Solved

ACL question on pix

Posted on 2005-03-05
Last Modified: 2010-04-17
I entered this in my PIX to block FTP (I'm aware FTP uses two ports. Just doing testing)

pix(config)# access-list outbound_policy deny tcp any any eq 21
pix(config)# access-list outbound_policy permit ip any any
pix(config)# access-group outbound_policy in interface inside  <--applied inbound on internal interface of PIX

I then ran a sniffer and tried to do an FTP connection to a remote site. It didn't work, but here are the logs:
http://www.streetneeds.com/uploads/ot/sn.jpg

It shows my private IP sending a connection request to the remote host. Shouldn't the PIX be blocking this? I shouldn't be connecting at all, since the dest port in the packet is 21?
Question by:dissolved
Expert Comment

by:Don Johnston
ID: 13466449
Where was the sniffer? On the client side of the PIX, or the other side?

What the trace shows is an outbound segment attempting to establish the connection (SYN). But there's never an acknowledge (ACK) so the connection never gets established. This would be because the server never got the segment because the PIX blocked it.

Based on the trace, I'm going to guess that the sniffer is on the client side of the PIX. If it were on the other side, you wouldn't see the three SYNs.

-Don

Author Comment

by:dissolved
ID: 13466501
Yep, sniffer is on the client side of the PIX.

It looks like the SYN is hitting the FTP server. I have an ACL applied INBOUND on my internal PIX interface. Is this the proper way to apply an ACL (when you're trying to prevent internal users from doing certain things)?

I thought the SYN would never even hit the server due to my ACL. But it looks like the SYN is reaching the FTP server, as the FTP server probably tries a SYN/ACK and gets rejected.

Expert Comment

by:Don Johnston
ID: 13466555
When you say "internal" PIX interface, do you mean the interface that connects to the client PCs?

Are you filtering the output on the sniffer? I'm wondering if there's some traffic we're not seeing.

If you're filtering traffic coming from the clients inbound, the server shouldn't be receiving the FTP traffic.

-Don

Author Comment

by:dissolved
ID: 13466579
Yea, I have a PIX 501. One external, one internal (as you probably know). I am behind the PIX.

Here is what I have entered

pix(config)# access-list outbound_policy deny tcp any any eq 21
pix(config)# access-list outbound_policy permit ip any any
pix(config)# access-group outbound_policy in interface inside  

This should cause any traffic with a destination port of 21 to be blocked at the PIX's internal interface. Right?
Assisted Solution

by:lrmoore
lrmoore earned 400 total points
ID: 13466599
FYI: on a PIX FW, your only option is to apply an ACL "in" on any interface.

Author Comment

by:dissolved
ID: 13466664
OK, so when you are trying to prevent your internal clients from doing certain things... you do it by INBOUND ACLs on the INBOUND interface of the PIX.

On the other hand... if you do NOT have a PIX and you only have a router...
You apply the ACLs INBOUND on the INTERNAL interface as well?
Accepted Solution

by:Don Johnston
Don Johnston earned 1600 total points
ID: 13467437
Yes and yes.


Author Comment

by:dissolved
ID: 13469219
Thanks guys. Still a little confused as to why the sniffer capture showed SYNs hitting the target host, then the target host replying with RST. I thought the ACL would prevent the traffic from leaving at all?
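Don's point is that a sniffer on the client side of the PIX always sees the outgoing SYN, so the evidence of the ACL working is the absence of any reply, not the absence of the SYN. The following is an added example, not code from the thread: a small Python classifier that reads a constructed capture (made-up addresses and three hypothetical flows) and separates "dropped in the path", "refused by the peer with RST" and "established".

```python
"""Classify TCP connection attempts as seen by a sniffer on the client
side of a firewall.  Added example; the capture below is constructed."""
from collections import defaultdict

# Constructed sample capture (hypothetical addresses): one record per
# segment, as (client, server, dport, sender, tcp_flags).
CAPTURE = [
    # Case 1: firewall ACL drops the SYN -> client retransmits, no reply ever
    ("10.0.0.5", "203.0.113.10", 21, "client", "S"),
    ("10.0.0.5", "203.0.113.10", 21, "client", "S"),
    ("10.0.0.5", "203.0.113.10", 21, "client", "S"),
    # Case 2: SYN reaches the server, which has nothing listening -> RST/ACK
    ("10.0.0.5", "203.0.113.10", 23, "client", "S"),
    ("10.0.0.5", "203.0.113.10", 23, "server", "RA"),
    # Case 3: normal three-way handshake
    ("10.0.0.5", "203.0.113.10", 80, "client", "S"),
    ("10.0.0.5", "203.0.113.10", 80, "server", "SA"),
    ("10.0.0.5", "203.0.113.10", 80, "client", "A"),
]


def classify(capture):
    """Group segments per (client, server, dport) and give each flow a verdict."""
    flows = defaultdict(list)
    for client, server, dport, sender, flags in capture:
        flows[(client, server, dport)].append((sender, flags))

    verdicts = {}
    for key, segs in flows.items():
        replies = [flags for sender, flags in segs if sender == "server"]
        client_syns = sum(1 for sender, flags in segs
                          if sender == "client" and flags == "S")
        if "SA" in replies:
            verdicts[key] = "established"
        elif any("R" in flags for flags in replies):
            # Something answered with a reset: the SYN got past the sniffer
            # point and reached a host (or a device) that replied.
            verdicts[key] = "refused by peer (RST seen)"
        elif client_syns and not replies:
            # Only SYN retransmits, never a reply: dropped somewhere on the
            # path beyond the sniffer, which is what an ACL deny looks like.
            verdicts[key] = "no reply: dropped in the path (e.g. firewall ACL)"
        else:
            verdicts[key] = "indeterminate"
    return verdicts


if __name__ == "__main__":
    for flow, verdict in classify(CAPTURE).items():
        print(flow, "->", verdict)
```

Whichever verdict the capture gives, the PIX's own counters settle it: `show access-list` reports a hit count per entry, and a rising count on the deny line confirms the SYNs are being dropped there rather than reaching the server.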