  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 517

How Do I add an Access list to my PIX firewalls

I need to add an access list and have been given the following information:

UDP    xxx.xx.xxx.xx:50 and 4500
           xxx.xx.xxx.xx Protocol ESP

remote_client_address:any   <----> xxx.xx.xxx.xx:500 and 4500

IPsec traffic
ESP/IP (Protocol 50)
remote_client_address <---> xxx.xx.xxx.xx

I understand the difference between ports and protocols.

I have an internal PIX 506e and an external PIX 501.
Asked by: ecoder007

1 Solution

stsonline commented:
Here are examples; modify them for your specific setup and they should work:

Allows UDP ports 500 and 4500 on the outside interface, assuming an ACL named 'outside_acl':
access-list outside_acl permit udp host 10.1.2.3 host 204.146.219.1 eq 500
access-list outside_acl permit udp host 10.1.2.3 host 204.146.219.1 eq 4500

Allow the ESP protocol, same as above:
access-list outside_acl permit esp host 10.1.2.3 host 204.146.219.1
ecoder007 (Author) commented:

Thanks stsonline. Do I do all of this on my external PIX?

maudib031397 commented:
Also of interest: there is an explicit deny at the end of the ACL.

Rules for the outside interface only deal with incoming traffic. These rules will need to be modified and included in "inside_acl" for inside-to-outside traffic if needed.
Just my 2c.

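As an added example (not part of the original thread), here is how stsonline's three permit lines and maudib031397's points about direction and the deny at the end of the list fit together on the external PIX, in PIX 6.x syntax. The public address of the VPN endpoint (203.0.113.10), the ACL names outside_acl and inside_acl, and the interface names outside and inside are assumptions; the lines starting with ':' are comments for the reader. It also assumes the external PIX does not translate the VPN endpoint; on PIX 6.x an inbound ACL must name the translated (global) address if a static is in use.

```cisco
: Added example, not from the original thread. PIX 6.x syntax.
: Assumptions: VPN endpoint public address 203.0.113.10, ACL names
: outside_acl / inside_acl, interface names outside / inside, no NAT
: applied to the VPN endpoint by this PIX.

: IKE (UDP 500) and NAT-T (UDP 4500) from any remote client to the endpoint.
: "any" is the source because the question gives remote_client_address as any.
access-list outside_acl permit udp any host 203.0.113.10 eq 500
access-list outside_acl permit udp any host 203.0.113.10 eq 4500
: ESP is IP protocol 50, not a port, so there is no "eq" keyword here.
access-list outside_acl permit esp any host 203.0.113.10
: Optional: the list already ends in an implicit deny; writing it out only
: makes the deny visible in the configuration.
access-list outside_acl deny ip any any

: Bind the list to the outside interface. On PIX 6.x an access-group
: filters traffic arriving inbound on the named interface only.
access-group outside_acl in interface outside

: Because the inside list here also ends in "deny ip any any", the
: endpoint's outbound IKE, NAT-T and ESP must be permitted on it as well.
access-list inside_acl permit udp host 203.0.113.10 any eq 500
access-list inside_acl permit udp host 203.0.113.10 any eq 4500
access-list inside_acl permit esp host 203.0.113.10 any
access-list inside_acl deny ip any any
access-group inside_acl in interface inside
```

Applied this way, the permits answer option B of the question below: they are entered on the external PIX and bound inbound on its outside interface. The inside_acl lines are only needed because that list ends in an explicit deny; with no inside ACL at all, the PIX allows inside-to-outside traffic by default. Whether the same pair of lists has to be repeated on the internal PIX 506e depends on whether the VPN endpoint sits behind it, which the question does not say.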
ecoder007 (Author) commented:
When you say:

Allow ESP protocol, same as above
access-list outside_acl permit esp host 10.1.2.3 host 204.146.219.1

Do I need to then add this?

access-list outside_acl permit udp host 10.1.2.3 host 204.146.219.1 eq 500
access-list outside_acl permit udp host 10.1.2.3 host 204.146.219.1 eq 4500
access-list outside_acl permit esp host 10.1.2.3 host 204.146.219.1

Sorry for my misunderstanding.

ecoder007 (Author) commented:
My ACLs have explicit denies:

access-list acl-outside deny ip any any
access-list acl-inside deny ip any any

ecoder007 (Author) commented:

Where do I apply the lines below?

Allows UDP ports 500 and 4500 on the outside interface, assuming an ACL named 'outside_acl':
access-list outside_acl permit udp host 10.1.2.3 host 204.146.219.1 eq 500
access-list outside_acl permit udp host 10.1.2.3 host 204.146.219.1 eq 4500

Allow the ESP protocol, same as above:
access-list outside_acl permit esp host 10.1.2.3 host 204.146.219.1

A) on my external PIX - inside interface
B) on my external PIX - outside interface
C) on my internal PIX - inside interface
D) on my internal PIX - outside interface

maudib031397 commented:
I am sorry, you are right, those are explicit denies.
Without adding any lines to deny traffic, these access-lists also have "implicit" denies, which means you can't actually see them, but they are there at the end of the ACL.
The Cisco standard is an implicit deny at the end of an ACL unless it's a route map.
