access-list help! 1

fowlerlfc

MIS
Mar 20, 2002
136
US
I have an internal network as follows:

10.186.32.0
10.186.33.0
10.186.34.0
My pix interfaces are named inside and outside.

I want the 10.186.32.0 hosts to be able access any servers on the internet.

I want the 10.186.33.0 and 10.186.34.0 hosts to only be able to access 3 sites on the internet. I have written the following access-list. Does it achieve my goals? Is it efficient? Is the syntax correct?

access-list acl_out permit tcp 10.186.32.0 255.255.255.0 any any
access-list acl_out permit tcp 10.186.33.0 255.255.255.0 64.12.184.57 www
access-list acl_out permit tcp 10.186.34.0 255.255.255.0 64.12.184.57 www
access-list acl_out permit tcp 10.186.33.0 255.255.255.0 64.4.52.7 www
access-list acl_out permit tcp 10.186.34.0 255.255.255.0 64.4.52.7 www
access-list acl_out permit tcp 10.186.33.0 255.255.255.0 64.4.53.7 www
access-list acl_out permit tcp 10.186.34.0 255.255.255.0 64.4.53.7 www
access-group acl_out in interface outside

Any help is greatly appreciated!
 
Yizhar,
This is what I used to create my attempt at an access-list. Please forgive me for not being a PIX firewall god. I was thrown into configuring the darn thing without any training so I am seeking some help from gurus. If what I put down was not correct, please help me learn what mistake I am making, by providing me with a short access-list example.

I would greatly appreciate it.

Thanks.
 
Please forgive Yizhar for his short but sweet answer! LOL

Good link though! Best place to start really.

Anyway, a couple of pointers ..

You seem to have the basic idea of creating an access list and it's not bad for your first attempt! They do take a bit of getting used to.

The basic format is something like,

access-list acl_name permit tcp <source_address> <mask> host <destination_address> eq <service>

If you are letting specific networks or hosts out then remember that when you apply the access list, anything that is not permitted by the ACL is denied. So, with your access list no one would be able to web browse anyway as their DNS requests (UDP port 53) would be blocked by the firewall. You need to think of every service that needs to go out!

Finally, if you are trying to restrict access to inside users then you need to apply the list inbound on the inside interface, not inbound on the outside interface. Your example is applied on the outside interface coming from the internet in!

There may be more wrong but it's late and I'm tired.

Goodnight!

Chris.




************************
Chris Andrew, CCNA
chrisac@gmx.co.uk
************************
 
chrisac,

Thanks so much for your help. Here's my second attempt at creating an access-list. What do you think?

access-list acl_in permit tcp 10.186.32.0 255.255.255.0 host 0.0.0.0 eq 80
access-list acl_in permit tcp 10.186.32.0 255.255.255.0 host 0.0.0.0 eq 53
access-list acl_in permit tcp 10.186.32.0 255.255.255.0 host 0.0.0.0 eq 21
access-list acl_in permit tcp 10.186.33.0 255.255.255.0 host 64.12.184.57 eq 80
access-list acl_in permit tcp 10.186.34.0 255.255.255.0 host 64.12.184.57 eq 80
access-list acl_in permit tcp 10.186.33.0 255.255.255.0 host 64.4.52.7 eq 80
access-list acl_in permit tcp 10.186.34.0 255.255.255.0 host 64.4.52.7 eq 80
access-list acl_in permit tcp 10.186.33.0 255.255.255.0 host 64.4.53.7 eq 80
access-list acl_in permit tcp 10.186.34.0 255.255.255.0 host 64.4.53.7 eq 80
access-group acl_in in interface inside

Please bear in mind that all hosts are using a DNS server (configured as a forwarder) with ip address 10.186.32.6. With this access-list, it should still be able to fulfill its duties, correct?

I've been looking through my PIX command reference and I found another command. Would this be more appropriate for what I'm trying to accomplish?

outbound 1 deny 10.186.33.0 255.255.255.0 0
outbound 1 deny 10.186.34.0 255.255.255.0 0
outbound 1 except 64.12.184.57 255.255.255.255 80 tcp
outbound 1 except 64.4.53.7 255.255.255.255 80 tcp
outbound 1 except 64.4.52.7 255.255.255.255 80 tcp
apply (inside) 1 outgoing_src

Once again, thanks for all your help and knowledge!

-fowlerlfc
 
Hi.

Here are my comments:

* The outbound command is obsolete, and you should NOT use it unless you have an outdated pix version that you can not upgrade.
What is the version of your pix anyway?

* If you have version 6.x, you can use PDM.
See the pix documentations for installing PDM if it is not installed.
PDM is a good utility for managing access-list using a GUI, and for monitoring the pix.

* DNS works mostly using UDP. AFAIK TCP 53 is used only for replication, but DNS name resolution uses UDP 53.
You'll need to add this:
access-list acl_in permit udp 10.186.32.0 255.255.255.0 any eq 53

* The "host" word in the ACL means a single specific ip address.
For specifying all the Internet, use "0 0" or the word "any", like:
access-list acl_in permit tcp 10.186.32.0 255.255.255.0 any eq 80

* You should try to make the access-list short and clear as possible. Here is an alternative:

access-list acl_in permit tcp 10.186.32.0 255.255.255.0 any eq http
access-list acl_in permit tcp 10.186.32.0 255.255.255.0 any eq ftp
access-list acl_in permit udp 10.186.32.0 255.255.255.0 any eq 53
access-list acl_in permit tcp any host 64.12.184.57 eq http
access-list acl_in permit tcp any host 64.4.52.7 eq http
access-list acl_in permit tcp any host 64.4.53.7 eq http

access-group acl_in in interface inside


* You will also need to debug this.
One of the main tools is the different syslog messages.
The following commands will help you:

logging on
logging buffer 4
show log
clear log
show log


Enjoy.
Yizhar Hurwitz
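To see concretely why the second attempt fails and the rewritten list works, here is a small evaluator for PIX-style access-list lines that I wrote for this thread; it is not a PIX tool and not code from any of the posters. It parses the ACE syntax used on this page (any / host A.B.C.D / A.B.C.D MASK, with a normal subnet mask rather than a wildcard mask, and eq with a port number or the names www, http, ftp, domain), applies first-match-wins with the implicit deny at the end, and checks a few constructed flows: the DNS forwarder at 10.186.32.6 sending UDP 53 out, a 10.186.32.0 host browsing, a 10.186.33.0 host reaching one of the three permitted sites, and a 10.186.33.0 host trying any other site. The destination addresses 198.51.100.x are constructed documentation addresses. It shows that "host 0.0.0.0" matches nothing at all (so the 10.186.32.0 rules in the second attempt never fire), that UDP 53 is only permitted once the udp line is added, and that the shortened list still confines the 33.0 and 34.0 networks to the three sites.

```python
"""Constructed example: evaluate PIX-style access-list entries against sample flows."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Service names that the PIX "eq" keyword accepts and that appear in this thread.
PORT_NAMES = {"www": 80, "http": 80, "ftp": 21, "domain": 53}

# The asker's second attempt, copied from the thread.
SECOND_ATTEMPT = """
access-list acl_in permit tcp 10.186.32.0 255.255.255.0 host 0.0.0.0 eq 80
access-list acl_in permit tcp 10.186.32.0 255.255.255.0 host 0.0.0.0 eq 53
access-list acl_in permit tcp 10.186.32.0 255.255.255.0 host 0.0.0.0 eq 21
access-list acl_in permit tcp 10.186.33.0 255.255.255.0 host 64.12.184.57 eq 80
access-list acl_in permit tcp 10.186.34.0 255.255.255.0 host 64.12.184.57 eq 80
access-list acl_in permit tcp 10.186.33.0 255.255.255.0 host 64.4.52.7 eq 80
access-list acl_in permit tcp 10.186.34.0 255.255.255.0 host 64.4.52.7 eq 80
access-list acl_in permit tcp 10.186.33.0 255.255.255.0 host 64.4.53.7 eq 80
access-list acl_in permit tcp 10.186.34.0 255.255.255.0 host 64.4.53.7 eq 80
access-group acl_in in interface inside
"""

# Yizhar's shorter alternative, copied from the thread.
ALTERNATIVE = """
access-list acl_in permit tcp 10.186.32.0 255.255.255.0 any eq http
access-list acl_in permit tcp 10.186.32.0 255.255.255.0 any eq ftp
access-list acl_in permit udp 10.186.32.0 255.255.255.0 any eq 53
access-list acl_in permit tcp any host 64.12.184.57 eq http
access-list acl_in permit tcp any host 64.4.52.7 eq http
access-list acl_in permit tcp any host 64.4.53.7 eq http
access-group acl_in in interface inside
"""

# Constructed flows: (label, protocol, source, destination, destination port).
FLOWS = [
    ("forwarder-dns", "udp", "10.186.32.6", "198.51.100.53", 53),
    ("32-net-web", "tcp", "10.186.32.10", "198.51.100.80", 80),
    ("33-net-allowed-site", "tcp", "10.186.33.10", "64.12.184.57", 80),
    ("33-net-other-site", "tcp", "10.186.33.10", "198.51.100.80", 80),
]


@dataclass
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]
    text: str


def _parse_addr(tokens, i):
    """Parse one address spec starting at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        # "host X" is exactly one address, so "host 0.0.0.0" is only 0.0.0.0.
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # "A.B.C.D MASK": PIX takes a normal subnet mask here, not a wildcard mask.
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(config: str) -> list:
    """Turn access-list lines into Ace objects; other lines (access-group) are skipped."""
    aces = []
    for line in config.strip().splitlines():
        t = line.split()
        if not t or t[0] != "access-list":
            continue
        action, proto = t[2], t[3]
        src, i = _parse_addr(t, 4)
        dst, i = _parse_addr(t, i)
        dport = None
        if i < len(t) and t[i] == "eq":
            p = t[i + 1]
            dport = int(p) if p.isdigit() else PORT_NAMES[p]
        aces.append(Ace(action, proto, src, dst, dport, line.strip()))
    return aces


def evaluate(aces, proto, src_ip, dst_ip, dport):
    """First matching entry wins; with no match the PIX applies its implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in aces:
        if ace.proto != proto or s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, ace.text
    return "deny", "implicit deny at end of list"


def check_flows(config: str) -> dict:
    """Map each sample flow label to permit/deny under the given access-list."""
    aces = parse_acl(config)
    return {label: evaluate(aces, *flow)[0] for label, *flow in FLOWS}


if __name__ == "__main__":
    for name, cfg in (("second attempt", SECOND_ATTEMPT), ("alternative", ALTERNATIVE)):
        print(name, check_flows(cfg))
```

Running it shows the second attempt denying every flow except the 33.0 host reaching 64.12.184.57, while the alternative permits the forwarder's UDP 53, the 32.0 web traffic and the allowed site, and still denies the 33.0 host's access to any other site. Adding the missing udp line to the second attempt, as Yizhar suggests, is the only change needed for the forwarder; the "host 0.0.0.0" lines still have to become "any" before the 32.0 network can browse.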
 
yizhar,

Thank you for the very informative post. It is very helpful. I appreciate the time you took to review my post and help me.

Thank you very much,
fowlerlfc
 
Yizhar's post covers it all really! I couldn't have put it any better myself (and probably wouldn't have anyway)!

Chris.

************************
Chris Andrew, CCNA
chrisac@gmx.co.uk
************************