0.255
access-list 101 permit ip host 192.168.10.6 10.0.0.0 0.0.0.255
access-list 101 permit ip host 192.168.10.7 10.0.0.0 0.0.0.255
access-list 101 permit ip host 192.168.10.8 10.0.0.0 0.0.0.255
access-list 101 permit ip host 192.168.10.9 10.0.0.0 0.0.0.255
access-list 101 permit ip host 192.168.10.10 10.0.0.0 0.0.0.255
access-list 101 permit tcp any any eq telnet
access-list 101 permit tcp any host X.X.123.114 eq 22
access-list 101 permit udp any host X.X.123.114 eq non500-isakmp
access-list 101 permit udp any host X.X.123.114 eq isakmp
access-list 101 permit esp any host X.X.123.114
access-list 101 permit ahp any host X.X.123.114
access-list 101 deny   ip 10.0.0.0 0.0.0.255 any
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any echo-reply
access-list 101 deny icmp any any
access-list 101 permit tcp any any established
access-list 101 permit tcp any host X.X.123.122 eq 80
access-list 101 permit tcp any host X.X.45.218
access-list 101 permit tcp any host X.X.123.118
access-list 101 deny ip any any
!
line con 0
 login local
 modem autoconfigure type usr_sportster
line aux 0
 exec-timeout 0 0
 login local
 modem Dialin
 modem autoconfigure discovery
 transport preferred telnet
 transport input all
 speed 115200
 flowcontrol hardware
line vty 0 4
 login local
!
ntp clock-period 17180074
ntp server X.X.62.30
!
end

_______________________________________________

And here is my PIX


PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password CTaFxBnExh2IFXcR encrypted
passwd CTaFxBnExh2IFXcR encrypted
hostname X
domain-name X
clock timezone PST -8
clock summer-time PDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inside_outbound_nat0_acl permit ip 10.20.66.64 255.255.255.192 X.X.0.0 255.255.0.0
access-list inside_outbound_nat0_acl permit ip 10.20.66.64 255.255.255.192 192.168.10.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 10.20.66.64 255.255.255.192 10.20.66.160 255.255.255.224
access-list outside_cryptomap_20 permit ip 10.20.66.64 255.255.255.192 150.2.0.0 255.255.0.0
access-list outside_cryptomap_dyn_20 permit ip any 192.168.10.0 255.255.255.0
access-list 130 permit icmp any any
access-list 130 permit ip any any
access-list 101 permit ip 10.20.66.0 255.255.255.192 192.168.10.0 255.255.255.0
access-list 140 permit icmp any any
access-list 140 permit ip any any
pager lines 24
logging history debugging
mtu outside 1500
mtu inside 1500
ip address outside X.X.123.114 255.255.255.248
ip address inside 10.20.66.66 255.255.255.192
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
ip local pool X 192.168.10.1-192.168.10.10
pdm location 10.20.66.0 255.255.255.0 inside
pdm location X.X.0.0 255.255.0.0 outside
pdm location 192.168.10.0 255.255.255.0 outside
pdm location 0.0.0.0 255.255.255.248 outside
pdm location 0.0.0.0 255.255.255.248 inside
pdm location 10.20.66.160 255.255.255.224 outside
pdm location 0.0.0.0 255.255.255.255 outside
pdm location 0.0.0.0 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 10 X.X.123.118
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
access-group 140 in interface outside
access-group 130 in interface inside
router ospf 1
  network 10.20.66.64 255.255.255.192 area 0
  network X.X.45.216 255.255.255.252 area 0
  network X.X.123.112 255.255.255.248 area 0
  log-adj-changes
route outside 0.0.0.0 0.0.0.0 X.X.123.113 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
ntp server X.X.62.30 source inside
http server enable
http 10.20.66.64 255.255.255.192 inside
snmp-server location X
no snmp-server contact
snmp-server community 3plu596
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer X.X.30.230
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 20 set security-association lifetime seconds 3600 kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address X.X.30.230 netmask 255.255.255.255 no-xauth no-config-mode
isakmp keepalive 10
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup VPN address-pool RHCVPNPOOL1
vpngroup VPN dns-server 4.2.2.2
vpngroup VPN default-domain cisco.com
vpngroup VPN split-tunnel 101
vpngroup VPN idle-time 1800
vpngroup VPN password ********
telnet 0.0.0.0 0.0.0.0 outside
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 30
console timeout 0
dhcpd address 10.20.66.101-10.20.66.120 inside
dhcpd dns 4.2.2.2
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 80
: end

 
Blackduke77Commented:
Ahh, this is a Cisco IOS router. Oops, thought it was a PIX, lol. OK, will have another look.
 
Blackduke77Commented:
OK, let me look.
 
bwalker1Author Commented:
Sorry about the confusion.  I am just applying the ACLs to the router.  I am using the PIX for VPN access. Everything works great, I just need to lock down the network.  But like I said, when I apply my ACL 101 to the inbound S0/0, I lose internet access.
 
Blackduke77Commented:
How does the router fit into the equation? Are we talking about users from the PIX local LAN not being able to access the internet, and the router is a default gateway to another site? The config looks OK to me, only one slight difference on the global NAT: I have interface and you have an IP. But did this all work until you added an ACL?
 
Blackduke77Commented:
Ah OK, sorry, misunderstood. So you are trying to lock down access in or out of Serial 0/0. The access list 101 is definitely wrong, as it is trying to control both inbound and outbound.
 
Blackduke77Commented:
Where does s0/0 connect to? Internet or another site?
 
Blackduke77Commented:
Is FastEthernet 0/0 on your local subnet? The IP network seems different; I need to understand how these are working together.
 
bwalker1Author Commented:
I am not trying to control outbound traffic, just inbound at s0/0. What permit statements do I need to add to allow internet access while still locking it down for security purposes? Remember, I am new to creating ACLs.

 
Blackduke77Commented:
Would love to help, but I just need to see how they fit together, as FastEthernet 0/0, if on your network, you would think it would have a static with no NAT, and your inside interface on your PIX is 10.20.66.66 but your local IP pool is 192.168.x.x.

Feel free to MSN me if you want: blackduke77@hotmail.com
 
Blackduke77Commented:
If you want to stop all incoming on the serial, and I mean all, remove the NATting elements; nothing gets in then.
 
Blackduke77Commented:
But nothing gets out either.
 
bwalker1Author Commented:
S0/0 is a T-1 connection.

Local PC (private IP) -----> inside interface of PIX (private IP) -----> outside interface of PIX (public IP) -----> E0/0 2621 router (public IP) -----> S0/0 2621 router (public IP) -----> T-1

E0/0 and the outside interface of the PIX are in the same public IP subnet. S0/0 on the router is a public IP in a different subnet handed out by the ISP. The inside interface of the PIX hands out IPs on its own private network.
 
Blackduke77Commented:
Remove all ACLs for 101 and just have deny any any.

Create a new ACL 102 or something to allow ip any any, or lock it down a bit (I would).

Tie ACL 102 to S0/0 out instead of in.
 
bwalker1Author Commented:
The local IP pool is just for the VPN client that I have setup on the PIX.  I don't use the 192 subnet for anything else.
 
Blackduke77Commented:
Right, got all that, makes sense now!
 
Blackduke77Commented:
The router only has one route; how does it know about the 192.168? Food for thought.

If you look at your 101 ACL, it is bound to S0/0 using the statement ip access-group 101 in.

The "in" means that it is inspecting inbound packets, so remove all entries in 101 that are trying to control outbound.
 
bwalker1Author Commented:
That makes sense about the 192.  I will take that out.

I am confused about which statements to put inbound and which ones outbound.  I need to permit IPSEC for the client VPN, Internet access for the whole network, Telnet access to the router, and SSH to the PIX.  I thought that I would apply these inbound for security reasons but if they need to go outbound then how would my ACLs look?  I just want to lock down this router so I can sleep at night :)
 
lrmooreCommented:
 >My biggest goal is to protect my internal network from unauthorized activity.
Isn't that why you have the PIX?

  >with it applied but the users behind the PIX can't get on the internet nor can I ping out to the internet from the router.
Because you have this line in your acl:
  >access-list 101 deny icmp any any

  >ip nat inside source list 1 interface Serial0/0 overload
  >access-list 1 permit 10.0.0.0 0.0.0.255
Why are you natting again on the router when you're already natting on the PIX?

Here's a suggested acl if you want to apply inbound at the router (I don't see UDP for DNS allowed in your 101):
  no access-list 101
  access-list 102 permit tcp any any established
  access-list 102 permit udp any eq domain any
  access-list 102 permit icmp any any echo-reply
  access-list 102 permit icmp any any time-exceeded
  access-list 102 permit icmp any any unreachable
  access-list 102 permit udp any host X.X.123.118 eq isakmp
  access-list 102 permit esp any host X.X.123.118
  access-list 102 permit tcp any host X.X.123.118 eq 10000
  access-list 102 permit udp any host X.X.123.118 eq 4500
  access-list 102 deny ip any any log
 
 interface Serial 0/0
   no ip access-group 101 in
   ip access-group 102 in

The "log" keyword on the final deny any line of the acl will help in troubleshooting.

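As an added worked example (not code from the thread, from the poster, from lrmoore or from Cisco), here is a small Python model of how IOS evaluates an inbound extended ACL: the first matching entry wins, wildcard-mask bits set to 1 are ignored, `established` only tests the ACK/RST bit, and anything that matches no entry hits the implicit deny. It runs the poster's ACL 101 from the question (abridged to the entries that decide the cases) and lrmoore's ACL 102 from this answer over constructed packets arriving on Serial0/0: a DNS reply from 4.2.2.2, an HTTP reply, an unsolicited SYN, an ICMP unreachable and a packet with a spoofed 10.x source. Assumptions: the masked X.X. octets are replaced with RFC 5737 documentation addresses (203.0.113.114 for the PIX outside interface, 203.0.113.118 for the PAT global, 198.51.100.x for Internet hosts), and the port and ICMP name tables cover only the names the two lists use.

```python
"""Toy first-match evaluator for the Cisco IOS extended-ACL syntax used in this thread.
Added example, not code from the thread or from Cisco. The thread's masked X.X. octets are
replaced with RFC 5737 addresses (assumption): 203.0.113.114 is the PIX outside interface
and 203.0.113.118 its PAT global address."""
import ipaddress

PORT_NAMES = {"telnet": 23, "domain": 53, "www": 80, "isakmp": 500, "non500-isakmp": 4500}
ICMP_TYPES = {"echo-reply": 0, "unreachable": 3, "time-exceeded": 11}


def packet(proto, src, dst, sport=0, dport=0, ack=False, icmp_type=-1):
    """A minimal packet; 'ack' is the ACK-or-RST bit, which is all 'established' tests."""
    return {"proto": proto, "src": src, "dst": dst, "sport": sport, "dport": dport,
            "ack": ack, "icmp_type": icmp_type}

def _endpoint(tok):
    """Consume 'any' | 'host A' | 'A WILDCARD' and an optional 'eq PORT'."""
    if tok[0] == "any":
        base, wild, tok = 0, 0xFFFFFFFF, tok[1:]
    elif tok[0] == "host":
        base, wild, tok = int(ipaddress.ip_address(tok[1])), 0, tok[2:]
    else:                      # IOS wildcard mask: a 1 bit means "don't care"
        base, wild, tok = int(ipaddress.ip_address(tok[0])), int(ipaddress.ip_address(tok[1])), tok[2:]
    port = None
    if tok and tok[0] == "eq":
        port, tok = (PORT_NAMES[tok[1]] if tok[1] in PORT_NAMES else int(tok[1])), tok[2:]
    return (base, wild), port, tok

def parse_rule(line):
    """access-list N permit|deny PROTO SRC [eq P] DST [eq P] [established|ICMP-TYPE] [log]"""
    tok = line.split()
    r = {"action": tok[2], "proto": tok[3], "text": line, "established": False, "icmp_type": None}
    r["src"], r["sport"], rest = _endpoint(tok[4:])
    r["dst"], r["dport"], rest = _endpoint(rest)
    for word in rest:
        if word == "established":
            r["established"] = True
        elif word in ICMP_TYPES:
            r["icmp_type"] = ICMP_TYPES[word]
        elif word != "log":
            raise ValueError(f"unsupported keyword {word!r} in {line!r}")
    return r

def _addr_match(spec, ip):
    base, wild = spec
    care = wild ^ 0xFFFFFFFF                 # wildcard 0-bits must match exactly
    return (int(ipaddress.ip_address(ip)) & care) == (base & care)

def rule_matches(r, p):
    return (r["proto"] in ("ip", p["proto"])
            and _addr_match(r["src"], p["src"]) and _addr_match(r["dst"], p["dst"])
            and (r["sport"] is None or r["sport"] == p["sport"])
            and (r["dport"] is None or r["dport"] == p["dport"])
            and (not r["established"] or (p["proto"] == "tcp" and p["ack"]))
            and (r["icmp_type"] is None or r["icmp_type"] == p["icmp_type"]))

def evaluate(acl_text, pkt):
    """First matching entry wins; IOS denies whatever matches no entry."""
    for line in acl_text.strip().splitlines():
        r = parse_rule(line.strip())
        if rule_matches(r, pkt):
            return r["action"], r["text"]
    return "deny", "<implicit deny>"

# The poster's ACL 101, abridged to the entries that decide the cases below.
ACL_101 = """
access-list 101 permit udp any host 203.0.113.114 eq isakmp
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 permit icmp any any echo-reply
access-list 101 deny icmp any any
access-list 101 permit tcp any any established
access-list 101 permit tcp any host 203.0.113.118
access-list 101 deny ip any any
"""

# lrmoore's ACL 102 with the same address substitution.
ACL_102 = """
access-list 102 permit tcp any any established
access-list 102 permit udp any eq domain any
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any time-exceeded
access-list 102 permit icmp any any unreachable
access-list 102 permit udp any host 203.0.113.118 eq isakmp
access-list 102 permit esp any host 203.0.113.118
access-list 102 permit tcp any host 203.0.113.118 eq 10000
access-list 102 permit udp any host 203.0.113.118 eq 4500
access-list 102 deny ip any any log
"""

# Constructed packets as they would arrive inbound on Serial0/0 from the T-1.
CASES = {
    "dns reply to a PAT'd user": packet("udp", "4.2.2.2", "203.0.113.118", 53, 1025),
    "http reply to a PAT'd user": packet("tcp", "198.51.100.7", "203.0.113.118", 80, 1026, ack=True),
    "unsolicited syn to tcp/445": packet("tcp", "198.51.100.9", "203.0.113.118", 40000, 445),
    "icmp unreachable (path mtu)": packet("icmp", "198.51.100.1", "203.0.113.118", icmp_type=3),
    "spoofed rfc1918 source": packet("udp", "10.20.66.70", "203.0.113.118", 53, 53),
}

def compare():
    """Map each case to (action under ACL 101, action under ACL 102); call it to see the table."""
    return {n: (evaluate(ACL_101, p)[0], evaluate(ACL_102, p)[0]) for n, p in CASES.items()}
```

Calling compare() gives, per case, the action under 101 and under 102. Several things are worth reading off the result. 101 denies the DNS reply and the ICMP unreachable (the latter matters for path-MTU discovery), which is the breakage the poster saw. The poster's `permit tcp any host X.X.123.118` carries no port, so 101 passes an unsolicited SYN to any TCP port on the PAT address, while 102 does not. 102 drops the explicit RFC 1918 deny entries, and `permit udp any eq domain any` accepts any UDP packet whose source port is 53, so a packet with a spoofed 10.x source now passes the list; that leaves anti-spoofing to the `ip verify unicast reverse-path` already configured on Serial0/0, and if that check is ever removed, the 10/8, 172.16/12 and 192.168/16 denies belong back in ahead of the `eq domain` entry. One more thing to check after the swap: 102 points its ISAKMP, ESP, 4500 and 10000 entries at X.X.123.118, while the PIX in the posted config terminates IPsec on its outside interface X.X.123.114 (the address the original 101 used), so if the VPN clients stop connecting, move those four entries to .114.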
 
bwalker1Author Commented:
Thank you.  Let me try that right now.


 >ip nat inside source list 1 interface Serial0/0 overload
  >access-list 1 permit 10.0.0.0 0.0.0.255
     >Why are you natting again on the router when you're already natting on the PIX?

You caught me on the NAT statements on the router. I actually have a separate network hooked up to e0/1 which requires NATting because it's a private network. I wasn't focusing on the e0/1 network, so I removed it from the config.

   >My biggest goal is to protect my internal network from unauthorized activity.
     >Isn't that why you have the PIX?

I am just using the PIX for VPN access and not for its firewall capabilities.  I plan on changing that later and actually using Websense for URL filtering.

 
bwalker1Author Commented:
That fixed it, thank you very much!   I really appreciate the help.  

lrmoore, in your opinion, does it look like from the configs that this is a secure enough network?  I am no expert in security but it looks okay to me.
 
bwalker1Author Commented:
Thank you Blackduke77 for your assistance via MSN Messenger.
 
lrmooreCommented:
Yes, in my opinion, having a screening access router and the pix together is part of a good 'defense in depth' strategy.
To take it further, be sure to add syslog capabilities to both the router and the PIX. Monitor the syslogs for evidence of IP address blocks performing recon scans, and block those networks in your ACL so you won't even be bothered by them knocking on your doors again.
