Solved

I added NTP access rule (inside to outside) and cut-off internet access

Posted on 2009-05-16
257 Views
Last Modified: 2012-05-07
Here is the relevant code from my running config:

I'm also curious about the "nat (inside) 0 access-list inside_nat0_outbound" statement's effect, since it wasn't mentioned above.

! nat 0 exemption list: inside traffic to 192.168.1.64/26 bypasses PAT
access-list inside_nat0_outbound extended permit ip any 192.168.1.64 255.255.255.192
! split-tunnel lists for the VPN
access-list Split-Tunnel standard permit 192.168.1.0 255.255.255.0
access-list VPN_Split-Tunnel extended permit ip 192.168.1.0 255.255.255.0 192.168.1.64 255.255.255.192
! the newly added rule: only NTP (udp/123) is permitted outbound
access-list inside_access_out extended permit udp any any eq ntp

! PAT all other inside traffic to the outside interface address
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) x.x.x.x netmask 255.255.255.255
! the new ACL applied to the inside interface (outbound direction)
access-group inside_access_out out interface inside
access-group outside_in in interface outside


Thank you for your time and expertise!

Dave
Question by:snchelpdesk
3 Comments
LVL 19

Expert Comment

by:nodisco
hey Dave

The problem is that when you added your access-list, it's the first one you have applied to the inside interface. Access-lists work by allowing/denying all traffic you stipulate and then they have an intrinsic deny all at the end. So essentially what you have told the PIX to do is - allow all udp traffic out for ntp protocol and block everything else!
To fix your internet access, just remove the application of this access-list by typing
conf t
no access-group inside_access_out out interface inside

As inside to outside traffic does not *need* (see below) an access-list per se, you don't need to allow ntp for inside to outside, but I don't know why you would be allowing ntp from inside to out anyway.
Can you advise what you are trying to achieve here?

Re your nat0 access-list I am guessing you had a site to site VPN that this is setup for as you are allowing any to a private ip range?

*******Inside to outside traffic is allowed by default as inside is a more secure interface than outside.  Unless you want to add an inside access-list to deny certain traffic out (or only allow certain protocols out) you don't *need* an access-list here.

cheers


Author Comment

by:snchelpdesk
Thank you for your explanation - I didn't realize the ACLs worked like a funnel - the problem is on the GUI the default implicit "allow any less secure" is replaced by the explicit "allow port 123".

What I originally attempted to do was allow access from my MS DC to an external time source. We were getting the infamous "no data available" message and one of the resolutions was to allow TCP & UDP traffic through port 123. Referring to suggestion: "forward port 123 (SNTP) to your domain controller's IP, both TCP and UDP on your firewall"

Seems like I should setup a rule on the outside interface to allow outgoing requests and incoming data...  

Thanks again for sharing your expertise - Dave
LVL 19

Accepted Solution

by:
nodisco earned 500 total points
No worries mate
<<Seems like I should setup a rule on the outside interface to allow outgoing requests and incoming data...  

If you want to allow in external ntp - all you need to do is allow it in from the outside - outgoing will work already when you don't have the access-list on the inside.  

cheers
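To make nodisco's point concrete, here is an added example (not from the thread or from Cisco) that models how an interface ACL is evaluated: first match wins, and once an access-group is applied the implicit deny at the end catches everything the list does not permit. It runs Dave's single-line ACL against constructed NTP and web traffic, and compares it with no ACL at all and with a version that adds an explicit "permit ip any any"; the port-name table and the sample addresses are assumptions.

```python
import ipaddress
from typing import List, Optional

# Constructed model of the PIX/ASA behaviour nodisco describes (not vendor code): once an
# access-group is applied, only explicit permits pass and the implicit "deny any" drops the rest.
PORT_NAMES = {"ntp": 123, "www": 80, "domain": 53}  # assumed name-to-port table

def _match_addr(token: str, mask: Optional[str], ip: str) -> bool:
    if token == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(f"{token}/{mask}", strict=False)

def parse_ace(line: str) -> dict:
    """Parse 'access-list NAME extended permit|deny PROTO SRC [MASK] DST [MASK] [eq PORT]'."""
    t = line.split()
    ace = {"name": t[1], "action": t[3], "proto": t[4], "port": None}
    i = 5
    for side in ("src", "dst"):  # 'any' is one token, a host/network is addr + mask
        if t[i] == "any":
            ace[side], i = ("any", None), i + 1
        else:
            ace[side], i = (t[i], t[i + 1]), i + 2
    if i < len(t) and t[i] == "eq":
        ace["port"] = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
    return ace

def evaluate(acl_lines: List[str], proto: str, src: str, dst: str, dport: int) -> str:
    """'permit' or 'deny'; an empty list means no access-group, so the default permit wins."""
    if not acl_lines:
        return "permit"  # inside (security 100) -> outside (security 0) default
    for ace in map(parse_ace, acl_lines):
        if ace["proto"] not in ("ip", proto):
            continue
        if not (_match_addr(*ace["src"], src) and _match_addr(*ace["dst"], dst)):
            continue
        if ace["port"] is not None and ace["port"] != dport:
            continue
        return ace["action"]  # first match wins
    return "deny"  # implicit deny at the end of every applied ACL
# Dave's original inside ACL, and a version that keeps NTP but restores everything else.
ORIGINAL = ["access-list inside_access_out extended permit udp any any eq ntp"]
CORRECTED = ORIGINAL + ["access-list inside_access_out extended permit ip any any"]
HOST, SERVER = "192.168.1.10", "203.0.113.5"  # constructed sample addresses

def demo() -> dict:
    return {
        "no_acl_web": evaluate([], "tcp", HOST, SERVER, 80),            # permit
        "original_ntp": evaluate(ORIGINAL, "udp", HOST, SERVER, 123),   # permit
        "original_web": evaluate(ORIGINAL, "tcp", HOST, SERVER, 80),    # deny
        "corrected_web": evaluate(CORRECTED, "tcp", HOST, SERVER, 80),  # permit
    }
```

The "original_web" result is the outage Dave hit: the web session never matches the NTP line, so it falls through to the implicit deny. The simplest fix is the one nodisco gives (remove the access-group, the empty-list case), since an inside ACL only earns its keep when you intend to restrict outbound traffic.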
