Solved

PIX ACL

Posted on 2009-07-16
Last Modified: 2013-11-16
I want to allow only certain traffic from inside the network to outside, with all other traffic denied. Here are the ACLs I have:
access-list inside_in permit tcp any any eq smtp
access-list inside_in permit tcp any any eq https
access-list inside_in permit tcp any any eq ssh
access-list inside_in permit udp any any eq 22
access-list inside_in permit tcp any any eq domain
access-list inside_in permit tcp any any eq 989
access-list inside_in permit udp any any eq 989
access-list inside_in permit udp any any eq 990
access-list inside_in permit tcp any any eq 990
access-list inside_in permit udp any any eq isakmp
access-list inside_in permit tcp any any eq www
access-list inside_in permit ip any any
If I remove this one: access-list inside_in permit tcp any any eq www, I still get internet access.
If I remove this one: access-list inside_in permit ip any any, I get no internet access.
I thought these ACLs would allow the traffic and deny all other traffic from inside to outside.

Question by: jeffsteffy
5 Comments
 
LVL 24

Accepted Solution

by: Ken Boone (earned 250 total points)
ID: 24871960
Well, basically the ACL entry that permits ip any any permits all IP traffic. Everything above that statement is irrelevant. There is an implicit deny any any at the end of the ACL that you don't see, but when you permit ip any any you have basically allowed everything to flow through there. So that is why, when you remove the permit tcp any any eq www, it still works. What traffic do you want to allow through specifically? Also, it is good practice to allow SMTP traffic out from your mail server only. This keeps rogue machines from sending spam out. Again, what specifically do you want to let out?
LVL 7

Assisted Solution

by: clonga13 (earned 250 total points)
ID: 24871997
If you remove the tcp any any eq www you would still get access because of the permit ip any any. You would need to remove the permit ip any any line first. The problem after that may be that your domain uses UDP for DNS lookups. Also allow ICMP traffic so you can try pinging and testing that way.
LVL 2

Author Comment

by: jeffsteffy
ID: 24872119
I removed access-list inside_in permit ip any any
and added access-list inside_in permit udp any any eq domain.
I only want to allow the above traffic; I can adjust if needed.
This PIX is in a test lab, but I will change the email entry to access-list inside_in permit tcp host 192.168.xx.xxx xx.xxx.xxx.xxx eq 25 and remove access-list inside_in permit tcp any any eq smtp.
This should be right?
LVL 7

Expert Comment

by: clonga13
ID: 24872151
If you want to specify that only the email server can send SMTP, then yes, that should work.
LVL 5

Expert Comment

by: yashinchalad
ID: 24872288
The best practice is to apply the deny entries first and then, at last, the permit any any command.
Use an object group for a set of ports.

For example:

Create object groups:

object-group service test tcp
port-object range 500 1024
port-object eq ftp
!
object-group service test1 udp
port-object range 10000 20000
!

Then:
access-list 101 extended deny udp any any object-group test1
access-list 101 extended permit tcp any any object-group test
access-list 101 extended permit ip any any --> this should always be the last line of 101

access-group 101 in interface inside (assuming the nameif of the inside interface is inside)
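As an added example (written for this page, not by any poster in the thread), the following Python models the first-match evaluation that Ken Boone and clonga13 describe and the object-group ordering shown in the last answer: entries are matched top to bottom, permit ip any any catches everything that reaches it, and traffic matching nothing hits the implicit deny. It only understands "any any" entries with eq or object-group destination ports, an assumption made to keep the parser small; the two embedded ACLs are constructed from the lines discussed above.

```python
# Added example, not from the thread: a minimal first-match evaluator for
# PIX/ASA-style "any any" access-list entries (host/network entries are left
# out, an assumption), showing why "permit ip any any" masks everything above it.
SERVICE_NAMES = {"smtp": 25, "https": 443, "ssh": 22, "domain": 53,
                 "isakmp": 500, "www": 80, "ftp": 21}  # keywords used on this page

def port(token):
    return SERVICE_NAMES.get(token) or int(token)

def parse_acl(text):
    """Read object-group/port-object blocks and 'any any' access-list entries."""
    groups, entries, current = {}, [], None
    for words in (line.split() for line in text.splitlines()):
        if not words or words[0] == "!":        # blank lines and '!' separators
            continue
        if words[0] == "object-group":          # object-group service NAME tcp|udp
            current = groups.setdefault(words[2], set())
        elif words[0] == "port-object":         # port-object eq X | range LOW HIGH
            if words[1] == "eq":
                current.add(port(words[2]))
            else:
                current.update(range(int(words[2]), int(words[3]) + 1))
        elif words[0] == "access-list":         # [extended] permit|deny PROTO any any ...
            w = words[3:] if words[2] == "extended" else words[2:]
            ports = None                        # None means any destination port
            if len(w) > 5:                      # ... eq PORT  or  ... object-group NAME
                ports = {port(w[5])} if w[4] == "eq" else groups[w[5]]
            entries.append((w[0], w[1], ports))  # (action, protocol, allowed ports)
    return entries

def decide(acl_text, proto, dport):
    """First matching entry wins; no match falls through to the implicit deny."""
    for action, eproto, ports in parse_acl(acl_text):
        if eproto in ("ip", proto) and (ports is None or dport in ports):
            return action
    return "deny"                               # the implicit deny any any at the end

# Constructed inputs: the asker's list trimmed to the lines discussed, and the
# object-group layout from the last answer.
QUESTION_ACL = """access-list inside_in permit tcp any any eq smtp
access-list inside_in permit tcp any any eq www
access-list inside_in permit ip any any"""
OBJECT_GROUP_ACL = """object-group service test tcp
port-object range 500 1024
port-object eq ftp
!
object-group service test1 udp
port-object range 10000 20000
access-list 101 extended deny udp any any object-group test1
access-list 101 extended permit tcp any any object-group test
access-list 101 extended permit ip any any"""
```

Dropping the last line of QUESTION_ACL reproduces the asker's symptom: TCP/80 is still permitted by its own entry, but UDP/53 now falls through to the implicit deny until a permit udp any any eq domain entry is added.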