Solved

CISCO Access List Error

Posted on 2014-09-18
Last Modified: 2014-10-09
Hi,

I inherited a cisco pix 515e and I am trying to add the following:

access-list OUTSIDE_access_in_1 extended permit tcp Google 255.255.0.0 interface OUTSIDE eq smtp inactive

I get an error stating: ERROR:<extended> not a valid permission

I defined Google as a name and I am not sure what I am doing wrong.

Thank you for your help in advance
Question by: thomasm1948
10 Comments
 
LVL 17

Expert Comment

by:lruiz52
ID: 40331634
will you provide a sanitized config?
 
LVL 57

Expert Comment

by:Pete Long
ID: 40332136
Remove the word extended, it will be put back in by the OS,

Also, what is 'Google'? If it's an object or an object group, it needs the network object, or object-group, before it.

Pete
 

Author Comment

by:thomasm1948
ID: 40333167
Google is a name associated to an IP address
 

Author Comment

by:thomasm1948
ID: 40333175
If I take out extended, I get the following error:

ERROR: extra command argument(s)
 
LVL 17

Expert Comment

by:lruiz52
ID: 40333206
Try this;

access-list OUTSIDE_access_in_1 extended permit tcp Google 255.255.0.0 eq smtp interface OUTSIDE eq smtp inactive
 

Author Comment

by:thomasm1948
ID: 40333242
I get the following error:

ERROR:<extended> not a valid permission
 
LVL 17

Expert Comment

by:lruiz52
ID: 40333260
posting a sanitized config would help.
 

Author Comment

by:thomasm1948
ID: 40333271
asafirewall# sh run
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security99
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname asafirewall
domain-name asa
clock timezone EST -5
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 10.1.1.0 mgnt-network
name 64.18.0.0 Postini
name 64.140.206.217 MMS
name 172.16.1.4 Destiny
name 172.16.1.5 Mail
name 172.16.0.25 Main8e6Filter
name 172.16.0.19 Old8e6
name 172.17.0.2 Oracledb
name 172.16.1.3 Server3
name 172.16.1.22 madmacs
name 172.16.1.12 pcserver
name 12.47.12.130 DestintRDP2
name 12.107.106.100 DestinyRDP2
name 72.91.20.29 Verizon_GW
name 172.16.1.2 Server2
name 74.125.65.109 GMAIL_SMTP
name 74.125.113.109 GMAIL_SMTP2
name 74.125.45.109 Gmail_smtp3
name 74.125.47.109 Gmail_smtp4
name 74.125.0.0 Google
name 209.85.128.0 Google2
name 172.16.1.18 Montage
name 66.54.174.28 Montage_Web_Server
name 172.30.0.85 VARtek-Monitoring
name 172.17.0.4 server10
name 172.16.1.8 Terminal-Server
name 67.78.184.210 OutsideIP
object-group service tcp-udp tcp-udp
  port-object eq www
object-group service rdp tcp-udp
  description rdp
  port-object range 3389 3389
object-group service web tcp
  port-object eq www
  port-object eq https
  port-object range 3309 3309
  port-object eq ftp
object-group service web2 tcp
  port-object eq www
object-group protocol DM_INLINE_PROTOCOL_1
  protocol-object udp
  protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_2
  protocol-object udp
  protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_3
  protocol-object udp
  protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_4
  protocol-object udp
  protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_5
  protocol-object udp
  protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_6
  protocol-object udp
  protocol-object tcp
object-group network DestinyRDPGRP
  description DestinyRDPGRP
  network-object host DestinyRDP2
  network-object host DestintRDP2
object-group service Email tcp
  description Email
  port-object eq https
  port-object eq imap4
  port-object eq pop3
object-group service Web_Server tcp
  description Web_Server
  port-object eq 8080
  port-object eq 8170
  port-object eq 8171
  port-object eq 8181
  port-object eq www
object-group service Games tcp
  description Games
  port-object eq 1119
  port-object eq 3724
  port-object eq 4000
  port-object range 6112 6119
  port-object range 6881 6999
  port-object range 2300 2400
  port-object eq 47624
  port-object eq 28960
  port-object eq 3074
  port-object range 28000 28020
  port-object eq 3723
  port-object range 43594 43595
  port-object eq 5121
object-group service Games2 udp
  description Games2
  port-object range 6112 6119
  port-object range 2300 2400
  port-object eq 47624
  port-object eq 28500
  port-object eq 28510
  port-object eq 28960
  port-object range 3074 3075
  port-object range 3478 3479
  port-object range 28000 28020
  port-object eq 14567
  port-object eq 3723
object-group network SMTP_Gmail
  description SMTP_Gmail
  network-object host GMAIL_SMTP2
  network-object host Gmail_smtp3
  network-object host GMAIL_SMTP
  network-object host Gmail_smtp4
object-group service Gmailsmtp tcp
  description Gmailsmtp
  port-object eq 993
  port-object eq smtp
object-group service transmission tcp-udp
  port-object eq 64330
object-group service ARD tcp-udp
  description ARD
  port-object range 5900 5901
object-group network DM_INLINE_NETWORK_1
  network-object 172.16.1.0 255.255.255.0
  network-object 172.17.0.0 255.255.0.0
  network-object mgnt-network 255.255.255.0
  network-object 172.18.0.0 255.255.0.0
object-group service TCP-8181 tcp
  description TCP-8181
  port-object eq 8181
object-group service RDP tcp
  description Remote Desktop
  port-object eq 3389
access-list PERMIT_IN deny ip any any
access-list inside_outbound_nat0_acl permit ip any 172.16.0.0 255.255.0.0
access-list outside_access_in deny ip any any
pager lines 24
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip address outside OutsideIP 255.255.255.252
ip address inside 172.16.0.24 255.255.0.0
ip address DMZ 192.168.3.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPNinbound 192.168.0.80-192.168.0.85
no pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 67.78.184.209 1
route inside 172.17.0.0 255.255.0.0 172.16.0.1 1
route inside 172.18.0.0 255.255.0.0 172.16.0.1 1
route inside 172.19.3.0 255.255.255.0 172.16.0.1 1
route inside 172.20.0.0 255.255.0.0 172.16.0.1 1
route inside 172.21.0.0 255.255.0.0 172.16.0.1 1
route inside 172.22.0.0 255.255.255.0 172.16.0.1 1
route inside 192.168.0.0 255.255.0.0 192.168.0.59 1
route inside 192.168.0.4 255.255.255.255 192.168.0.59 1
route inside 192.168.110.0 255.255.255.0 192.168.0.59 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 192.168.0.21 C:/TFTP-Root
floodguard enable
telnet 172.16.0.0 255.255.0.0 inside
telnet timeout 5
ssh 172.16.0.0 255.255.0.0 inside
ssh timeout 10
management-access inside
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
dhcprelay server Server3 inside
dhcprelay server Server2 inside
terminal width 80
 
LVL 17

Accepted Solution

by: lruiz52 (earned 500 total points)
ID: 40333674
Looks like you're missing the access-group for "outside_access_in_1":

access-group outside_access_in_1 in interface outside

or

access-list OUTSIDE_access_in extended permit tcp Google 255.255.0.0 interface OUTSIDE eq smtp inactive
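The three points raised in this thread (Pete Long's note that `extended` and object names are parsed differently depending on the OS, the unresolved `Google` name, and lruiz52's point that an access-list does nothing until an `access-group` binds it) can all be checked mechanically against the running config the asker posted. The running config says `PIX Version 6.3(5)`, and the `extended` and `inactive` keywords and the `interface <name>` address form were introduced in PIX/ASA 7.0; on 6.3 the parser expects `permit` or `deny` where `extended` sits, which is exactly the `<extended> not a valid permission` error shown above. The Python below is an added example, not code from the thread or from Cisco: it parses the `PIX Version`, `nameif`, `name`, `object-group`, `ip address` and `access-group` lines out of a constructed excerpt of the posted configuration, lints a candidate access-list line against them, and rewrites the 7.x-style line into 6.3 form. Two things in it are assumptions rather than facts from the thread: the rewrite treats `interface OUTSIDE` as meaning the outside interface's own address (`host OutsideIP`, taken from the `ip address outside` line), and the `KEYWORDS` set is a hand-picked subset of the port names the PIX accepts after `eq`.

```python
import re

# Constructed excerpt of the running config posted in this thread (PIX 6.3(5)).
PIX_CONFIG = """\
PIX Version 6.3(5)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security99
names
name 74.125.0.0 Google
name 209.85.128.0 Google2
name 172.16.1.5 Mail
name 67.78.184.210 OutsideIP
object-group network SMTP_Gmail
  network-object host GMAIL_SMTP
access-list outside_access_in deny ip any any
ip address outside OutsideIP 255.255.255.252
access-group outside_access_in in interface outside
"""

# Access-list keywords that PIX/ASA 7.0 introduced; the 6.3 parser rejects all three.
ADDED_IN_70 = {"extended", "inactive", "interface"}

# Grammar tokens, not names: actions, protocols, operators and a hand-picked
# (assumed) subset of the port names the PIX accepts after eq/neq/gt/lt.
KEYWORDS = {
    "permit", "deny", "remark", "ip", "tcp", "udp", "icmp", "any", "host",
    "eq", "neq", "gt", "lt", "range", "log", "object-group",
    "smtp", "www", "https", "ftp", "ssh", "telnet", "domain", "pop3", "imap4",
}
IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def parse_config(text):
    """Pull out the parts of a PIX config that an access-list line can refer to."""
    cfg = {"version": None, "nameifs": set(), "names": {}, "groups": set(),
           "if_addr": {}, "access_groups": set()}
    for line in text.splitlines():
        p = line.split()
        if not p:
            continue
        if p[:2] == ["PIX", "Version"] and len(p) >= 3:
            cfg["version"] = p[2]
        elif p[0] == "nameif" and len(p) >= 3:
            cfg["nameifs"].add(p[2])           # nameif ethernet0 outside security0
        elif p[0] == "name" and len(p) == 3:
            cfg["names"][p[2]] = p[1]          # name 74.125.0.0 Google
        elif p[0] == "object-group" and len(p) >= 3:
            cfg["groups"].add(p[2])            # object-group network SMTP_Gmail
        elif p[:2] == ["ip", "address"] and len(p) >= 4:
            cfg["if_addr"][p[2]] = p[3]        # ip address outside OutsideIP <mask>
        elif p[0] == "access-group" and len(p) >= 2:
            cfg["access_groups"].add(p[1])     # access-group <acl> in interface <if>
    return cfg


def lint_ace(ace, cfg):
    """Return the problems this PIX would have with one access-list line."""
    findings = []
    t = ace.split()
    if len(t) < 4 or t[0] != "access-list":
        return ["not an access-list command"]
    major = int(cfg["version"].split(".")[0]) if cfg["version"] else 99
    if major < 7:
        for kw in t[2:]:
            if kw in ADDED_IN_70:
                findings.append(f"'{kw}' is a 7.0+ keyword; PIX {cfg['version']} rejects it")
    if t[1] not in cfg["access_groups"]:
        findings.append(f"access-list {t[1]} is not bound to an interface by access-group")
    for i in range(2, len(t)):
        tok, prev = t[i], t[i - 1]
        if prev == "interface":
            if tok not in cfg["nameifs"]:      # nameif value must match exactly as written
                findings.append(f"'{tok}' matches no nameif exactly; have {sorted(cfg['nameifs'])}")
        elif prev == "object-group":
            if tok not in cfg["groups"]:
                findings.append(f"object-group '{tok}' is not defined")
        elif tok in KEYWORDS or tok in ADDED_IN_70 or tok.isdigit() or IPV4.fullmatch(tok):
            continue
        elif tok not in cfg["names"]:
            findings.append(f"'{tok}' is not a defined name")
    return findings


def to_pix63(ace, cfg):
    """Rewrite a 7.x-style line into 6.3 form.

    Assumption (not stated in the thread): 'interface X' was meant as the
    address of interface X, so it becomes 'host <X's ip address value>'.
    'inactive' has no 6.3 equivalent and is dropped, so the result is live
    the moment it is entered.
    """
    t, out, i = ace.split(), [], 0
    while i < len(t):
        tok = t[i]
        if tok in ("extended", "inactive"):
            i += 1
        elif tok == "interface" and i + 1 < len(t):
            ifname = t[i + 1]
            addr = cfg["if_addr"].get(ifname) or cfg["if_addr"].get(ifname.lower())
            if addr is None:
                raise ValueError(f"no 'ip address' line for interface {ifname}")
            out += ["host", addr]
            i += 2
        else:
            out.append(tok)
            i += 1
    return " ".join(out)


if __name__ == "__main__":
    cfg = parse_config(PIX_CONFIG)
    asked = ("access-list OUTSIDE_access_in_1 extended permit tcp Google 255.255.0.0 "
             "interface OUTSIDE eq smtp inactive")
    for finding in lint_ace(asked, cfg):
        print("-", finding)
    print(to_pix63(asked, cfg))
```

Run against the line from the question, the linter reports five findings: the three 7.0-only keywords, `OUTSIDE` not matching the `nameif` value `outside`, and `OUTSIDE_access_in_1` not being bound by any `access-group`. The rewrite produces `access-list OUTSIDE_access_in_1 permit tcp Google 255.255.0.0 host OutsideIP eq smtp`. Two caveats before pasting that into a 6.3 box: there is no `inactive` on 6.3, so adding the line to the bound list `outside_access_in` opens tcp/25 from 74.125.0.0/16 to the outside address immediately; and the configuration shown contains no `static` translation for tcp/25, so the permit by itself will not deliver mail to the inside `Mail` host.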
 

Author Comment

by:thomasm1948
ID: 40336467
The issue is that I cannot add:

access-list OUTSIDE_access_in extended permit tcp Google 255.255.0.0 interface OUTSIDE eq smtp inactive

I get an error stating: ERROR:<extended> not a valid permission

I took out the _1 after the name just in case that could be the issue. I have been trying everything.