Solved

Pix 501 access-list

Posted on 2006-11-08
544 Views
Last Modified: 2013-11-16
I have the following networks.

HQ =        172.16.0.0/16
Outside = 192.168.1.0 - 192.168.12.0/24

I need to create an access list that will prevent the range 192.168.4.240 - 192.168.4.255 from talking to any of those networks.

I started off with this ( access-list 125 deny tcp 192.168.4.239 0.0.0.254 host 172.16.2.0 0.0.255.255 )

Can someone help me out with this one?
Question by:learn2earn
5 Comments
 
LVL 1

Expert Comment

by:devnull22
ID: 17905984
I'm willing to help, but I need a bit more info on this, can you post your config here?

If not, I think I understand that you want to restrict the range 192.168.4.240 - 192.168.4.255 that is on the outside interface from talking to anything on the pix, or behind it, no?

so

     192.168.1.0/24 - 192.168.12.0/24
                   |
             Pix Outside
                   |
             Pix Inside
                   |
             172.16.0.0/16

And you want people from the outside to be denied if they try to reach 172.16.0.0/16, but only if they're in the range 192.168.4.240 - 192.168.4.255?

If I'm right, you only need a line like this:

access-list 125 deny ip 192.168.4.240 255.255.255.240 172.16.0.0 255.255.0.0
access-group 125 in interface outside

Unlike Cisco routers with IOS, the netmasks are not inverted, so the spelling is important.
 
LVL 32

Accepted Solution

by:
rsivanandan earned 125 total points
ID: 17906250
A slight modification to the above. After making the access-list none of your outside machines will be able to communicate since the first line denies the machines you wanted and it also denies everything else by the implicit deny statement. So after the first line, add 'permit' for all the networks you want.

access-list 125 deny ip 192.168.4.240 255.255.255.240 172.16.0.0 255.255.0.0
access-list 125 permit ip 192.168.1.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list 125 permit ip 192.168.2.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list 125 permit ip 192.168.3.0 255.255.255.0 172.16.0.0 255.255.0.0
... etc.

Cheers,
Rajesh
 
LVL 1

Expert Comment

by:devnull22
ID: 17906451
True, forgot about that, since I usually deny everything from the outside.

Anyways, an easier way would be to deny, like I said, but if everything else should be allowed (since I don't see much reason to block only this segment, and not the rest) a line like

access-list 125 permit ip any any

would work.

Depending on what is really wanted, my answer will change though.
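The exchange above (devnull22's single deny line, rsivanandan's point that the implicit deny then blocks everyone else, and the follow-up 'permit ip any any' shortcut) can be checked mechanically. The Python below is an added example, not code from this thread or from Cisco: it models a PIX access-list as a top-down, first-match list ending in an implicit deny, parses the exact lines quoted in the thread, and evaluates constructed sample flows against the three list variants. The helper names (wildcard_to_netmask, address_range, parse_acl_line, evaluate) are my own; the sample addresses 192.168.4.250, 192.168.4.100 and 172.16.2.5 are constructed for the demonstration.

```python
"""Added example (not from the thread or from Cisco): a small model of how a
PIX access-list is evaluated, showing why a deny line alone blocks everything
(implicit deny) and why PIX masks are subnet masks, not IOS wildcards."""
import ipaddress


def wildcard_to_netmask(wildcard):
    """IOS wildcard (0.0.255.255) -> PIX subnet mask (255.255.0.0).
    Each octet is inverted; the PIX syntax wants the subnet-mask form."""
    return ".".join(str(255 - int(octet)) for octet in wildcard.split("."))


def address_range(network, netmask):
    """First and last address a 'network netmask' pair covers,
    e.g. 192.168.4.240 255.255.255.240 -> 192.168.4.240 through .255."""
    net = ipaddress.ip_network(f"{network}/{netmask}", strict=False)
    return str(net[0]), str(net[-1])


def _parse_target(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D M.M.M.M'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    net = ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False)
    return net, tokens[2:]


def parse_acl_line(line):
    """Parse 'access-list <id> <permit|deny> <proto> <src> <dst>' into a dict."""
    parts = line.split()
    if len(parts) < 5 or parts[0] != "access-list":
        raise ValueError(f"not an access-list entry: {line!r}")
    action, proto = parts[2], parts[3]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action {action!r} in {line!r}")
    src, rest = _parse_target(parts[4:])
    dst, _ = _parse_target(rest)
    return {"action": action, "proto": proto, "src": src, "dst": dst}


def evaluate(acl_lines, proto, src_ip, dst_ip):
    """First matching entry wins; if nothing matches, the implicit deny applies.
    Returns (action, line_number); line_number is None for the implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for number, entry in enumerate(map(parse_acl_line, acl_lines), start=1):
        if entry["proto"] not in ("ip", proto):
            continue  # e.g. a 'tcp' entry does not match a udp flow
        if src in entry["src"] and dst in entry["dst"]:
            return entry["action"], number
    return "deny", None  # implicit deny at the end of every list


# The three list variants discussed in the thread (lines quoted from it).
DENY_LINE = "access-list 125 deny ip 192.168.4.240 255.255.255.240 172.16.0.0 255.255.0.0"
DENY_ONLY = [DENY_LINE]
WITH_PERMITS = [DENY_LINE] + [
    f"access-list 125 permit ip 192.168.{n}.0 255.255.255.0 172.16.0.0 255.255.0.0"
    for n in range(1, 13)  # 192.168.1.0/24 ... 192.168.12.0/24
]
PERMIT_ANY = [DENY_LINE, "access-list 125 permit ip any any"]

if __name__ == "__main__":
    # Constructed sample flows: a tenant host in .240-.255 and ordinary outside hosts.
    print("deny line covers", address_range("192.168.4.240", "255.255.255.240"))
    for name, acl in (("deny only", DENY_ONLY), ("with permits", WITH_PERMITS),
                      ("permit any", PERMIT_ANY)):
        for host in ("192.168.4.250", "192.168.4.100", "192.168.1.10"):
            print(f"{name:13} {host:15} -> {evaluate(acl, 'tcp', host, '172.16.2.5')}")
```

Running it shows the deny-only list returning ('deny', None) for every host outside the .240-.255 block, which is exactly the implicit-deny problem rsivanandan describes; with either the per-network permits or 'permit ip any any' added, the tenant host is still stopped by line 1 while the other hosts are permitted by the first later line that matches them.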
 
LVL 2

Author Comment

by:learn2earn
ID: 17908719
HQ = 172.16.0.0/16
Outside = 192.168.1.0 - 192.168.12.0/24
 
 MPLS cloud --| 2800 router |---| 4506 switch |--inside-- 192.168.4.240 --| Pix 501 |--outside (Internet) DSL
                                      |
                                      |
This is allowed to talk to 172.16.0.0 | 192.168.4.1 - 192.168.4.239 |

My company is renting space to a client. The client is assigned the 192.168.4.240 - 255 range. We do not want his traffic to talk to ours.
So he bought a pix to separate his traffic from ours. He has his own DSL line for internet. I would like to still be able to talk to his network for troubleshooting purposes.

So would this access list work, but on my INSIDE interface?
( access-list 125 deny ip 192.168.4.240 255.255.255.240 172.16.0.0 255.255.0.0 )
( access-group 125 in interface inside )


Keep in mind that I still need to connect to him for troubleshooting coming from any address in my network.
 
LVL 2

Author Comment

by:learn2earn
ID: 17908743
By the way 192.168.4.1 - 192.168.4.255 is connected to the Cisco 4506 switch.
