
Access-List Problem 1

Status
Not open for further replies.

T3st1ng

MIS
Apr 11, 2005
34
US
I am new to the PIX, and have a 515E, version 6.3(4).

I created an ACL to allow traffic on 10000 and 1723, but it does not appear to be working.

Here is the access list I created:

access-list 100; 5 elements
access-list 100 line 1 permit tcp any any eq 10000
access-list 100 line 2 permit tcp any any eq pptp
access-list 100 line 3 permit udp any any eq 1723
access-list 100 line 4 permit udp any any eq 10000
access-list 100 line 5 permit tcp host XXX.XXX.XXX.XXX any


(Please note that the X's are replacing the Remote VPN IP Address, and I added that only after the first four lines did not work)


When I type sh access-li I do not see any hit counts for the new list I created, nor can I connect to the VPN.

In addition, when I type "sh config" I can see my other access-lists in the list, but not the new one I created.

After I created the access list, I entered the following to apply:

access-group 100 in int outside


Any ideas?

 
What exactly are you trying to do? Is this traffic destined for a particular inside device? If it is, you need a static mapping as well.

You mention a VPN. Where does that come into play? An access-list applied to the outside interface will not affect VPN traffic--it bypasses it.

Why don't you post your entire config--minus the sensitive data and give a detailed explanation of what you are trying to accomplish.

If you didn't write to memory, then you can reboot and the changes will be gone.

Thanks
Roland

What's ADD again?
 
I am trying to allow internal machines to connect to a remote VPN.

Here's the config:

sh config
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
interface ethernet2 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 public security60
enable password *********** encrypted
passwd ************* encrypted
hostname PIX
domain-name md-x.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list nonat permit ip 10.6.0.0 255.255.255.0 10.5.0.0 255.255.255.0
access-list allowremotesite permit ip 10.5.0.0 255.255.255.0 10.6.0.0 255.255.255.0
access-list 90 permit ip 10.6.0.0 255.255.255.0 10.5.0.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
mtu public 1500
ip address outside 206.x.x.1 255.255.255.128
ip address inside 10.6.0.1 255.255.255.0
ip address public 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 10.x.x.x 255.255.255.0 inside
pdm location 10.x.x.x 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 10 206.x.x.2
global (public) 2 192.168.1.2 netmask 255.255.0.0
nat (inside) 0 access-list 90
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
nat (public) 2 192.168.1.0 255.255.255.0 0 0
static (inside,outside) 206.x.x.x 10.x.x.X netmask 255.255.255.255 0 0
static (inside,outside) 206.x.x.x 10.x.X.x netmask 255.255.255.255 0 0
access-group allowremotesite in interface outside
route outside 0.0.0.0 0.0.0.0 206.x.x.50 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 10.x.x.x 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set sites esp-des esp-sha-hmac
crypto map toSITEB 20 ipsec-isakmp
crypto map toSITEB 20 match address 90
crypto map toSITEB 20 set peer 12.x.x.x
crypto map toSITEB 20 set transform-set sites
crypto map toSITEB interface outside
isakmp enable outside
isakmp key ******** address 12.x.x.x netmask 255.255.255.255
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption des
isakmp policy 9 hash sha
isakmp policy 9 group 1
isakmp policy 9 lifetime 86400
telnet 10.x.x.x 255.255.0.0 inside
telnet timeout 5
ssh x.x.x.x 255.255.255.0 outside
ssh x.x.x.x 255.255.255.255 inside
ssh x.x.x.x 255.255.255.255 public
ssh timeout 5
management-access inside
console timeout 0
terminal width 80
Cryptochecksum:*********************


 
First I'd remove these by using the no form of the command:

no nat (inside) 0 access-list 90
no access-group allowremotesite in interface outside
no access-list allowremotesite permit ip 10.5.0.0 255.255.255.0 10.6.0.0 255.255.255.0
no access-list nonat permit ip 10.6.0.0 255.255.255.0 10.5.0.0 255.255.255.0


then add these:

access-list allowremotesite permit ip 10.6.0.0 255.255.255.0 10.5.0.0 255.255.255.0
When an ACL is used to control what traffic can pass through the VPN the IPs are reversed--local IP range first then remote range.
It's still source to destination but you're saying allow traffic from the 10.6.0.0/24 network to access the 10.5.0.0/24 network.

nat (inside) 0 access-list allowremotesite

This will allow all traffic from the 10.6.0.0/24 network to flow to the 10.5.0.0/24 network--through the VPN.

To check the VPN you can use the debug crypto ipsec & debug crypto isakmp commands from config mode--then try to pass traffic to the remote network and watch the output. Also the show crypto ipsec sa & show crypto isakmp sa commands are helpful. To turn off the debugging, use the undebug all command.

Let me know...
Roland

What's ADD again?
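As an added example (not from this thread or from Cisco), here is a small Python audit script for the PIX 6.x config posted above. It parses only the line forms that appear in that config (access-list, ip address inside, nat 0, access-group, crypto map match address) and reports ACLs that are defined but never applied, ACLs referenced but not defined, and nat 0 / crypto ACLs whose source is not the inside network, which is the local-first ordering point made above. The sample config is a constructed excerpt of the posted one.

```python
import ipaddress

# Constructed sample: the relevant lines from the config posted in this thread.
SAMPLE_CONFIG = """
access-list nonat permit ip 10.6.0.0 255.255.255.0 10.5.0.0 255.255.255.0
access-list allowremotesite permit ip 10.5.0.0 255.255.255.0 10.6.0.0 255.255.255.0
access-list 90 permit ip 10.6.0.0 255.255.255.0 10.5.0.0 255.255.255.0
ip address inside 10.6.0.1 255.255.255.0
nat (inside) 0 access-list 90
access-group allowremotesite in interface outside
crypto map toSITEB 20 match address 90
"""

def _addr(tok):
    """Consume one PIX address spec (any | host A | net mask) from a token list."""
    w = tok.pop(0)
    if w == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if w == "host":
        return ipaddress.ip_network(tok.pop(0) + "/32")
    return ipaddress.ip_network(f"{w}/{tok.pop(0)}", strict=False)

def audit(config):
    """Return a list of (acl_name, finding) tuples for PIX 6.x config-form text."""
    acls, refs, inside = {}, {}, None   # name -> [(src, dst)], name -> [how used]
    for line in config.splitlines():
        t = line.split()
        if len(t) < 3:
            continue
        if t[0] == "access-list" and t[2] == "line":   # 'show access-list' style lines
            t = t[:2] + t[4:]
        if t[0] == "access-list" and t[2] in ("permit", "deny"):
            rest = t[4:]                                # tokens after the protocol
            src = _addr(rest)
            dst = _addr(rest)
            acls.setdefault(t[1], []).append((src, dst))
        elif t[:3] == ["ip", "address", "inside"]:
            inside = ipaddress.ip_network(f"{t[3]}/{t[4]}", strict=False)
        elif t[0] == "nat" and t[2] == "0" and t[3] == "access-list":
            refs.setdefault(t[4], []).append("nat0")
        elif t[0] == "access-group":
            refs.setdefault(t[1], []).append("access-group")
        elif t[:2] == ["crypto", "map"] and "match" in t:
            refs.setdefault(t[t.index("address") + 1], []).append("crypto")
    findings = []
    for name in sorted(set(acls) | set(refs)):
        if name not in acls:
            findings.append((name, "referenced but not defined"))
            continue
        uses = refs.get(name, [])
        if not uses:
            findings.append((name, "defined but never applied"))
        # nat 0 and crypto ACLs are written local-first: source must be the inside net
        if inside and any(u in ("nat0", "crypto") for u in uses):
            for src, _ in acls[name]:
                if src != inside:
                    findings.append((name, f"source {src} is not the inside network"))
    return findings
```

Running audit(SAMPLE_CONFIG) flags only nonat as defined but never applied; 90 passes because its source 10.6.0.0/24 is the inside network.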
 
A question:
you have these two static mappings...

static (inside,outside) 206.x.x.x 10.x.x.X netmask 255.255.255.255 0 0
static (inside,outside) 206.x.x.x 10.x.X.x netmask 255.255.255.255 0 0

...but no ACL associated with them. So essentially you're taking traffic from the 206.x.x.x addresses and mapping to the 10.x.x.x addresses but not allowing anything in on the 206.x.x.x addresses. Did that make sense?

For this to work you need an access-list that's applied to the outside interface and has the ports you want to reach these devices open. Which is the type of ACL I thought you wanted initially in the other thread.

Roland

What's ADD again?
 
I don't think my posting was clear. The suggestions you have made would affect an existing site to site connection. My intended goal at this point is to allow internal machines to connect to a remote VPN, with IP 69.x.x.1, using the Windows VPN client.

Here is the access list I created:

access-list 100; 5 elements
access-list 100 line 1 permit tcp any any eq 10000
access-list 100 line 2 permit tcp any any eq pptp
access-list 100 line 3 permit udp any any eq 1723
access-list 100 line 4 permit udp any any eq 10000
access-list 100 line 5 permit tcp host 69.x.x.1 any


After I created the access list, I entered the following to apply:

access-group 100 in int outside


When I type sh access-li I do not see any hit counts for the new list I created, nor can I connect to the VPN. In addition, when I type "sh config" I can see my other access-lists in the list, but not the new one I created, which you can see for yourself in the config posted above.

I want to add this to my existing config so that this VPN will work. I do not want to alter anything that is already working, as I don't know enough. The Network person is out on disability, and I'm sort of stuck right now.

Your help is GREATLY appreciated!
 
I'm looking into the windows client VPN.

Also type "show run" and you should see the access-list you created.

Show config--shows the saved configuration. If you haven't saved the config to memory, the changes won't show up here, but don't save it until it's working. That way, if you get lost, you can just reboot the device and wipe the changes out.

Show run--shows the active or running configuration.

Just to make sure on the VPN issue:
You want to take internal clients and allow them to connect--via windows vpnclient--to a remote network. And the termination point for the VPN client is the 69.x.x.1 address.

Is that correct?

What's ADD again?
 
Yes that is correct.

Again, thanks not only for your help, but for explaining it in a way which allows me to understand what I'm doing for future reference.

 
You're welcome.

try adding the fixup protocol pptp 1723
command to the PIX.

Here is the reference link.


Also, this link deals with using a static mapping for each client--I don't think you want that, but the info might help.

What's ADD again?
 
If I add the fixup command, do I need the access-lists at all?
 
As long as you are running 6.3x... that should be all you need.

We weren't communicating clearly before and I was giving you apples when you wanted oranges. :) Initially I thought you wanted to know about access-lists and permitting certain port traffic. I wasn't even thinking VPN.

But we finally got to the heart of the matter.

here is one more link on the subject.

What's ADD again?
 
No luck, even with the fixup command. I still cannot connect to any Windows VPN. The machines I am using to connect are behind the PIX and use an internal address with PAT for internet connections. Is there something else missing?
 
Have you tried contacting Cisco TAC?

Also, do you control or have access to the terminating device on the other end?


*****************

What's ADD again?
 
Also, you can try setting up a sniffer on the outside of the PIX and look for traffic destined for the 69.x.x.1 address. That way you'll know if it's being passed through the PIX or not. Because right now you need to find out where the point of failure is.


*****************

What's ADD again?
 
How would I go about setting up a sniffer without drastically impacting performance of the PIX? My network admin had the McAfee Sniffer, and I am somewhat familiar with it.
 
What device is the outside interface of the PIX plugged into?

If it's a managed switch, then you would set up port monitoring and send the traffic to the port that the device running the sniffer is plugged into.


*****************

What's ADD again?
 