Solved

How do I allow a list of IP's access to the web and ftp and block the rest?

Posted on 2007-08-10
Last Modified: 2013-11-29
A division has decided to put a server up on the inside of our network. We do not have a full IT staff. I was hesitant to even mess with the original configuration of our firewall. The company that set up the PIX is no longer around. I have access to the PIX via HyperTerminal. I know some basic CLI commands.

With that said, what has been requested is to block all IPs except our two remote offices and two home static IPs. I have the list of the IPs which are OK. I don't know how to add certain IPs to the ACL (?) and block the rest.

For example: I want to add 24.7.12.173 to allow access to the FTP and the internal web server. What lines would I add?

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XX
passwd XX
hostname mypix
domain-name dublin.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 67.94.6.106 SacramentoPix
access-list firewall deny tcp any any eq 6969
access-list firewall permit udp any host 12.108.16.45 eq 3389
access-list firewall permit tcp any host 12.108.16.45 eq 3389
access-list firewall permit tcp any host 12.108.16.43 eq 3389
access-list firewall permit udp any host 12.108.16.43 eq 3389
access-list firewall permit udp any host 12.108.16.44 eq www
access-list firewall permit tcp any host 12.108.16.44 eq www
access-list firewall permit tcp any host 12.108.16.44 eq ftp    <-- Internal server
pager lines 24
icmp permit 67.94.6.104 255.255.255.248 outside
icmp permit host 10.0.9.254 outside
icmp permit host 12.108.16.45 outside
icmp permit host SacramentoPix outside
icmp permit host 67.94.6.107 outside
icmp permit host 67.94.6.108 outside
icmp permit host 67.94.6.109 outside
icmp permit host 67.94.6.110 outside
icmp permit host 12.108.16.42 outside
icmp permit host 10.0.9.254 inside
icmp permit host 12.108.16.45 inside
icmp permit 10.0.9.0 255.255.255.0 inside
icmp permit any inside
icmp permit host 12.108.16.42 inside
mtu outside 1500
mtu inside 1500
ip address outside 12.108.16.42 255.255.255.248
ip address inside 10.0.9.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 10.0.9.246 255.255.255.255 inside
pdm location 10.0.9.252 255.255.255.255 inside
pdm location 10.0.9.253 255.255.255.255 inside
pdm location 10.0.9.254 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 12.108.16.45 10.0.9.254 netmask 255.255.255.255 0 0
static (inside,outside) 12.108.16.43 10.0.9.225 netmask 255.255.255.255 0 0
static (inside,outside) 12.108.16.44 10.0.9.201 netmask 255.255.255.255 0 0
access-group firewall in interface outside
route outside 0.0.0.0 0.0.0.0 12.108.16.41 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.0.9.0 255.255.255.0 inside
http 10.0.9.254 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 10.0.9.0 255.255.255.0 inside
telnet SacramentoPix 255.255.255.255 inside
telnet 67.94.6.107 255.255.255.255 inside
telnet timeout 60
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 0
dhcpd address 10.0.9.50-10.0.9.125 inside
dhcpd dns 12.12.17.83 12.12.16.83
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain grinc.com
dhcpd auto_config outside
dhcpd enable inside
terminal width 80

List of OK IPs:
Sacramento Office IPs:
67.94.6.106
67.94.6.107
67.94.6.108
67.94.6.109
67.94.6.110

Santa Rosa IP:
12.121.2.21

Personal (home) static IP:
67.160.23.68


Question by: ShortChop

5 Comments

Expert Comment by: giltjr
ID: 19672516
Easiest would be to create a network object group like:

object-group network goodhosts
   network-object host 67.94.6.106
   network-object host 67.94.6.107
   network-object host 67.94.6.108

and so on for each host you want to allow inbound access to your servers.  Then add the access lists like:

access-list firewall extended permit tcp object-group goodhosts gt 1023 "ftpserver address" eq 21
access-list firewall extended permit tcp object-group goodhosts gt 1023 "webserver address" eq 80
Author Comment by: ShortChop
ID: 19700158
Giltjr,
object-group network goodhosts
  network-object host 67.94.6.106
  network-object host 67.94.6.107
  network-object host 67.94.6.108
  network-object host 67.94.6.109
  network-object host 67.94.6.110
  network-object host 12.121.2.21
  network-object host 67.160.23.68

The first part was no problem, but now I get:
Pix(config)# access-list firewall extended permit tcp object-group goodhosts gt 1023 10.0.9.201 eq 21
ERROR:<extended> not a valid permission
Usage:  [no] access-list compiled
[no] access-list deny-flow-max <n>
[no] access-list alert-interval <secs>
[no] access-list <id> compiled
[no] access-list <id> [line <line-num>] remark <text>
[no] access-list <id> [line <line-num>] deny|permit
        <protocol>|object-group <protocol_obj_grp_id>
        <sip> <smask> | interface <if_name> | object-group <network_obj_grp_id>
        [<operator> <port> [<port>] | object-group <service_obj_grp_id>]
        <dip> <dmask> | interface <if_name> | object-group <network_obj_grp_id>
        [<operator> <port> [<port>] | object-group <service_obj_grp_id>]
        [log [disable|default] | [<level>] [interval <secs>]]
[no] access-list <id> [line <line-num>] deny|permit icmp
        <sip> <smask> | interface <if_name> | object-group <network_obj_grp_id>
        <dip> <dmask> | interface <if_name> | object-group <network_obj_grp_id>
        [<icmp_type> | object-group <icmp_type_obj_grp_id>]
        [log [disable|default] | [<level>] [interval <secs>]]
Restricted ACLs for route-map use:
[no] access-list <id> deny|permit {any | <prefix> <mask> | host <address>}

So I tried:
access-list firewall_extended permit tcp object-group goodhosts gt 1023 10.0.9.201 eq 21
and got:
ERROR: invalid IP address eq
Usage:  [no] access-list compiled
[no] access-list deny-flow-max <n>
[no] access-list alert-interval <secs>
[no] access-list <id> compiled
[no] access-list <id> [line <line-num>] remark <text>
[no] access-list <id> [line <line-num>] deny|permit
        <protocol>|object-group <protocol_obj_grp_id>
        <sip> <smask> | interface <if_name> | object-group <network_obj_grp_id>
        [<operator> <port> [<port>] | object-group <service_obj_grp_id>]
        <dip> <dmask> | interface <if_name> | object-group <network_obj_grp_id>
        [<operator> <port> [<port>] | object-group <service_obj_grp_id>]
        [log [disable|default] | [<level>] [interval <secs>]]
[no] access-list <id> [line <line-num>] deny|permit icmp
        <sip> <smask> | interface <if_name> | object-group <network_obj_grp_id>
        <dip> <dmask> | interface <if_name> | object-group <network_obj_grp_id>
        [<icmp_type> | object-group <icmp_type_obj_grp_id>]
        [log [disable|default] | [<level>] [interval <secs>]]
Restricted ACLs for route-map use:
[no] access-list <id> deny|permit {any | <prefix> <mask> | host <address>}
Expert Comment by: giltjr
ID: 19700514
Try removing the word extended.

access-list firewall permit tcp object-group goodhosts gt 1023 "ftpserver address" eq 21
access-list firewall permit tcp object-group goodhosts gt 1023 "webserver address" eq 80
Author Comment by: ShortChop
ID: 19700718
giltjr,
After removing "extended" I got:
ERROR: invalid IP address eq

so in between the IP and "eq" I put a subnet mask (255.255.255.255), and it looks like it worked.

Is the .255 mask "ignore" or "exact match"? Should it have been 0.0.0.0?
Entered As:
access-list firewall permit tcp object-group goodhosts gt 1023 10.0.9.201 255.255.255.255 eq 21
access-list firewall permit tcp object-group goodhosts gt 1023 10.0.9.201 255.255.255.255 eq 80

The sh ru:
access-list firewall permit tcp object-group goodhosts gt 1023 host 10.0.9.201 eq ftp
access-list firewall permit tcp object-group goodhosts gt 1023 host 10.0.9.201 eq www
pager lines 24
Accepted Solution by: giltjr
ID: 19700925
I thought that "extended" was valid under 6.3 (I am running 7.x), but checking the documentation, it is not valid. That is why it did not work.

The mask 255.255.255.255 is correct; that is saying you want an exact match. Using "10.0.9.201 255.255.255.255" is the same as:

access-list firewall permit tcp object-group goodhosts gt 1023 host 10.0.9.201 eq 21
access-list firewall permit tcp object-group goodhosts gt 1023 host 10.0.9.201 eq 80

Which as you see is what ends up being used.

This is what happens when you try to do this from memory (and a bad one at that). :)
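Editor's added example, not code from the thread or from giltjr, to check what the finished access-list actually does before trusting it. It covers both giltjr's object-group suggestion above and the entries that ended up in the accepted solution. Two things the thread never spells out matter here. First, a PIX access-list is evaluated top to bottom and the first matching entry wins, so appending the goodhosts entries blocks nobody while the original `access-list firewall permit tcp any host 12.108.16.44 eq www` and `eq ftp` entries (and the `udp ... eq www` one) from the posted config are still in the list; they have to be taken out with `no access-list firewall permit tcp any host 12.108.16.44 eq www` and the matching `no` commands for the other two. Second, on PIX 6.3 an access-list applied to the outside interface is matched against the translated (global) address from the `static` command, so inbound traffic for the server arrives with destination 12.108.16.44, and the entries that appear in the `sh run` with `host 10.0.9.201` never match it; the permit lines need `host 12.108.16.44`, exactly as the pre-existing entries already did. The script models both rules (first match, implicit deny, translated destination) over object-group and access-list lines in the syntax pasted above. The stranger address 198.51.100.7 and the source port 51000 are constructed test inputs, the config fragments are rebuilt from the lines on this page, and PORT_NAMES covers only the keywords the page uses.

```python
"""PIX 6.3 style access-list evaluator: first match wins, unmatched traffic is
denied, and the outside ACL sees the translated (global) destination address.
Added example; not code from the thread."""
import ipaddress
from collections import namedtuple

PORT_NAMES = {"www": 80, "ftp": 21}          # only the keywords used on this page
Ace = namedtuple("Ace", "action proto src sport dst dport text")
_port = lambda t: PORT_NAMES.get(t) or int(t)

def parse_groups(lines):
    """Collect 'object-group network' members into {name: [networks]}."""
    groups, current = {}, None
    for tok in (line.split() for line in lines):
        if tok[:2] == ["object-group", "network"]:
            current = tok[2]
            groups[current] = []
        elif tok[:1] == ["network-object"] and current is not None:
            net = tok[2] + "/32" if tok[1] == "host" else f"{tok[1]}/{tok[2]}"
            groups[current].append(ipaddress.ip_network(net, strict=False))
        elif tok:
            current = None  # any other command ends the group definition
    return groups

def _addr(tok, i, groups):
    """Consume one address spec: any | host A | A MASK | object-group NAME."""
    if tok[i] == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], i + 1
    if tok[i] == "host":
        return [ipaddress.ip_network(tok[i + 1] + "/32")], i + 2
    if tok[i] == "object-group":
        return groups[tok[i + 1]], i + 2
    return [ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False)], i + 2

def _ports(tok, i):
    """Consume an optional eq/gt/lt operator; return a predicate on the port."""
    if i >= len(tok) or tok[i] not in ("eq", "gt", "lt"):
        return (lambda p: True), i
    op, n = tok[i], _port(tok[i + 1])
    return {"eq": lambda p: p == n, "gt": lambda p: p > n, "lt": lambda p: p < n}[op], i + 2

def parse_acl(lines, acl_id, groups):
    """Parse 'access-list <id> permit|deny <proto> <src> [op port] <dst> [op port]'."""
    aces = []
    for raw in lines:
        tok = raw.split()
        if len(tok) < 6 or tok[:2] != ["access-list", acl_id] or tok[2] not in ("permit", "deny"):
            continue
        src, i = _addr(tok, 4, groups)
        sport, i = _ports(tok, i)
        dst, i = _addr(tok, i, groups)
        dport, i = _ports(tok, i)
        aces.append(Ace(tok[2], tok[3], src, sport, dst, dport, raw.strip()))
    return aces

def evaluate(aces, proto, src_ip, sport, dst_ip, dport):
    """Return (action, matching entry) for one flow; no match is an implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for a in aces:
        if (a.proto in (proto, "ip") and any(s in n for n in a.src) and a.sport(sport)
                and any(d in n for n in a.dst) and a.dport(dport)):
            return a.action, a.text
    return "deny", "<implicit deny at end of access-list>"

# Config fragments constructed from the thread: the group, the existing ACL, the new lines.
GOODHOSTS = ["67.94.6.106", "67.94.6.107", "67.94.6.108", "67.94.6.109",
             "67.94.6.110", "12.121.2.21", "67.160.23.68"]
GROUP = "object-group network goodhosts\n" + "".join(f"  network-object host {h}\n" for h in GOODHOSTS)
OTHER = ("access-list firewall deny tcp any any eq 6969\n"
         "access-list firewall permit tcp any host 12.108.16.45 eq 3389\n")
OLD_ANY = ("access-list firewall permit tcp any host 12.108.16.44 eq www\n"
           "access-list firewall permit tcp any host 12.108.16.44 eq ftp\n")
AS_ENTERED = (  # as shown in the accepted solution's 'sh run': the inside address
    "access-list firewall permit tcp object-group goodhosts gt 1023 host 10.0.9.201 eq ftp\n"
    "access-list firewall permit tcp object-group goodhosts gt 1023 host 10.0.9.201 eq www\n")
CORRECTED = (  # global address from 'static (inside,outside) 12.108.16.44 10.0.9.201'
    "access-list firewall permit tcp object-group goodhosts host 12.108.16.44 eq ftp\n"
    "access-list firewall permit tcp object-group goodhosts host 12.108.16.44 eq www\n")
VARIANTS = {
    "posted": GROUP + OTHER + OLD_ANY + AS_ENTERED,   # old 'any' lines still present
    "no_any_inside_addr": GROUP + OTHER + AS_ENTERED,  # 'any' lines removed, 10.0.9.201 kept
    "no_any_global_addr": GROUP + OTHER + CORRECTED,   # 'any' lines removed, 12.108.16.44 used
}

def verdicts(config_text):
    """(stranger -> www, Sacramento office -> ftp) decisions for one ACL variant.
    198.51.100.7 is a constructed non-whitelisted source; dst is the global address."""
    lines = config_text.splitlines()
    aces = parse_acl(lines, "firewall", parse_groups(lines))
    stranger = evaluate(aces, "tcp", "198.51.100.7", 51000, "12.108.16.44", 80)[0]
    office = evaluate(aces, "tcp", "67.94.6.107", 51000, "12.108.16.44", 21)[0]
    return stranger, office

if __name__ == "__main__":
    for name, cfg in VARIANTS.items():
        print(f"{name:20} stranger->www={verdicts(cfg)[0]:7} office->ftp={verdicts(cfg)[1]}")
```

Run it and the three variants come out permit/permit, deny/deny and deny/permit: only the last one keeps the two offices and the home address in and the rest of the Internet out. New entries on a PIX 6.3 access-list go at the end unless `line <n>` is given, so the order shown by `show running-config` is the order that counts. While in there, note that the posted config also has `ssh 0.0.0.0 0.0.0.0 outside`, which lets any Internet host attempt SSH logins to the firewall itself; restricting that to the same office addresses is the same kind of change.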