  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 375

CISCO Access List Error

Hi,

I inherited a cisco pix 515e and I am trying to add the following:

access-list OUTSIDE_access_in_1 extended permit tcp Google 255.255.0.0 interface OUTSIDE eq smtp inactive

I get an error stating: ERROR:<extended> not a valid permission

I defined Google as a name and I am not sure what I am doing wrong.

Thank you for your help in advance
Asked by: thomasm1948
1 Solution
 
lruiz52 commented:
will you provide a sanitized config?
 
Pete Long (Technical Consultant) commented:
Remove the word extended; it will be put back in by the OS.

Also, what is 'Google'? If it's an object or an object group, it needs the network object, or object-group, before it.

Pete
 
thomasm1948 (Author) commented:
Google is a name associated to an IP address
 
thomasm1948 (Author) commented:
If I take out extended, I get the following error:

ERROR: extra command argument(s)
 
lruiz52 commented:
Try this:

access-list OUTSIDE_access_in_1 extended permit tcp Google 255.255.0.0 eq smtp interface OUTSIDE eq smtp inactive
 
thomasm1948 (Author) commented:
I get the following error:

ERROR:<extended> not a valid permission
 
lruiz52 commented:
Posting a sanitized config would help.
 
thomasm1948 (Author) commented:
asafirewall# sh run
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security99
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname asafirewall
domain-name asa
clock timezone EST -5
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 10.1.1.0 mgnt-network
name 64.18.0.0 Postini
name 64.140.206.217 MMS
name 172.16.1.4 Destiny
name 172.16.1.5 Mail
name 172.16.0.25 Main8e6Filter
name 172.16.0.19 Old8e6
name 172.17.0.2 Oracledb
name 172.16.1.3 Server3
name 172.16.1.22 madmacs
name 172.16.1.12 pcserver
name 12.47.12.130 DestintRDP2
name 12.107.106.100 DestinyRDP2
name 72.91.20.29 Verizon_GW
name 172.16.1.2 Server2
name 74.125.65.109 GMAIL_SMTP
name 74.125.113.109 GMAIL_SMTP2
name 74.125.45.109 Gmail_smtp3
name 74.125.47.109 Gmail_smtp4
name 74.125.0.0 Google
name 209.85.128.0 Google2
name 172.16.1.18 Montage
name 66.54.174.28 Montage_Web_Server
name 172.30.0.85 VARtek-Monitoring
name 172.17.0.4 server10
name 172.16.1.8 Terminal-Server
name 67.78.184.210 OutsideIP
object-group service tcp-udp tcp-udp
  port-object eq www
object-group service rdp tcp-udp
  description rdp
  port-object range 3389 3389
object-group service web tcp
  port-object eq www
  port-object eq https
  port-object range 3309 3309
  port-object eq ftp
object-group service web2 tcp
  port-object eq www
object-group protocol DM_INLINE_PROTOCOL_1
  protocol-object udp
  protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_2
  protocol-object udp
  protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_3
  protocol-object udp
  protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_4
  protocol-object udp
  protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_5
  protocol-object udp
  protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_6
  protocol-object udp
  protocol-object tcp
object-group network DestinyRDPGRP
  description DestinyRDPGRP
  network-object host DestinyRDP2
  network-object host DestintRDP2
object-group service Email tcp
  description Email
  port-object eq https
  port-object eq imap4
  port-object eq pop3
object-group service Web_Server tcp
  description Web_Server
  port-object eq 8080
  port-object eq 8170
  port-object eq 8171
  port-object eq 8181
  port-object eq www
object-group service Games tcp
  description Games
  port-object eq 1119
  port-object eq 3724
  port-object eq 4000
  port-object range 6112 6119
  port-object range 6881 6999
  port-object range 2300 2400
  port-object eq 47624
  port-object eq 28960
  port-object eq 3074
  port-object range 28000 28020
  port-object eq 3723
  port-object range 43594 43595
  port-object eq 5121
object-group service Games2 udp
  description Games2
  port-object range 6112 6119
  port-object range 2300 2400
  port-object eq 47624
  port-object eq 28500
  port-object eq 28510
  port-object eq 28960
  port-object range 3074 3075
  port-object range 3478 3479
  port-object range 28000 28020
  port-object eq 14567
  port-object eq 3723
object-group network SMTP_Gmail
  description SMTP_Gmail
  network-object host GMAIL_SMTP2
  network-object host Gmail_smtp3
  network-object host GMAIL_SMTP
  network-object host Gmail_smtp4
object-group service Gmailsmtp tcp
  description Gmailsmtp
  port-object eq 993
  port-object eq smtp
object-group service transmission tcp-udp
  port-object eq 64330
object-group service ARD tcp-udp
  description ARD
  port-object range 5900 5901
object-group network DM_INLINE_NETWORK_1
  network-object 172.16.1.0 255.255.255.0
  network-object 172.17.0.0 255.255.0.0
  network-object mgnt-network 255.255.255.0
  network-object 172.18.0.0 255.255.0.0
object-group service TCP-8181 tcp
  description TCP-8181
  port-object eq 8181
object-group service RDP tcp
  description Remote Desktop
  port-object eq 3389
access-list PERMIT_IN deny ip any any
access-list inside_outbound_nat0_acl permit ip any 172.16.0.0 255.255.0.0
access-list outside_access_in deny ip any any
pager lines 24
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip address outside OutsideIP 255.255.255.252
ip address inside 172.16.0.24 255.255.0.0
ip address DMZ 192.168.3.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPNinbound 192.168.0.80-192.168.0.85
no pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 67.78.184.209 1
route inside 172.17.0.0 255.255.0.0 172.16.0.1 1
route inside 172.18.0.0 255.255.0.0 172.16.0.1 1
route inside 172.19.3.0 255.255.255.0 172.16.0.1 1
route inside 172.20.0.0 255.255.0.0 172.16.0.1 1
route inside 172.21.0.0 255.255.0.0 172.16.0.1 1
route inside 172.22.0.0 255.255.255.0 172.16.0.1 1
route inside 192.168.0.0 255.255.0.0 192.168.0.59 1
route inside 192.168.0.4 255.255.255.255 192.168.0.59 1
route inside 192.168.110.0 255.255.255.0 192.168.0.59 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 192.168.0.21 C:/TFTP-Root
floodguard enable
telnet 172.16.0.0 255.255.0.0 inside
telnet timeout 5
ssh 172.16.0.0 255.255.0.0 inside
ssh timeout 10
management-access inside
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
dhcprelay server Server3 inside
dhcprelay server Server2 inside
terminal width 80
 
lruiz52 commented:
Looks like you're missing an access group for "outside_access_in_1":

access-group outside_access_in_1 in interface outside

or

access-list OUTSIDE_access_in extended permit tcp Google 255.255.0.0 interface OUTSIDE eq smtp inactive
 
thomasm1948 (Author) commented:
The issue is that I cannot add:

access-list OUTSIDE_access_in extended permit tcp Google 255.255.0.0 interface OUTSIDE eq smtp inactive

I get an error stating: ERROR:<extended> not a valid permission

I took out the _1 after the name just in case that could be the issue. I have been trying everything.
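The thread ends without a resolution on the page, so here is an added example (not code from the question, the answers, or Cisco) that makes the version point concrete. The posted config starts with `PIX Version 6.3(5)`, and the `extended` and `inactive` keywords and the `interface` destination form belong to the 7.0+ access-list grammar; a 6.3 parser expects `permit` or `deny` where `extended` sits (hence `<extended> not a valid permission`) and, once `extended` is gone, has no use for `interface OUTSIDE ... inactive` (hence `extra command argument(s)`). The script lints one access-list line against a small subset of the 6.3 grammar plus the `name` table from a running config. The keyword list, the grammar subset, and the 6.3-style rewrite `PIX63_FORM` (which spells the destination as `host OutsideIP`, the outside interface address from the posted config) are assumptions of this example, not the firewall's real parser.

```python
"""Lint an access-list line against a subset of the PIX 6.3 grammar and the
`name` table from a running config.  Added example, not Cisco code: the
keyword list and grammar subset are assumptions, not the real parser."""
import ipaddress
import re

# Keywords the access-list command gained in PIX/ASA 7.0 (assumption);
# a 6.3(5) parser does not recognise them.
POST_63_KEYWORDS = {"extended", "inactive", "interface", "time-range"}
PORT_OPS = {"eq", "neq", "lt", "gt", "range"}

# Excerpt of the `name` entries from the config posted in the thread.
SAMPLE_NAMES = """\
names
name 74.125.0.0 Google
name 209.85.128.0 Google2
name 172.16.1.5 Mail
name 67.78.184.210 OutsideIP
"""

ORIGINAL_LINE = ("access-list OUTSIDE_access_in_1 extended permit tcp Google "
                 "255.255.0.0 interface OUTSIDE eq smtp inactive")
WITHOUT_EXTENDED = ORIGINAL_LINE.replace("extended ", "", 1)
# The same rule in 6.3 syntax (assumption): no `extended`, no `inactive`,
# destination given as a host using the outside interface's name.
PIX63_FORM = ("access-list OUTSIDE_access_in permit tcp Google 255.255.0.0 "
              "host OutsideIP eq smtp")


def parse_names(config_text):
    """Collect `name <ip> <label>` entries from a running config."""
    names = {}
    for line in config_text.splitlines():
        m = re.match(r"\s*name\s+(\S+)\s+(\S+)\s*$", line)
        if m:
            names[m.group(2)] = m.group(1)
    return names


def _is_ip(tok):
    try:
        ipaddress.IPv4Address(tok)
        return True
    except ValueError:
        return False


def _take_address(tokens, i, names, findings, which):
    """Consume one 6.3 address spec (any | host X | object-group G | addr mask)."""
    if i >= len(tokens):
        findings.append(f"missing {which} address")
        return i
    tok = tokens[i]
    if tok == "any":
        return i + 1
    if tok in ("host", "object-group"):
        if i + 1 >= len(tokens):
            findings.append(f"'{tok}' needs an argument ({which})")
            return i + 1
        if tok == "host" and not (_is_ip(tokens[i + 1]) or tokens[i + 1] in names):
            findings.append(f"unknown host '{tokens[i + 1]}' ({which})")
        return i + 2
    if not (_is_ip(tok) or tok in names):
        findings.append(f"'{tok}' is not an address, a configured name or a 6.3 keyword ({which})")
    if i + 1 >= len(tokens) or not _is_ip(tokens[i + 1]):
        findings.append(f"{which} address '{tok}' needs a dotted-quad mask")
        return i + 1
    return i + 2


def _take_ports(tokens, i):
    """Skip an optional port operator; service object-groups are not modelled."""
    if i < len(tokens) and tokens[i] in PORT_OPS:
        return i + (3 if tokens[i] == "range" else 2)
    return i


def lint_acl(line, names):
    """Return findings for one line; an empty list means it parses under the subset."""
    findings = []
    tokens = line.split()
    if len(tokens) < 3 or tokens[0] != "access-list":
        return ["not an access-list command"]
    for tok in tokens:
        if tok in POST_63_KEYWORDS:
            findings.append(f"'{tok}' is a 7.0+ keyword; PIX 6.3 will reject it")
    i = 2
    if tokens[i] not in ("permit", "deny"):
        findings.append(f"<{tokens[i]}> not a valid permission (expected permit|deny)")
        return findings
    i += 1
    if i >= len(tokens):
        findings.append("missing protocol")
        return findings
    i += 1  # protocol (ip/tcp/udp/icmp or number); not validated here
    i = _take_address(tokens, i, names, findings, "source")
    i = _take_ports(tokens, i)
    i = _take_address(tokens, i, names, findings, "destination")
    i = _take_ports(tokens, i)
    if i < len(tokens):
        findings.append("extra command argument(s): " + " ".join(tokens[i:]))
    return findings


NAMES = parse_names(SAMPLE_NAMES)

if __name__ == "__main__":
    for candidate in (ORIGINAL_LINE, WITHOUT_EXTENDED, PIX63_FORM):
        print(candidate)
        for f in lint_acl(candidate, NAMES) or ["ok under the 6.3 subset"]:
            print("  -", f)
```

Run it against the three lines and the first two reproduce the thread's two error messages in order, while the 6.3-style form passes; the point for an inherited box is to check `show version` before pasting syntax from ASDM or a newer ASA.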