Solved

I added NTP access rule (inside to outside) and cut-off internet access

Posted on 2009-05-16
Last Modified: 2012-05-07
Here is the relevant code from my running config:

I'm also curious about the "nat (inside) 0 access-list inside_nat0_outbound" statement's effect, since it wasn't mentioned above.

access-list inside_nat0_outbound extended permit ip any 192.168.1.64 255.255.255.192
access-list Split-Tunnel standard permit 192.168.1.0 255.255.255.0
access-list VPN_Split-Tunnel extended permit ip 192.168.1.0 255.255.255.0 192.168.1.64 255.255.255.192
access-list inside_access_out extended permit udp any any eq ntp

global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) x.x.x.x netmask 255.255.255.255
access-group inside_access_out out interface inside
access-group outside_in in interface outside
Thank you for your time and expertise!

Dave
Question by:snchelpdesk
3 Comments
 
LVL 19

Expert Comment

by:nodisco
ID: 24404955
hey Dave

The problem is that when you added your access-list, it's the first one you have applied to the inside interface. Access-lists work by allowing/denying all traffic you stipulate, and then they have an intrinsic deny all at the end. So essentially what you have told the PIX to do is: allow all udp traffic out for the ntp protocol and block everything else!
To fix your internet access, just remove the application of this access-list by typing
conf t
no access-group inside_access_out out interface inside

As inside to outside traffic does not *need* (see below) an access-list per se, you don't need to allow ntp for inside to outside, but I don't know why you would be allowing ntp from inside to out anyway.
Can you advise what you are trying to achieve here?

Re your nat0 access-list I am guessing you had a site to site VPN that this is setup for as you are allowing any to a private ip range?

*******Inside to outside traffic is allowed by default as inside is a more secure interface than outside.  Unless you want to add an inside access-list to deny certain traffic out (or only allow certain protocols out) you don't *need* an access-list here.

cheers

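To make nodisco's point about the implicit deny concrete, here is a small added example (not from this thread and not Cisco's code) that evaluates PIX-style extended access-list entries the way an interface ACL does: the first matching entry decides, and any flow that matches nothing falls through to the implicit deny at the end. It parses the access-list lines posted in the question, runs a few constructed sample flows through inside_access_out, and then runs the same flows through an assumed amended list that ends with "permit ip any any". The PORT_NAMES mapping, the sample addresses (RFC 5737 range on the outside) and the amended list are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Subset of the service keywords accepted after "eq" (assumed mapping for this example)
PORT_NAMES = {"ntp": 123, "domain": 53, "www": 80, "https": 443}


@dataclass
class AclEntry:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" matches any protocol; otherwise "udp", "tcp", ...
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]          # None means any destination port


def _parse_addr(tokens: List[str], i: int):
    """Consume one PIX-style address spec at tokens[i]; return (network, next index)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # "<address> <netmask>" form, e.g. "192.168.1.64 255.255.255.192"
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(config_lines: List[str], name: str) -> List[AclEntry]:
    """Collect the extended entries of one named access-list, in config order."""
    entries = []
    for line in config_lines:
        tokens = line.split()
        if len(tokens) < 7 or tokens[:2] != ["access-list", name] or tokens[2] != "extended":
            continue  # other lists, standard ACLs, or unrelated config lines
        action, proto = tokens[3], tokens[4]
        src, i = _parse_addr(tokens, 5)
        dst, i = _parse_addr(tokens, i)
        dport = None
        if i < len(tokens) and tokens[i] == "eq":
            port = tokens[i + 1]
            dport = PORT_NAMES[port] if port in PORT_NAMES else int(port)
        entries.append(AclEntry(action, proto, src, dst, dport))
    return entries


def evaluate(entries: List[AclEntry], proto: str, src_ip: str, dst_ip: str,
             dport: Optional[int] = None) -> str:
    """First matching entry decides; nothing matching means the implicit deny applies."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for e in entries:
        if e.proto != "ip" and e.proto != proto:
            continue
        if src not in e.src or dst not in e.dst:
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e.action
    return "deny (implicit)"


# The access-list lines exactly as posted in the question above
POSTED_CONFIG = [
    "access-list inside_nat0_outbound extended permit ip any 192.168.1.64 255.255.255.192",
    "access-list Split-Tunnel standard permit 192.168.1.0 255.255.255.0",
    "access-list VPN_Split-Tunnel extended permit ip 192.168.1.0 255.255.255.0 192.168.1.64 255.255.255.192",
    "access-list inside_access_out extended permit udp any any eq ntp",
]

# Assumed amendment: keep the NTP line but close the list with an explicit permit ip any any,
# which restores the "everything else out" behaviour the inside interface had with no ACL.
AMENDED_CONFIG = POSTED_CONFIG + [
    "access-list inside_access_out extended permit ip any any",
]

# Constructed sample flows from an inside host towards the outside
SAMPLE_FLOWS = [
    ("udp", "192.168.1.10", "203.0.113.5", 123),   # NTP
    ("udp", "192.168.1.10", "203.0.113.5", 53),    # DNS
    ("tcp", "192.168.1.10", "203.0.113.5", 80),    # HTTP
]


def decisions(config_lines: List[str]) -> dict:
    """Map each sample flow ("proto/port") to the decision of inside_access_out."""
    acl = parse_acl(config_lines, "inside_access_out")
    return {f"{proto}/{port}": evaluate(acl, proto, s, d, port) for proto, s, d, port in SAMPLE_FLOWS}


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_CONFIG), ("amended", AMENDED_CONFIG)):
        print(label, decisions(cfg))
```

With the posted list only the NTP flow is permitted and DNS and HTTP fall to the implicit deny, which is exactly the lost internet access described in the question; with the amended list all three flows are permitted. The same parser can be pointed at inside_nat0_outbound, but that list is only consulted by the nat 0 statement to decide which traffic bypasses translation, not applied to an interface as a filter.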
 

Author Comment

by:snchelpdesk
ID: 24405899
Thank you for your explanation - I didn't realize the ACLs worked like a funnel - the problem is that on the GUI the default implicit "allow any less secure" is replaced by the explicit "allow port 123".

What I originally attempted to do was allow access from my MS DC to an external time source.  We were getting the infamous "no data available" message and one of the resolutions was to allow TCP & UDP traffic through port 123.  Referring to suggestion:  " forward port 123 (SNTP) to your domain controllers IP, both TCP and UDP on your firewall"

Seems like I should setup a rule on the outside interface to allow outgoing requests and incoming data...  

Thanks again for sharing your expertise - Dave
 
LVL 19

Accepted Solution

by: nodisco (earned 1500 total points)
ID: 24407781
No worries mate
<<Seems like I should setup a rule on the outside interface to allow outgoing requests and incoming data...  

If you want to allow in external ntp - all you need to do is allow it in from the outside - outgoing will work already when you don't have the access-list on the inside.  

cheers
