
netwalker1

Programmer
Feb 5, 2000
1,241
EG
Dear All :
I have a very strange situation here.
I have 6 interfaces on my 525 PIX, 6.2.

The 1st is the most secure interface, and the 6th is the least.

I made a rule using the PDM, saying that:
Permit from Special Group on the 3rd Interface --> ANY FTP Traffic to Any Host.

Means:
Source: Group on the 3rd Interface
Destination: Any on the 6th Interface
TCP\FTP

But I found that anyone in the Group can FTP to the top 2 Interfaces too!!!

How can I prevent this!

Also happened when I opened HTTP for another group to ANY on the 6th Interface: they can make HTTP connections with the 2 top Interfaces too!!!



Mohamed Farid
Know Me No Pain , No Me Know Pain !!!
 
I'm sorry, I don't get what you are saying. How can:

Permit from Special Group on the 3rd Interface --> ANY FTP Traffic to Any Host

be considered to only include:

Source: Group on the 3rd Interface
Destination: Any on the 6th Interface
TCP\FTP


If you have a lower sec-level intf and you do an acl that allows ftp from a group on that interface to any... they will be able to reach ANY interface in your pix.

Jan


Network Systems Engineer
CCNA/CQS/CCSP
 
So how can I just allow them to FTP to any of the lower interfaces, not the highest!?


Mohamed Farid
Know Me No Pain , No Me Know Pain !!!
 
I think what he means is that he wants his 3rd int/group to be able to ONLY ftp to the 6th int/group. Should be as simple as:

access-list blah permit tcp <3rd int ip> <mask> <6th int ip> <mask> eq ftp

and do the same for "ftp-data"

apply this to the "3rd" interface since the pix sees everything as incoming to the interface.

Make sure you also put in a rule to allow ftp-data from the 6th int/group to the 3rd int/group inbound on the 6th interface.





Bryan
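As an added illustration (not code from anyone in this thread), the following Python snippet simulates PIX first-match ACL evaluation to show the point Jan and Bryan make: an inbound ACL on the 3rd interface that permits the group to "any" matches traffic toward every interface, including the two more secure ones. It goes one step beyond the posts by also showing the usual correction when the destination really must be "anything on the Internet": deny the higher-security subnets first, then permit the rest. Interface names, subnets and host addresses are assumed lab values, not the poster's.

```python
# Added example: a minimal first-match evaluator for PIX-style extended ACLs,
# used to check which interfaces a rule set actually lets a source reach.
# All addresses are constructed (RFC 1918 / documentation ranges).
from ipaddress import ip_network, ip_address

ANY = ip_network("0.0.0.0/0")

# Assumed lab layout: interface name -> subnet behind it (most to least secure).
INTERFACES = {
    "inside":  ip_network("10.1.0.0/24"),   # 1st, most secure
    "dmz1":    ip_network("10.2.0.0/24"),   # 2nd
    "dmz2":    ip_network("10.3.0.0/24"),   # 3rd, where the FTP group sits
    "outside": ANY,                          # 6th, least secure (Internet)
}
FTP_GROUP = ip_network("10.3.0.0/28")        # the "special group" on the 3rd interface

# An ACL is a list of (action, src_net, dst_net, dst_port) entries. The PIX
# walks them top-down and stops at the first match; no match means drop.
def acl_allows(acl, src, dst, port):
    s, d = ip_address(src), ip_address(dst)
    for action, src_net, dst_net, dport in acl:
        if s in src_net and d in dst_net and dport in (port, "any"):
            return action == "permit"
    return False                             # implicit deny at the end of every ACL

# As posted: permit the group to "any" on FTP. Applied inbound on dmz2 this
# matches packets headed for every interface, including the two above it.
ACL_AS_POSTED = [("permit", FTP_GROUP, ANY, 21)]

# Corrected order: deny the higher-security subnets first, then permit the rest.
ACL_FIXED = [
    ("deny",   FTP_GROUP, INTERFACES["inside"], "any"),
    ("deny",   FTP_GROUP, INTERFACES["dmz1"],   "any"),
    ("permit", FTP_GROUP, ANY, 21),
]

def reachable_interfaces(acl, src="10.3.0.5", port=21):
    """Names of interfaces whose hosts `src` can reach on `port` through `acl`."""
    probes = {"inside": "10.1.0.10", "dmz1": "10.2.0.10", "outside": "203.0.113.10"}
    return sorted(name for name, host in probes.items()
                  if acl_allows(acl, src, host, port))

if __name__ == "__main__":
    print("as posted:", reachable_interfaces(ACL_AS_POSTED))  # ['dmz1', 'inside', 'outside']
    print("fixed:    ", reachable_interfaces(ACL_FIXED))      # ['outside']
```

The same ordering applies to the HTTP rule discussed later in the thread: put the deny entries for the 1st and 2nd interface subnets above the permit-any line.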
 
Well techracer74:
If I want a group on the 3rd interface to FTP or HTTP anything on the Internet, which is connected to the 6th interface,
will the last solution work?

Mohamed Farid
Know Me No Pain , No Me Know Pain !!!
 
Nope, it doesn't!

I made a rule to allow all the HTTP traffic from (the 3rd interface group) to the PIX's IP on the 6th interface
--> Doesn't work

I made a rule to allow all the HTTP traffic from (the 3rd interface group) to the PAT IP of the 3rd group on the 6th interface
--> Doesn't work


Any advice?

Mohamed Farid
Know Me No Pain , No Me Know Pain !!!
 
Any news?

Mohamed Farid
Know Me No Pain , No Me Know Pain !!!
 
I still want to enable the users on the 3rd interface to HTTP to anything connected to the 6th interface, without letting them HTTP to anything attached to the 1st and the 2nd interface!!

How can I do this ?

Mohamed Farid
Know Me No Pain , No Me Know Pain !!!
 
Any ideas?!

Mohamed Farid
Know Me No Pain , No Me Know Pain !!!
 
Hmm, maybe you should post the acls as they are now after all the changes you made....

Jan

Network Systems Engineer
CCNA/CQS/CCSP
 