ShortChop

asked on

How do I allow a list of IPs access to the web and FTP and block the rest?

A division has decided to put a server up on the inside of our network.  We do not have a full IT staff.  I was hesitant to even mess with the original configuration of our firewall.  The company that set up the Pix is no longer around.  I have access to the pix via HyperTerminal.  I know some basic CLI commands.

With that said, what has been requested is to block all IPs except our two remote offices and two home static IPs.  I have the list of the IPs which are OK.  I don't know how to add certain IPs to the ACL (?) and block the rest.

For example:  I want to add 24.7.12.173 to allow access to the ftp and the internal web server.  What lines would I add?

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XX
passwd XX
hostname mypix
domain-name dublin.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 67.94.6.106 SacramentoPix
access-list firewall deny tcp any any eq 6969
access-list firewall permit udp any host 12.108.16.45 eq 3389
access-list firewall permit tcp any host 12.108.16.45 eq 3389
access-list firewall permit tcp any host 12.108.16.43 eq 3389
access-list firewall permit udp any host 12.108.16.43 eq 3389
access-list firewall permit udp any host 12.108.16.44 eq www
access-list firewall permit tcp any host 12.108.16.44 eq www
access-list firewall permit tcp any host 12.108.16.44 eq ftp      <-- Internal server
pager lines 24
icmp permit 67.94.6.104 255.255.255.248 outside
icmp permit host 10.0.9.254 outside
icmp permit host 12.108.16.45 outside
icmp permit host SacramentoPix outside
icmp permit host 67.94.6.107 outside
icmp permit host 67.94.6.108 outside
icmp permit host 67.94.6.109 outside
icmp permit host 67.94.6.110 outside
icmp permit host 12.108.16.42 outside
icmp permit host 10.0.9.254 inside
icmp permit host 12.108.16.45 inside
icmp permit 10.0.9.0 255.255.255.0 inside
icmp permit any inside
icmp permit host 12.108.16.42 inside
mtu outside 1500
mtu inside 1500
ip address outside 12.108.16.42 255.255.255.248
ip address inside 10.0.9.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 10.0.9.246 255.255.255.255 inside
pdm location 10.0.9.252 255.255.255.255 inside
pdm location 10.0.9.253 255.255.255.255 inside
pdm location 10.0.9.254 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 12.108.16.45 10.0.9.254 netmask 255.255.255.255 0 0
static (inside,outside) 12.108.16.43 10.0.9.225 netmask 255.255.255.255 0 0
static (inside,outside) 12.108.16.44 10.0.9.201 netmask 255.255.255.255 0 0
access-group firewall in interface outside
route outside 0.0.0.0 0.0.0.0 12.108.16.41 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.0.9.0 255.255.255.0 inside
http 10.0.9.254 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 10.0.9.0 255.255.255.0 inside
telnet SacramentoPix 255.255.255.255 inside
telnet 67.94.6.107 255.255.255.255 inside
telnet timeout 60
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 0
dhcpd address 10.0.9.50-10.0.9.125 inside
dhcpd dns 12.12.17.83 12.12.16.83
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain grinc.com
dhcpd auto_config outside
dhcpd enable inside
terminal width 80

List of OK IPs:
Sacramento Office IPs:
67.94.6.106
67.94.6.107
67.94.6.108
67.94.6.109
67.94.6.110

SantaRosa IP:
12.121.2.21

Personal (home) static IP:
67.160.23.68


giltjr

Easiest would be to create a network object group like:

object-group network goodhosts
   network-object host 67.94.6.106
   network-object host 67.94.6.107
   network-object host 67.94.6.108

and so on for each host you want to allow inbound access to your servers.  Then add the access lists like:

access-list firewall extended permit tcp object-group goodhosts gt 1023 "ftpserver address" eq 21
access-list firewall extended permit tcp object-group goodhosts gt 1023 "webserver address" eq 80
 
ShortChop

ASKER

Giltjr,
object-group network goodhosts
  network-object host 67.94.6.106
  network-object host 67.94.6.107
  network-object host 67.94.6.108
  network-object host 67.94.6.109
  network-object host 67.94.6.110
  network-object host 12.121.2.21
  network-object host 67.160.23.68

First part no problem but now I get:
Pix(config)# access-list firewall extended permit tcp object-group goodhosts gt 1023 10.0.9.201 eq 21
ERROR:<extended> not a valid permission
Usage:  [no] access-list compiled
[no] access-list deny-flow-max <n>
[no] access-list alert-interval <secs>
[no] access-list <id> compiled
[no] access-list <id> [line <line-num>] remark <text>
[no] access-list <id> [line <line-num>] deny|permit
        <protocol>|object-group <protocol_obj_grp_id>
        <sip> <smask> | interface <if_name> | object-group <network_obj_grp_id>
        [<operator> <port> [<port>] | object-group <service_obj_grp_id>]
        <dip> <dmask> | interface <if_name> | object-group <network_obj_grp_id>
        [<operator> <port> [<port>] | object-group <service_obj_grp_id>]
        [log [disable|default] | [<level>] [interval <secs>]]
[no] access-list <id> [line <line-num>] deny|permit icmp
        <sip> <smask> | interface <if_name> | object-group <network_obj_grp_id>
        <dip> <dmask> | interface <if_name> | object-group <network_obj_grp_id>
        [<icmp_type> | object-group <icmp_type_obj_grp_id>]
        [log [disable|default] | [<level>] [interval <secs>]]
Restricted ACLs for route-map use:
[no] access-list <id> deny|permit {any | <prefix> <mask> | host <address>}

So I tried:
access-list firewall_extended permit tcp object-group goodhosts gt 1023 10.0.9.201 eq 21
and got:
ERROR: invalid IP address eq
Usage:  [no] access-list compiled
[no] access-list deny-flow-max <n>
[no] access-list alert-interval <secs>
[no] access-list <id> compiled
[no] access-list <id> [line <line-num>] remark <text>
[no] access-list <id> [line <line-num>] deny|permit
        <protocol>|object-group <protocol_obj_grp_id>
        <sip> <smask> | interface <if_name> | object-group <network_obj_grp_id>
        [<operator> <port> [<port>] | object-group <service_obj_grp_id>]
        <dip> <dmask> | interface <if_name> | object-group <network_obj_grp_id>
        [<operator> <port> [<port>] | object-group <service_obj_grp_id>]
        [log [disable|default] | [<level>] [interval <secs>]]
[no] access-list <id> [line <line-num>] deny|permit icmp
        <sip> <smask> | interface <if_name> | object-group <network_obj_grp_id>
        <dip> <dmask> | interface <if_name> | object-group <network_obj_grp_id>
        [<icmp_type> | object-group <icmp_type_obj_grp_id>]
        [log [disable|default] | [<level>] [interval <secs>]]
Restricted ACLs for route-map use:
[no] access-list <id> deny|permit {any | <prefix> <mask> | host <address>}

Try removing the word extended.

access-list firewall permit tcp object-group goodhosts gt 1023 "ftpserver address" eq 21
access-list firewall permit tcp object-group goodhosts gt 1023 "webserver address" eq 80

giltjr,
After removing the extended I got:
ERROR: invalid IP address eq

So in between the IP and eq I put a subnet mask of 255 and it looks like it worked.

Is the .255 ignore or exact match?  Should it have been 0.0.0.0 ?
Entered As:
access-list firewall permit tcp object-group goodhosts gt 1023 10.0.9.201 255.255.255.255 eq 21
access-list firewall permit tcp object-group goodhosts gt 1023 10.0.9.201 255.255.255.255 eq 80

The sh ru:
access-list firewall permit tcp object-group goodhosts gt 1023 host 10.0.9.201 eq ftp
access-list firewall permit tcp object-group goodhosts gt 1023 host 10.0.9.201 eq www
pager lines 24
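As an added example (not code from this thread), the Python script below models how a PIX 6.3 inbound ACL is matched, so giltjr's object-group approach above and the 255.255.255.255 versus 0.0.0.0 question can be checked offline before anything is typed into the firewall. It assumes the allow-list is written against the server's global address 12.108.16.44, the way the posted config's existing lines are; the sample config and the test addresses are constructed.

```python
import ipaddress

# Constructed allow-list in the thread's style. The destination is the server's
# GLOBAL address: PIX 6.x checks the outside ACL before NAT untranslates it.
ALLOWLIST = """
object-group network goodhosts
  network-object host 67.94.6.106
access-list firewall deny tcp any any eq 6969
access-list firewall permit tcp object-group goodhosts gt 1023 12.108.16.44 255.255.255.255 eq 21
access-list firewall permit tcp object-group goodhosts gt 1023 host 12.108.16.44 eq www
"""
# One of the posted config's "any" permits: left in place, it matches first and wins.
LEGACY_ANY = "access-list firewall permit tcp any host 12.108.16.44 eq ftp\n"

def _addr(t, groups):
    """Pop an address spec off t; MASK is a subnet mask (255.255.255.255 = one host, 0.0.0.0 = any)."""
    kind = t.pop(0)
    if kind == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    if kind == "host":
        return [ipaddress.ip_network(t.pop(0))]
    if kind == "object-group":
        return groups[t.pop(0)]
    return [ipaddress.ip_network(f"{kind}/{t.pop(0)}", strict=False)]

def _port(t):
    """Pop an optional eq/gt port operator off t; return a port predicate."""
    if t and t[0] in ("eq", "gt"):
        op, name = t.pop(0), t.pop(0)
        n = {"ftp": 21, "www": 80}.get(name) or int(name)
        return (lambda x: x == n) if op == "eq" else (lambda x: x > n)
    return lambda x: True

def parse(config):
    groups, acl = {}, []
    for t in (line.split() for line in config.splitlines() if line.strip()):
        if t[0] == "object-group":
            current = groups.setdefault(t[2], [])
        elif t[0] == "network-object":
            current.append(ipaddress.ip_network(t[2] if t[1] == "host" else f"{t[1]}/{t[2]}"))
        elif t[0] == "access-list":
            rest = t[4:]  # after "access-list <id> <action> <proto>", consumed left to right
            acl.append((t[2], t[3], _addr(rest, groups), _port(rest), _addr(rest, groups), _port(rest)))
    return acl

def evaluate(acl, proto, src, sport, dst, dport):
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, srcs, sp, dsts, dp in acl:
        if p == proto and any(s in n for n in srcs) and sp(sport) and any(d in n for n in dsts) and dp(dport):
            return action
    return "deny"  # implicit deny at the end of every PIX ACL
```

Run with the posted config's existing `permit tcp any host 12.108.16.44` lines still in front, the model permits every source, so those lines have to be removed (`no access-list firewall permit tcp any host 12.108.16.44 eq ftp`, and likewise the www lines) before the object-group lines restrict anything. A destination written as the inside address 10.0.9.201 never matches in this model, for the same reason the posted config's existing lines use 12.108.16.4x.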
ASKER CERTIFIED SOLUTION
giltjr
