
inside to outside

Can someone tell me if this access list (from a PIX 515) controls access from the inside to the outside interface?

access-group 110 in interface outside
access-group 120 in interface dmz

MA5# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 1024)
            alert-interval 300
access-list 110; 28 elements
access-list 110 line 1 permit icmp any any (hitcnt=1722653)
access-list 110 line 2 permit tcp any host 61.191.191.212 eq smtp (hitcnt=453)
access-list 110 line 3 permit tcp any host 61.191.191.212 eq www (hitcnt=218652)
access-list 110 line 4 permit tcp any host 61.191.191.212 eq pop3 (hitcnt=7)
access-list 110 line 5 permit tcp any host 61.191.191.214 eq ftp (hitcnt=365)
access-list 110 line 6 permit tcp any host 61.191.191.214 eq www (hitcnt=108422)
access-list 110 line 7 permit tcp any host 61.191.191.214 eq 3389 (hitcnt=86)
access-list 110 line 8 permit tcp any host 61.191.191.215 eq www (hitcnt=204180)
access-list 110 line 9 permit tcp any host 61.191.191.219 eq citrix-ica (hitcnt=21865)
access-list 110 line 10 permit tcp any host 61.191.191.219 eq 2604 (hitcnt=0)
access-list 110 line 11 permit tcp any host 61.191.191.226 eq ftp (hitcnt=1485)
access-list 110 line 12 permit tcp any host 61.191.191.226 eq www (hitcnt=57753)
access-list 110 line 13 permit tcp any host 61.191.191.213 eq ssh (hitcnt=333255)
access-list 110 line 14 permit tcp any host 61.191.191.213 eq www (hitcnt=47774)
access-list 110 line 15 permit tcp any host 61.191.191.217 eq ftp (hitcnt=1101)
access-list 110 line 26 permit tcp any host 61.191.191.217 eq www (hitcnt=1074)
access-list 110 line 17 permit tcp any host 61.191.191.217 eq 3389 (hitcnt=34)
access-list 110 line 18 permit udp any host 61.191.191.218 eq domain (hitcnt=570028)
access-list 110 line 19 permit tcp any host 61.191.191.218 eq domain (hitcnt=10)
access-list 110 line 20 permit tcp any host 61.191.191.220 eq www (hitcnt=2488)
access-list 110 line 21 permit tcp any host 61.191.191.220 eq https (hitcnt=300)
access-list 110 line 22 permit tcp any host 61.191.191.214 eq https (hitcnt=64762)
access-list 110 line 23 permit tcp any host 61.191.191.220 eq 8080 (hitcnt=701)
access-list 110 line 24 permit tcp any host 61.191.191.214 eq ssh (hitcnt=302)
access-list 110 line 25 permit tcp any host 61.191.191.214 eq 1433 (hitcnt=4879564)
access-list 110 line 26 permit tcp any host 61.191.191.215 eq domain (hitcnt=11)
access-list 110 line 27 permit tcp any host 61.191.191.215 eq smtp (hitcnt=431381)
access-list 110 line 28 permit tcp any host 61.191.191.215 eq pop3 (hitcnt=2451)
access-list 120; 4 elements
access-list 120 line 1 permit icmp any any (hitcnt=39426)
access-list 120 line 2 permit ip any any (hitcnt=908550)
access-list 120 line 3 permit tcp any any (hitcnt=0)
access-list 120 line 4 permit udp any any (hitcnt=0)
access-list 150; 6 elements
access-list 150 line 1 permit ip 10.1.1.0 255.255.255.0 172.61.229.0 255.255.255.0 (hitcnt=114931)
access-list 150 line 2 permit ip 10.1.1.0 255.255.255.0 205.223.113.0 255.255.255.0 (hitcnt=31318)
access-list 150 line 3 permit ip 10.1.1.0 255.255.255.0 205.223.115.0 255.255.255.0 (hitcnt=6405)
access-list 150 line 4 permit ip host 192.168.4.1 205.223.113.0 255.255.255.0 (hitcnt=358)
access-list 150 line 5 permit ip 10.1.1.0 255.255.255.0 172.61.248.0 255.255.255.0 (hitcnt=1146)
access-list 150 line 6 permit ip 10.1.1.0 255.255.255.0 172.61.249.0 255.255.255.0 (hitcnt=452)
access-list nonat; 12 elements
access-list nonat line 1 permit ip 10.1.1.0 255.255.255.0 172.61.229.0 255.255.255.0 (hitcnt=4097083)
access-list nonat line 2 permit ip 10.1.1.0 255.255.255.0 205.223.113.0 255.255.255.0 (hitcnt=2615)
access-list nonat line 3 permit ip 10.1.1.0 255.255.255.0 205.223.115.0 255.255.255.0 (hitcnt=587)
access-list nonat line 4 permit ip host 192.168.4.1 205.223.113.0 255.255.255.0 (hitcnt=0)
access-list nonat line 5 permit ip 10.1.1.0 255.255.255.0 172.61.249.0 255.255.255.0 (hitcnt=5388)
access-list nonat line 6 permit ip 10.1.1.0 255.255.255.0 172.61.248.0 255.255.255.0 (hitcnt=43750)
access-list nonat line 7 permit ip 172.26.0.0 255.255.0.0 192.168.254.0 255.255.255.0 (hitcnt=8)
access-list nonat line 8 permit ip 10.0.0.0 255.0.0.0 192.168.254.0 255.255.255.0 (hitcnt=848478)
access-list nonat line 9 permit ip 192.168.254.0 255.255.255.0 10.0.0.0 255.0.0.0 (hitcnt=0)
access-list nonat line 10 permit ip 192.168.254.0 255.255.255.0 172.26.0.0 255.255.0.0 (hitcnt=0)
access-list nonat line 11 permit ip 192.168.254.0 255.255.255.0 192.168.4.0 255.255.255.0 (hitcnt=0)
access-list nonat line 12 permit ip 192.168.4.0 255.255.255.0 192.168.254.0 255.255.255.0 (hitcnt=476710)

 MA5#  

Asked by Donnie4572

campbelc commented:
Nope, looks to be allowing only certain ports from the outside in.

You may think so because of the "access-group 110 in interface outside" command, but this is just assigning the 110 access-list to the outside interface.
lrmoore commented:
>Can someone tell me if this access list (from pix 515) controls access from inside to outside interface?

>access-group 110 in interface outside
>access-group 120 in interface dmz
Given the access-group statements above, I can say unequivocally that there is NO access control from inside to the outside.

Access-list 110 controls what can come in the outside interface for public access to your web and email servers.
Access-list 120 controls what the hosts in the DMZ can do. Since one line is "permit ip any any", it pretty much defeats the whole purpose of having an access-list to start with.

Access-list 150 appears to support a VPN tunnel.
Access-list nonat also supports the VPN tunnel, bypassing NAT through the tunnel.

What is your real question? Are you having a problem that you need help solving?

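The point lrmoore makes above (an access-group binds an ACL to one interface in one direction, the inside interface has no ACL at all, and a "permit ip any any" makes every later entry in ACL 120 dead) can be checked mechanically. The following is an added example, not code from the thread or from Cisco: it parses a trimmed copy of the asker's `access-group` commands and `show access-list` output (embedded below as a constructed sample), reports which interfaces have no ACL, which bound ACL is effectively wide open, which entries are shadowed, and which ACLs exist without being bound to an interface. The `interfaces` tuple is an assumption about the box's interface names.

```python
import re
from collections import defaultdict

# Constructed sample: a few lines copied from the access-group commands and the
# "show access-list" output in the question (the full listing is much longer).
SAMPLE_CONFIG = """\
access-group 110 in interface outside
access-group 120 in interface dmz
"""

SAMPLE_SHOW = """\
access-list 110; 28 elements
access-list 110 line 1 permit icmp any any (hitcnt=1722653)
access-list 110 line 2 permit tcp any host 61.191.191.212 eq smtp (hitcnt=453)
access-list 110 line 25 permit tcp any host 61.191.191.214 eq 1433 (hitcnt=4879564)
access-list 120; 4 elements
access-list 120 line 1 permit icmp any any (hitcnt=39426)
access-list 120 line 2 permit ip any any (hitcnt=908550)
access-list 120 line 3 permit tcp any any (hitcnt=0)
access-list 120 line 4 permit udp any any (hitcnt=0)
access-list 150; 6 elements
access-list 150 line 1 permit ip 10.1.1.0 255.255.255.0 172.61.229.0 255.255.255.0 (hitcnt=114931)
access-list nonat; 12 elements
access-list nonat line 1 permit ip 10.1.1.0 255.255.255.0 172.61.229.0 255.255.255.0 (hitcnt=4097083)
"""

# One access-control entry (ACE) as printed by "show access-list" on PIX 6.x.
ACE_RE = re.compile(
    r"^access-list (\S+) line (\d+) (permit|deny) (\S+) (.*?) \(hitcnt=(\d+)\)$")
GROUP_RE = re.compile(r"^access-group (\S+) (in|out) interface (\S+)$")


def parse_show_access_list(text):
    """Map ACL name -> list of ACE dicts, in the order the PIX evaluates them."""
    acls = defaultdict(list)
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if not m:          # "; N elements" summaries and pager prompts are skipped
            continue
        name, num, action, proto, match, hits = m.groups()
        acls[name].append({"line": int(num), "action": action, "proto": proto,
                           "match": match, "hits": int(hits)})
    return dict(acls)


def parse_access_groups(text):
    """Map interface name -> (ACL name, direction) from access-group commands."""
    groups = {}
    for line in text.splitlines():
        m = GROUP_RE.match(line.strip())
        if m:
            name, direction, iface = m.groups()
            groups[iface] = (name, direction)
    return groups


def audit(config_text, show_text, interfaces=("outside", "inside", "dmz")):
    """Answer the thread's questions: which interfaces are filtered, which ACL is
    effectively 'permit ip any any', which ACEs are shadowed (never reachable),
    and which ACLs exist but are not bound to any interface."""
    acls = parse_show_access_list(show_text)
    groups = parse_access_groups(config_text)
    report = {"unfiltered": [], "any_any": {}, "shadowed": {}, "unreferenced": []}
    for iface in interfaces:
        if iface not in groups:
            # No access-group: only the security-level default (higher to lower
            # allowed, lower to higher denied) decides what crosses this interface.
            report["unfiltered"].append(iface)
            continue
        name, _direction = groups[iface]
        any_any_line = None
        for ace in acls.get(name, []):
            if any_any_line is not None:
                # Everything after a "permit ip any any" can never be matched.
                report["shadowed"].setdefault(iface, []).append(ace["line"])
            elif ace["action"] == "permit" and ace["proto"] == "ip" and ace["match"] == "any any":
                any_any_line = ace["line"]
                report["any_any"][iface] = (name, any_any_line)
    bound = {name for name, _ in groups.values()}
    # Unbound ACLs are typically consumed by "nat 0 access-list" or a crypto map.
    report["unreferenced"] = sorted(set(acls) - bound)
    return report


if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONFIG, SAMPLE_SHOW).items():
        print(f"{key}: {value}")
```

Run against the real `show access-list` and `show running-config` output, the `unfiltered` list is the direct answer to the original question: an interface that appears there has no ACL, so the only thing deciding inside-to-outside traffic is the interface security level. The hit counters on the shadowed entries of ACL 120 (both 0 in the asker's output) corroborate what the parser reports.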
Donnie4572 (author) commented:
Thank you for your comments. lrmoore, you are right, I should have asked my "real" question. I added a subnet to the LAN and I needed to allow that IP out to the internet. I have worked with firewalls and routers but nothing like the PIX. I called Cisco and they gave me this solution:

nat (newsubnet) 1 0 0
clea xlate
clear arp
write mem

Once I did this traffic to the internet opened.

Can you tell me why nat had to be set on the new interface and traffic was blocked until nat was set? Also, shouldn't I have a choice if I want to use nat or not? Can I use nat on one interface and not on the other?

Could I have done this to allow internet traffic out:

no nat (newsubnet) 1 0 0
clea xlate
clear arp
write mem

Donnie
lrmoore commented:
See my post in your other question. It might clear things up. I basically showed you how to do the same thing.
Yes, you can choose which traffic to nat, and which traffic not to nat.
There are two methods with PIX. One is the special nat "zero" which is used primarily for VPNs. We can see in your post above the "nonat" acl, and I'll bet it is applied thusly:
  nat (inside) 0 access-list nonat
                   ^ This is nat "zero"

You can also selectively nat between interfaces. Set up a static network nat with the same network on both sides and you bypass nat. For example, if you want all traffic from inside private LAN to talk to dmz private LAN by native private IP without natting:
  static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
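The two posts above describe the PIX translation lookup that explains the asker's experience: a flow is first checked against the nat "zero" exemption ACL, then against static translations (an identity static such as `static (inside,dmz) 10.1.1.0 10.1.1.0` leaves the address unchanged), then against dynamic `nat`/`global`, and on PIX 6.x a flow that matches none of them is dropped rather than forwarded untranslated, which is why traffic from the new subnet only opened once `nat (newsubnet) 1 0 0` existed. The model below is an added example, not code from the thread or from Cisco, and it is deliberately simplified (no port translation, no policy NAT, no `global` pool handling beyond one address). The `192.168.5.0/24` "newsubnet" range, the `203.0.113.1` global address and the `198.51.100.20` destination are constructed documentation-range values; the `build_model()` config is a hypothetical assembly of the commands quoted in the thread.

```python
import ipaddress


class PixNatModel:
    """Minimal model of PIX 6.x translation lookup: NAT exemption (nat 0
    access-list) first, then static translations, then dynamic nat/global,
    and a drop when nothing matches (the 'no translation group' case).
    Assumption: every flow crossing a nat-enabled interface needs a match."""

    def __init__(self):
        self.exempt = []   # (interface, src_net, dst_net) from "nat (if) 0 access-list"
        self.statics = []  # (inside_if, outside_if, mapped_net, real_net)
        self.dynamic = {}  # interface -> global address for "nat (if) 1 0 0"

    def nat0_acl(self, iface, src_net, dst_net):
        self.exempt.append((iface, ipaddress.ip_network(src_net),
                            ipaddress.ip_network(dst_net)))

    def static(self, inside_if, outside_if, mapped_net, real_net):
        self.statics.append((inside_if, outside_if, ipaddress.ip_network(mapped_net),
                             ipaddress.ip_network(real_net)))

    def nat_dynamic(self, iface, global_ip):
        self.dynamic[iface] = global_ip

    def remove_dynamic(self, iface):       # "no nat (iface) 1 0 0"
        self.dynamic.pop(iface, None)

    def decide(self, src_iface, dst_iface, src_ip, dst_ip):
        """Return (rule kind, source address as seen on dst_iface)."""
        src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        for iface, s_net, d_net in self.exempt:
            if iface == src_iface and src in s_net and dst in d_net:
                return ("nat0-exempt", src_ip)           # address untouched
        for in_if, out_if, mapped, real in self.statics:
            if (in_if, out_if) == (src_iface, dst_iface) and src in real:
                # Identity static (mapped == real) yields the same address.
                offset = int(src) - int(real.network_address)
                return ("static", str(mapped.network_address + offset))
        if src_iface in self.dynamic:
            return ("dynamic", self.dynamic[src_iface])
        return ("drop-no-translation", None)


def build_model():
    """Hypothetical config assembled from the commands quoted in the thread."""
    m = PixNatModel()
    m.nat0_acl("inside", "10.1.1.0/24", "172.61.229.0/24")  # nonat line 1
    m.static("inside", "dmz", "10.1.1.0/24", "10.1.1.0/24")  # identity static
    m.nat_dynamic("inside", "203.0.113.1")   # nat (inside) 1 0 0 + global (assumed)
    return m


def newsubnet_scenario():
    """Replays the asker's experience for a host on the hypothetical
    192.168.5.0/24 'newsubnet' interface reaching an Internet address."""
    m = build_model()
    before = m.decide("newsubnet", "outside", "192.168.5.10", "198.51.100.20")
    m.nat_dynamic("newsubnet", "203.0.113.1")   # nat (newsubnet) 1 0 0
    after = m.decide("newsubnet", "outside", "192.168.5.10", "198.51.100.20")
    m.remove_dynamic("newsubnet")               # no nat (newsubnet) 1 0 0
    removed = m.decide("newsubnet", "outside", "192.168.5.10", "198.51.100.20")
    return before, after, removed


if __name__ == "__main__":
    m = build_model()
    print("inside->VPN peer :", m.decide("inside", "outside", "10.1.1.5", "172.61.229.9"))
    print("inside->dmz      :", m.decide("inside", "dmz", "10.1.1.5", "10.2.2.2"))
    print("inside->Internet :", m.decide("inside", "outside", "10.1.1.5", "198.51.100.20"))
    print("newsubnet before/after/removed:", newsubnet_scenario())
```

`newsubnet_scenario()` answers the asker's last question directly: with no `nat` statement the flow is dropped, adding `nat (newsubnet) 1 0 0` makes it a dynamic translation, and `no nat (newsubnet) 1 0 0` just returns it to the dropped state. Choosing not to translate a given interface pair is done with the first two mechanisms (an exemption ACL or an identity static), not by omitting `nat`.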