Solved

I added NTP access rule (inside to outside) and cut-off internet access

Posted on 2009-05-16
3
266 Views
Last Modified: 2012-05-07
Here is the relevant code from my running config:

I'm also curious about the "nat (inside) 0 access-list inside_nat0_outbound" statement's effect since it wasn't mentioned above.

access-list inside_nat0_outbound extended permit ip any 192.168.1.64 255.255.255.192
access-list Split-Tunnel standard permit 192.168.1.0 255.255.255.0
access-list VPN_Split-Tunnel extended permit ip 192.168.1.0 255.255.255.0 192.168.1.64 255.255.255.192
access-list inside_access_out extended permit udp any any eq ntp

global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) x.x.x.x netmask 255.255.255.255
access-group inside_access_out out interface inside
access-group outside_in in interface outside


Thank you for your time and expertise!

Dave
Question by:snchelpdesk
3 Comments
 
LVL 19

Expert Comment

by:nodisco
ID: 24404955
hey Dave

The problem is that when you added your access-list, it's the first one you have applied to the inside interface.  Access-lists work by allowing/denying all traffic you stipulate and then they have an intrinsic deny all at the end.  So essentially what you have told the PIX to do is - allow all udp traffic out for ntp protocol and block everything else!
To fix your internet access, just remove the application of this access-list by typing
conf t
no access-group inside_access_out out interface inside

As inside to outside traffic does not *need* (see below) an access-list per se, you don't need to allow ntp for inside to outside, but I don't know why you would be allowing ntp from inside to out anyway.
Can you advise what you are trying to achieve here?

Re your nat0 access-list I am guessing you had a site to site VPN that this is setup for as you are allowing any to a private ip range?

*******Inside to outside traffic is allowed by default as inside is a more secure interface than outside.  Unless you want to add an inside access-list to deny certain traffic out (or only allow certain protocols out) you don't *need* an access-list here.

cheers

 

Author Comment

by:snchelpdesk
ID: 24405899
Thank you for your explanation - I didn't realize the ACLs worked like a funnel - the problem is on the GUI the default implicit "allow any less secure" is replaced by the explicit "allow port 123".

What I originally attempted to do was allow access from my MS DC to an external time source.  We were getting the infamous "no data available" message and one of the resolutions was to allow TCP & UDP traffic through port 123.  Referring to suggestion:  " forward port 123 (SNTP) to your domain controllers IP, both TCP and UDP on your firewall"

Seems like I should setup a rule on the outside interface to allow outgoing requests and incoming data...  

Thanks again for sharing your expertise - Dave
 
LVL 19

Accepted Solution

by:
nodisco earned 500 total points
ID: 24407781
No worries mate
<<Seems like I should setup a rule on the outside interface to allow outgoing requests and incoming data...  

If you want to allow in external ntp - all you need to do is allow it in from the outside - outgoing will work already when you don't have the access-list on the inside.  

cheers
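The behaviour nodisco describes in the two replies above (first-match evaluation, the implicit deny at the end of every access-list, and the inside-to-outside default that applies when no access-list is bound to inside) as an added example. This is illustration code written for this page, not Cisco code and not anything posted in the thread. It parses the access-list and access-group lines quoted in Dave's question and replays a few constructed packets against them, once with the access-group in place and once after the "no access-group inside_access_out out interface inside" fix. Assumptions: the in/out keyword of access-group is not modelled (any access-list bound to inside is treated as governing inside-to-outside traffic, which is what the thread observed), NAT, object-groups and stateful return traffic are ignored, and the host addresses in the sample packets are made up.

```python
"""Added example (not from the thread or Cisco): a toy model of how the PIX
evaluates an access-list bound to the inside interface.

Assumptions: first-match evaluation with an implicit deny at the end; with no
access-group on inside, traffic from the higher-security inside interface
(level 100) to outside (level 0) is permitted by default. The in/out keyword
of access-group, NAT and stateful return traffic are not modelled."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"ntp": 123, "www": 80, "http": 80, "https": 443, "domain": 53}


@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches any protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dst_port: Optional[int]      # None means any destination port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dst_port: Optional[int] = None


def _parse_addr(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D MASK'; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_ace(line):
    """Parse 'access-list NAME extended permit|deny PROTO SRC DST [eq PORT]'."""
    t = line.split()
    if len(t) < 7 or t[0] != "access-list" or t[2] != "extended":
        raise ValueError(f"unsupported line: {line}")
    name, action, proto = t[1], t[3], t[4]
    src, i = _parse_addr(t, 5)
    dst, i = _parse_addr(t, i)
    port = None
    if i < len(t) and t[i] == "eq":
        port = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
    return name, Ace(action, proto, src, dst, port)


def load_config(lines):
    """Collect extended ACLs by name and the access-group binding per interface."""
    acls, groups = {}, {}
    for line in lines:
        line = line.strip()
        if line.startswith("access-list ") and " extended " in line:
            name, ace = parse_ace(line)
            acls.setdefault(name, []).append(ace)
        elif line.startswith("access-group "):
            _, name, _direction, _, iface = line.split()  # access-group NAME in|out interface IFACE
            groups[iface] = name
    return acls, groups


def matches(ace, pkt):
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in ace.src:
        return False
    if ipaddress.ip_address(pkt.dst) not in ace.dst:
        return False
    return ace.dst_port is None or ace.dst_port == pkt.dst_port


def evaluate_acl(acl, pkt):
    """First matching entry wins; anything left over hits the implicit deny."""
    for ace in acl:
        if matches(ace, pkt):
            return ace.action
    return "deny"


def inside_to_outside(config_lines, pkt, inside_level=100, outside_level=0):
    """Decision for a packet from an inside host towards the internet."""
    acls, groups = load_config(config_lines)
    if "inside" not in groups:
        return "permit" if inside_level > outside_level else "deny"  # security-level default
    return evaluate_acl(acls.get(groups["inside"], []), pkt)


# Access-list and access-group lines as quoted in the question.
CONFIG_WITH_ACL = [
    "access-list inside_nat0_outbound extended permit ip any 192.168.1.64 255.255.255.192",
    "access-list inside_access_out extended permit udp any any eq ntp",
    "access-group inside_access_out out interface inside",
    "access-group outside_in in interface outside",
]
# Same config after 'no access-group inside_access_out out interface inside'.
CONFIG_NO_GROUP = [ln for ln in CONFIG_WITH_ACL if not ln.startswith("access-group inside_access_out")]

# Constructed sample traffic: an inside host talking to documentation-range addresses.
NTP = Packet("udp", "192.168.1.10", "203.0.113.10", 123)
HTTP = Packet("tcp", "192.168.1.10", "198.51.100.80", 80)


def demo():
    return {
        "ntp_with_acl": inside_to_outside(CONFIG_WITH_ACL, NTP),    # permit
        "http_with_acl": inside_to_outside(CONFIG_WITH_ACL, HTTP),  # deny (implicit deny)
        "http_no_group": inside_to_outside(CONFIG_NO_GROUP, HTTP),  # permit (default)
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The same evaluator shows nodisco's other point: if you do want an inside access-list (say, to deny one protocol out), it must end with a line such as "access-list inside_access_out extended permit ip any any" so the rest of the traffic does not fall through to the implicit deny.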
