Solved

I added NTP access rule (inside to outside) and cut-off internet access

Posted on 2009-05-16
Last Modified: 2012-05-07
Here is the relevant code from my running config:

I'm also curious about the effect of the "nat (inside) 0 access-list inside_nat0_outbound" statement, since it wasn't mentioned above.

access-list inside_nat0_outbound extended permit ip any 192.168.1.64 255.255.255.192
access-list Split-Tunnel standard permit 192.168.1.0 255.255.255.0
access-list VPN_Split-Tunnel extended permit ip 192.168.1.0 255.255.255.0 192.168.1.64 255.255.255.192
access-list inside_access_out extended permit udp any any eq ntp

global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) x.x.x.x netmask 255.255.255.255
access-group inside_access_out out interface inside
access-group outside_in in interface outside


Thank you for your time and expertise!

Dave
Question by:snchelpdesk
3 Comments
 
LVL 19

Expert Comment

by:nodisco
ID: 24404955
hey Dave

The problem is that when you added your access-list, it's the first one you have applied to the inside interface.  Access-lists work by allowing/denying all traffic you stipulate and then they have an intrinsic deny all at the end.  So essentially what you have told the PIX to do is - allow all udp traffic out for the ntp protocol and block everything else!
To fix your internet access, just remove the application of this access-list by typing

conf t
no access-group inside_access_out out interface inside

As inside to outside traffic does not *need* (see below) an access-list per se, you don't need to allow ntp for inside to outside, but I don't know why you would be allowing ntp from inside to out anyway.
Can you advise what you are trying to achieve here?

Re your nat0 access-list I am guessing you had a site to site VPN that this is setup for as you are allowing any to a private ip range?

*******Inside to outside traffic is allowed by default as inside is a more secure interface than outside.  Unless you want to add an inside access-list to deny certain traffic out (or only allow certain protocols out) you don't *need* an access-list here.

cheers

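To show the first-match-plus-implicit-deny behaviour nodisco describes, here is a small Python model of PIX/ASA access-list evaluation (an added example, not code from the thread or from Cisco): it parses the extended access-list syntax used in Dave's config, returns the first matching entry's action, and falls through to the implicit deny. The access-list name inside_access_fixed, the host addresses and the evaluate() helper are constructed for the illustration.

```python
# Added example: model of PIX/ASA access-list evaluation (first match wins,
# implicit "deny ip any any" at the end). Parses only the syntax in the thread.
from ipaddress import ip_network, ip_address

PORT_NAMES = {"ntp": 123, "www": 80, "domain": 53}

def _addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D MASK'."""
    if tokens[0] == "any":
        return ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ip_network(tokens[1] + "/32"), tokens[2:]
    return ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]  # dotted mask

def parse_acl(text):
    """Return {acl_name: [(action, proto, src_net, dst_net, dport)]}."""
    acls = {}
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[0] != "access-list" or tok[2] != "extended":
            continue  # skip 'standard' lists (split-tunnel matching only)
        name, action, proto = tok[1], tok[3], tok[4]
        src, rest = _addr(tok[5:])
        dst, rest = _addr(rest)
        port = None
        if rest[:1] == ["eq"]:
            port = PORT_NAMES.get(rest[1]) or int(rest[1])
        acls.setdefault(name, []).append((action, proto, src, dst, port))
    return acls

def evaluate(acl, proto, src, dst, dport):
    """acl=None models 'no access-group' (higher-to-lower security: permit)."""
    if acl is None:
        return "permit"
    for action, p, s, d, port in acl:
        if p != "ip" and p != proto:
            continue
        if ip_address(src) not in s or ip_address(dst) not in d:
            continue
        if port is not None and port != dport:
            continue
        return action          # first matching entry decides
    return "deny"              # the implicit deny nodisco refers to

# Constructed config: Dave's list, plus a variant with an explicit permit-all.
CONFIG = """
access-list inside_access_out extended permit udp any any eq ntp
access-list inside_access_fixed extended permit udp any any eq ntp
access-list inside_access_fixed extended permit ip any any
"""

def demo(src="192.168.1.10", dst="203.0.113.5"):
    acls = parse_acl(CONFIG)
    broken, fixed = acls["inside_access_out"], acls["inside_access_fixed"]
    return {
        "ntp_broken": evaluate(broken, "udp", src, dst, 123),   # permit
        "http_broken": evaluate(broken, "tcp", src, dst, 80),   # deny
        "http_fixed": evaluate(fixed, "tcp", src, dst, 80),     # permit
        "http_no_acl": evaluate(None, "tcp", src, dst, 80),     # permit
    }
```

Running demo() shows why web traffic died: only the NTP entry matches, everything else hits the implicit deny, whereas either removing the access-group or appending "permit ip any any" lets it through.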
Author Comment

by:snchelpdesk
ID: 24405899
Thank you for your explanation - I didn't realize the ACLs worked like a funnel - the problem is on the GUI the default implicit "allow any less secure" is replaced by the explicit "allow port 123".

What I originally attempted to do was allow access from my MS DC to an external time source.  We were getting the infamous "no data available" message and one of the resolutions was to allow TCP & UDP traffic through port 123.  Referring to suggestion:  " forward port 123 (SNTP) to your domain controllers IP, both TCP and UDP on your firewall"

Seems like I should setup a rule on the outside interface to allow outgoing requests and incoming data...  

Thanks again for sharing your expertise - Dave
LVL 19

Accepted Solution

by:
nodisco earned 500 total points
ID: 24407781
No worries mate
<<Seems like I should setup a rule on the outside interface to allow outgoing requests and incoming data...  

If you want to allow in external ntp - all you need to do is allow it in from the outside - outgoing will work already when you don't have the access-list on the inside.  

cheers