ACL question on pix

Posted on 2005-03-05
Last Modified: 2010-04-17
I entered this in my PIX to block FTP (I'm aware FTP uses two ports. Just doing testing)

pix(config)# access-list outbound_policy deny tcp any any eq 21
pix(config)# access-list outbound_policy permit ip any any
pix(config)# access-group outbound_policy in interface inside  <--applied inbound on internal interface of PIX

I then ran a sniffer and tried to do an FTP connection to a remote site. It didn't work, but here are the logs:
http://www.streetneeds.com/uploads/ot/sn.jpg

It shows my private IP sending a connection request to the remote host. Shouldn't the PIX be blocking this? I shouldn't be connecting at all since the dest IP in the packet is 21?
Question by: dissolved

8 Comments
LVL 50

Expert Comment

by:Don Johnston
ID: 13466449
Where was the sniffer? On the client side of the PIX, or the other side?

What the trace shows is an outbound segment attempting to establish the connection (SYN). But there's never an acknowledge (ACK) so the connection never gets established. This would be because the server never got the segment because the PIX blocked it.

Based on the trace, I'm going to guess that the sniffer is on the client side of the PIX. If it were on the other side, you wouldn't see the three SYN's.

-Don
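Don's reasoning above (SYNs leave the client, nothing ever comes back, so the PIX must have dropped them) can be turned into a simple triage check. This is an added example, not code from the thread: it parses a constructed tcpdump-style capture (hypothetical addresses; an assumed inside subnet of 192.168.1.0/24) taken on the client side of the firewall and labels each flow as dropped, established or refused.

```python
import ipaddress
import re
from collections import defaultdict
# Constructed sample capture in tcpdump-style text (hypothetical addresses):
# three retransmitted SYNs to tcp/21 with no answer, a normal handshake to
# tcp/80, and a SYN to tcp/22 answered with a RST.
SAMPLE_CAPTURE = """\
10:00:01.000 IP 192.168.1.10.40001 > 203.0.113.5.21: Flags [S]
10:00:04.000 IP 192.168.1.10.40001 > 203.0.113.5.21: Flags [S]
10:00:10.000 IP 192.168.1.10.40001 > 203.0.113.5.21: Flags [S]
10:00:12.000 IP 192.168.1.10.40002 > 203.0.113.5.80: Flags [S]
10:00:12.050 IP 203.0.113.5.80 > 192.168.1.10.40002: Flags [S.]
10:00:12.051 IP 192.168.1.10.40002 > 203.0.113.5.80: Flags [.]
10:00:20.000 IP 192.168.1.10.40003 > 203.0.113.5.22: Flags [S]
10:00:20.040 IP 203.0.113.5.22 > 192.168.1.10.40003: Flags [R.]
"""
INSIDE = ipaddress.ip_network("192.168.1.0/24")  # assumed inside subnet
LINE_RE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]*)\]")

def parse_flows(capture, inside=INSIDE):
    """Group packets by (client, cport, server, sport), tagged out/in."""
    flows = defaultdict(list)
    for line in capture.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        sip, sport, dip, dport, flags = m.groups()
        if ipaddress.ip_address(sip) in inside:
            flows[(sip, int(sport), dip, int(dport))].append(("out", flags))
        else:
            flows[(dip, int(dport), sip, int(sport))].append(("in", flags))
    return flows

def classify(packets):
    """Outcome of one flow as seen from the client side of the firewall."""
    inbound = [f for d, f in packets if d == "in"]
    outbound = [f for d, f in packets if d == "out"]
    if any("R" in f for f in inbound):
        return "refused"       # something that received the SYN sent a RST
    if any("S" in f and "." in f for f in inbound):
        return "established"   # SYN/ACK came back, so the server got the SYN
    if outbound and all(f == "S" for f in outbound) and not inbound:
        # Only retransmitted SYNs and no reply: dropped beyond the sniffer,
        # which is how a PIX ACL deny looks from inside (silent drop, no RST).
        return "dropped"
    return "unknown"

def triage(capture, inside=INSIDE):
    return {f"{c}:{cp}->{s}:{sp}": classify(p)
            for (c, cp, s, sp), p in parse_flows(capture, inside).items()}
```

A capture taken on the outside interface would show none of the tcp/21 SYNs at all, which is the other half of Don's check.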
 

Author Comment

by:dissolved
ID: 13466501
yep, sniffer is on client side of the pix.

It looks like the SYN is hitting the FTP server. I have an ACL applied INBOUND on my internal PIX interface. Is this the proper way to apply an ACL (when you're trying to prevent internal users from doing certain things)?

I thought the SYN would never even hit the server due to my ACL. But it looks like the SYN is reaching the FTP server, as the FTP server probably tries a SYN/ACK and gets rejected.

 
LVL 50

Expert Comment

by:Don Johnston
ID: 13466555
When you say "internal" PIX interface, do you mean the interface that connects to the client PC's?

Are you filtering the output on the sniffer? I'm wondering if there's some traffic we're not seeing.

If you're filtering traffic coming from the clients inbound, then the server shouldn't be receiving the FTP traffic.

-Don

Author Comment

by:dissolved
ID: 13466579
Yea, I have a PIX 501: one external, one internal (as you probably know). I am behind the PIX.

Here is what I have entered

pix(config)# access-list outbound_policy deny tcp any any eq 21
pix(config)# access-list outbound_policy permit ip any any
pix(config)# access-group outbound_policy in interface inside  

This should cause any traffic with a dest port of "21" to be blocked at the PIX's internal interface. Right?
 
LVL 79

Assisted Solution

by:lrmoore
lrmoore earned 400 total points
ID: 13466599
FYI: on a PIX FW, your only option is to apply an ACL "in" on any interface.
 

Author Comment

by:dissolved
ID: 13466664
OK, so when you are trying to prevent your internal clients from doing certain things, you do it by INBOUND ACLs on the INBOUND interface of the PIX.

On the other hand, if you do NOT have a PIX and you only have a router, do you apply the ACLs INBOUND on the INTERNAL interface as well?
 
LVL 50

Accepted Solution

by: Don Johnston (earned 1600 total points)
ID: 13467437
Yes and yes.

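To make lrmoore's point and the accepted answer concrete, here is an added example (not Cisco code and not from the thread): a first-match evaluator for the subset of PIX access-list syntax used in this question, i.e. what the PIX does to each packet arriving "in" on the inside interface. Entries are checked in order, the first match wins, and an implicit deny follows the last entry; the inside host, the FTP server address and the passive data port tcp/51000 are hypothetical values chosen for the checks.

```python
import ipaddress

# The two entries from the thread, exactly as the poster typed them.
ACL_TEXT = """\
access-list outbound_policy deny tcp any any eq 21
access-list outbound_policy permit ip any any
"""

def _addr_spec(tok):
    """Consume 'any' or 'host A.B.C.D'; None means every address matches."""
    if tok[0] == "host":
        return ipaddress.ip_address(tok[1]), tok[2:]
    if tok[0] != "any":
        raise ValueError(f"unsupported address spec: {tok[0]}")
    return None, tok[1:]

def parse_acl(text):
    """Return the ordered entries of the ACL as dicts."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list":
            continue
        src, rest = _addr_spec(tok[4:])
        dst, rest = _addr_spec(rest)
        dport = int(rest[1]) if rest[:1] == ["eq"] else None
        entries.append(dict(name=tok[1], action=tok[2], proto=tok[3],
                            src=src, dst=dst, dport=dport))
    return entries

def evaluate(entries, pkt):
    """First match wins: (action, 1-based entry number), or ("deny", None)
    for the implicit deny that ends every PIX ACL."""
    for n, e in enumerate(entries, 1):
        if e["proto"] not in ("ip", pkt["proto"]):
            continue
        if e["src"] is not None and e["src"] != ipaddress.ip_address(pkt["src"]):
            continue
        if e["dst"] is not None and e["dst"] != ipaddress.ip_address(pkt["dst"]):
            continue
        if e["dport"] is not None and e["dport"] != pkt.get("dport"):
            continue
        return e["action"], n
    return "deny", None

def ftp_checks(entries, src="192.168.1.10", dst="203.0.113.5"):
    """Hypothetical inside host: FTP control, a passive data channel, udp/21."""
    return {p: evaluate(entries, dict(src=src, dst=dst, proto=p[0], dport=p[1]))
            for p in (("tcp", 21), ("tcp", 51000), ("udp", 21))}
```

Only the control connection matches entry 1; the passive data channel and UDP to port 21 fall through to `permit ip any any`, which is the two-port caveat the poster mentioned at the top. Return traffic never hits this ACL, since the PIX tracks the connection statefully.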
 

Author Comment

by:dissolved
ID: 13469219
Thanks guys. Still a little confused as to why the sniffer capture showed SYNs hitting the target host, then the target host replying with RST. I thought the ACL would prevent the traffic from leaving at all?