  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 239
Cisco PIX Inbound Policy

I've tried searching on EE for this answer but because I'm not that much of a PIX expert (I only understand IOS syntax and basic firewall rules) I couldn't really solve my problem.  So, if the answer is blatantly already available, try not to flame me too much...

I've got a client with a PIX that has a bunch of web servers in the DMZ with existing policies to allow SMTP and web traffic to those servers.  However, they have a box on the LAN they'd like to open full access to for a very short period of time and I can't seem to figure out how to write it into the config.  Based on all the configs that were already on the system, I tried to do the following:

static (inside, outside) 65.xx.aa.bb 192.168.ff.gg netmask

Then for the actual policy:

access-list outside_access_in permit tcp host [ip of origin client] host 65.xx.aa.bb eq telnet

We had the remote user try telnet and it didn't work; I also found out they needed access for a few hours to a million other ports so tried changing the policy to:

access-list outside_access_in permit tcp any host 65.xx.aa.bb
(with any as the source, in case they weren't originating from the IP they thought they were)

And this still didn't work so here I am.  Anyone see what I'm doing wrong?

1 Solution
hi there

First of all
Is the access-list "outside_access_in" the same name as all the other servers on the DMZ are accessed under?
It needs to be as only 1 access-list name is referenced per interface - so if you already have an access list that is allowing access to servers in the DMZ from outside, you need to use the exact same access-list name.

Is the 65.xx.aa.bb definitely a free available address in your IP range?  It cannot be already used or be the IP address of your PIX outside interface (if you don't have a free address there are workarounds).

Access-lists work top-down until they find a match.  If there is a deny access-list entry that appears above your entry, then yours will not be read.  At the PIX type
sh access-list
and look at the line numbers of the access-list entries.
You may need to remove yours and reinsert it with a line number so that it comes in before a deny statement:
access-list outside_access_in line 15 permit tcp host [ip of origin client] host 65.xx.aa.bb eq telnet

hope this helps

AM6_Networks_AdamL (Author) commented:
First: the access lists are different for the DMZ; it's something like outside_access_dmz, which I'm not dealing with since this unit is inside the LAN (..I know, security risks..).

Second: Yes, it is a free address; it's not your typical SOHO deployment, the customer has a wide range of IPs.

Third: I'll try running that sh access-list and see if there is any sort of a deny policy.  I'll update ASAP.

Thanks a lot.
<<First: the access lists are different for the DMZ; it's something like outside_access_dmz, which I'm not dealing with since this unit is inside the LAN>>

I know what you mean, but the fact is that the traffic is still originating from the outside, so if there is an access-list allowing www access to servers in your DMZ, it will be applied to your outside interface.
Your access-list and static above are fine, but the problem is that they are not applied to anything.

Look for the line in the config:
access-group [access-list name] in interface outside

The access-list applied here is the one you need to name your access-list for allowing access inside.  Even if the access-list is named outside_access_dmz, that is only its name; it can be called whatever, if you get my drift.

hope this helps

You need two access lists:

1. Allow traffic from outside to Lan
2. Allow the same from LAN to outside to make it work


<<2. Allow the same from LAN to outside to make it work>>

You don't need an access-list to permit traffic from inside to out on a PIX.  The PIX ASA algorithm dictates that all traffic from a more secure interface can flow to a less secure one by default.  The static below is giving a 1-to-1 NAT translation for the LAN server to outside.

static (inside, outside) 65.xx.aa.bb 192.168.ff.gg netmask
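The two answers above boil down to three things to verify in the config: the static exists for the global address, the ACL that holds the permit is the one access-group binds to the outside interface (whatever it happens to be named), and no earlier deny in that ACL shadows the permit. The script below is an added example, not code from the thread or from Cisco: it parses a constructed PIX 6.x-style running-config excerpt (the addresses are the asker's 65.xx.aa.bb / 192.168.ff.gg placeholders plus a made-up source host 203.0.113.5) and reports which of the three conditions fails. It also honours the `line N` insertion form from the first answer, so you can see the difference between appending the rule below a `deny ip any any` and inserting it above. Address matching is string-based and only understands the `any` and `host` forms, because the placeholders in the question are not real IPs.

```python
"""Offline checker for a PIX 6.x inbound rule (added example, not from the thread):
does the static exist, is the ACL holding the permit bound to 'outside' with
access-group, and does an earlier deny in that ACL shadow the permit?"""
import re

# Constructed running-config excerpt in the style of the question; not the
# customer's real config. 65.xx.aa.bb / 192.168.ff.gg are the asker's placeholders.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
static (dmz,outside) 65.xx.aa.10 172.16.1.10 netmask 255.255.255.255 0 0
static (inside, outside) 65.xx.aa.bb 192.168.ff.gg netmask 255.255.255.255 0 0
access-list outside_access_dmz permit tcp any host 65.xx.aa.10 eq www
access-list outside_access_dmz permit tcp any host 65.xx.aa.10 eq smtp
access-list outside_access_dmz deny ip any any
access-list outside_access_in permit tcp host 203.0.113.5 host 65.xx.aa.bb eq telnet
access-group outside_access_dmz in interface outside
"""
# The asker's rule as it sits in SAMPLE_CONFIG, and the same rule moved into the
# ACL that is actually bound to outside, appended and inserted at line 3.
ORIGINAL_RULE = "access-list outside_access_in permit tcp host 203.0.113.5 host 65.xx.aa.bb eq telnet"
MOVED_RULE = "access-list outside_access_dmz permit tcp host 203.0.113.5 host 65.xx.aa.bb eq telnet"
MOVED_RULE_LINE3 = "access-list outside_access_dmz line 3 permit tcp host 203.0.113.5 host 65.xx.aa.bb eq telnet"


def _addr(tok, i):
    """Consume one address spec at tok[i]: 'any', 'host X', or 'net mask'."""
    if tok[i] == "any":
        return "any", i + 1
    if tok[i] == "host":
        return tok[i + 1], i + 2
    return tok[i] + "/" + tok[i + 1], i + 2      # network/mask, kept opaque


def parse_config(text):
    """Return (statics, acls, groups):
    statics: list of (real_if, mapped_if, global_ip, local_ip)
    acls:    name -> ordered list of (action, proto, src, dst); 'line N' inserts at N
    groups:  interface -> ACL name bound with 'access-group NAME in interface IF'"""
    statics, acls, groups = [], {}, {}
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "static":
            m = re.match(r"static\s+\((\w+),\s*(\w+)\)\s+(\S+)\s+(\S+)", raw)
            if m:
                statics.append(m.groups())
        elif tok[0] == "access-list" and tok[2] != "remark":
            name, rest, pos = tok[1], tok[2:], None
            if rest[0] == "line":
                pos, rest = int(rest[1]) - 1, rest[2:]
            action, proto = rest[0], rest[1]
            src, i = _addr(rest, 2)
            dst, _ = _addr(rest, i)
            entries = acls.setdefault(name, [])
            entries.insert(len(entries) if pos is None else pos, (action, proto, src, dst))
        elif tok[0] == "access-group":
            groups[tok[4]] = tok[1]
    return statics, acls, groups


def _covers(spec, ip):
    return spec == "any" or spec == ip


def diagnose(text, global_ip, iface="outside"):
    """Explain why inbound traffic to global_ip is (not) permitted on iface."""
    statics, acls, groups = parse_config(text)
    r = {"static": False, "bound_acl": groups.get(iface), "permit_in": [],
         "shadowed": False, "findings": []}
    r["static"] = any(g == global_ip and mapped == iface for _, mapped, g, _ in statics)
    if not r["static"]:
        r["findings"].append(f"no static maps {global_ip} onto {iface}")
    for name, entries in acls.items():
        if any(a == "permit" and _covers(d, global_ip) for a, _, _, d in entries):
            r["permit_in"].append(name)
    bound = r["bound_acl"]
    if bound is None:
        r["findings"].append(f"no access-group on {iface}: nothing inbound is permitted")
    elif bound not in r["permit_in"]:
        r["findings"].append(f"permit for {global_ip} lives in {r['permit_in'] or 'no ACL'}, "
                             f"but {iface} evaluates {bound} (access-group)")
    else:
        entries = acls[bound]
        for idx, (action, proto, src, dst) in enumerate(entries):
            if action != "permit" or not _covers(dst, global_ip):
                continue
            # First-match semantics: an earlier deny covering the same source,
            # destination and protocol means this permit is never reached.
            deny = [j + 1 for j, (a2, p2, s2, d2) in enumerate(entries[:idx])
                    if a2 == "deny" and _covers(s2, src) and _covers(d2, global_ip)
                    and p2 in ("ip", proto)]
            if deny:
                r["shadowed"] = True
                r["findings"].append(f"{bound} line {idx + 1} is shadowed by the deny at line {deny[0]}")
    r["ok"] = r["static"] and bound in r["permit_in"] and not r["shadowed"]
    return r


if __name__ == "__main__":
    for label, cfg in [("as posted", SAMPLE_CONFIG),
                       ("moved below deny", SAMPLE_CONFIG.replace(ORIGINAL_RULE, MOVED_RULE)),
                       ("inserted at line 3", SAMPLE_CONFIG.replace(ORIGINAL_RULE, MOVED_RULE_LINE3))]:
        res = diagnose(cfg, "65.xx.aa.bb")
        print(f"{label}: ok={res['ok']}; " + ("; ".join(res["findings"]) or "rule is reachable"))
```

Run as-is, the "as posted" case reports that the permit lives in outside_access_in while the outside interface evaluates outside_access_dmz; the "moved below deny" case reports that line 4 is shadowed by the deny at line 3; only the `line 3` insertion comes back clean. Feed it the real `sh run` output once the field techs send it, with the real global address, and it gives the same three answers.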
AM6_Networks_AdamL (Author) commented:
I'm still waiting for field techs to report with sh access-list and possibly a sh run just so we can all be on the same page here.  Sorry for the delays, this is definitely important to us and I'll post as quickly as possible.

Take your time!

