Only allow certain IP addresses to use the Internet through a Cisco PIX 515E firewall

http://www.experts-exchange.com/Security/Firewalls/Q_21198112.html?query=cisco+pix+no+dhcp&clearTAFilter=true

Firewall setup is mentioned above.

Right now all 20 machines in our office (Windows and Mac) access the Internet through our PIX firewall via static IP addresses. The range is from 192.168.0.2 to 192.168.0.254.

I want this to remain, but the problem is we have tenants below who can easily access the Internet through our firewall by using one of the IP addresses in the range above. I want to set up the network so that only authorized IP addresses can access the Internet through the PIX.

How can this be done?
Asked by: clinthammer
2 Solutions
 
minmei commented:
clinthammer,

Change the NAT translation from the whole network:

nat (inside) 1 192.168.0.0 255.255.255.0 0 0

to the range of static IPs:

nat (inside) 1 192.168.0.0 255.255.255.224 0 0

(This would allow static translations for only 192.168.0.1 to 192.168.0.31)

You could also change your acl_in and allow only traffic from the authorized IPs outbound.

Good luck!
0
 
lrmoore commented:
With an access-list restriction, you can specify each of your 'authorized' users and all others will be denied.

  access-list outbound permit ip host host1 any
  access-list outbound permit ip host host2 any
  access-group outbound in interface inside


Good reference doc:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aad.shtml#topic3

0
 
clinthammer (Author) commented:
Dear All,

Can you give me an example to restrict access to 192.168.0.9, 192.168.0.14, 192.168.0.31? I only want these 3 for now to have access to the internet.

Our most recent config:

write term
Building configuration...
: Saved
:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname MMGFIRE
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list acl_out permit tcp any any eq www
access-list acl_out permit tcp any any eq ftp
access-list acl_out permit tcp any host 192.168.0.49 eq ftp
access-list acl_out permit icmp any any
access-list acl_in permit tcp any any eq www
access-list acl_in permit tcp any any eq telnet
access-list acl_in permit tcp any any eq pop3
access-list acl_in permit tcp any any eq smtp
access-list acl_in permit tcp any any eq ftp
access-list acl_in permit ip any any
access-list acl_in permit icmp any any
pager lines 24
logging on
mtu outside 1500
mtu inside 1500
ip address outside "public ip" 255.255.255.252
ip address inside 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.0.0 255.255.255.0 0 0
alias (inside) 192.168.0.49 "public ip" 255.255.255.255
static (inside,outside) tcp "public ip" ftp 192.168.0.49 ftp netmask 255.255.255.255 0 0
access-group acl_out in interface outside
access-group acl_in in interface inside
route outside 0.0.0.0 0.0.0.0 80.227.104.241 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:b09ce0f58fdc93c4125c766a18eb56f0
: end
[OK]
MMGFIRE(config)#
 
0
 
minmei commented:
Since acl_in is the access-list you use to allow traffic outbound, it should look like this:

access-list acl_in permit tcp host 192.168.0.9 any eq www
access-list acl_in permit tcp host 192.168.0.9 any eq telnet
access-list acl_in permit tcp host 192.168.0.9 any eq pop3
access-list acl_in permit tcp host 192.168.0.9 any eq smtp
access-list acl_in permit tcp host 192.168.0.9 any eq ftp
access-list acl_in permit ip host 192.168.0.9 any
access-list acl_in permit icmp host 192.168.0.9 any
access-list acl_in permit tcp host 192.168.0.14 any eq www
access-list acl_in permit tcp host 192.168.0.14 any eq telnet
access-list acl_in permit tcp host 192.168.0.14 any eq pop3
access-list acl_in permit tcp host 192.168.0.14 any eq smtp
access-list acl_in permit tcp host 192.168.0.14 any eq ftp
access-list acl_in permit ip host 192.168.0.14 any
access-list acl_in permit icmp host 192.168.0.14 any
access-list acl_in permit tcp host 192.168.0.31 any eq www
access-list acl_in permit tcp host 192.168.0.31 any eq telnet
access-list acl_in permit tcp host 192.168.0.31 any eq pop3
access-list acl_in permit tcp host 192.168.0.31 any eq smtp
access-list acl_in permit tcp host 192.168.0.31 any eq ftp
access-list acl_in permit ip host 192.168.0.31 any
access-list acl_in permit icmp host 192.168.0.31 any
0
 
clinthammer (Author) commented:
Thanks.

I'm gonna try it now.

To deny an IP access, can I do this:

access-list acl_in deny tcp host 192.168.0.9 any eq www
0
 
minmei commented:
Absolutely. Once you get the hang of the ACLs you can pretty much do whatever you please.

Remember, though, the order makes a difference. The ACL will trigger on the first match.

Make sure you don't deny traffic and then permit it afterwards; it will always be denied.

Also, there is a default deny any any at the end of each ACL, so if you don't let the traffic through, it will be denied.
0
 
clinthammer (Author) commented:
Problem:

I entered this in the PIX: access-list acl_in deny tcp host 192.168.0.9 any eq www

But for the IP address, I went to the computer with 192.168.0.9 and I still could access the Internet. Did I miss something?
0
 
lrmoore commented:
Depends on the order in which you enter the access-list,
and whether or not you applied the ACL to the interface.
0
 
minmei commented:
lrmoore is right: if you put it at the end of the ACL I provided before, it will have no effect.

First match is the key: the above ACL from my post will allow the traffic before it gets to your ACL line, so yours will be ignored.
0
 
lrmoore commented:
Any luck on this one yet?
0
 
clinthammer (Author) commented:
Sorry, I was away on a family emergency from April 15 until today.

Before I go on, let me clearly mention that I never set up the PIX initially. It was done by an engineer before I was hired into this firm. So whatever I am doing is without experience, but doing my best to get it right, of course with help from EE members :)

I just went through it all and have a question: how do I enter an ACL before another one so that it takes precedence? Or should I just scrap the current acl_in access list and replace it with a specific acl_in for IPs?

For now I plan on testing with one internal ip. As you see the config is in my second post in this thread. I assume this should be the new config to only allow the one internal ip access:

PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname MMGFIRE
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list acl_out permit tcp any any eq www
access-list acl_out permit tcp any any eq ftp
access-list acl_out permit tcp any host 192.168.0.49 eq ftp
access-list acl_out permit icmp any any
access-list acl_in permit tcp host 192.168.0.9 any eq www
access-list acl_in permit tcp host 192.168.0.9 any eq telnet
access-list acl_in permit tcp host 192.168.0.9 any eq pop3
access-list acl_in permit tcp host 192.168.0.9 any eq smtp
access-list acl_in permit tcp host 192.168.0.9 any eq ftp
access-list acl_in permit ip host 192.168.0.9 any
access-list acl_in permit icmp host 192.168.0.9 any
pager lines 24
logging on
mtu outside 1500
mtu inside 1500
ip address outside "public ip" 255.255.255.252
ip address inside 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.0.0 255.255.255.0 0 0
alias (inside) 192.168.0.49 "public ip" 255.255.255.255
static (inside,outside) tcp "public ip" ftp 192.168.0.49 ftp netmask 255.255.255.255 0 0
access-group acl_out in interface outside
access-group acl_in in interface inside
route outside 0.0.0.0 0.0.0.0 80.227.104.241 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:b09ce0f58fdc93c4125c766a18eb56f0
: end
[OK]
MMGFIRE(config)#
0
 
minmei commented:
The above will let in only .9.

It will also stop all FTP to .49.

Even though the outside interface lets FTP come in to the .49 server, the inside interface doesn't let the return traffic out.

You may want to add a line to the acl_in as follows:

access-list acl_in permit tcp host 192.168.0.49 eq ftp any
0
 
clinthammer (Author) commented:
Thanks, that struck me too right after posting. Is there any way I can, without removing the original access list, enter the access list for just 192.168.0.9? I want the ACL for 192.168.0.9 to take precedence rather than removing all the access lists.

Thanks again.
CD
0
 
minmei commented:
Keep the ACLs in a text file, remove one and paste the other, and vice versa.

One ACL to an interface. PIX rules, gotta follow 'em.
0
 
clinthammer (Author) commented:
Going to start working on this today very soon. But before I do, just wondering, is it not enough that I just enter the access list into the PIX? What do you mean by specifically apply the ACL to the interface?

Because I think it's done here in this part of the config:

access-group acl_out in interface outside
access-group acl_in in interface inside
0
 
clinthammer (Author) commented:
Just out of curiosity I removed these lines:

access-list acl_out permit tcp any any eq www
access-list acl_in permit tcp host 192.168.0.9 any eq www

And then wrote to memory and reloaded the PIX. To my surprise I could still surf the web; this is not supposed to happen since I removed www access. :(
0
 
lrmoore commented:
>what do you mean by specifically apply ACL to interface?
By entering these commands, you are applying the ACL to the interface. Whenever you make changes to the ACL, you need to re-apply it to the interface for the changes to take place.

Enter these same commands again, even though they are already there, to re-apply the ACL:
  access-group acl_out in interface outside
  access-group acl_in in interface inside

>Just out of curiosity I removed theese lines:
>To my surprise I could still surf the web
  access-list acl_out permit tcp any any eq www
  access-list acl_in permit tcp host 192.168.0.9 any eq www

That would be the default behavior, and no surprise at all. With no ACLs applied to any interface, the default behavior is to allow all internal users out.
What matters most in any ACL is the order. Consider the following:
1)
  access-list out permit ip any any
  access-list out deny ip host 192.168.0.12 any
  access-group out in interface inside
2)
  access-list out permit ip host 192.168.0.12 any
  access-list out deny ip any any
  access-group out in interface inside

In 1) the host will never be denied because of the permit any any above it.
In 2) you get the desired restriction in that ONLY this host can get out, but the deny any any is not needed due to the implicit deny all at the end of every ACL.

Best practice is to remove and re-enter the entire ACL:
pix(config)#no access-group out in interface inside
pix(config)#no access-list out
pix(config)#access-list outbound permit ip host x.x.x.x any
pix(config)#access-list outbound permit ip host x.x.x.y any
pix(config)#access-group outbound in interface inside

If you only allow tcp as in your early attempts, then you lose the ability to do DNS lookups. There is no harm in allowing "ip" for your selected hosts unless you want to get overly restrictive.
0
 
clinthammer (Author) commented:
Well today I did a test run.

Purpose: Only allow my computer IP 192.168.0.9 to access www, ftp, pop3, smtp.

I took out this from my firewall config:
access-list acl_out permit tcp any any eq www
access-list acl_out permit tcp any any eq ftp
access-list acl_out permit tcp any host 192.168.0.49 eq ftp
access-list acl_out permit icmp any any
access-list acl_in permit tcp any any eq www
access-list acl_in permit tcp any any eq telnet
access-list acl_in permit tcp any any eq pop3
access-list acl_in permit tcp any any eq smtp
access-list acl_in permit tcp any any eq ftp
access-list acl_in permit ip any any
access-list acl_in permit icmp any any

And entered this:

access-list acl_out permit tcp any any eq www
access-list acl_out permit tcp any any eq ftp
access-list acl_out permit tcp any host 192.168.0.49 eq ftp
access-list acl_out permit icmp any any
access-list acl_in permit tcp host 192.168.0.49 eq ftp any
access-list acl_in permit tcp host 192.168.0.9 any eq www
access-list acl_in permit tcp host 192.168.0.9 any eq telnet
access-list acl_in permit tcp host 192.168.0.9 any eq pop3
access-list acl_in permit tcp host 192.168.0.9 any eq smtp
access-list acl_in permit tcp host 192.168.0.9 any eq ftp

Result:

Everyone else could not access the net, pop3 etc. I could only access email. Neither www or ftp would work. I am stumped :(
0
 
clinthammer (Author) commented:
Clarification: I am stumped because only I should be able to access email as well as www and ftp. But I don't know why ftp and www would not work for me :(
0
 
lrmoore commented:
It didn't work for you because you did not allow UDP for DNS.
Add this:
  access-list acl_in permit udp host 192.168.0.9 any eq domain
Re-apply the ACL to the interface:
  access-group acl_in in interface inside
0
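As an added illustration (not code from the thread or from Cisco), a small Python evaluator that applies the PIX first-match rule with the implicit deny to the ACLs posted in this thread: lrmoore's two orderings above, and clinthammer's test-run acl_in, which shows why www failed for 192.168.0.9 until the UDP domain entry was added. The Internet host 198.51.100.10 is a constructed placeholder.

```python
import ipaddress

PORTS = {"www": 80, "ftp": 21, "telnet": 23, "pop3": 110, "smtp": 25, "domain": 53}

def _parse_addr(tokens, i):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D MASK', then an optional 'eq PORT'."""
    if tokens[i] == "any":
        net, i = ipaddress.ip_network("0.0.0.0/0"), i + 1
    elif tokens[i] == "host":
        net, i = ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    else:
        net, i = ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2
    port = None
    if i < len(tokens) and tokens[i] == "eq":
        port, i = int(PORTS.get(tokens[i + 1], tokens[i + 1])), i + 2
    return net, port, i

def parse_acl(config_lines, name):
    """Collect the entries of access-list `name` in the order they were entered."""
    entries = []
    for line in config_lines:
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[1] != name:
            continue
        src, sport, i = _parse_addr(t, 4)
        dst, dport, _ = _parse_addr(t, i)
        entries.append((t[2], t[3], src, sport, dst, dport))
    return entries

def evaluate(entries, proto, src, sport, dst, dport):
    """The first matching entry decides; anything unmatched hits the implicit deny."""
    for action, p, snet, sp, dnet, dp in entries:
        if p != "ip" and p != proto:
            continue
        if ipaddress.ip_address(src) not in snet or ipaddress.ip_address(dst) not in dnet:
            continue
        if (sp is not None and sp != sport) or (dp is not None and dp != dport):
            continue
        return action
    return "deny (implicit)"

# lrmoore's two orderings: in 1) the deny is shadowed by the permit above it.
ORDER_1 = ["access-list out permit ip any any", "access-list out deny ip host 192.168.0.12 any"]
ORDER_2 = ["access-list out permit ip host 192.168.0.12 any", "access-list out deny ip any any"]
# clinthammer's test-run acl_in (the acl_out line is skipped by parse_acl).
TEST_RUN = ["access-list acl_out permit tcp any any eq www",
            "access-list acl_in permit tcp host 192.168.0.49 eq ftp any",
            "access-list acl_in permit tcp host 192.168.0.9 any eq www",
            "access-list acl_in permit tcp host 192.168.0.9 any eq pop3"]
WITH_DNS = TEST_RUN + ["access-list acl_in permit udp host 192.168.0.9 any eq domain"]
EXT = "198.51.100.10"  # constructed placeholder for an Internet host

def decide(config_lines, name, proto, src, sport, dport):
    """Outcome for one flow from an inside host to EXT against the named ACL."""
    return evaluate(parse_acl(config_lines, name), proto, src, sport, EXT, dport)

if __name__ == "__main__":
    print(decide(ORDER_1, "out", "tcp", "192.168.0.12", 1025, 80))    # permit
    print(decide(TEST_RUN, "acl_in", "udp", "192.168.0.9", 1025, 53))  # deny (implicit)
```

It models only the access-list decision on the inside interface; the PIX's own handling of return traffic is not simulated.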
 
minmei commented:
clinthammer,

Your acl_out is also a little strange.

The outside ACL is used to allow traffic that originates from the outside. The PIX already opens holes in the firewall for _return_ traffic.

This is why lrmoore's command above, "access-list acl_in permit udp host 192.168.0.9 any eq domain", will work without a similar command in the acl_out list.

The acl_out list needs only to allow traffic to your servers that are allowing inbound connections, ones originating from the web, like your ftp server.

This entry " access-list acl_out permit tcp any host 192.168.0.49 eq ftp " is good - it allows inbound traffic to your ftp server.

This entry " access-list acl_out permit icmp any any " is good for troubleshooting - it allows pings coming in from the outside.

The others :

access-list acl_out permit tcp any any eq www
access-list acl_out permit tcp any any eq ftp

   allow all internal hosts to be FTP and web servers, and traffic from the outside can get to them. Now in this case right now, this traffic would be denied to all hosts but .9, since you have the internal list active, but it does _not_ allow web and FTP traffic back to your host, because the PIX already does that automatically for you.

Make any sense?
0
 
clinthammer (Author) commented:
I always suspected those lines to be unnecessary but didn't want to risk removing them:
access-list acl_out permit tcp any any eq www
access-list acl_out permit tcp any any eq ftp

So if I remove them then my current ftp server should still work right?

Can someone please try accessing the ftp now that I removed the above two lines:
ftp://ftp.mmg-me.com
username: ta
password: ta

Thanks,
CD
0
 
lrmoore commented:
>So if I remove them then my current ftp server should still work right?

No, your servers will not work if you remove them. I tried and get "page not found" error.
You need to put them back for your servers to work.
0
 
clinthammer (Author) commented:
Actually it's my mistake. I have these two lines in my new config:

static (inside,outside) tcp "public ip" ftp 192.168.0.49 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp "public ip" www 192.168.0.2 www netmask 255.255.255.255 0 0

1st is for our FTP site.
2nd is for our data server so that I can maintain it from abroad.

Hence I need these for them to work:
access-list acl_out permit tcp any any eq www
access-list acl_out permit tcp any any eq ftp

Will reply shortly. Am working on the firewall now.
0
 
lrmoore commented:
You can make them more specific but it does not really matter. Keeping it "any any" will let you pop up another web site with just a new static xlate.

Example of a more specific ACL:

  access-list acl_out permit tcp any host "public ip" eq www
  access-list acl_out permit tcp any host "public ip" eq ftp
0
 
minmei commented:
Now wait just a minute! :)

lrmoore, if you look in my above post, he already had a specific line in for his FTP server:

>This entry " access-list acl_out permit tcp any host 192.168.0.49 eq ftp " is good - it allows inbound traffic to your ftp server.

So I was just trying to let him know that the other two didn't have to be there to allow his outbound (to internet) traffic back in.

He already has the "more specific acl" in his list.

Now, with the new knowledge about the web server at 192.168.0.2, then you're correct about adding the www line back in.

As for the "public ip" part, that was my assumption that those _were_ public ip's changed to protect the innocent. I should not have assumed the change.

lrmoore's last post is right on: the "public ip" lines are important. They allow traffic originating from the Internet in to those servers.

0
 
lrmoore commented:
OK, let's try to get this back on the right track...
<8-}

Since the acl_out is applied to the outside interface (I always get confused with interpretations of in/out)

access-group acl_out in interface outside

access-list acl_out permit tcp any any eq www <== any www service with static = OK
access-list acl_out permit tcp any any eq ftp  <== any ftp server with static = OK
access-list acl_out permit tcp any host 192.168.0.49 eq ftp <== not necessary, won't work, can go away
access-list acl_out permit icmp any any  <== OK

So, the wrong lines were pulled from the access-list that is controlling access from the outside to the inside hosts.
Needed:
  access-list acl_out permit tcp any any eq www
  access-list acl_out permit tcp any any eq ftp

Not needed, can be removed:
  access-list acl_out permit tcp any host 192.168.0.49 eq ftp

0
 
clinthammer (Author) commented:
Thanks everyone, especially lrmoore and minmei, because your accepted answers combined helped me as a solution. I tested it today and it worked for my computer's IP. I will do it for everyone's now and ring back if I have any problems.

CD
0
