Solved

Need help editing acl on Cisco Pix.

Posted on 2011-10-11
Medium Priority
489 Views
Last Modified: 2012-05-12
I have a Cisco PIX-501 version 6.3(5) and I can't seem to remember how to edit an existing ACL. I have a "blocked internal hosts" object-group that is in access-list 105 and I need to allow this group of machines to access one public IP on port 80. Please see the attached code. Thanks in advance for any and all help.
0
Question by:rburney
15 Comments
 
LVL 4

Expert Comment

by:piersonm
ID: 36953406
Don't see the attached code
0
 

Author Comment

by:rburney
ID: 36953562
sofix.txt

Sorry about that. Here is the config.
0
 
LVL 4

Expert Comment

by:JorisFRST
ID: 36954592
Insert "access-list 105 deny ip object-group blocked_hosts any" on the line before:

access-list 105 permit ip object-group blocked_hosts public_IP eq 80

0
 
LVL 4

Expert Comment

by:JorisFRST
ID: 36954597
Of course I meant:

Insert "access-list 105 permit ip object-group blocked_hosts public_IP eq 80" on the line before:

access-list 105 deny ip object-group blocked_hosts any
0
 

Author Comment

by:rburney
ID: 36955713
I need to add an IP range, so would I have

access-list 105 permit ip object-group blocked_hosts 65.55.171.0/24 eq 443, or do I need to have 65.55.171.0 255.255.252.0?
0
 
LVL 4

Expert Comment

by:JorisFRST
ID: 36956027
Hi, you should use: access-list 105 permit ip object-group blocked_hosts 65.55.171.0 255.255.252.0 eq 443
0
 

Author Comment

by:rburney
ID: 36956457
Last question. How do I make sure this statement is in front of the denys?
0
 

Author Comment

by:rburney
ID: 36956520
When I entered the string posted I get the following error: "source address,mask (65.55.171.0,255.255.253.0) does not pair".
0
 
LVL 4

Expert Comment

by:JorisFRST
ID: 36956779
does it work using 255.255.252.0 ?

0
 
LVL 4

Expert Comment

by:JorisFRST
ID: 36956820
On your PIX version, when you do "sh access-list" you should be able to see line numbers.

Then you can enter a new line using a lower number.

From the Cisco command reference:

[no] access-list id [line line-num] {deny | permit}{protocol | object-group protocol_obj_grp_id {source_addr source_mask} | object-group network_obj_grp_id [operator port [port] | interface if_name | object-group service_obj_grp_id] {destination_addr | remote_addr} {destination_mask | remote_mask} | object-group network_obj_grp_id [operator port [port] | object-group service_obj_grp_id]} [log [[disable | default] | [level]]] [interval secs]]

http://www.cisco.com/en/US/docs/security/pix/pix63/command/reference/ab.html#wp1067755

In your case:

access-list 105 line "number" permit ip object-group blocked_hosts 65.55.171.0 255.255.252.0 eq 443
0
 
LVL 4

Expert Comment

by:JorisFRST
ID: 36956830
Oh, sorry,

access-list 105 line "number" permit ip object-group blocked_hosts 65.55.171.0 mask 255.255.252.0 eq 443

I forgot the "mask" bit, so this should work too:

access-list 105 line "number" permit ip object-group blocked_hosts 65.55.171.0 mask 255.255.253.0 eq 443
0
 

Author Comment

by:rburney
ID: 36957432
OK, the IP I need access to is 65.55.171.0/24, so that is a 255.255.255.0 netmask. So I am using the following in my line:

access-list 105 line 10 permit ip object-group blocked_hosts 65.55.171.0 mask 255.255.255.0 eq 443

I now get "invalid IP address mask".

Thanks, by the way, for all the help!!!!
0
 
LVL 4

Expert Comment

by:JorisFRST
ID: 36957697
Try again without "mask".
I might be confused with versions.
0
 
LVL 4

Expert Comment

by:JorisFRST
ID: 36957711
Or just make another object-group for the allowed range.
0
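The two errors hit in this thread ("does not pair" and "invalid IP address mask") and the question of where the permit has to go are mechanical checks, so here is a small offline helper that performs them before anything is typed into the PIX. This is an added example, not code from the thread or from Cisco: the `show access-list` output it parses is constructed to look like the poster's situation (the real sofix.txt is not reproduced on the page), and the function names are my own. It follows the PIX 6.3 syntax quoted above: the address and mask are given as two dotted words with no "mask" keyword, the optional `line N` keyword places the entry, and a port operator such as `eq 443` is only meaningful with `tcp` or `udp`, not `ip`.

```python
"""Offline helper for composing a PIX 6.3 access-list entry (ACE).

Added example, not code from the thread or from Cisco. It reproduces the
checks that tripped the poster: a mask must be contiguous, the address
must fit the mask ("does not pair"), there is no "mask" keyword in the
ACE syntax, and port operators such as "eq 443" only apply to tcp/udp.
It also finds the line number at which a permit must be inserted so it
lands above the first deny for the same object-group.
"""
import re

# Constructed sample of `show access-list` output (hypothetical host
# 192.0.2.10; not the poster's sofix.txt, which is not on the page).
SHOW_ACCESS_LIST = """\
access-list 105; 4 elements
access-list 105 line 1 permit tcp object-group blocked_hosts host 192.0.2.10 eq www (hitcnt=12)
access-list 105 line 2 permit udp any any eq domain (hitcnt=300)
access-list 105 line 3 deny ip object-group blocked_hosts any (hitcnt=57)
access-list 105 line 4 permit ip any any (hitcnt=9001)
"""

PORT_PROTOCOLS = {"tcp", "udp"}


def _ip_to_int(dotted):
    parts = [int(p) for p in dotted.split(".")]
    if len(parts) != 4 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError(f"invalid IP address: {dotted}")
    return (parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]


def check_addr_mask(addr, mask):
    """Return None if (addr, mask) is a valid address/mask pair for an ACE,
    otherwise a short description of why the PIX rejects it."""
    a, m = _ip_to_int(addr), _ip_to_int(mask)
    host_bits = ~m & 0xFFFFFFFF
    # A netmask is a run of 1s followed by a run of 0s; 255.255.253.0
    # (…11111101.00000000) is not, hence "invalid IP address mask".
    if host_bits & (host_bits + 1):
        return f"invalid IP address mask: {mask} is not contiguous"
    # Host bits set in the address: 65.55.171.0 under 255.255.252.0 is
    # really the 65.55.168.0/22 block, so the pair is rejected.
    if a & host_bits:
        return f"address,mask ({addr},{mask}) does not pair"
    return None


def build_ace(acl, action, protocol, src_group, dst_addr, dst_mask,
              port=None, line=None):
    """Compose `access-list <acl> [line N] <action> <proto> object-group
    <grp> <dst_addr> <dst_mask> [eq <port>]`, raising ValueError for any
    combination the PIX would reject."""
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action: {action}")
    if port is not None and protocol not in PORT_PROTOCOLS:
        raise ValueError(f"'eq {port}' needs tcp or udp, not {protocol}")
    err = check_addr_mask(dst_addr, dst_mask)
    if err:
        raise ValueError(err)
    words = ["access-list", acl]
    if line is not None:
        words += ["line", str(line)]
    words += [action, protocol, "object-group", src_group, dst_addr, dst_mask]
    if port is not None:
        words += ["eq", str(port)]
    return " ".join(words)


ACE_RE = re.compile(
    r"^access-list (\S+) line (\d+) (permit|deny) (\S+) (.*?)(?: \(hitcnt=\d+\))?$"
)


def insert_point_before_deny(show_output, acl, group):
    """Parse `show access-list` output and return the line number of the
    first deny ACE in <acl> whose source is object-group <group>.
    Inserting at that number pushes the deny down one line. Returns None
    when there is no such deny (appending at the end is then fine)."""
    for raw in show_output.splitlines():
        m = ACE_RE.match(raw.strip())
        if not m or m.group(1) != acl:
            continue
        line_no, action, rest = int(m.group(2)), m.group(3), m.group(5)
        if action == "deny" and rest.startswith(f"object-group {group} "):
            return line_no
    return None


def thread_command():
    """The ACE the poster was after: blocked_hosts to 65.55.171.0/24 on
    tcp/443, placed above the deny for the same group."""
    line = insert_point_before_deny(SHOW_ACCESS_LIST, "105", "blocked_hosts")
    return build_ace("105", "permit", "tcp", "blocked_hosts",
                     "65.55.171.0", "255.255.255.0", port=443, line=line)


if __name__ == "__main__":
    for mask in ("255.255.253.0", "255.255.252.0", "255.255.255.0"):
        print(mask, "->", check_addr_mask("65.55.171.0", mask) or "ok")
    print(thread_command())
```

Against the constructed output the deny sits at line 3, so the helper emits `access-list 105 line 3 permit tcp object-group blocked_hosts 65.55.171.0 255.255.255.0 eq 443`; after entering it on the PIX, run `sh access-list 105` again to confirm the new permit is above the deny before trusting the hit counters. Permitting only the destination block and port the hosts actually need keeps the blocked group blocked for everything else.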
 
LVL 5

Accepted Solution

by:
Feroz Ahmed earned 2000 total points
ID: 37027272
Hi,

The configuration to access HTTP on port 80 is as below:

ASA(config)# access-list 105 permit tcp any any eq http
ASA(config)# access-group 105 in interface outside
0
