Need help editing acl on Cisco Pix.

I have a Cisco PIX-501 version 6.3(5) and I can't seem to remember how to edit an existing ACL. I have a "blocked internal hosts" object-group that is in access-list 105 and I need to allow this group of machines to access one public IP on port 80. Please see the attached code. Thanks in advance for any and all help.
rburneyAsked:
Feroz AhmedSenior Network EngineerCommented:
Hi,

The configuration to access http on port 80 is as below :

ASA(Config-t)#access-list 105 permit tcp any any eq http
ASA(Config-t)#Access-group 105 in interface outside
0
 
piersonmCommented:
Don't see the attached code
0
 
rburneyAuthor Commented:
sofix.txt

sorry about that. here is the config.
0

 
JorisFRSTCommented:
insert "access-list 105 deny ip object-group blocked_hosts any"  on the line before :

access-list 105 permit ip object-group blocked_hosts public_IP eq 80

0
 
JorisFRSTCommented:
Of course I meant:


insert "access-list 105 permit ip object-group blocked_hosts public_IP eq 80"  on the line before :

access-list 105 deny ip object-group blocked_hosts any
0
 
rburneyAuthor Commented:
I need to add an IP range, so would I have

access-list 105 permit ip object-group blocked_hosts 65.55.171.0/24 eq 443 or do I need to have 65.55.171.0 255.255.252.0?
0
 
JorisFRSTCommented:
Hi you should use access-list 105 permit ip object-group blocked_hosts 65.55.171.0 255.255.252.0 eq 443
0
 
rburneyAuthor Commented:
Last question. How do I make sure this statement is in front of the denies?
0
 
rburneyAuthor Commented:
When I entered the string posted I get the following error: source address,mask (65.55.171.0,255.255.253.0) does not pair.
0
 
JorisFRSTCommented:
does it work using 255.255.252.0 ?

0
 
JorisFRSTCommented:
On your pix version when you do "sh access-list" you should be able to see line numbers.

Then you can enter a new line using a lower number

from cisco command reference :
[no] access-list id [line line-num] {deny | permit}{protocol | object-group protocol_obj_grp_id {source_addr source_mask} | object-group network_obj_grp_id [operator port [port] | interface if_name | object-group service_obj_grp_id] {destination_addr | remote_addr} {destination_mask | remote_mask} | object-group network_obj_grp_id [operator port [port] | object-group service_obj_grp_id]} [log [[disable | default] | [level]]] [interval secs]]

http://www.cisco.com/en/US/docs/security/pix/pix63/command/reference/ab.html#wp1067755

In your case :

access-list 105 line "number" permit ip object-group blocked_hosts 65.55.171.0 255.255.252.0 eq 443
0
 
JorisFRSTCommented:
Oh, sorry,

access-list 105 line "number" permit ip object-group blocked_hosts 65.55.171.0 mask 255.255.252.0 eq 443

I forgot the "mask" bit.
so this should work too.

access-list 105 line "number" permit ip object-group blocked_hosts 65.55.171.0 mask 255.255.253.0 eq 443
0
 
rburneyAuthor Commented:
OK, the IP I need access to is 65.55.171.0/24, so that is a 255.255.255.0 netmask. So I am using the following in my line:

access-list 105 line 10 permit ip object-group blocked_hosts 65.55.171.0 mask 255.255.255.0 eq 443

I now get an invalid IP address mask.

Thanks, by the way, for all the help!!!!
0
 
JorisFRSTCommented:
Try again without mask.
I might be confused with versions.
0
 
JorisFRSTCommented:
Or just make another object group for the allowed range.
0
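Putting the thread's final suggestion together, here is an added example (not posted by any participant) of the PIX 6.3 sequence: find the deny's line number, put the allowed destination range in its own network object-group, and insert the permit ahead of the deny. The object-group name `allowed_dst` and line number 10 are assumptions; `blocked_hosts` is the group named in the thread. Note that `eq 443` is only accepted with tcp or udp, not `ip`, and the "does not pair" error earlier came from 255.255.253.0 not being a contiguous mask.

```cisco
! Added example for PIX 6.3(5); names "allowed_dst" and "line 10" are assumed.

! 1. Read the current entries with their line numbers; note the number of the
!    "deny ip object-group blocked_hosts any" entry you need to stay in front of.
show access-list 105

! 2. Group the permitted destination range (65.55.171.0/24 = 255.255.255.0).
object-group network allowed_dst
  network-object 65.55.171.0 255.255.255.0

! 3. Insert the permit at the deny's line number; the existing deny shifts down.
!    Use tcp rather than ip, because a port operator is only valid for tcp/udp.
access-list 105 line 10 permit tcp object-group blocked_hosts object-group allowed_dst eq 443

! 4. Verify the ordering (permit above deny) and watch the hit counts; the
!    existing access-group binding of 105 is unchanged, so nothing else to apply.
show access-list 105
write memory
```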