PIX ACL

Posted on 2009-07-16
Last Modified: 2013-11-16
I want to only allow certain traffic from inside the network to outside and deny all other traffic. Here are the ACLs I have:
access-list inside_in permit tcp any any eq smtp
access-list inside_in permit tcp any any eq https
access-list inside_in permit tcp any any eq ssh
access-list inside_in permit udp any any eq 22
access-list inside_in permit tcp any any eq domain
access-list inside_in permit tcp any any eq 989
access-list inside_in permit udp any any eq 989
access-list inside_in permit udp any any eq 990
access-list inside_in permit tcp any any eq 990
access-list inside_in permit udp any any eq isakmp
access-list inside_in permit tcp any any eq www
access-list inside_in permit ip any any
If I remove this one: access-list inside_in permit tcp any any eq www, I still get internet access.
If I remove this one: access-list inside_in permit ip any any, I get no internet access.
I thought these ACLs would allow the traffic and deny all other traffic from inside to outside.

Question by:jeffsteffy
5 Comments
 
LVL 25

Accepted Solution

by:
Ken Boone earned 1000 total points
ID: 24871960
Well, basically the ACL entry that permits ip any any permits all IP traffic. Everything above that statement is irrelevant. There is an implicit deny any any at the end of the ACL that you don't see, but when you permit ip any any you have basically allowed everything to flow through there. So that is why when you remove the permit tcp any any eq www it still works. What traffic do you want to allow through specifically? Also, it is good practice to only allow SMTP traffic out from your mail server only. This keeps rogue machines from sending spam out. Again, what specifically do you want to let out?
0
 
LVL 7

Assisted Solution

by:clonga13
clonga13 earned 1000 total points
ID: 24871997
If you remove the tcp any any eq www you would still get access because of the permit ip any any. You would need to remove the permit ip any any line first. The problem after that may be that your domain uses UDP for DNS lookups. Also allow ICMP traffic so you can try pinging and testing that way.
0
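To make the two answers above concrete (first match wins, the implicit deny at the end, and clonga13's point that DNS lookups go out over UDP), here is a small first-match evaluator for the asker's inside_in ACL. It is an added example, not code from the original thread; the port keyword mapping and the `evaluate`/`without` helpers are this example's own.

```python
import re
PORT_NAMES = {"smtp": 25, "https": 443, "ssh": 22, "domain": 53, "isakmp": 500, "www": 80}  # Cisco keywords

# The asker's inside_in ACL as posted (sample input for this example).
INSIDE_IN = """
access-list inside_in permit tcp any any eq smtp
access-list inside_in permit tcp any any eq https
access-list inside_in permit tcp any any eq ssh
access-list inside_in permit udp any any eq 22
access-list inside_in permit tcp any any eq domain
access-list inside_in permit tcp any any eq 989
access-list inside_in permit udp any any eq 989
access-list inside_in permit udp any any eq 990
access-list inside_in permit tcp any any eq 990
access-list inside_in permit udp any any eq isakmp
access-list inside_in permit tcp any any eq www
access-list inside_in permit ip any any
"""
ACE_RE = re.compile(r"access-list \S+ (permit|deny) (\w+) any any(?: eq (\S+))?$")

def parse_acl(text):
    """Parse 'access-list NAME permit|deny PROTO any any [eq PORT]' lines, keeping their order."""
    rules = []
    for line in text.strip().splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            raise ValueError("unsupported ACE: " + line)
        action, proto, port = m.groups()
        if port is not None:
            port = PORT_NAMES[port] if port in PORT_NAMES else int(port)
        rules.append((action, proto, port))
    return rules

def evaluate(rules, proto, dport=None):
    """First matching ACE wins; with no match, the implicit deny at the end applies."""
    for action, rproto, rport in rules:
        if rproto in ("ip", proto) and (rport is None or rport == dport):
            return action
    return "deny"  # the unseen 'deny ip any any' that ends every ACL

def without(text, fragment):
    """The ACL with every line containing `fragment` removed (simulates 'no access-list ...')."""
    return "\n".join(l for l in text.strip().splitlines() if fragment not in l)

if __name__ == "__main__":
    no_www = parse_acl(without(INSIDE_IN, "eq www"))
    no_any = parse_acl(without(INSIDE_IN, "permit ip any any"))
    print("HTTP without the www ACE  :", evaluate(no_www, "tcp", 80))   # permit, via ip any any
    print("HTTP without ip any any   :", evaluate(no_any, "tcp", 80))   # permit, via the www ACE
    print("DNS/udp without ip any any:", evaluate(no_any, "udp", 53))   # deny: no udp domain ACE
```

With ip any any removed, TCP 80 is still permitted by the www entry, but UDP 53 falls through to the implicit deny, which is why name resolution (and so "internet access") stops until a udp domain entry is added.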
 
LVL 2

Author Comment

by:jeffsteffy
ID: 24872119
I removed access-list inside_in permit ip any any
added access-list inside_in permit udp any any eq domain
I only want to allow the above traffic, can adjust if needed.
This PIX is in a test lab, but I will change the email entry to access-list inside_in permit tcp host 192.168.xx.xxx xx.xxx.xxx.xxx eq 25 and remove access-list inside_in permit tcp any any eq smtp.
This should be right?
0
 
LVL 7

Expert Comment

by:clonga13
ID: 24872151
If you want to specify that only the email server can send SMTP, then yes, that should work.
0
 
LVL 5

Expert Comment

by:yashinchalad
ID: 24872288
The best practice is to apply the deny entries first and then, at last, the permit any any command.
Use object groups for sets of ports.

for ex:

create object groups

object-group service test tcp
port-object range 500 1024
port-object eq ftp
!
object-group service test1 udp
port-object range 10000 20000
!

then:
access-list 101 extended deny udp any any object-group test1
access-list 101 extended permit tcp any any object-group test
access-list 101 extended permit ip any any --> this should always be the last line of 101

access-group 101 in interface inside (assume nameif of inside is inside)
0