Solved

Access-list question about filtering traffic

Posted on 2005-04-18
Last Modified: 2008-01-09
I am trying to prevent several computers from accessing the internet directly, namely their www traffic.  We have a filtering proxy, Symantec Web Security, and have their IE locked down to pass through the proxy. Unfortunately they have decided to load Mozilla.  They are smart enough to think about this, but still too ignorant, and have downloaded keyboard loggers and other spyware to their machines.  I have created the following:

object-group network FilteredPC
  network-object host 192.168.1.101
  network-object host 192.168.1.22
  network-object host 192.168.1.24
  network-object host 192.168.1.25
access-list inside_access_out deny ip any object-group FilteredPC
access-list inside_access_out permit ip any any
access-group inside_access_out in interface inside

I believed there was an implied deny after any permit and once an access list is hit, the system did not go on to any other rules.
What happens is that if the permit statement is not there, it works fine and does not allow them through the firewall, however neither can anyone else.  So I put the permit in to allow the others, but then the systems in the FilteredPC list are also permitted.  What am I missing?
Any help is appreciated.

Brian

This is urgent as these people keep bypassing the filter and are placing the whole network in a vulnerable state.
Question by: brian_appliedcpu

Expert Comment by: lrmoore (ID: 13805306)
Access-lists are processed top-down until first match.
There is an implied deny all at the end of every ACL, not just after a permit.
Consider the effects of your acl.

This line alone blocks EVERYONE:
 access-list inside_access_out deny ip any object-group FilteredPC
 
This access list will block the filtered PCs and let anyone else get out:
access-list inside_access_out deny ip any object-group FilteredPC
access-list inside_access_out permit ip any any

Just remember that any time you change an ACL, you may need to recreate it from scratch to get things in the correct order, then always re-apply the ACL to the interface. This is the way I would do it:

no access-list inside_access_out
clear xlate
access-list inside_access_out deny ip any object-group FilteredPC
access-list inside_access_out permit ip any any
access-group inside_access_out in interface inside


Author Comment by: brian_appliedcpu (ID: 13805440)
How is that different from what I have already?

I had cleared the xlates and it appears in the proper order in a show run.

Expert Comment by: lrmoore (ID: 13805510)
It is no different except for possibly re-applying the ACL to the interface.

Start with this:

access-list inside_access_out deny ip any object-group FilteredPC
access-group inside_access_out in interface inside

Nobody gets access.
Add this:
access-list inside_access_out permit ip any any

Your config looks right, but does not function fully until you re-apply it to the interface.
Yes, this command is shown in the config, but you made changes to the ACL after it was input, so input it AGAIN:
  access-group inside_access_out in interface inside

It "should" work for you just this way..

Author Comment by: brian_appliedcpu (ID: 13811838)
It still doesn't work.
Sorry for the delay, I needed to wait till they left the office to test it.
Without the access-list inside_access_out permit ip any any it works fine, but then nobody can get to the web.
With it, everyone can get to the web.
What am I not seeing?

bkl

Accepted Solution by: lrmoore (earned 2000 total points, ID: 13818372)
All I can tell you is that it should work.

This is probably 3rd or 4th Q on this same thing this week
http://www.experts-exchange.com/Networking/Q_21360900.html#13758439

Can you post results of "show access-list" ?

Author Comment by: brian_appliedcpu (ID: 13818578)
Problem solved...actually before you posted your answer, but since it is a correct answer I will give you the points for doing the homework.
Thanks...

I mixed up the SIP and DIP.
It should have been

access-list inside_access_out deny ip object-group FilteredPC any

not

access-list inside_access_out deny ip any object-group FilteredPC

Thanks anyway.
 
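As an added example (not from the thread or from any of the posters), the following Python script models the PIX's top-down, first-match evaluation with the implicit deny at the end, and runs both the ACL as first posted and the corrected one against a packet from a filtered PC to a web server. It assumes 203.0.113.10 as a stand-in for any Internet web server, ignores ports, protocols and the firewall's stateful handling of return traffic, and only understands the `any`, `host` and `object-group` address forms that appear on this page.

```python
"""Simulate top-down, first-match evaluation of a PIX-style access-list.

Constructed example: the object-group and the two ACL variants below are
taken from the thread; 203.0.113.10 stands in for a web server on the
Internet (TEST-NET-3, an assumption, not an address from the page).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Hosts from the question's "object-group network FilteredPC".
OBJECT_GROUPS: Dict[str, List[str]] = {
    "FilteredPC": ["192.168.1.101", "192.168.1.22", "192.168.1.24", "192.168.1.25"],
}


@dataclass
class Ace:
    """One access-control entry: action plus source and destination specs."""
    action: str             # "permit" or "deny"
    src: Tuple[str, str]    # ("any", ""), ("host", ip) or ("object-group", name)
    dst: Tuple[str, str]


def _take_spec(tokens: List[str], pos: int) -> Tuple[Tuple[str, str], int]:
    """Consume one address spec starting at tokens[pos]; return (spec, next pos)."""
    kind = tokens[pos]
    if kind == "any":
        return ("any", ""), pos + 1
    if kind in ("host", "object-group"):
        return (kind, tokens[pos + 1]), pos + 2
    raise ValueError(f"unsupported address spec at {tokens[pos:]}")


def parse_acl(lines: List[str]) -> List[Ace]:
    """Parse 'access-list NAME permit|deny ip SRC DST' lines, keeping their order."""
    acl: List[Ace] = []
    for line in lines:
        tok = line.split()
        if tok[:1] != ["access-list"] or len(tok) < 6 or tok[3] != "ip":
            raise ValueError(f"not an 'access-list ... ip' line: {line}")
        action = tok[2]
        if action not in ("permit", "deny"):
            raise ValueError(f"bad action in: {line}")
        src, pos = _take_spec(tok, 4)
        dst, pos = _take_spec(tok, pos)
        if pos != len(tok):
            raise ValueError(f"trailing tokens in: {line}")
        acl.append(Ace(action, src, dst))
    return acl


def _matches(spec: Tuple[str, str], addr: str) -> bool:
    kind, value = spec
    if kind == "any":
        return True
    if kind == "host":
        return addr == value
    return addr in OBJECT_GROUPS[value]   # kind == "object-group"


def evaluate(acl: List[Ace], src_ip: str, dst_ip: str) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching ACE); processing stops at first match.

    If no ACE matches, the implicit deny at the end of every ACL applies and
    the index is None.
    """
    for idx, ace in enumerate(acl):
        if _matches(ace.src, src_ip) and _matches(ace.dst, dst_ip):
            return ace.action, idx
    return "deny", None


# The ACL exactly as first posted: source and destination swapped.
WRONG_ACL = parse_acl([
    "access-list inside_access_out deny ip any object-group FilteredPC",
    "access-list inside_access_out permit ip any any",
])

# The corrected ACL from the final comment.
FIXED_ACL = parse_acl([
    "access-list inside_access_out deny ip object-group FilteredPC any",
    "access-list inside_access_out permit ip any any",
])

WEB_SERVER = "203.0.113.10"   # constructed stand-in for an Internet web server


def outbound_web(acl: List[Ace], client_ip: str) -> str:
    """Decision for a packet from an inside client to the web server, as seen by
    an ACL applied 'in' on the inside interface (the client is the SOURCE)."""
    return evaluate(acl, client_ip, WEB_SERVER)[0]


if __name__ == "__main__":
    for name, acl in (("wrong", WRONG_ACL), ("fixed", FIXED_ACL)):
        for client in ("192.168.1.101", "192.168.1.50"):
            print(f"{name} ACL, {client} -> web: {outbound_web(acl, client)}")
    # With only the deny line present nobody matches, so the implicit deny wins.
    print("deny-only ACL, 192.168.1.50 -> web:",
          evaluate(WRONG_ACL[:1], "192.168.1.50", WEB_SERVER))
```

An ACL applied `in` on the inside interface evaluates packets leaving the inside hosts, so those hosts are the source. `deny ip any object-group FilteredPC` therefore only matches packets sent to one of the filtered PCs; a web-bound packet from 192.168.1.101 falls through to `permit ip any any`, and with the permit line removed it falls off the end into the implicit deny along with everyone else's traffic. On the firewall itself the same diagnosis comes from the `show access-list` output lrmoore asked for: the hit count on the deny entry stays at zero while the permit entry keeps climbing.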
Expert Comment by: lrmoore (ID: 13818601)
D'OH! My eyes are getting too old!

Thanks!