AM6_Networks_AdamL
Cisco PIX Inbound Policy

I've tried searching on EE for this answer but because I'm not that much of a PIX expert -I only understand IOS syntax and basic firewall rules- I couldn't really solve my problem.  So, if the answer is blatantly already available try not to flame me too much...

I've got a client with a PIX that has a bunch of web servers in the DMZ with existing policies to allow SMTP and web traffic to those servers.  However, they have a box on the LAN they'd like to open full access to for a very short period of time and I can't seem to figure out how to write it into the config.  Based on all the configs that were already on the system, I tried to do the following:

static (inside, outside) 65.xx.aa.bb 192.168.ff.gg netmask 255.255.255.255

Then for the actual policy:

access-list outside_access_in permit tcp host [ip of origin client] host 65.xx.aa.bb eq telnet

We had the remote user try telnet and it didn't work; I also found out they needed access for a few hours to a million other ports so tried changing the policy to:

access-list outside_access_in permit tcp any host 65.xx.aa.bb

(I used "any" in case they weren't originating from the IP they thought they were.)

And this still didn't work so here I am.  Anyone see what I'm doing wrong?

Thanks!
nodisco

hi there

First of all
Is the access-list "outside_access_in" the same name as all the other servers on the DMZ are accessed under?
It needs to be as only 1 access-list name is referenced per interface - so if you already have an access list that is allowing access to servers in the DMZ from outside, you need to use the exact same access-list name.

Secondly
Is the 65.xx.aa.bb definitely a free available address in your IP range?  It cannot be already used or be the IP address of your PIX outside interface - (If you don't have a free address there are workarounds)

Thirdly
Access-lists work top to bottom until they find a match.  If there is a deny access-list entry that appears above your access-list entry - then yours will not be read.  At the PIX type
sh access-list
And look at the line numbers of the access-lists.
You may need to remove yours and reinsert it with a line number so that it comes in before a deny statement:
e.g.
access-list outside_access_in line 15 permit tcp host [ip of origin client] host 65.xx.aa.bb eq telnet

hope this helps
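To put the three checks above into one sequence, here is the full set of PIX (6.3-style) commands as an added example for this page; it is not the poster's config and not taken from the thread. It keeps the page's own placeholder addresses (65.xx.aa.bb and 192.168.ff.gg), assumes the interfaces are named inside and outside, assumes outside_access_in is the one ACL bound to the outside interface, uses 203.0.113.10 as a stand-in for the remote client's origin address, and uses line 15 only because the reply above used it as an illustration; the real line number comes from the output of show access-list on the box. Lines starting with "!" are annotations, not commands to paste.

```cisco
! 1. One-to-one static NAT: public 65.xx.aa.bb <-> LAN host 192.168.ff.gg
!    (placeholder addresses kept from the original post)
static (inside,outside) 65.xx.aa.bb 192.168.ff.gg netmask 255.255.255.255

! 2. Inspect the existing inbound ACL first. The PIX evaluates entries top to
!    bottom and stops at the first match; every entry shows a hit counter
!    (hitcnt=N), so a new entry whose counter never moves is either shadowed
!    by an earlier line or the ACL is not bound to the interface at all.
show access-list outside_access_in

! 3. Insert the permit above any broader deny. 203.0.113.10 is an assumed
!    stand-in for the remote client's real source address; line 15 is
!    illustrative, pick it from the output of step 2. Use "ip" instead of
!    "tcp" if the remote user also needs UDP or ICMP during the window.
access-list outside_access_in line 15 permit tcp host 203.0.113.10 host 65.xx.aa.bb eq telnet
access-list outside_access_in line 16 permit ip host 203.0.113.10 host 65.xx.aa.bb

! 4. An access-list does nothing until access-group binds it to an interface.
!    If outside_access_in is already bound this is a no-op; if a differently
!    named ACL is bound to outside, that ACL is the one the new lines belong in.
access-group outside_access_in in interface outside

! 5. Existing translations are not rebuilt when a static is added. Clear the
!    xlate table so the new static is actually used, then verify it.
clear xlate
show xlate
show static

! 6. When the window closes, pull the wide-open line and the static again
!    (a "no" form of the exact ACE removes just that entry).
no access-list outside_access_in permit ip host 203.0.113.10 host 65.xx.aa.bb
no static (inside,outside) 65.xx.aa.bb 192.168.ff.gg netmask 255.255.255.255
```

A quick way to see which of the three checks is failing: run show access-list while the remote user retries. If the hit counter on the new line stays at zero, the packet is being matched by an earlier entry or never reaching that ACL; if it increments but the session still fails, the problem is on the NAT side (a stale xlate, or the static address already in use elsewhere).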

AM6_Networks_AdamL (asker)

First: the access lists are different for the DMZ, it's something like outside_access_dmz; which I'm not dealing with since this unit is inside the LAN (..I know, security risks..).

Second: Yes, it is a free address, it's not your typical SOHO deployment, the customer has a wide range of IPs.

Third: I'll try running that sh access-list and see if there is any sort of a deny policy.  I'll update asap.

Thanks a lot.
ASKER CERTIFIED SOLUTION
nodisco

This solution is only available to members.
You need two access lists:

1. Allow traffic from outside to Lan
2. Allow the same from LAN to outside to make it work

FYI

<<2. Allow the same from LAN to outside to make it work

You don't need an access-list to permit traffic from inside to out on a PIX.  The PIX ASA algorithm dictates that all traffic from a more secure interface can flow to a less secure one by default.  The static below is giving a 1-to-1 NAT translation for the LAN server to outside.

static (inside, outside) 65.xx.aa.bb 192.168.ff.gg netmask 255.255.255.255
I'm still waiting for field techs to report with sh access-list and possibly a sh run just so we can all be on the same page here.  Sorry for the delays, this is definitely important to us and I'll post as quickly as possible.

Thanks
Take your time!