PIX ACL

I want to only allow certain traffic from inside the network to outside, and all other traffic is denied. Here are the ACLs I have:
access-list inside_in permit tcp any any eq smtp
access-list inside_in permit tcp any any eq https
access-list inside_in permit tcp any any eq ssh
access-list inside_in permit udp any any eq 22
access-list inside_in permit tcp any any eq domain
access-list inside_in permit tcp any any eq 989
access-list inside_in permit udp any any eq 989
access-list inside_in permit udp any any eq 990
access-list inside_in permit tcp any any eq 990
access-list inside_in permit udp any any eq isakmp
access-list inside_in permit tcp any any eq www
access-list inside_in permit ip any any
If I remove this one: access-list inside_in permit tcp any any eq www, I still get internet access.
If I remove this one: access-list inside_in permit ip any any, I get no internet access.
I thought these ACLs would allow the traffic and deny all other traffic from inside to outside.

Asked by: jeffsteffy

Ken Boone (Network Consultant) commented:
Well basically the ACL entry that permits ip any any permits all IP traffic. Everything above that statement is irrelevant. There is an implicit deny any any at the end of the ACL that you don't see, but when you permit ip any any you have basically allowed everything to flow through there. So that is why when you remove the permit tcp any any eq www it still works. What traffic do you want to allow through specifically? Also, it is good practice to only allow SMTP traffic out from your mail server only. This keeps rogue machines from sending spam out. Again, what specifically do you want to let out?
clonga13 commented:
If you remove the tcp any any eq www you would still get access because of the permit ip any any. You would need to remove the permit ip any any line first. The problem after that may be that your domain uses UDP for DNS lookups. Also allow ICMP traffic so you can try pinging and testing that way.
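The first-match behaviour Ken Boone describes, and clonga13's point that DNS falls to the implicit deny once the permit ip any any line is gone, as an added example (Python, written for this page, not from the thread or from the PIX): a minimal evaluator that parses the quoted ACL lines and walks them top to bottom. The port-name table and the sample packets are assumptions.

```python
# Added example: a toy first-match evaluator for the PIX-style ACL quoted in the
# question. It models two rules: the first matching entry decides, and a packet
# that matches nothing hits the implicit deny at the end of the list.
from typing import List, Optional, Tuple

# The asker's ACL, copied from the question (constructed test input here).
ORIGINAL_ACL = """
access-list inside_in permit tcp any any eq smtp
access-list inside_in permit tcp any any eq https
access-list inside_in permit tcp any any eq ssh
access-list inside_in permit udp any any eq 22
access-list inside_in permit tcp any any eq domain
access-list inside_in permit tcp any any eq 989
access-list inside_in permit udp any any eq 989
access-list inside_in permit udp any any eq 990
access-list inside_in permit tcp any any eq 990
access-list inside_in permit udp any any eq isakmp
access-list inside_in permit tcp any any eq www
access-list inside_in permit ip any any
"""

# Assumed mapping of the "eq <name>" keywords used in the thread to port numbers.
PORT_NAMES = {"smtp": 25, "https": 443, "ssh": 22, "domain": 53, "isakmp": 500, "www": 80}

Entry = Tuple[str, str, Optional[int]]  # (action, protocol, port or None for any)


def parse_acl(text: str) -> List[Entry]:
    """Parse 'access-list <name> <permit|deny> <proto> any any [eq <port>]' lines."""
    entries: List[Entry] = []
    for line in text.strip().splitlines():
        tok = line.split()
        action, proto = tok[2], tok[3]
        port: Optional[int] = None
        if "eq" in tok:
            p = tok[tok.index("eq") + 1]
            port = PORT_NAMES[p] if p in PORT_NAMES else int(p)
        entries.append((action, proto, port))
    return entries


def without(text: str, line: str) -> str:
    """Return the ACL text with one entry removed, as the asker did by hand."""
    return "\n".join(l for l in text.strip().splitlines() if l.strip() != line)


def evaluate(entries: List[Entry], proto: str, dport: Optional[int]) -> str:
    """First matching entry wins; 'ip' matches any protocol; no match is the implicit deny."""
    for action, eproto, eport in entries:
        if eproto != "ip" and eproto != proto:
            continue
        if eport is not None and eport != dport:
            continue
        return action
    return "deny (implicit)"
```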
jeffsteffy (Author) commented:
I removed access-list inside_in permit ip any any
Added access-list inside_in permit udp any any eq domain
I only want to allow the above traffic, can adjust if needed.
This PIX is in a test lab, but will change the email to access-list inside_in permit tcp host 192.168.xx.xxx xx.xxx.xxx.xxx eq 25 and remove access-list inside_in permit tcp any any eq smtp
This should be right?
clonga13 commented:
If you want to specify that only the email server can send SMTP then yes, that should work.
yashinchalad commented:
The best practice is to apply deny first and then, at last, the permit any any command.
Use object groups for sets of ports.

For example:

Create object groups:

object-group service test tcp
port-object range 500 1024
port-object eq ftp
!
object-group service test1 udp
port-object range 10000 20000
!

Then:
access-list 101 extended deny udp any any object-group test1
access-list 101 extended permit tcp any any object-group test
access-list 101 extended permit ip any any --> this should always be the last line of 101

access-group 101 in interface inside (assume nameif of inside is inside)