
Configuration - Access Help

Status
Not open for further replies.

Riteon

Technical User
Jan 14, 2002
GB
We have a very simple network with all PC's running POP3 direct to the web (no internal mailserver) through a PIX501 3DES and ADSL point.

I want to allow anyone access to the web but to restrict only one pc 192.x.x.45 to allow them to connect to their POP3 account and send mail from outlook.

Can someone do me a line?

I presume the next line would let anyone access their mail accounts and the web (am I correct?)

access-list acl_in permit tcp any any eq smtp
access-list acl_in permit tcp any any eq www
access-list acl_in deny tcp host 192.x.x.45 any eq smtp

Secondly, how can I change the "404 Error, page cannot be displayed" to read "access protected by firewall"?

TIA

Riteon
 
Your access-list will allow everyone access to smtp. You can't deny a user on line 3 when you have already permitted them on line one. You have to deny specific traffic first and then permit the other stuff.

If you want to deny user 192.x.x.45 from sending mail (I think that's what you're trying to do) then you need to change your ACL to something like:

access-list acl_in deny tcp host 192.x.x.45 any eq smtp
access-list acl_in permit udp any any eq 53
access-list acl_in permit tcp any any eq smtp
access-list acl_in permit tcp any any eq www

int eth0
access-group acl_in in interface inside

This will prevent smtp from said IP address and allow smtp and everything else.

Chris.



************************
Chris Andrew, CCNA
chrisac@gmx.co.uk
************************
 
Hi Chris,

I have entered this but it won't allow my pc access to https addresses or newsservers. What am I doing wrong?
My PC's address is 192.168.1.15

I'm baffled!!!!

no access-list acl_in
access-list acl_in deny tcp host 192.168.1.11 any eq 80
access-list acl_in deny tcp host 192.168.1.11 any eq 1863
access-list acl_in deny tcp host 192.168.1.11 any eq www
access-list acl_in deny tcp host 192.168.1.11 any eq 443
access-list acl_in deny tcp host 192.168.1.11 any eq 53
access-list acl_in permit tcp host 192.168.1.11 any eq smtp
access-list acl_in permit tcp any any eq 53
access-list acl_in permit tcp any any eq 110
access-list acl_in permit tcp any any eq 119
access-list acl_in permit tcp any any eq 109
access-list acl_in permit tcp any any eq 80
access-list acl_in permit tcp any any eq 443
access-list acl_in permit tcp any any eq smtp
access-list acl_in permit tcp any any eq www
int eth0
access-group acl_in in interface inside
write mem

show access-list


Regards

Riteon
 
Hmmmmm!! Do you have any access-lists on the outside interface that might be blocking the inbound traffic? Your inside ACL looks okay. There's nothing obvious stopping https and news.

Are you doing any logging that might show what is being blocked?

Chris.
************************
Chris Andrew, CCNA
chrisac@gmx.co.uk
************************
 
pixfirewall(config)# show access-group
pixfirewall(config)# show access-list
pixfirewall(config)# no access-list acl_in
ERROR: access-list <acl_in> does not exist
pixfirewall(config)# access-list acl_in deny tcp host 192.168.1.11 any eq 80
pixfirewall(config)# access-list acl_in deny tcp host 192.168.1.11 any eq 1863
pixfirewall(config)# access-list acl_in deny tcp host 192.168.1.11 any eq www
pixfirewall(config)# access-list acl_in deny tcp host 192.168.1.11 any eq 443
pixfirewall(config)# access-list acl_in deny tcp host 192.168.1.11 any eq 53
pixfirewall(config)# access-list acl_in permit tcp host 192.168.1.11 any eq sm$
pixfirewall(config)# access-list acl_in permit tcp any any eq 53
pixfirewall(config)# access-list acl_in permit tcp any any eq 110
pixfirewall(config)# access-list acl_in permit tcp any any eq 119
pixfirewall(config)# access-list acl_in permit tcp any any eq 109
pixfirewall(config)# access-list acl_in permit tcp any any eq 80
pixfirewall(config)# access-list acl_in permit tcp any any eq 443
pixfirewall(config)# access-list acl_in permit tcp any any eq smtp
pixfirewall(config)# access-list acl_in permit tcp any any eq www
pixfirewall(config)# int eth0
pixfirewall(config)# access-group acl_in in interface inside
pixfirewall(config)# write mem
Building configuration...

Then I go to (for instance) from my pc
(note: I checked ip address by ipconfig and it is 192.168.1.15) and I get a page cannot be found.

Go back to PIX

Type in 'no access-list acl_in'
and go back to my browser and hey presto, comes up.

I'm soooo confused. What do you reckon, Chris?

Riteon
 
Yikes!! Don't know!!

Try logging your PIX so that you can see the denied traffic. The ACL looks okay so the problem might be elsewhere. Could you provide the entire config, edited for security?

Chris.
************************
Chris Andrew, CCNA
chrisac@gmx.co.uk
************************
 
PIX Version 6.1(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxx encrypted
passwd xxxxx encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
name 192.168.1.11 tony
access-list acl_in deny tcp host tony any eq www
access-list acl_in deny tcp host tony any eq 1863
access-list acl_in deny tcp host tony any eq 443
access-list acl_in deny tcp host tony any eq domain
access-list acl_in permit tcp host tony any eq smtp
access-list acl_in permit tcp any any eq domain
access-list acl_in permit tcp any any eq pop3
access-list acl_in permit tcp any any eq nntp
access-list acl_in permit tcp any any eq pop2
access-list acl_in permit tcp any any eq www
access-list acl_in permit tcp any any eq 443
access-list acl_in permit tcp any any eq smtp
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside xx.xx.xx.1 255.255.255.0
ip address inside 192.168.1.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location tony 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 xx.xx.xx.11-xx.xx.xx.99
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group acl_in in interface inside
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.xx 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
no floodguard enable
no sysopt route dnat
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
dhcpd address tony-xx.xx.xx.42 inside
dhcpd dns xx.xx.xx.xx xx.xx.xx.xx
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 80


How can I log the PIX Chris? or is this config enough?

Regards

Riteon
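Added illustration, not part of the original thread and not from any of the posters: a small first-match evaluator, written in Python, that walks the three access-lists quoted above exactly as they were posted. It models only the PIX behaviour the thread relies on (a packet is judged by the first matching entry, and a list ends in an implicit deny) and the ACL syntax the posts use; NAT, fixups and the outside interface are ignored. It demonstrates Chris's ordering point about the first ACL, and for the later ACL it shows that Riteon's PC (192.168.1.15) is permitted to https and nntp but that a UDP/53 DNS query matches no entry and falls to the implicit deny (Chris's suggested list had a `permit udp any any eq 53` line that the later list drops), which is consistent with "page cannot be found" and with everything working once the ACL is removed. `192.x.x.45` is the poster's own redaction and is treated as an opaque address string.

```python
"""First-match evaluator for the PIX access-lists quoted in this thread.

Added example, not from the original posts. Models only: permit|deny,
tcp|udp, source any|host X, destination any, eq PORT, first match wins,
implicit deny at the end.
"""
from dataclasses import dataclass

# Service names used on the page, mapped to the port numbers they stand for.
PORTS = {"smtp": 25, "www": 80, "domain": 53, "pop2": 109, "pop3": 110,
         "nntp": 119}

# The access-lists from the thread, quoted as posted.  "192.x.x.45" is the
# original poster's redaction and is compared as an opaque string.
ACL_ORIGINAL = """
access-list acl_in permit tcp any any eq smtp
access-list acl_in permit tcp any any eq www
access-list acl_in deny tcp host 192.x.x.45 any eq smtp
"""

ACL_CHRIS = """
access-list acl_in deny tcp host 192.x.x.45 any eq smtp
access-list acl_in permit udp any any eq 53
access-list acl_in permit tcp any any eq smtp
access-list acl_in permit tcp any any eq www
"""

ACL_RITEON = """
access-list acl_in deny tcp host 192.168.1.11 any eq 80
access-list acl_in deny tcp host 192.168.1.11 any eq 1863
access-list acl_in deny tcp host 192.168.1.11 any eq www
access-list acl_in deny tcp host 192.168.1.11 any eq 443
access-list acl_in deny tcp host 192.168.1.11 any eq 53
access-list acl_in permit tcp host 192.168.1.11 any eq smtp
access-list acl_in permit tcp any any eq 53
access-list acl_in permit tcp any any eq 110
access-list acl_in permit tcp any any eq 119
access-list acl_in permit tcp any any eq 109
access-list acl_in permit tcp any any eq 80
access-list acl_in permit tcp any any eq 443
access-list acl_in permit tcp any any eq smtp
access-list acl_in permit tcp any any eq www
"""


@dataclass(frozen=True)
class Ace:
    action: str   # "permit" or "deny"
    proto: str    # "tcp" or "udp"
    src: str      # "any" or a single host address
    dport: int    # destination port


def parse_acl(text):
    """Parse 'access-list NAME permit|deny tcp|udp any|host X any eq PORT'."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 2 or t[0] != "access-list":
            continue
        action, proto = t[2], t[3]
        src, i = (t[5], 6) if t[4] == "host" else ("any", 5)
        if t[i] != "any" or t[i + 1] != "eq":
            raise ValueError("unsupported ACE for this example: " + line)
        port = t[i + 2]
        aces.append(Ace(action, proto, src, PORTS.get(port) or int(port)))
    return aces


def evaluate(aces, proto, src_ip, dport):
    """Return (action, index) of the first ACE matching the packet; the
    PIX's implicit deny at the end of the list is reported as ("deny", None)."""
    for i, ace in enumerate(aces):
        if ace.proto == proto and ace.src in ("any", src_ip) and ace.dport == dport:
            return ace.action, i
    return "deny", None


def smtp_from_restricted_host():
    """Chris's point: in the original order the host is permitted by line 1
    before its deny on line 3 is reached; with the deny first it is blocked."""
    return (evaluate(parse_acl(ACL_ORIGINAL), "tcp", "192.x.x.45", 25),
            evaluate(parse_acl(ACL_CHRIS), "tcp", "192.x.x.45", 25))


def riteon_pc_checks():
    """Riteon's ACL seen from the PC at 192.168.1.15: https and nntp are
    permitted, but a UDP/53 DNS query matches nothing and is dropped by the
    implicit deny, so the browser never resolves the server's name."""
    aces = parse_acl(ACL_RITEON)
    pc = "192.168.1.15"
    return {"https": evaluate(aces, "tcp", pc, 443),
            "nntp": evaluate(aces, "tcp", pc, 119),
            "dns_udp": evaluate(aces, "udp", pc, 53),
            "dns_tcp": evaluate(aces, "tcp", pc, 53)}


if __name__ == "__main__":
    print(smtp_from_restricted_host())
    for name, (action, idx) in riteon_pc_checks().items():
        where = "implicit deny" if idx is None else "line %d" % (idx + 1)
        print("%-8s %-6s (%s)" % (name, action, where))
```

Run it as a script and the table shows `dns_udp deny (implicit deny)` while https and nntp are permitted. On the real PIX the same drops become visible in the syslog buffer once `logging on` and `logging buffered` with a suitable level are configured, which is the logging Chris asked for.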
 