PIX ACL

I want to only allow certain traffic from inside the network to outside, with all other traffic denied. Here are the ACLs I have:
access-list inside_in permit tcp any any eq smtp
access-list inside_in permit tcp any any eq https
access-list inside_in permit tcp any any eq ssh
access-list inside_in permit udp any any eq 22
access-list inside_in permit tcp any any eq domain
access-list inside_in permit tcp any any eq 989
access-list inside_in permit udp any any eq 989
access-list inside_in permit udp any any eq 990
access-list inside_in permit tcp any any eq 990
access-list inside_in permit udp any any eq isakmp
access-list inside_in permit tcp any any eq www
access-list inside_in permit ip any any
If I remove this one: access-list inside_in permit tcp any any eq www, I still get internet access.
If I remove this one: access-list inside_in permit ip any any, I get no internet access.
I thought these ACLs would allow the traffic and deny all other traffic from inside to outside.

jeffsteffy asked:
Ken Boone, Network Consultant, commented:
Well, basically the ACL entry that permits ip any any permits all IP traffic. Everything above that statement is irrelevant. There is an implicit deny any any at the end of the ACL that you don't see, but when you permit ip any any you have basically allowed everything to flow through there. So that is why when you remove the permit tcp any any eq www it still works. What traffic do you want to allow through specifically? Also, it is good practice to only allow SMTP traffic out from your mail server only. This keeps rogue machines from sending spam out. Again, what specifically do you want to let out?

clonga13 commented:
If you remove the tcp any any eq www you would still get access because of the permit ip any any. You would need to remove the permit ip any any line first. The problem after that may be that your domain uses UDP for DNS lookups. Also allow ICMP traffic so you can try pinging and testing that way.
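Ken Boone's and clonga13's points above, worked through as an added example that is not from the thread: a small first-match evaluator (Python, not Cisco code) over constructed ACLs and flows. It shows why removing the www line changes nothing while permit ip any any remains, and that once that line is gone the implicit deny blocks anything not listed, UDP DNS included. The helper names, the 192.168.1.10 mail-server address and the sample flows are all constructed for this example.

```python
import re

# One ACE per line: permit <proto> <src> <dst> [eq <port>]; addresses are 'any' or 'host A.B.C.D'.
ACE_RE = re.compile(r"access-list \S+ permit (?P<proto>tcp|udp|ip) "
                    r"(?P<src>any|host \S+) (?P<dst>any|host \S+)(?: eq (?P<port>\S+))?$")
PORT_NAMES = {"smtp": 25, "www": 80, "https": 443, "ssh": 22, "domain": 53, "isakmp": 500}

def parse_acl(text):
    """Parse the subset of PIX ACE syntax used in this thread into dicts, in order."""
    aces = []
    for line in text.strip().splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported ACE: {line}")
        port = m["port"]
        if port is not None:
            port = PORT_NAMES.get(port) or int(port)
        aces.append({"proto": m["proto"], "src": m["src"], "dst": m["dst"], "port": port})
    return aces

def _addr_match(spec, addr):
    return spec == "any" or spec.split()[1] == addr

def evaluate(aces, proto, src, dst, dport):
    """First matching ACE wins; a flow that matches nothing hits the implicit deny."""
    for ace in aces:
        if ace["proto"] != "ip" and ace["proto"] != proto:
            continue
        if not (_addr_match(ace["src"], src) and _addr_match(ace["dst"], dst)):
            continue
        if ace["port"] is not None and ace["port"] != dport:
            continue
        return "permit"
    return "deny"  # the implicit deny any any at the end of every ACL

# Constructed: the poster's list with the www line removed but 'permit ip any any' still present.
AS_POSTED_MINUS_WWW = parse_acl("""
access-list inside_in permit tcp any any eq smtp
access-list inside_in permit tcp any any eq https
access-list inside_in permit ip any any
""")
# Constructed: after the thread's fixes; 192.168.1.10 is a placeholder for the mail server.
REVISED = parse_acl("""
access-list inside_in permit tcp host 192.168.1.10 any eq smtp
access-list inside_in permit tcp any any eq https
access-list inside_in permit tcp any any eq www
access-list inside_in permit udp any any eq domain
""")
```

Evaluating an HTTP flow against AS_POSTED_MINUS_WWW still returns "permit" because the ip any any line catches it, while against REVISED a workstation's outbound SMTP and telnet both fall through to the implicit deny.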
jeffsteffy (author) commented:
I removed access-list inside_in permit ip any any
and added access-list inside_in permit udp any any eq domain.
I only want to allow the above traffic; I can adjust if needed.
This PIX is in a test lab, but I will change the email entry to access-list inside_in permit tcp host 192.168.xx.xxx xx.xxx.xxx.xxx eq 25 and remove access-list inside_in permit tcp any any eq smtp.
This should be right?
clonga13 commented:
If you want to specify that only the email server can send SMTP, then yes, that should work.
yashinchalad commented:
The best practice is to apply the deny statements first and then, at the very last, the permit any any command.
Use an object group for a set of ports.

for ex:

create object groups

object-group service test tcp
port-object range 500 1024
port-object eq ftp
!
object-group service test1 udp
port-object range 10000 20000
!

then:
access-list 101 extended deny udp any any object-group test1
access-list 101 extended permit tcp any any object-group test
access-list 101 extended permit ip any any --> this should be always at the last line of 101

access-group 101 in interface inside (assume nameif of inside is inside)