
Applying Access Lists to PIX

colmbowler asked
Last Modified: 2012-05-05
Have I applied these access-lists correctly? It is on a PIX firewall so I need them to be correct. Is it secure?


object-group protocol DM_INLINE_PROTOCOL_2
 protocol-object icmp
 protocol-object pim
 protocol-object pcp
 protocol-object snp
 protocol-object udp
 protocol-object igmp
 protocol-object ipinip
 protocol-object gre
 protocol-object esp
 protocol-object ah
 protocol-object icmp6
 protocol-object tcp
 protocol-object eigrp
 protocol-object ospf
 protocol-object igrp
 protocol-object nos
object-group network DM_INLINE_NETWORK_3
 network-object host AS
 network-object host x.x.x.x
object-group service DM_INLINE_SERVICE_1
 service-object ip
 service-object esp
 service-object udp eq isakmp
 service-object tcp eq 10000
 service-object udp eq 4500
object-group service DM_INLINE_SERVICE_2
 service-object esp
 service-object udp eq 4500
 service-object udp eq isakmp
 service-object tcp eq 10000
object-group network DM_INLINE_NETWORK_1
 network-object host SG
 network-object host AS
 network-object host x.x.x.x
object-group network DM_INLINE_NETWORK_2
 network-object host AS
 network-object host x.x.x.x
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object ip
 protocol-object udp
 protocol-object tcp
access-list SGX-access extended permit ip x.x.0.0 255.255.0.0 host SG
access-list SGX-access extended permit tcp any host AS inactive
access-list outside_access_in_1 extended deny object-group DM_INLINE_PROTOCOL_2 any any log alerts
access-list outside_access_in_1 remark AS
access-list outside_access_in_1 extended permit object-group DM_INLINE_SERVICE_2 object-group DM_INLINE_NETWORK_2 x.x.0.0 255.255.0.0
access-list inside_access_in_1 extended permit object-group DM_INLINE_SERVICE_1 x.x.0.0 255.255.0.0 object-group DM_INLINE_NETWORK_3 log alerts
access-list inside_nat0_outbound extended permit object-group DM_INLINE_PROTOCOL_1 x.x.0.0 255.255.0.0 object-group DM_INLINE_NETWORK_1
pager lines 24
logging enable
logging timestamp
logging asdm informational
logging debug-trace
mtu outside 1500
mtu inside 1500
ip verify reverse-path interface outside
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp deny any outside
asdm image flash:/asdm-602.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 101 interface
nat (inside) 101 x.x.0.0 255.255.0.0
access-group outside_access_in_1 in interface outside
access-group inside_access_in_1 in interface inside


Les Moore, Systems Architect (Certified Expert, Top Expert 2008)

Commented:
Are they correct? No
Are you secure? Yes - because nobody is going to talk to anybody.
I say that because your first line is a deny of the protocol group where TCP/UDP are both included. That means that you are not letting anyone or anything in.
Remember the rules of ACLs.
1. Each line is evaluated from top down until first match - not best match - every time.
2. There is always an implied deny all at the end of every ACL.
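The two rules above are easy to state and easy to get wrong in a long object-group-based ACL, so here is an added example (not from the original post or from Cisco) that simulates PIX/ASA first-match evaluation over a cut-down copy of the configs in this thread. The config text is constructed: x.x.0.0 is replaced by 10.1.0.0/16, the remote host by 203.0.113.10, and the grammar is limited to the forms actually used on this page (protocol, network and service object-groups; `any`, `host`, network/mask and `object-group` addresses; `inactive` lines; `remark` lines). Port names are resolved through a small assumed table, and `ip` is treated as a wildcard protocol.

```python
"""Simulate PIX/ASA ACL evaluation: top-down, first match wins, implicit deny at the end."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Assumed port-name table; the real firewall knows many more names.
PORT_NAMES = {"isakmp": 500, "ssh": 22, "www": 80}


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp", "udp", "esp", "icmp", ...
    src: str
    dst: str
    dport: int = 0  # destination port, only meaningful for tcp/udp


# Constructed config in the shape of the question's two versions of the outside ACL.
CONFIG = """
object-group protocol DM_INLINE_PROTOCOL_2
 protocol-object icmp
 protocol-object udp
 protocol-object tcp
 protocol-object esp
object-group network DM_INLINE_NETWORK_2
 network-object host 203.0.113.10
object-group service DM_INLINE_SERVICE_2
 service-object esp
 service-object udp eq 4500
 service-object udp eq isakmp
 service-object tcp eq 10000
access-list outside_access_in_1 extended deny object-group DM_INLINE_PROTOCOL_2 any any log alerts
access-list outside_access_in_1 remark AS
access-list outside_access_in_1 extended permit object-group DM_INLINE_SERVICE_2 object-group DM_INLINE_NETWORK_2 10.1.0.0 255.255.0.0
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 object-group DM_INLINE_NETWORK_2 10.1.0.0 255.255.0.0
access-list outside_access_in extended permit tcp any host 10.1.0.5 inactive
"""


def port_number(name):
    return PORT_NAMES[name] if name in PORT_NAMES else int(name)


def parse_addr(tokens, groups):
    """Consume one address spec; return (list of networks, remaining tokens)."""
    head = tokens[0]
    if head == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], tokens[1:]
    if head == "host":
        return [ipaddress.ip_network(tokens[1] + "/32")], tokens[2:]
    if head == "object-group":
        return list(groups[tokens[1]]), tokens[2:]
    return [ipaddress.ip_network(f"{head}/{tokens[1]}")], tokens[2:]   # net + mask


def parse_proto(tokens, groups):
    """Consume a protocol or a protocol/service object-group; return ([(proto, port)], rest)."""
    if tokens[0] == "object-group":
        return list(groups[tokens[1]]), tokens[2:]
    return [(tokens[0], None)], tokens[1:]


def parse_config(text):
    groups, acls, current = {}, defaultdict(list), None
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "object-group":
            current = groups.setdefault(t[2], [])
        elif t[0] in ("protocol-object", "service-object"):
            port = port_number(t[3]) if len(t) > 3 and t[2] == "eq" else None
            current.append((t[1], port))
        elif t[0] == "network-object":
            current.extend(parse_addr(t[1:], groups)[0])
        elif t[0] == "access-list" and t[2] == "extended":
            if t[-1] == "inactive":
                continue                      # inactive ACEs are skipped entirely
            proto, rest = parse_proto(t[4:], groups)
            src, rest = parse_addr(rest, groups)
            dst, rest = parse_addr(rest, groups)   # trailing "log ..." is ignored
            acls[t[1]].append((t[3], proto, src, dst, raw.strip()))
    return groups, acls


def service_matches(entries, pkt):
    for proto, port in entries:
        if proto != "ip" and proto != pkt.proto:
            continue
        if port is not None and port != pkt.dport:
            continue
        return True
    return False


def evaluate(acl, pkt):
    """Walk the ACL top-down; the first matching ACE decides, otherwise implicit deny."""
    ip_src, ip_dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for action, proto, srcs, dsts, line in acl:
        if (service_matches(proto, pkt)
                and any(ip_src in n for n in srcs)
                and any(ip_dst in n for n in dsts)):
            return action, line
    return "deny", "<implicit deny at end of ACL>"


if __name__ == "__main__":
    _, acls = parse_config(CONFIG)
    vpn = Packet("udp", "203.0.113.10", "10.1.2.3", 4500)        # NAT-T from the VPN peer
    stranger = Packet("tcp", "198.51.100.7", "10.1.2.3", 10000)  # unrelated outside host
    for name in ("outside_access_in_1", "outside_access_in"):
        for pkt in (vpn, stranger):
            action, line = evaluate(acls[name], pkt)
            print(f"{name}: {pkt.proto}/{pkt.dport} {pkt.src} -> {pkt.dst}: {action}  [{line}]")
```

Running it shows the point of the comment above: in `outside_access_in_1` the VPN peer's UDP 4500 packet hits the leading `deny ... any any` before it ever reaches the permit, so the permit is dead code; in the revised `outside_access_in` the same packet is permitted, while the unrelated host falls off the end of the list and is dropped by the implicit deny even though no deny line was written.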

Author

Commented:
How about now?

object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object ip
 protocol-object udp
 protocol-object tcp
object-group network DM_INLINE_NETWORK_4
object-group network DM_INLINE_NETWORK_1
 network-object host S-Their-Host
 network-object host A-Their-Host
 network-object host Y.Y.Y.Y
object-group network DM_INLINE_NETWORK_2
 network-object X.X.X.X 255.255.0.0
 network-object host Z.Z.Z.Z
object-group network DM_INLINE_NETWORK_3
 network-object host A-Their-Host
 network-object host Y.Y.Y.Y
object-group service DM_INLINE_SERVICE_1
 service-object esp
 service-object tcp eq 10000
 service-object udp eq 4500
 service-object udp eq isakmp
access-list S-nat0 extended permit ip object-group DM_INLINE_NETWORK_2 host S-Their-Host
access-list S-access extended permit ip X.X.X.X 255.255.0.0 host S-Their-Host
access-list S-access extended permit ip Z.Z.Z.Z 255.255.255.0 host S-Their-Host
access-list S-access extended permit tcp any host A-Their-Host
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 object-group DM_INLINE_NETWORK_3 X.X.X.X 255.255.0.0
access-list inside_nat0_outbound extended permit object-group DM_INLINE_PROTOCOL_1 X.X.X.X 255.255.0.0 object-group DM_INLINE_NETWORK_1
access-list inside_access_in extended permit ip any any
Systems Architect (Certified Expert, Top Expert 2008)
Commented:
[solution locked]

Author

Commented:
I have made some inactive, see below. Will this work and be secure? What I am trying to do is allow an inside network to allow a Cisco VPN client on both Windows and Solaris boxes access to an outside network. The ports that need to be open are:
tcp 10000
udp 4500
esp
udp isakmp
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object ip
 protocol-object udp
 protocol-object tcp
object-group network DM_INLINE_NETWORK_4
object-group network DM_INLINE_NETWORK_1
 network-object host S-Their-Host
 network-object host A-Their-Host
 network-object host Y.Y.Y.Y
object-group network DM_INLINE_NETWORK_2
 network-object X.X.X.X 255.255.0.0
 network-object host Z.Z.Z.Z
object-group network DM_INLINE_NETWORK_3
 network-object host A-Their-Host
 network-object host Y.Y.Y.Y
object-group service DM_INLINE_SERVICE_1
 service-object esp
 service-object tcp eq 10000
 service-object udp eq 4500
 service-object udp eq isakmp
access-list S-nat0 extended permit ip object-group DM_INLINE_NETWORK_2 host S-Their-Host inactive
access-list S-access extended permit ip X.X.X.X 255.255.0.0 host S-Their-Host inactive
access-list S-access extended permit ip Z.Z.Z.Z 255.255.255.0 host S-Their-Host inactive
access-list S-access extended permit tcp any host A-Their-Host inactive
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 object-group DM_INLINE_NETWORK_3 X.X.X.X 255.255.0.0
access-list inside_nat0_outbound extended permit object-group DM_INLINE_PROTOCOL_1 X.X.X.X 255.255.0.0 object-group DM_INLINE_NETWORK_1
access-list inside_access_in extended permit ip any any inactive

The networks also need to be NAT'd.
