• Status: Solved
  • Priority: Medium
  • Security: Public

MS ports needed between 2 sites PIX

Hi all,

I have been planning for a while now to block ports between 2 sites over a PIX tunnel. My thinking behind it was to cut down on wasted traffic and just open the ports between the sites that are needed. Up to now we have allowed all traffic between these two sites. After doing some investigating I have come up with this list of ports that are needed for 2 MS sites to communicate properly. Microsoft also states that the "RPC randomly allocated high TCP ports, TCP 1024 - 65536" are needed.

1. My question is: what is the point of an ACL if I need to leave all these ports open --- TCP 1024 - 65536?
2. Is there any way of forcing a fixed block of high ports that MS clients must use? ----- RPC randomly allocated
3. It just seems like a lot of work, and at the end of the day I have to leave all of the high ports open, which kind of defeats the purpose of setting the ACL up in the first place.
4. Maybe someone can enlighten me as to why it makes sense to use an ACL and maybe cause problems blocking good traffic, or just leave the sites open. I can only see the advantage that any viruses/spybots etc. will be blocked under 1024. But if one knows that these ports must be opened between MS sites, then it makes sense for the programmers of these crap programs to use higher ports?

(between BNIT & Munich)
access-list bnit permit tcp lan-bnit 255.255.255.0 lan-munich 255.255.255.0 eq 20    >
access-list bnit permit tcp lan-bnit 255.255.255.0 lan-munich 255.255.255.0 eq 21    >
access-list bnit permit tcp lan-bnit 255.255.255.0 lan-munich 255.255.255.0 eq 22    >>>>>> Maybe use range, not eq -- range 20 25
access-list bnit permit tcp lan-bnit 255.255.255.0 lan-munich 255.255.255.0 eq 23    >
access-list bnit permit tcp lan-bnit 255.255.255.0 lan-munich 255.255.255.0 eq 25    >
access-list bnit permit tcp lan-bnit 255.255.255.0 lan-munich 255.255.255.0 eq 42    >WINS (Windows Internet Name Service)
access-list bnit permit udp lan-bnit 255.255.255.0 lan-munich 255.255.255.0 eq 42    >will delete if no hits are spotted on it (Microsoft recommendation)
access-list bnit permit tcp lan-bnit 255.255.255.0 lan-munich 255.255.255.0 eq 53    >DNS
access-list bnit permit udp lan-bnit 255.255.255.0 lan-munich 255.255.255.0 eq 53    >will delete if no hits are spotted on it (Microsoft recommendation)
access-list bnit permit udp lan-bnit 255.255.255.0 lan-munich 255.255.255.0 eq 67    >DHCP
access-list bnit permit udp lan-bnit 255.255.255.0 lan-munich 255.255.255.0 eq 69    >TFTP
access-list bnit permit tcp lan-bnit 255.255.255.0 lan-munich 255.255.255.0 eq 80    >WWW
access-list bnit permit tcp lan-bnit 255.255.255.0 lan-munich 255.255.255.0 eq 88    >Kerberos, delete if no hits are spotted on it
access-list bnit permit udp lan-bnit 255.255.255.0 lan-munich 255.255.255.0 eq 88    >Kerberos, delete if no hits are spotted on it
access-list bnit permit udp lan-bnit 255.255.255.0 lan-munich 255.255.255.0 eq 123   >NTP
access-list bnit permit tcp lan-bnit 255.255.255.0 lan-munich 255.255.255.0 range 135 139 >many mickey mouse services
access-list bnit permit udp lan-bnit 255.255.255.0 lan-munich 255.255.255.0 range 135 139 >many mickey mouse services
access-list bnit permit tcp lan-bnit 255.255.255.0 lan-munich 255.255.255.0 eq 143   >IMAP
access-list bnit permit tcp lan-bnit 255.255.255.0 lan-munich 255.255.255.0 eq 389   >LDAP
access-list bnit permit udp lan-bnit 255.255.255.0 lan-munich 255.255.255.0 eq 389   >LDAP (MS states UDP usage - will delete if no hits are spotted)
access-list bnit permit tcp lan-bnit 255.255.255.0 lan-munich 255.255.255.0 eq 443   >HTTPS
access-list bnit permit tcp lan-bnit 255.255.255.0 lan-munich 255.255.255.0 eq 445   >SMB, SYSVOL, DFS
access-list bnit permit udp lan-bnit 255.255.255.0 lan-munich 255.255.255.0 eq 500   >IPsec, ISAKMP
access-list bnit permit tcp lan-bnit 255.255.255.0 lan-munich 255.255.255.0 eq 2869  >UPnP host
access-list bnit permit tcp lan-bnit 255.255.255.0 lan-munich 255.255.255.0 eq 1270  >MOM agent
access-list bnit permit udp lan-bnit 255.255.255.0 lan-munich 255.255.255.0 eq 2535  >MADCAP (DHCP) - not sure if needed
access-list bnit permit tcp lan-bnit 255.255.255.0 lan-munich 255.255.255.0 range 3268 3269 >Global catalog server
access-list bnit permit tcp lan-bnit 255.255.255.0 lan-munich 255.255.255.0 eq 3389  >Terminal Services, RDP
access-list bnit permit tcp lan-bnit 255.255.255.0 lan-munich 255.255.255.0 eq 4500  >Active Directory NAT-T
access-list bnit permit tcp lan-bnit 255.255.255.0 lan-munich 255.255.255.0 range 6001 6004 >Exchange ports
access-list bnit permit tcp lan-bnit 255.255.255.0 lan-munich 255.255.255.0 eq 6129  >Dameware
access-list bnit permit tcp lan-bnit 255.255.255.0 lan-munich 255.255.255.0 eq 5555  >Safeboot
access-list bnit permit tcp lan-bnit 255.255.255.0 lan-munich 255.255.255.0 eq 5026  >Synexsys
access-list bnit permit tcp lan-bnit 255.255.255.0 lan-munich 255.255.255.0 eq 1311  >Dell open management
access-list bnit permit tcp lan-bnit 255.255.255.0 lan-munich 255.255.255.0 range 1 1024 >Deny all other traffic to lan-munich.
access-list bnit permit tcp lan-bnit 255.255.255.0 lan-munich 255.255.255.0 range 1025 65535 >RPC randomly allocated high TCP ports

Cheers
Hugh

(running out of points so there won't be any more questions for a while after this one. :-)
0
1 Solution
 
jabiii commented:
First off, that means through: 1024 through 65536. Those are random high source ports, not needed destination ports.

Microsoft also states the "RPC randomly allocated high TCP ports TCP 1024 - 65536" are needed.
0
 
jabiii commented:
What ports are you needing between the sites?
Mail, DNS, web, remote desktop, Netbios, drive sharing, database access?
0
 
huwa (author) commented:
All the ports I have listed above in the bnit access-list.
0
 
huwa (author) commented:
Except this, if I can get away without using it:

access-list bnit permit tcp lan-bnit 255.255.255.0 lan-munich 255.255.255.0 range 1025 65535 > RPC randomly allocated high TCP ports --last line in the ACL
0
 
jabiii commented:
You shouldn't need the source ports in your ACLs
Only Dest ports.
0
 
huwa (author) commented:
OK, so if I apply the access list which I have made above and leave this line out of the access list, I won't have any problems??

access-list bnit permit tcp lan-bnit 255.255.255.0 lan-munich 255.255.255.0 range 1025 65535 > RPC randomly allocated high TCP ports

Don't forget we also have many users who will be travelling between sites whose profile and mailbox will be on the other site; these users will also have no problems?
I just know from Yahoo and MSN video that when I block all the higher ports conferencing does not work (video & camera).



0
 
huwa (author) commented:
Hi Jabii,

Do you mean I can close all ports between 1 and 1024 and leave all ports open above this, as in the example below?

access-list bnit deny tcp lan-bnit 255.255.255.0 lan-munich 255.255.255.0 range 1 1024
access-list bnit permit tcp lan-bnit 255.255.255.0 lan-munich 255.255.255.0 range 1025 65535

Sorry if I don't follow you straight away,
0
 
jabiii commented:
No sweat :)
That should be fine, yes. If I am misspeaking I am sure one of the Cisco guys will slap me :)

But when a TCP connection is made, let's say from 1.1.1.1 to 2.2.2.2, on, let's say, SSH:
1.1.1.1:30568 2.2.2.2:22
What this says is IP 1.1.1.1, using a source port of 30568, connecting to IP 2.2.2.2 on port 22.
Your ACLs only need the IPs and the destination ports to make their decisions, i.e. "permit tcp host 1.1.1.1 host 2.2.2.2 eq 22" will allow 1.1 to SSH to 2.2.

Your concern about web meetings/video: you need to figure out exactly what port they use, and leave them open.

But your example above will deny any real traffic to destination ports 1-1024, and allow any destination port that uses a high random source port, which would be the reverse of what you want.

0
 
huwa (author) commented:
OK, now I understand what you mean, so then I can use the following ACL and I should have what I need to secure the sites.
Below are the destination ports I need opened, and all other ports I have denied at the end of the ACL with
access-list bnit deny ip lan-bnit 255.255.255.0 lan-munich 255.255.255.0

access-list bnit permit tcp lan-bnit 255.255.255.0 lan-munich 255.255.255.0 eq 20    >
access-list bnit permit tcp lan-bnit 255.255.255.0 lan-munich 255.255.255.0 eq 21    >
access-list bnit permit tcp lan-bnit 255.255.255.0 lan-munich 255.255.255.0 eq 22    >>>>>> Maybe use range, not eq -- range 20 25
access-list bnit permit tcp lan-bnit 255.255.255.0 lan-munich 255.255.255.0 eq 23    >
access-list bnit permit tcp lan-bnit 255.255.255.0 lan-munich 255.255.255.0 eq 25    >
access-list bnit permit tcp lan-bnit 255.255.255.0 lan-munich 255.255.255.0 eq 42    >WINS (Windows Internet Name Service)
access-list bnit permit udp lan-bnit 255.255.255.0 lan-munich 255.255.255.0 eq 42    >will delete if no hits are spotted on it (Microsoft recommendation)
access-list bnit permit tcp lan-bnit 255.255.255.0 lan-munich 255.255.255.0 eq 53    >DNS
access-list bnit permit udp lan-bnit 255.255.255.0 lan-munich 255.255.255.0 eq 53    >will delete if no hits are spotted on it (Microsoft recommendation)
access-list bnit permit udp lan-bnit 255.255.255.0 lan-munich 255.255.255.0 eq 67    >DHCP
access-list bnit permit udp lan-bnit 255.255.255.0 lan-munich 255.255.255.0 eq 69    >TFTP
access-list bnit permit tcp lan-bnit 255.255.255.0 lan-munich 255.255.255.0 eq 80    >WWW
access-list bnit permit tcp lan-bnit 255.255.255.0 lan-munich 255.255.255.0 eq 88    >Kerberos, delete if no hits are spotted on it
access-list bnit permit udp lan-bnit 255.255.255.0 lan-munich 255.255.255.0 eq 88    >Kerberos, delete if no hits are spotted on it
access-list bnit permit udp lan-bnit 255.255.255.0 lan-munich 255.255.255.0 eq 123   >NTP
access-list bnit permit tcp lan-bnit 255.255.255.0 lan-munich 255.255.255.0 range 135 139 >many mickey mouse services
access-list bnit permit udp lan-bnit 255.255.255.0 lan-munich 255.255.255.0 range 135 139 >many mickey mouse services
access-list bnit permit tcp lan-bnit 255.255.255.0 lan-munich 255.255.255.0 eq 143   >IMAP
access-list bnit permit tcp lan-bnit 255.255.255.0 lan-munich 255.255.255.0 eq 389   >LDAP
access-list bnit permit udp lan-bnit 255.255.255.0 lan-munich 255.255.255.0 eq 389   >LDAP (MS states UDP usage - will delete if no hits are spotted)
access-list bnit permit tcp lan-bnit 255.255.255.0 lan-munich 255.255.255.0 eq 443   >HTTPS
access-list bnit permit tcp lan-bnit 255.255.255.0 lan-munich 255.255.255.0 eq 445   >SMB, SYSVOL, DFS
access-list bnit permit udp lan-bnit 255.255.255.0 lan-munich 255.255.255.0 eq 500   >IPsec, ISAKMP
access-list bnit permit tcp lan-bnit 255.255.255.0 lan-munich 255.255.255.0 eq 2869  >UPnP host
access-list bnit permit tcp lan-bnit 255.255.255.0 lan-munich 255.255.255.0 eq 1270  >MOM agent
access-list bnit permit udp lan-bnit 255.255.255.0 lan-munich 255.255.255.0 eq 2535  >MADCAP (DHCP) - not sure if needed
access-list bnit permit tcp lan-bnit 255.255.255.0 lan-munich 255.255.255.0 range 3268 3269 >Global catalog server
access-list bnit permit tcp lan-bnit 255.255.255.0 lan-munich 255.255.255.0 eq 3389  >Terminal Services, RDP
access-list bnit permit tcp lan-bnit 255.255.255.0 lan-munich 255.255.255.0 eq 4500  >Active Directory NAT-T
access-list bnit permit tcp lan-bnit 255.255.255.0 lan-munich 255.255.255.0 range 6001 6004 >Exchange ports
access-list bnit permit tcp lan-bnit 255.255.255.0 lan-munich 255.255.255.0 eq 6129  >Dameware
access-list bnit permit tcp lan-bnit 255.255.255.0 lan-munich 255.255.255.0 eq 5555  >Safeboot
access-list bnit permit tcp lan-bnit 255.255.255.0 lan-munich 255.255.255.0 eq 5026  >Synexsys
access-list bnit permit tcp lan-bnit 255.255.255.0 lan-munich 255.255.255.0 eq 1311  >Dell open management
access-list bnit deny ip lan-bnit 255.255.255.0 lan-munich 255.255.255.0
0
 
jabiii commented:
You can do one better: with ACLs on a Cisco there are implicit denies. What that means is you can say permit bnit munich 22 (all your ports; this is just an example) and Cisco will see what you have permitted from bnit to munich, and will deny anything else other than port 22. So the last line doesn't do anything for you :)

But be careful not to lock yourself out of your router :)

Did you verify what ports your video/conferencing was going over?

And just so we're clear, with the above you're allowing: FTP, telnet, SMTP, WINS, DNS, DHCP, TFTP, www, Kerberos, NTP, NetBIOS (139), IMAP, LDAP, HTTPS, DFS, ISAKMP, UPnP, MOM, MADCAP, GAS, RDP, AD, Exchange, Dameware, Safeboot, Synexsys, Dell.

Do you really need all of those? I'm impressed :) But one question: why do you allow ISAKMP, but not AH? Proto 50/51? UDP 500 basically sets up your tunnels; proto 50/51 carries the encrypted traffic.
0
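To make the two replies above concrete (an ACE matches on the destination port, not the random high source port, and the list ends in an implicit deny), here is an added example written for this editing pass; it is not code from the thread or from Cisco. It parses PIX-style access-list lines in the spellings the posts use ("135 - 139", "1025-65535" and the plain "135 139"), evaluates a packet against them first-match with the implicit deny at the end, and lints the list for the problems the thread discusses: a high-port permit that swallows everything the rest of the list restricted, an explicit deny that only duplicates the implicit one, and consecutive eq lines that can become a single range without permitting anything extra (the "range 20 25" suggested in the first post would also let port 24 through; the linter proposes "range 20 23" and leaves 25 on its own line). The lan-munich address is the thread's own name statement; the lan-bnit network 192.168.20.0 and the sample hosts are assumed. evaluate() takes no source port on purpose: the PIX decides on the destination port of the first packet and lets the reply half of the connection back through its state table, which is also why each site's PIX needs its own permits for the connections that site initiates.

```python
"""Added example for this thread, not the poster's or Cisco's code: a
first-match evaluator and linter for PIX-style access-list lines.  An ACE
matches the DESTINATION port only, an unmatched packet hits the implicit
deny, and one `permit ... range 1025 65535` line swallows everything the
rest of the list restricted.  lan-bnit's address is assumed."""
import re
from collections import namedtuple
from ipaddress import ip_address, ip_network

NAMES = {"lan-munich": "192.168.10.0", "lan-bnit": "192.168.20.0"}
# ports is a (lo, hi) destination port range, or None for any port
Ace = namedtuple("Ace", "action proto src dst ports")


def _network(tokens, i):
    """Consume `any`, `host X` or `NET MASK` starting at tokens[i]."""
    if tokens[i] == "any":
        return ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ip_network(NAMES.get(tokens[i + 1], tokens[i + 1])), i + 2
    net = NAMES.get(tokens[i], tokens[i])
    return ip_network(f"{net}/{tokens[i + 1]}", strict=False), i + 2


def parse_ace(line):
    """`access-list NAME permit|deny PROTO SRC DST [eq P | range LO HI]`;
    text after '>' is the poster's inline annotation and is ignored."""
    tokens = line.split(">", 1)[0].split()
    action, proto = tokens[2].lower(), tokens[3].lower()
    src, i = _network(tokens, 4)
    dst, i = _network(tokens, i)
    rest, ports = tokens[i:], None
    if rest and rest[0] == "eq":
        ports = (int(rest[1]), int(rest[1]))
    elif rest and rest[0] == "range":  # "135 139", "135 - 139" and "1025-65535"
        lo, hi = re.sub(r"(?<=\d)\s*-\s*(?=\d)", " ", " ".join(rest[1:])).split()
        ports = (int(lo), int(hi))
    return Ace(action, proto, src, dst, ports)


def parse_acl(text):
    return [parse_ace(l) for l in text.splitlines() if l.strip().startswith("access-list")]


def evaluate(acl, proto, src, dst, dport):
    """First matching ACE wins; no match means the implicit deny.  There is no
    source-port parameter on purpose: the PIX does not consult it, and the
    reply half of the connection comes back through the state table."""
    s, d = ip_address(src), ip_address(dst)
    for a in acl:
        if a.proto not in ("ip", proto) or s not in a.src or d not in a.dst:
            continue
        if a.ports and not a.ports[0] <= dport <= a.ports[1]:
            continue
        return a.action
    return "deny"


def lint(acl):
    """Findings a reviewer would raise on a list like the one in the thread."""
    out, key = [], lambda a: (a.action, a.proto, a.src, a.dst)
    for n, a in enumerate(acl, 1):
        if a.ports is None:
            continue
        lo, hi = a.ports
        if hi > 65535:
            out.append(f"line {n}: {hi} is not a valid port (maximum is 65535)")
        if a.action == "permit" and hi - lo + 1 >= 1024:
            out.append(f"line {n}: permits {hi - lo + 1} destination ports, which defeats the rest of the list")
    if acl[-1].action == "deny" and acl[-1].proto == "ip" and acl[-1].ports is None:
        out.append(f"line {len(acl)}: explicit deny duplicates the implicit deny (harmless; it does give hit counts)")
    run = []  # consecutive single-port ACEs with contiguous ports -> one `range`
    for n, a in list(enumerate(acl, 1)) + [(None, None)]:
        single = a is not None and a.ports is not None and a.ports[0] == a.ports[1]
        if single and run and key(a) == key(run[-1][1]) and a.ports[0] == run[-1][1].ports[1] + 1:
            run.append((n, a))
            continue
        if len(run) > 1:
            out.append(f"lines {run[0][0]}-{run[-1][0]}: collapse to `range {run[0][1].ports[0]} {run[-1][1].ports[1]}` without widening anything")
        run = [(n, a)] if single else []
    return out


# Constructed sample: the thread's bnit list, abbreviated.
SAMPLE_ACL = """\
access-list bnit permit tcp lan-bnit 255.255.255.0 lan-munich 255.255.255.0 eq 20
access-list bnit permit tcp lan-bnit 255.255.255.0 lan-munich 255.255.255.0 eq 21
access-list bnit permit tcp lan-bnit 255.255.255.0 lan-munich 255.255.255.0 eq 22
access-list bnit permit tcp lan-bnit 255.255.255.0 lan-munich 255.255.255.0 eq 23
access-list bnit permit tcp lan-bnit 255.255.255.0 lan-munich 255.255.255.0 eq 25
access-list bnit permit udp lan-bnit 255.255.255.0 lan-munich 255.255.255.0 eq 53    >DNS
access-list bnit permit tcp lan-bnit 255.255.255.0 lan-munich 255.255.255.0 range 135 - 139
access-list bnit permit tcp lan-bnit 255.255.255.0 lan-munich 255.255.255.0 eq 389   >LDAP
"""
HIGH_PORT_LINE = "access-list bnit permit tcp lan-bnit 255.255.255.0 lan-munich 255.255.255.0 range 1025-65535 > RPC\n"
DENY_LINE = "access-list bnit deny ip lan-bnit 255.255.255.0 lan-munich 255.255.255.0\n"

TIGHT = parse_acl(SAMPLE_ACL + DENY_LINE)               # the list without the high-port permit
LOOSE = parse_acl(SAMPLE_ACL + HIGH_PORT_LINE + DENY_LINE)  # the list the thread argued about
```

Running evaluate(TIGHT, "tcp", "192.168.20.5", "192.168.10.19", 1433) returns "deny" while the same call against LOOSE returns "permit": the single high-port line turns the whole list back into "permit ip", which is the point the poster was worried about. lint(LOOSE) reports exactly that line, the redundant trailing deny, and the 20-23 run.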
 
huwa (author) commented:
Actually it is a PIX 515 (5 interfaces), sorry if I didn't mention that before. I have three pre-shared tunnels to 2 other PIX 515Es, so all traffic to the other sites is going over the tunnels. I have ACLs in place for what traffic can go out to the internet, and ACLs for what traffic can come into the PIX; the tunnels on the PIXes look as I have pasted below (3 PIXes in 3 different sites in total, and the BNIT site to come). lan_bnit is a site we will be setting up soon, so I would like to have the ACLs I propose in place (up to now all traffic was allowed across the sites, no ACLs were in place), and if all works OK I will apply it on all PIXes. The only problem I see is that my access lists are going to get very, very big, as I will have to apply these lists on all PIXes 3 times since I will have 4 tunnels, or I make object-groups and apply it that way. We have had a consultant who up to now has done our tunnels; I am trying to do more and more of the firewalls myself. Learning by doing.


sysopt connection permit-ipsec
crypto ipsec transform-set strong esp-des esp-md5-hmac
crypto ipsec transform-set verystrong esp-3des esp-sha-hmac
crypto ipsec transform-set sota esp-aes-256 esp-sha-hmac
crypto dynamic-map dynmap 40 set transform-set strong
crypto map BavarianNordicVPN 20 ipsec-isakmp
crypto map BavarianNordicVPN 20 match address vpnberlin
crypto map BavarianNordicVPN 20 set peer xxx.xxx.xxx.xxx
crypto map BavarianNordicVPN 20 set transform-set verystrong
crypto map BavarianNordicVPN 20 set security-association lifetime seconds 120 kilobytes 4608000
crypto map BavarianNordicVPN 25 ipsec-isakmp
crypto map BavarianNordicVPN 25 match address vpnkvistgaard
crypto map BavarianNordicVPN 25 set peer xxx.xxx.xxx.xxx
crypto map BavarianNordicVPN 25 set transform-set sota
crypto map BavarianNordicVPN 25 set security-association lifetime seconds 120 kilobytes 4608000
crypto map BavarianNordicVPN interface outside
crypto map BavaianNordic 26 ipsec-isakmp
crypto map BavaianNordic 26 match address vpnhugh
crypto map BavaianNordic 26 set peer xxx.xxx.xxx.xxx
crypto map BavaianNordic 26 set transform-set strong
isakmp enable outside
isakmp key ******** address xxx.xxx.xxx.xxx netmask 255.255.255.255
isakmp key ******** address xxx.xxx.xxx.xxx netmask 255.255.255.255
isakmp key ******** address xxx.xxx.xxx.xxx netmask 255.255.255.255
isakmp key ******** address xxx.xxx.xxx.xxx netmask 255.255.255.255
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 5
isakmp policy 10 lifetime 14400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 14400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption des
isakmp policy 30 hash sha
isakmp policy 30 group 2
isakmp policy 30 lifetime 7200
telnet timeout 15

And the access lists look like this; as you can see, access out to the public is tightly shut and incoming traffic is also limited. Now my aim is to lock down traffic between sites. Yes, I think I need all these ports: WINS, DHCP, DNS and DFS all need to replicate to all 3 sites; we have an Exchange, hence SMTP, IMAP and 6001 - 6004 on all 3 sites; AD needs to replicate; the NTP server sends time to the 2 other sites; the rest are more for administrators to log on to different systems, as with Dell OpenManage: all admins from all 3 sites need to connect to the Dell OpenManage software. At the moment my access lists look like this:

name 192.168.10.13 video-intern
name 192.168.10.0 lan-munich
name 192.168.2.0 lan-berlin
name 192.168.100.0 lan-kvistgaard
name 192.168.10.238 Marc
name 192.168.10.239 Hugh
name 192.168.10.240 eg-switch
name 192.168.10.241 firstog-switch
name 192.168.10.242 secondog-switch
name 192.168.10.243 libary-switch
name 192.168.10.244 thirdog-switch
name 192.168.10.245 backbone-switch
name 192.168.10.246 spare-switch
name 192.168.10.15 BN-APS01
name 192.168.10.19 BN-DC02
name 192.168.10.237 Circular
name 192.168.5.2 Munich-ACS
name 192.168.5.18 Kvistgaard-ACS
name 192.168.5.26 Kvistgaard-VPN
name 192.168.5.10 Munich-VPN
name 192.168.10.10 webmail-intern
name xxx.xxx.xxx.xxx vpn-extern
name xxx.xxx.xxx.xxx acs-extern
name xxx.xxx.xxx.xxx webmail-smtp
name xxx.xxx.xxx.xxx Video-Extern
name 192.168.10.201 lab-machine1
name 192.168.10.202 lab-machine2
name 192.168.10.203 lab-machine3
name 192.168.10.204 lab-machine4
name 192.168.10.205 lab-machine5
name 192.168.10.206 lab-machine6
name 192.168.10.207 lab-machine7
name 192.168.10.208 lab-machine8
name 192.168.10.209 lab-machine9
name 192.168.10.210 lab-machine10
name 192.168.1.0 lan-hugh
object-group network admins
  network-object host Marc
  network-object host Hugh
  network-object host Circular
object-group network internal-switches
  network-object host eg-switch
  network-object host firstog-switch
  network-object host secondog-switch
  network-object host libary-switch
  network-object host thirdog-switch
  network-object host spare-switch
  network-object host backbone-switch
object-group network acsserver
  network-object host Munich-ACS
  network-object host Kvistgaard-ACS
object-group network lab-Machines
  network-object host lab-machine1
  network-object host lab-machine2
  network-object host lab-machine3
  network-object host lab-machine4
  network-object host lab-machine5
  network-object host lab-machine6
  network-object host lab-machine7
  network-object host lab-machine8
  network-object host lab-machine9
  network-object host lab-machine10
access-list wireless permit tcp 192.168.7.0 255.255.255.0 any eq www
access-list wireless permit udp 192.168.7.0 255.255.255.0 host xxx.xxx.xxx.xxx eq domain
access-list wireless permit udp 192.168.7.0 255.255.255.0 host xxx.xxx.xxx.xxx eq domain
access-list wireless permit udp 192.168.7.0 255.255.255.0 host Munich-VPN eq isakmp
access-list wireless permit udp 192.168.7.0 255.255.255.0 host Munich-VPN eq 10000
access-list wireless permit udp 192.168.7.0 255.255.255.0 host Munich-VPN eq 4500
access-list wireless deny ip any host xxx.xxx.xxx.xxx
access-list wireless deny ip any 192.168.0.0 255.255.0.0
access-list wireless permit tcp 192.168.7.0 255.255.255.0 any eq https
access-list wireless permit tcp 192.168.7.0 255.255.255.0 any eq pop3
access-list wireless permit tcp 192.168.7.0 255.255.255.0 any eq smtp
access-list wireless permit udp 192.168.7.0 255.255.255.0 any eq isakmp
access-list wireless permit udp 192.168.7.0 255.255.255.0 any eq 4500
access-list vpnberlin permit ip 192.168.6.0 255.255.255.128 lan-berlin 255.255.255.0
access-list vpnberlin permit ip lan-munich 255.255.255.0 lan-berlin 255.255.255.0
access-list nonat permit ip lan-munich 255.255.255.0 lan-kvistgaard 255.255.255.0
access-list nonat permit ip lan-munich 255.255.255.0 lan-berlin 255.255.255.0
access-list nonat permit ip lan-munich 255.255.255.0 192.168.5.16 255.255.255.240
access-list nonat permit ip lan-munich 255.255.255.0 192.168.6.0 255.255.255.0
access-list nonat permit ip lan-munich 255.255.255.0 lan-hugh 255.255.255.0
access-list inside permit ip object-group lab-Machines lan-berlin 255.255.255.0
access-list inside permit ip object-group lab-Machines lan-kvistgaard 255.255.255.0
access-list inside deny ip object-group lab-Machines any
access-list inside permit tcp host video-intern any eq h323
access-list inside permit udp host video-intern any range 2702 2707
access-list inside permit tcp host BN-APS01 host xxx.xxx.xxx.xxx eq ssh
access-list inside permit icmp object-group admins any echo
access-list inside permit tcp host Circular host xxx.xxx.xxx.xxx eq telnet
access-list inside permit tcp object-group admins host xxx.xxx.xxx.xxx eq telnet
access-list inside permit tcp object-group admins host xxx.xxx.xxx.xxx eq telnet
access-list inside permit tcp object-group admins any eq ftp
access-list inside permit icmp object-group admins any
access-list inside permit tcp object-group admins host Kvistgaard-ACS eq netbios-ssn
access-list inside permit udp object-group admins any range 5555 5556
access-list inside permit tcp object-group admins any range 5555 5556
access-list inside permit tcp object-group admins any eq 6129
access-list inside permit tcp object-group admins host Munich-ACS eq netbios-ssn
access-list inside permit tcp object-group admins host Kvistgaard-ACS range 2002 2010
access-list inside permit tcp object-group admins any eq 3389
access-list inside permit tcp object-group admins host Kvistgaard-VPN eq ssh
access-list inside permit tcp object-group admins host Kvistgaard-VPN eq https
access-list inside permit tcp object-group admins host Munich-VPN eq https
access-list inside permit tcp object-group admins host Munich-VPN eq ssh
access-list inside permit tcp host Hugh any eq ssh
access-list inside permit tcp object-group admins host xxx.xxx.xxx.xxx eq ssh
access-list inside permit tcp object-group admins host xxx.xxx.xxx.xxx eq ssh
access-list inside permit tcp object-group admins host Munich-ACS range 2002 2010
access-list inside permit tcp object-group internal-switches object-group acsserver eq tacacs
access-list inside permit tcp any any eq 8000
access-list inside permit tcp any host xxx.xxx.xxx.xxx eq ftp
access-list inside permit tcp any any eq https
access-list inside permit tcp any any eq 8082
access-list inside permit tcp any any eq www
access-list inside permit tcp any any eq 3128
access-list inside permit udp any any eq 4500
access-list inside permit udp any any eq isakmp
access-list inside permit udp any any eq domain
access-list inside permit tcp host 192.168.10.5 host Munich-ACS eq 445
access-list inside permit tcp host 192.168.10.5 host Munich-ACS range 136 netbios-ssn
access-list inside permit udp host 192.168.10.5 host Munich-ACS range 136 139
access-list inside deny ip any 192.168.5.0 255.255.255.224
access-list inside permit tcp host webmail-intern any eq smtp
access-list inside permit ip lan-munich 255.255.255.0 lan-kvistgaard 255.255.255.0
access-list inside permit ip lan-munich 255.255.255.0 lan-hugh 255.255.255.0
access-list inside permit udp host BN-DC02 any eq ntp
access-list inside permit tcp host BN-APS01 any eq 3101
access-list inside permit tcp any host xxx.xxx.xxx.xxx eq 8383
access-list inside permit tcp any host 131.159.4.193 eq ssh
access-list inside permit tcp host BN-APS01 host xxx.xxx.xxx.xxx eq ssh
access-list inside permit ip lan-munich 255.255.255.0 lan-berlin 255.255.255.0
access-list inside deny ip any any
access-list acsnonat permit ip 192.168.5.0 255.255.255.248 192.168.6.128 255.255.255.128
access-list acsnonat permit ip 192.168.5.0 255.255.255.248 192.168.5.16 255.255.255.240
access-list acsnonat permit ip 192.168.5.0 255.255.255.248 lan-kvistgaard 255.255.255.0
access-list outside permit udp any host Video-Extern range 2702 2707
access-list outside permit tcp any host Video-Extern eq h323
access-list outside permit tcp any any eq 8000
access-list outside permit icmp any host xxx.xxx.xxx.xxx echo-reply
access-list outside permit udp any host vpn-extern eq isakmp
access-list outside permit udp any host vpn-extern eq 4500
access-list outside permit tcp host xxx.xxx.xxx.xxx host acs-extern eq tacacs
access-list outside permit tcp host xxx.xxx.xxx.xxx host acs-extern eq tacacs
access-list outside permit tcp host xxx.xxx.xxx.xxx host acs-extern eq tacacs
access-list outside permit tcp host xxx.xxx.xxx.xxx host acs-extern eq tacacs
access-list outside permit tcp host xxx.xxx.xxx.xxx host acs-extern eq tacacs
access-list outside permit tcp any host webmail-smtp eq https
access-list outside permit tcp any host webmail-smtp eq www
access-list outside permit tcp any host webmail-smtp eq smtp
access-list vpnkvistgaard permit ip 192.168.6.0 255.255.255.128 192.168.5.16 255.255.255.240
access-list vpnkvistgaard permit ip 192.168.6.0 255.255.255.128 lan-kvistgaard 255.255.255.0
access-list vpnkvistgaard permit ip 192.168.5.0 255.255.255.240 192.168.5.16 255.255.255.240
access-list vpnkvistgaard permit ip lan-munich 255.255.255.0 192.168.5.16 255.255.255.240
access-list vpnkvistgaard permit ip lan-munich 255.255.255.0 lan-kvistgaard 255.255.255.0
access-list vpnkvistgaard permit ip lan-munich 255.255.255.0 192.168.6.128 255.255.255.128
access-list vpnkvistgaard permit ip 192.168.5.0 255.255.255.240 192.168.6.128 255.255.255.128
access-list vpnkvistgaard permit ip 192.168.5.0 255.255.255.240 lan-kvistgaard 255.255.255.0
access-list wirelessnonat permit ip 192.168.7.0 255.255.255.0 host Munich-VPN
access-list dmz-acs permit udp any any eq domain
access-list dmz-acs permit udp host Munich-ACS host BN-DC02 eq domain
access-list dmz-acs permit udp host Munich-ACS host 192.168.100.14 eq domain
access-list dmz-acs permit ip host Munich-ACS host 192.168.10.5
access-list dmz-acs permit ip host Munich-ACS host Kvistgaard-ACS
access-list dmz-vpn permit udp host Munich-VPN host Hugh eq tftp
access-list dmz-vpn permit udp host Munich-VPN host Kvistgaard-ACS eq radius-acct
access-list dmz-vpn permit udp host Munich-VPN host Kvistgaard-ACS eq radius
access-list dmz-vpn permit udp host Munich-VPN host Munich-ACS eq radius
access-list dmz-vpn permit udp host Munich-VPN host Munich-ACS eq radius-acct
access-list dmz-vpn permit ip 192.168.6.0 255.255.255.0 lan-munich 255.255.255.0
access-list dmz-vpn permit ip 192.168.6.0 255.255.255.0 lan-berlin 255.255.255.0
access-list dmz-vpn permit ip 192.168.6.0 255.255.255.0 192.168.5.0 255.255.255.224
access-list dmz-vpn permit ip 192.168.6.0 255.255.255.0 lan-kvistgaard 255.255.255.0
access-list vpnnonat permit ip 192.168.6.0 255.255.255.0 lan-berlin 255.255.255.0
access-list vpnnonat permit ip 192.168.5.8 255.255.255.248 192.168.5.16 255.255.255.248
access-list vpnnonat permit ip 192.168.5.8 255.255.255.248 192.168.6.128 255.255.255.128
access-list vpnnonat permit ip 192.168.6.0 255.255.255.0 192.168.5.16 255.255.255.240
access-list vpnnonat permit ip 192.168.6.0 255.255.255.0 lan-kvistgaard 255.255.255.0
access-list vpnhugh permit ip lan-munich 255.255.255.0 lan-hugh 255.255.255.0





0
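The tunnel configuration in this post deserves a second look, so here is an added audit script written for this edit; it is not from the thread or from Cisco. It reads the transform-set, isakmp policy and crypto map lines as pasted (peers left as xxx.xxx.xxx.xxx, as the poster wrote them) and reports what a reviewer would question: the transform set named "strong" is esp-des with MD5, the weakest of the three; policies 20 and 30 still offer single DES with DH group 2, and IKE will accept whichever configured policy a peer proposes, so those policies stay live even though policy 10 offers AES-256; both static tunnels rekey every 120 seconds; and the crypto map spelled "BavaianNordic" has an entry 26 but is never bound to an interface in the pasted text (a PIX interface takes one crypto map set, and BavarianNordicVPN already holds outside), so unless that entry was pasted from a different PIX it does nothing on this one. The 3600-second lifetime floor is an assumed review threshold, not a Cisco default.

```python
"""Added example, not part of the thread: audit the pasted PIX crypto
configuration for weak IKE/IPsec settings, very short SA lifetimes and
crypto maps that are defined but never applied to an interface.
The sample config is the thread's, trimmed; peers are left as the poster
wrote them.  MIN_SA_SECONDS is an assumed review threshold."""
from collections import defaultdict

WEAK = {"des", "esp-des", "md5", "esp-md5-hmac"}   # 56-bit cipher, broken hash
WEAK_DH_GROUPS = {"1", "2"}                          # 768- and 1024-bit MODP
MIN_SA_SECONDS = 3600                                # assumption: shorter is a rekey storm

SAMPLE_CONFIG = """\
crypto ipsec transform-set strong esp-des esp-md5-hmac
crypto ipsec transform-set verystrong esp-3des esp-sha-hmac
crypto ipsec transform-set sota esp-aes-256 esp-sha-hmac
crypto map BavarianNordicVPN 20 ipsec-isakmp
crypto map BavarianNordicVPN 20 match address vpnberlin
crypto map BavarianNordicVPN 20 set transform-set verystrong
crypto map BavarianNordicVPN 20 set security-association lifetime seconds 120 kilobytes 4608000
crypto map BavarianNordicVPN 25 ipsec-isakmp
crypto map BavarianNordicVPN 25 set transform-set sota
crypto map BavarianNordicVPN 25 set security-association lifetime seconds 120 kilobytes 4608000
crypto map BavarianNordicVPN interface outside
crypto map BavaianNordic 26 ipsec-isakmp
crypto map BavaianNordic 26 match address vpnhugh
crypto map BavaianNordic 26 set transform-set strong
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 5
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 30 encryption des
isakmp policy 30 hash sha
isakmp policy 30 group 2
"""


def audit(config):
    """Return the findings a reviewer would raise on the pasted config."""
    findings, transform_sets = [], {}
    policies = defaultdict(dict)    # policy number -> {attribute: value}
    map_entries = defaultdict(set)  # crypto map name -> sequence numbers
    bound_maps = set()              # crypto map names applied to an interface
    for line in config.splitlines():
        t = line.split()
        if t[:3] == ["crypto", "ipsec", "transform-set"]:
            transform_sets[t[3]] = t[4:]
        elif t[:2] == ["isakmp", "policy"] and len(t) == 5:
            policies[t[2]][t[3]] = t[4]
        elif t[:2] == ["crypto", "map"] and t[3] == "interface":
            bound_maps.add(t[2])
        elif t[:2] == ["crypto", "map"]:
            map_entries[t[2]].add(t[3])
            if t[4:6] == ["set", "transform-set"]:
                weak = sorted(WEAK & set(transform_sets.get(t[6], [])))
                if weak:
                    findings.append(f"crypto map {t[2]} {t[3]} uses transform-set {t[6]} with {weak}")
            if t[4:8] == ["set", "security-association", "lifetime", "seconds"] and int(t[8]) < MIN_SA_SECONDS:
                findings.append(f"crypto map {t[2]} {t[3]} rekeys every {t[8]} s")
    for num, attrs in sorted(policies.items()):
        # IKE accepts any configured policy the peer matches, so every weak
        # policy is reachable even when a stronger one is listed first.
        weak = sorted(v for k, v in attrs.items() if k in ("encryption", "hash") and v in WEAK)
        if weak:
            findings.append(f"isakmp policy {num} offers {weak}")
        if attrs.get("group") in WEAK_DH_GROUPS:
            findings.append(f"isakmp policy {num} uses DH group {attrs['group']}")
    for name, seqs in map_entries.items():
        if name not in bound_maps:
            findings.append(f"crypto map {name} (entries {sorted(seqs)}) is never applied to an interface")
    return findings
```

audit(SAMPLE_CONFIG) flags entry 26 for the esp-des/MD5 transform set, policies 20 and 30 for DES, MD5 and group 2, the 120-second lifetimes on entries 20 and 25, and the unbound BavaianNordic map; policy 10 and the verystrong and sota transform sets produce no findings.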
 
huwa (author) commented:
Here are the ACLs I really mean, and they are the ones, "let's say", I would like to fine-tune; as you can see, all traffic is permitted.

access-list inside permit ip lan-munich 255.255.255.0 lan-kvistgaard 255.255.255.0
access-list inside permit ip lan-munich 255.255.255.0 lan-hugh 255.255.255.0
access-list inside permit ip lan-munich 255.255.255.0 lan-berlin 255.255.255.0
0
 
jabiii commented:
Now these are all permitting only from Munich to the other 3 sites; do the other three sites need to come back to Munich?

First thing I would suggest is making a list on paper of all the ports you know need to be opened, and between which sites, and in what direction.

Like, do all 3 different sites need to come back to Munich for DNS or telnet? Or Munich to them on www or SSH (22)?

And then once you have that, make the ACLs that apply for those sites and the directions needed. It makes life much easier when drawn out on paper.

Like, access-list outside permit tcp host xxx.xxx.xxx.xxx host acs-extern eq tacacs only allows xxx access to extern on port tacacs, but not extern to xxx on tacacs, etc.

Jim
0
 
huwa (author) commented:
Now these are all permitting only from Munich to the other 3 sites; do the other three sites need to come back to Munich? -- Yes, and they do at the moment:
access-list inside permit ip lan-munich 255.255.255.0 lan-kvistgaard 255.255.255.0
access-list inside permit ip lan-munich 255.255.255.0 lan-hugh 255.255.255.0
access-list inside permit ip lan-munich 255.255.255.0 lan-berlin 255.255.255.0

access-list inside permit ip lan-Kvistgaard 255.255.255.0 lan-Munich 255.255.255.0
access-list inside permit ip lan-Kvistgaard 255.255.255.0 lan-hugh 255.255.255.0
access-list inside permit ip lan-Kvistgaard 255.255.255.0 lan-berlin 255.255.255.0

and so on ...... lan_berlin is the same (lan_hugh is my home PIX 501, I just have a tunnel to Munich, don't worry about that one).

First thing I would suggest is making a list on paper of all the ports you know need to be opened, and between which sites, and in what direction. ----

Basically that is what I have done in the list above: FTP, telnet, SMTP, WINS, DNS, DHCP, TFTP, www, Kerberos, NTP, NetBIOS (139), IMAP, LDAP, HTTPS, DFS, ISAKMP, UPnP, MOM, MADCAP, GAS, RDP, AD, Exchange, Dameware, Safeboot, Synexsys, Dell --- in all directions (basically for replication of Active Directory and DNS: if any admin makes a change to the internal DNS, or a client self-updates DNS, it is replicated to all 3 sites; it is Microsoft DNS, Active Directory integrated). We have routing groups for mail on all 3 sites, the intranet homepage is in Kvistgaard, we also have www pages in Munich that all 3 sites need to access, and the OWA FE mail server is in Munich; Berlin to the rest of the sites would need a few less ACLs.

Like, do all 3 different sites need to come back to Munich for DNS or telnet? Or Munich to them on www or SSH (22)? -- same as above answer

And then once you have that, make the ACLs that apply for those sites and the directions needed. It makes life much easier when drawn out on paper.

Like, access-list outside permit tcp host xxx.xxx.xxx.xxx host acs-extern eq tacacs only allows xxx access to extern on port tacacs, but not extern to xxx on tacacs, etc.

Jim

OK Jim, thanks for your time :-)
So just to make sure I am clear on this:
when I have my ACLs sorted out they will be more or less like the 1st post, minus this line: access-list bnit deny ip lan-bnit 255.255.255.0 lan-munich 255.255.255.0
and minus these 3 lines that I have in the PIX now:
no access-list inside permit ip lan-munich 255.255.255.0 lan-kvistgaard 255.255.255.0
no access-list inside permit ip lan-munich 255.255.255.0 lan-hugh 255.255.255.0
no access-list inside permit ip lan-munich 255.255.255.0 lan-berlin 255.255.255.0

Then all other ports will be denied by default between sites.

I thank you again for giving so much time to this :-)

Best Regards
Hugh
0
