access-lists are not working

I cannot figure out why my access-lists are not working.
I think it may be a NAT or routing issue, but I do not know enough about routing to determine that.

cisco-pix(config)# sho route
        outside 0.0.0.0 0.0.0.0 71.39.227.222 1 OTHER static                                    // What is this line doing? Is this the address that internal comps use for an IP on the internet?
        outside 71.39.227.216 255.255.255.248 71.39.227.217 1 CONNECT static       // 71.39.227.217 is the outside IP address of the PIX
        inside 192.168.4.0 255.255.255.0 192.168.4.1 1 CONNECT static
Is this line translating everything from the outside to a 192.168.4.xxx address?
cisco-pix(config)# sho nat
nat (inside) 1 192.168.4.0 255.255.255.0 0 0
If everything above is correct, shouldn't the opened ports following work?
cisco-pix(config)# show static
static (inside,outside) 71.39.227.218 192.168.4.137 netmask 255.255.255.255 0 0
static (inside,outside) 71.39.227.219 192.168.4.135 netmask 255.255.255.255 0 0
static (inside,outside) 71.39.227.220 192.168.4.132 netmask 255.255.255.255 0 0

cisco-pix(config)# sho access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 256)
            alert-interval 300
access-list inbound; 1 elements
access-list inbound line 1 permit icmp any any (hitcnt=0)
access-list outside; 12 elements
access-list outside line 1 permit icmp any any echo-reply (hitcnt=0)
access-list outside line 2 permit tcp any host 71.39.227.218 eq ssh (hitcnt=0)
access-list outside line 3 permit tcp any host 71.39.227.218 eq domain (hitcnt=0)
access-list outside line 4 permit tcp any host 71.39.227.218 eq www (hitcnt=0)
access-list outside line 5 permit icmp any host 71.39.227.218 echo-reply (hitcnt=0)
access-list outside line 6 permit tcp any host 71.39.227.219 eq ssh (hitcnt=0)
access-list outside line 7 permit tcp any host 71.39.227.219 eq domain (hitcnt=0)
access-list outside line 8 permit tcp any host 71.39.227.219 eq www (hitcnt=0)
access-list outside line 9 permit icmp any host 71.39.227.219 echo-reply (hitcnt=0)
access-list outside line 10 permit tcp any host 71.39.227.220 eq 3389 (hitcnt=0)
access-list outside line 11 permit tcp any host 71.39.227.220 eq www (hitcnt=0)
access-list outside line 12 permit icmp any host 71.39.227.220 echo-reply (hitcnt=0)

Asked by brentrussell

2 Solutions

stressedout2004 commented:
**outside 0.0.0.0 0.0.0.0 71.39.227.222 1 OTHER static

>>>This is the configured default gateway of the PIX, defined by the command "route outside 0.0.0.0 0.0.0.0 71.39.227.222". This is what the PIX uses to route all internet traffic and all other traffic.

***Is this line translating everything from the outside to a 192.168.4.xxx address?
cisco-pix(config)# sho nat
nat (inside) 1 192.168.4.0 255.255.255.0 0 0

>>>No, this line comes in a pair with a global statement, which translates traffic FROM 192.168.4.x to another
IP defined by the global statement (show global). Used for outgoing traffic, not incoming.

***If everything above is correct, shouldn't the opened ports following work?
It should, but obviously something else is not.

Is this a new configuration?

From the PIX itself, can you ping its default gateway 71.39.227.222 or any internet address such
as 4.2.2.2?

Can you browse the internet from any of the servers above with static IP addresses (e.g 192.168.4.137)?
We have to verify first if the static translation is working.

Can you post your entire PIX configuration? If not, can you post the output of "show run | include access-group"?

Cyclops3590 commented:
As for the show route:
line 1) default route, also referred to as the route of last resort
line 2) outside segment
line 3) inside segment

show nat
there should be a "global (outside) 1" line
What this means is that the nat inside for 1 matches with global 1 and does a nat based on that match

As for the access-lists: are there any access-group lines binding those lists to your interfaces?
Also, remember that you shouldn't put an access-list on your inside interface unless you want to firewall some traffic from that segment. The reason is that by default it will allow everything going from a higher security interface to a lower one. If you apply an access-list, it will allow that stuff, but then append an implicit deny all at the end of that list for the interface.
Also, it looks like lines 5, 9, and 12 are duplicates of what line 1 does. As long as the access-list is applied, it looks like it should be fine.
brentrussell (Author) commented:
Cyclops3590, stressedout2004, your comments and help are much appreciated!

1. Yes, this is a new configuration (about a week old). It used to work, but I have messed with it since. I am also a new Cisco user :)
2. As shown below, there is a "global (outside) 1 interface" line.
3. When on one of the servers with an IP of 192.168.4.137, I can get out to the internet. When bypassing the Cisco and going straight to the modem, the IP address 71.39.227.218 does work when statically assigned.
4. I do not have an access-group, and I do think that is where the issue lies, as I remember a week ago having that in there. I have messed with it since and it is not in there now. However, I do not remember the syntax or what IPs I should be using.

cisco-pix# sho run
: Saved
:
PIX Version 6.3(4)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password sdfsadfadsfdsafsadf encrypted
passwd sadfasdfsadfasdf encrypted
hostname cisco-pix
domain-name namlot.net
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names        
access-list inbound permit icmp any any
access-list outside permit icmp any any echo-reply
access-list outside permit tcp any host 71.39.227.218 eq ssh
access-list outside permit tcp any host 71.39.227.218 eq domain
access-list outside permit tcp any host 71.39.227.218 eq www
access-list outside permit icmp any host 71.39.227.218 echo-reply
access-list outside permit tcp any host 71.39.227.219 eq ssh
access-list outside permit tcp any host 71.39.227.219 eq domain
access-list outside permit tcp any host 71.39.227.219 eq www
access-list outside permit icmp any host 71.39.227.219 echo-reply
access-list outside permit tcp any host 71.39.227.220 eq 3389
access-list outside permit tcp any host 71.39.227.220 eq www
access-list outside permit icmp any host 71.39.227.220 echo-reply
pager lines 24
logging buffered informational
mtu outside 1500
mtu inside 1500
ip address outside 71.39.227.217 255.255.255.248
ip address inside 192.168.4.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.4.0 255.255.255.0 0 0
static (inside,outside) 71.39.227.218 192.168.4.137 netmask 255.255.255.255 0 0
static (inside,outside) 71.39.227.219 192.168.4.135 netmask 255.255.255.255 0 0
static (inside,outside) 71.39.227.220 192.168.4.132 netmask 255.255.255.255 0 0
route outside 0.0.0.0 0.0.0.0 71.39.227.222 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.4.1 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
no floodguard enable
telnet 192.168.4.0 255.255.255.0 inside
telnet 192.168.5.0 255.255.255.0 inside
telnet timeout 15
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
console timeout 0
terminal width 80
Cryptochecksum:4fe480561a2a2a7389051bd37bf97367
: end        
cisco-pix#    
stressedout2004 commented:
Add the following command:

access-group outside in interface outside

That will bind the access-list named outside to the PIX outside interface.
After you add that command, run the following commands on the PIX as well.

clear xlate
clear arp

That will refresh the PIX session table. Now to test this, be sure that the server 192.168.4.137 is able to browse
the internet from BEHIND the PIX (don't bypass the PIX). If it is not able to go out to the internet, then check if
you can reach the internet from the PIX itself. To check this, just do the following:

ping 71.39.227.222
ping 4.2.2.2

The first one is the default gateway, the 2nd one is an internet IP.

Cyclops3590 commented:
also do the following:

no access-list inbound permit icmp any any
no access-list outside permit icmp any host 71.39.227.218 echo-reply
no access-list outside permit icmp any host 71.39.227.219 echo-reply
no access-list outside permit icmp any host 71.39.227.220 echo-reply

That will clean up lines of config you don't need.
Line 1 isn't used, and lines 2 through 3 are already covered by your
access-list outside permit icmp any any echo-reply
entry.
and then

no fixup protocol smtp 25

In my experience that line screws things up more than it helps since it doesn't understand ESMTP talk and as a result rejects it, so you're better off turning smtp inspection off.

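The checks the answers above describe, as an added example that is not part of this thread and not Cisco tooling: a small Python linter over a PIX 6.3 running-config that reports an access-list with no access-group binding (the actual fault here), a static whose mapped address nothing bound to the outside interface permits, a nat ID with no matching global, and entries shadowed by an earlier broader entry (the three host-specific echo-reply lines Cyclops3590 removes). The sample config is a trimmed copy of the one brentrussell posted, with the accepted answer's access-group line appended as the "after" case; the finding tags, the Ace class and the parser are my own and cover only the syntax that appears on this page.

```python
import ipaddress
import re
from dataclasses import dataclass

# Added example, not Cisco tooling: lint a PIX 6.3 running-config for the faults the
# answers above diagnose.  Handles only the config syntax that appears in this thread.
ANY_NET = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Ace:
    acl: str
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    service: tuple  # ("any",), ("eq", "ssh") or ("type", "echo-reply")
    text: str

    def covers(self, other):
        """True if this earlier entry matches everything `other` matches, so `other`
        can never be hit under the PIX's first-match evaluation."""
        return (self.action == other.action and self.proto in ("ip", other.proto)
                and other.src.subnet_of(self.src) and other.dst.subnet_of(self.dst)
                and self.service in (("any",), other.service))


def _take_addr(tokens):
    """Consume one address spec (any | host A | A MASK); return (network, rest)."""
    if tokens[0] == "any":
        return ANY_NET, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_ace(line):
    m = re.match(r"access-list (\S+) (permit|deny) (\S+) (.+)", line)
    if not m:
        return None
    acl, action, proto, rest = m.groups()
    src, rest = _take_addr(rest.split())
    dst, rest = _take_addr(rest)
    service = ("any",) if not rest else ("eq", rest[1]) if rest[0] == "eq" else ("type", rest[0])
    return Ace(acl, action, proto, src, dst, service, line)


def lint(config_text):
    aces, bound, statics, nat_ids, global_ids = [], {}, [], set(), set()
    for line in (raw.strip() for raw in config_text.splitlines()):
        if ace := parse_ace(line):
            aces.append(ace)
        elif m := re.match(r"access-group (\S+) in interface (\S+)", line):
            bound[m.group(2)] = m.group(1)  # interface -> ACL applied inbound on it
        elif m := re.match(r"static \(\S+,(\S+)\) (\S+) \S+ netmask (\S+)", line):
            mapped = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
            statics.append((m.group(1), mapped, line))
        elif m := re.match(r"(nat|global) \(\S+\) (\d+)", line):
            (nat_ids if m.group(1) == "nat" else global_ids).add(m.group(2))
    findings = []
    for name in sorted({a.acl for a in aces} - set(bound.values())):
        findings.append(f"UNBOUND: access-list {name} has no access-group; it filters nothing")
    for nid in sorted(nat_ids - global_ids - {"0"}):  # nat 0 is identity NAT and needs no global
        findings.append(f"NAT: nat id {nid} has no matching global statement")
    for iface, mapped, text in statics:  # can anything reach the mapped address inbound?
        permits = [a for a in aces if a.acl == bound.get(iface) and a.action == "permit"]
        if not any(mapped.subnet_of(a.dst) for a in permits):
            findings.append(f"NO-PERMIT: nothing bound to {iface} permits {mapped.network_address} ({text})")
    for i, ace in enumerate(aces):  # first-match shadowing inside each ACL
        shadow = next((e for e in aces[:i] if e.acl == ace.acl and e.covers(ace)), None)
        if shadow:
            findings.append(f"SHADOWED: '{ace.text}' is already covered by '{shadow.text}'")
    return findings


# Constructed sample: a trimmed copy of the config posted above, before the fix.
BROKEN = """\
access-list inbound permit icmp any any
access-list outside permit icmp any any echo-reply
access-list outside permit tcp any host 71.39.227.218 eq ssh
access-list outside permit tcp any host 71.39.227.218 eq www
access-list outside permit icmp any host 71.39.227.218 echo-reply
access-list outside permit tcp any host 71.39.227.219 eq ssh
access-list outside permit icmp any host 71.39.227.219 echo-reply
access-list outside permit tcp any host 71.39.227.220 eq 3389
access-list outside permit icmp any host 71.39.227.220 echo-reply
global (outside) 1 interface
nat (inside) 1 192.168.4.0 255.255.255.0 0 0
static (inside,outside) 71.39.227.218 192.168.4.137 netmask 255.255.255.255 0 0
static (inside,outside) 71.39.227.219 192.168.4.135 netmask 255.255.255.255 0 0
static (inside,outside) 71.39.227.220 192.168.4.132 netmask 255.255.255.255 0 0
route outside 0.0.0.0 0.0.0.0 71.39.227.222 1
"""
FIXED = BROKEN + "access-group outside in interface outside\n"  # the accepted answer's fix

if __name__ == "__main__":
    for label, cfg in (("before fix", BROKEN), ("after fix", FIXED)):
        print(f"== {label} ==")
        for finding in lint(cfg):
            print(" ", finding)
```

Before the access-group line is added, the linter reports both ACLs as unbound and all three statics as unreachable from outside; after it, only the unused "inbound" list and the three shadowed echo-reply entries remain, which is exactly the cleanup suggested above. The NO-PERMIT check only asks whether some bound permit covers the mapped address, so the broad "permit icmp any any echo-reply" line satisfies it for every static; a stricter version would match on protocol and port per service the host is meant to expose.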
brentrussell (Author) commented:
That worked stressedout2004 !

All I had to do was add in the access-group and it was working. I am sure I had that in there before. I must have deleted it.


Even though the following was not my question, it was helpful; I learned something and was able to clean things up a bit, so I awarded some points as an assisted answer:
no access-list inbound permit icmp any any
no access-list outside permit icmp any host 71.39.227.218 echo-reply
no access-list outside permit icmp any host 71.39.227.219 echo-reply
no access-list outside permit icmp any host 71.39.227.220 echo-reply


Thanks to the both of you for your help!