Solved

PIX ACL

Posted on 2009-07-16
Last Modified: 2013-11-16
I want to only allow certain traffic from inside the network to outside, and all other traffic is denied. Here are the ACLs I have:
access-list inside_in permit tcp any any eq smtp
access-list inside_in permit tcp any any eq https
access-list inside_in permit tcp any any eq ssh
access-list inside_in permit udp any any eq 22
access-list inside_in permit tcp any any eq domain
access-list inside_in permit tcp any any eq 989
access-list inside_in permit udp any any eq 989
access-list inside_in permit udp any any eq 990
access-list inside_in permit tcp any any eq 990
access-list inside_in permit udp any any eq isakmp
access-list inside_in permit tcp any any eq www
access-list inside_in permit ip any any
If I remove this one: access-list inside_in permit tcp any any eq www, I still get internet access.
If I remove this one: access-list inside_in permit ip any any, I get no internet access.
I thought these ACLs would allow the traffic and deny all other traffic from inside to outside.

0
Question by: jeffsteffy
5 Comments
 
LVL 24

Accepted Solution

by:
Ken Boone earned 250 total points
ID: 24871960
Well, basically the ACL entry that permits ip any any permits all IP traffic. Everything above that statement is irrelevant. There is an implicit deny any any at the end of the ACL that you don't see, but when you permit ip any any you have basically allowed everything to flow through there. So that is why, when you remove the permit tcp any any eq www, it still works. What traffic do you want to allow through specifically? Also, it is good practice to allow SMTP traffic out from your mail server only. This keeps rogue machines from sending spam out. Again, what specifically do you want to let out?
0
 
LVL 7

Assisted Solution

by: clonga13
clonga13 earned 250 total points
ID: 24871997
If you remove the tcp any any eq www, you would still get access because of the permit ip any any. You would need to remove the permit ip any any line first. The problem after that may be that your domain uses UDP for DNS lookups. Also allow ICMP traffic so you can try pinging and testing that way.
0
 
LVL 2

Author Comment

by: jeffsteffy
ID: 24872119
I removed: access-list inside_in permit ip any any
Added: access-list inside_in permit udp any any eq domain
I only want to allow the above traffic; I can adjust if needed.
This PIX is in a test lab, but I will change the email line to access-list inside_in permit tcp host 192.168.xx.xxx xx.xxx.xxx.xxx eq 25 and remove access-list inside_in permit tcp any any eq smtp.
This should be right?
0
 
LVL 7

Expert Comment

by: clonga13
ID: 24872151
If you want to specify that only the email server can send SMTP, then yes, that should work.
0
 
LVL 5

Expert Comment

by: yashinchalad
ID: 24872288
The best practice is to apply the deny statements first and then, at last, the permit any any command.
Use an object group for a set of ports.

For example:

Create the object groups:

object-group service test tcp
port-object range 500 1024
port-object eq ftp
!
object-group service test1 udp
port-object range 10000 20000
!

Then:
access-list 101 extended deny udp any any object-group test1
access-list 101 extended permit tcp any any object-group test
access-list 101 extended permit ip any any --> this should always be the last line of 101

access-group 101 in interface inside (assuming the nameif of the inside interface is inside)

0
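As an added example that is not part of the original thread, the behaviour Ken Boone and clonga13 describe (top-down first match, the implicit deny at the end, permit ip any any swallowing every line below it, and DNS failing because only TCP 53 was permitted), and the fix jeffsteffy arrives at, replayed in Python. The evaluator is a constructed model of PIX access-list matching, not Cisco code. The addresses are made up, since the post masks them: 192.168.1.20 stands for an inside PC, 192.168.1.25 for the mail server, and the outside hosts come from the documentation ranges. The posted ACL is trimmed to the lines the two experiments touch; the other eq lines behave the same way. The range keyword is also parsed, since for matching purposes a port-object range in yashinchalad's object groups is equivalent to a range on the access-list line.

```python
# Added example: a first-match evaluator for PIX-style access-list lines.
# Constructed model, not Cisco code; addresses are hypothetical.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PORT_NAMES = {"smtp": 25, "https": 443, "ssh": 22, "domain": 53,
              "isakmp": 500, "www": 80, "ftp": 21}


@dataclass(frozen=True)
class Flow:
    proto: str                      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    action: str                     # "permit" or "deny"
    proto: str                      # "ip" matches every protocol
    src: str                        # "any" or one host address
    dst: str
    ports: Optional[range] = None   # None: no eq/range keyword, so any port

    def matches(self, f: Flow) -> bool:
        if self.proto != "ip" and self.proto != f.proto:
            return False
        if self.src != "any" and self.src != f.src:
            return False
        if self.dst != "any" and self.dst != f.dst:
            return False
        if self.ports is not None and (f.dport is None or f.dport not in self.ports):
            return False
        return True


def _addr(tok: List[str], i: int) -> Tuple[str, int]:
    if tok[i] == "host":            # subnet/mask form is not needed for this thread
        return tok[i + 1], i + 2
    return tok[i], i + 1


def _port(t: str) -> int:
    return PORT_NAMES[t] if t in PORT_NAMES else int(t)


def parse_ace(line: str) -> Ace:
    """access-list NAME [extended] permit|deny PROTO SRC DST [eq P | range A B]"""
    tok = line.split()
    i = 3 if tok[2] == "extended" else 2
    action, proto = tok[i], tok[i + 1]
    src, i = _addr(tok, i + 2)
    dst, i = _addr(tok, i)
    ports = None
    if i < len(tok) and tok[i] == "eq":
        ports = range(_port(tok[i + 1]), _port(tok[i + 1]) + 1)
    elif i < len(tok) and tok[i] == "range":
        ports = range(_port(tok[i + 1]), _port(tok[i + 2]) + 1)
    return Ace(action, proto, src, dst, ports)


def evaluate(acl: List[Ace], f: Flow) -> Tuple[str, Optional[int]]:
    """Top-down first match: (action, 1-based line). No match: the implicit deny."""
    for n, ace in enumerate(acl, 1):
        if ace.matches(f):
            return ace.action, n
    return "deny", None


# The posted ACL, trimmed to the lines the experiments touch. 'domain' is TCP only.
POSTED = [parse_ace(l) for l in [
    "access-list inside_in permit tcp any any eq smtp",
    "access-list inside_in permit tcp any any eq https",
    "access-list inside_in permit tcp any any eq domain",
    "access-list inside_in permit tcp any any eq www",
    "access-list inside_in permit ip any any",
]]
NO_WWW = [a for a in POSTED if a.ports != range(80, 81)]      # first experiment
NO_CATCH_ALL = [a for a in POSTED if a.proto != "ip"]         # second experiment
FIXED = [a for a in NO_CATCH_ALL if a.ports != range(25, 26)] + [parse_ace(l) for l in [
    "access-list inside_in permit udp any any eq domain",              # DNS is UDP
    "access-list inside_in permit tcp host 192.168.1.25 any eq 25",    # mail server only
]]

# Constructed flows: inside PC .20, mail server .25 (hypothetical addresses).
PC, MAIL = "192.168.1.20", "192.168.1.25"
FLOWS: Dict[str, Flow] = {
    "web":         Flow("tcp", PC, "203.0.113.10", 80),
    "dns":         Flow("udp", PC, "203.0.113.53", 53),
    "telnet":      Flow("tcp", PC, "203.0.113.10", 23),
    "smtp-server": Flow("tcp", MAIL, "198.51.100.25", 25),
    "smtp-pc":     Flow("tcp", PC, "198.51.100.25", 25),
}

if __name__ == "__main__":
    for name, acl in [("posted", POSTED), ("minus www", NO_WWW),
                      ("minus ip any any", NO_CATCH_ALL), ("fixed", FIXED)]:
        print(name)
        for fname, f in FLOWS.items():
            action, line = evaluate(acl, f)
            print(f"  {fname:12s} {action:7s} {f'line {line}' if line else 'implicit deny'}")
```

Running it shows the thread's observations in order: with the posted list every flow is permitted and anything not matched earlier is credited to the ip any any line; with www removed, web traffic is still permitted by that same line; with ip any any removed, web traffic is still permitted by the www line but UDP/53 falls through to the implicit deny, which is the "no internet access" symptom; and with udp domain added and SMTP restricted to the mail server, DNS and server mail pass while telnet and mail from a PC are denied.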
