  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 275

I added NTP access rule (inside to outside) and cut-off internet access

Here is the relevant code from my running config:

I'm also curious about the effect of the "nat (inside) 0 access-list inside_nat0_outbound" statement, since it wasn't mentioned above.

access-list inside_nat0_outbound extended permit ip any 192.168.1.64 255.255.255.192
access-list Split-Tunnel standard permit 192.168.1.0 255.255.255.0
access-list VPN_Split-Tunnel extended permit ip 192.168.1.0 255.255.255.0 192.168.1.64 255.255.255.192
access-list inside_access_out extended permit udp any any eq ntp

global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) x.x.x.x netmask 255.255.255.255
access-group inside_access_out out interface inside
access-group outside_in in interface outside


Thank you for your time and expertise!

Dave
1 Solution
nodisco Commented:
hey Dave

The problem is that when you added your access-list, it's the first one you have applied to the inside interface. Access-lists work by allowing/denying all traffic you stipulate and then they have an intrinsic deny all at the end. So essentially what you have told the PIX to do is: allow all udp traffic out for the ntp protocol and block everything else!
To fix your internet access, just remove the application of this access-list by typing
conf t
no access-group inside_access_out out interface inside

As inside to outside traffic does not *need* (see below) an access-list per se, you don't need to allow ntp for inside to outside, but I don't know why you would be allowing ntp from inside to out anyway.
Can you advise what you are trying to achieve here?

Re your nat0 access-list I am guessing you had a site to site VPN that this is setup for as you are allowing any to a private ip range?

*******Inside to outside traffic is allowed by default as inside is a more secure interface than outside.  Unless you want to add an inside access-list to deny certain traffic out (or only allow certain protocols out) you don't *need* an access-list here.

cheers

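As an added example (not code from this thread), here is a short Python model of nodisco's point: an interface ACL is evaluated first-match, top to bottom, with an implicit deny-all at the end, so binding an ACL that permits only NTP denies everything else, while unbinding it restores the default permit for traffic from the higher-security interface to the lower one. The config lines are constructed from Dave's post; the model deliberately ignores ACL direction and stateful return traffic.

```python
# Added example, not from the thread: a simplified model of PIX/ASA interface
# ACL evaluation. ACEs are checked first-match, top to bottom, and every ACL
# ends with an implicit "deny ip any any". Direction and state are ignored.
from typing import List, Optional, Tuple

PORT_NAMES = {"ntp": 123, "http": 80, "https": 443, "domain": 53}

# (action, protocol, destination port or None for any)
Rule = Tuple[str, str, Optional[int]]

def parse_acl(config: List[str], name: str) -> List[Rule]:
    """Collect the ACEs of one named extended access-list, in config order."""
    rules: List[Rule] = []
    for line in config:
        tok = line.split()
        if len(tok) < 5 or tok[:2] != ["access-list", name]:
            continue
        # access-list NAME extended ACTION PROTO SRC DST [eq PORT]
        port = None
        if "eq" in tok:
            p = tok[tok.index("eq") + 1]
            port = PORT_NAMES.get(p, int(p) if p.isdigit() else None)
        rules.append((tok[3], tok[4], port))
    return rules

def acl_decision(rules: List[Rule], proto: str, dst_port: int) -> str:
    """First matching ACE wins; no match falls through to the implicit deny."""
    for action, rproto, rport in rules:
        if rproto in ("ip", proto) and rport in (None, dst_port):
            return action
    return "deny"  # the implicit deny-all that cut off the web traffic

def inside_to_outside(config: List[str], proto: str, dst_port: int) -> str:
    """Decide an outbound flow. With no ACL bound to inside, traffic from the
    higher-security interface to the lower one is permitted by default."""
    bound = [line.split()[1] for line in config
             if line.startswith("access-group ") and line.split()[-1] == "inside"]
    if not bound:
        return "permit"
    return acl_decision(parse_acl(config, bound[0]), proto, dst_port)

# Constructed config: Dave's NTP ACE plus the access-group line that bound it.
BROKEN = [
    "access-list inside_access_out extended permit udp any any eq ntp",
    "access-group inside_access_out out interface inside",
]
# nodisco's fix: "no access-group inside_access_out out interface inside"
FIXED = [line for line in BROKEN if not line.startswith("access-group ")]
```

Running `inside_to_outside(BROKEN, "tcp", 80)` returns "deny" (web traffic blocked by the implicit deny), while the same call against `FIXED` returns "permit".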
snchelpdesk (Author) Commented:
Thank you for your explanation - I didn't realize the ACLs worked like a funnel - the problem is on the GUI the default implicit "allow any less secure" is replaced by the explicit "allow port 123".

What I originally attempted to do was allow access from my MS DC to an external time source.  We were getting the infamous "no data available" message and one of the resolutions was to allow TCP & UDP traffic through port 123.  Referring to suggestion:  " forward port 123 (SNTP) to your domain controllers IP, both TCP and UDP on your firewall"

Seems like I should setup a rule on the outside interface to allow outgoing requests and incoming data...  

Thanks again for sharing your expertise - Dave
nodisco Commented:
No worries mate
<<Seems like I should setup a rule on the outside interface to allow outgoing requests and incoming data...  

If you want to allow in external ntp - all you need to do is allow it in from the outside - outgoing will work already when you don't have the access-list on the inside.  

cheers