  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 275

Setup ACL from lower to higher on PIX

I want to set up an ACL from lower to higher security on PIX for the entire network. The following syntax that I used does not work.

access-list from-vlan34-coming-vlan64 permit tcp 10.30.34.0 255.255.255.0 10.30.64.0 255.255.255.0 eq https
access-list from-vlan34-coming-vlan64 permit tcp 10.30.34.0 255.255.255.0 10.30.64.0 255.255.255.0 eq ssh
access-list from-vlan34-coming-vlan64 permit icmp 10.30.34.0 255.255.255.0 10.30.64.0 255.255.255.0

access-group from-vlan34-coming-vlan64 in interface vlan34

cogit Asked:
1 Solution
 
lrmoore Commented:
Do you have statics set up between vlans?
static (vlan34,vlan64) 10.30.34.0 10.30.34.0 netmask 255.255.255.0
 
cogit (Author) Commented:
No ... Is that all required?
 
lrmoore Commented:
Yes. If you are going from lower to higher, you have to have an xlate. The syntax I posted really just bypasses NAT between those two interfaces, but it has to be there. Notice that it is the higher security IP subnet that is there.
 
cogit (Author) Commented:
My mistake is that 10.30.34.0 is the lower int and 10.30.64.0 is the higher:
vlan34 security30
vlan64 security70

So I should do the following:

static (vlan64,vlan34) 10.30.64.0 10.30.64.0 netmask 255.255.255.0

access-list from-vlan34-coming-vlan64 permit tcp 10.30.64.0 255.255.255.0 10.30.34.0 255.255.255.0 eq https
access-list from-vlan34-coming-vlan64 permit tcp 10.30.64.0 255.255.255.0 10.30.34.0 255.255.255.0 eq ssh
access-list from-vlan34-coming-vlan64 permit icmp 10.30.64.0 255.255.255.0 10.30.34.0 255.255.255.0

access-group from-vlan34-coming-vlan64 in interface vlan34
 
lrmoore Commented:
Where will the connections initiate from?
Vlan 34 or vlan 64?
Source is low 34 to high 64?
If yes, then you need to reverse the ACLs...

access-list from-vlan34-coming-vlan64 permit tcp 10.30.34.0 255.255.255.0 10.30.64.0 255.255.255.0 eq https
                                                                                 ^^                                 ^^
 
cogit (Author) Commented:
I think I'm following you. 10.30.34.0/24, security level 30, requires SSH, HTTP, and ICMP to machines on the 10.30.64.0 network, which is a higher security level. Can you run that sample back again, because when I apply it, the 10.30.34.0 network cannot even ping out to the internet and fails to ping the 10.30.64.0 network.
 
cogit (Author) Commented:
I got it working, but I think I need to add an ACL that allows access to the internet.
 
cogit (Author) Commented:
access-list from_vlan34_coming_vlan64 permit ip any any

I think this worked.
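As an added example (not code from the thread or from Cisco), a small Python helper that generates the static and inbound ACL the thread converges on from the interface security levels, and audits an ACL for the two problems seen above: entries whose source subnet is not on the interface the ACL is bound inbound on (the reversed lines), and a "permit ip any any" that lets everything through. The interface names, security levels and subnets are the ones posted above; the ACL-name format is my own assumption.

```python
import ipaddress

# Interface security levels as posted in the thread (constructed table).
SECURITY = {"vlan34": 30, "vlan64": 70}


def pix_rules(src_if, src_net, dst_if, dst_net, services, security=SECURITY):
    """Emit a PIX 6.x identity 'static' plus the inbound ACL for a flow that
    initiates on src_if toward dst_if. The static names the higher-security
    interface first and lists the higher-security subnet, as lrmoore notes;
    the ACL entries are written source-first from the initiating side."""
    src, dst = ipaddress.ip_network(src_net), ipaddress.ip_network(dst_net)
    if security[dst_if] > security[src_if]:
        high_if, low_if, high_net = dst_if, src_if, dst
    else:
        high_if, low_if, high_net = src_if, dst_if, src
    addr, mask = high_net.network_address, high_net.netmask
    lines = [f"static ({high_if},{low_if}) {addr} {addr} netmask {mask}"]
    name = f"from-{src_if}-to-{dst_if}"  # assumed naming convention
    for proto, port in services:
        port_str = f" eq {port}" if port else ""
        lines.append(f"access-list {name} permit {proto} {src.network_address} "
                     f"{src.netmask} {dst.network_address} {dst.netmask}{port_str}")
    lines.append(f"access-group {name} in interface {src_if}")
    return lines


def audit(acl_lines, ingress_if, ingress_net):
    """Return findings for ACL entries whose source is not on the interface the
    ACL is applied inbound on, and for blanket 'permit ip any any' entries."""
    net = ipaddress.ip_network(ingress_net)
    findings = []
    for line in acl_lines:
        p = line.split()
        if p[:1] != ["access-list"] or len(p) < 6 or p[2] != "permit":
            continue
        if p[3] == "ip" and p[4:6] == ["any", "any"]:
            findings.append(f"{p[1]}: 'permit ip any any' bypasses the whole filter")
        elif p[4] != "any" and ipaddress.ip_address(p[4]) not in net:
            findings.append(f"{p[1]}: source {p[4]} is not on {ingress_if} "
                            f"({ingress_net}); entry looks reversed")
    return findings


if __name__ == "__main__":
    services = [("tcp", "https"), ("tcp", "ssh"), ("icmp", None)]
    for rule in pix_rules("vlan34", "10.30.34.0/24", "vlan64", "10.30.64.0/24", services):
        print(rule)
```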