
Multiple Interfaces access problems


fritz101

IS-IT--Management
Dec 11, 2001
I've got several interfaces on my PIX - outside, DMZ, LAN, inside (in increasing order of security). Right now, all hosts on all networks can access the Internet using PAT, and initiate connections to any host on a lower security level interface. Also, servers on the DMZ are accessible via specific ports from the Internet. There is also site to site VPN. OK, this is all how it's supposed to be so far. The problem I encounter is trying to permit specific hosts from the LAN to the Inside, using Inside hosts' real (no NAT) IP addresses. When I enter commands to permit access from the LAN to the Inside, my Internet connectivity from the LAN interface breaks. Here are the commands I'm using to permit LAN to Inside (blanket rule for the entire subnet just to test - I will only allow specific hosts when I get this figured out):
(LAN network is 192.168.3.0, Inside network is 192.168.101.0)

access-list LAN_to_inside permit ip 192.168.3.0 255.255.255.0 192.168.101.0 255.255.255.0
static (inside,LAN) 192.168.101.0 192.168.101.0 netmask 255.255.255.0
access-group LAN_to_inside in interface LAN


OK, first off, I don't understand why the access-list is being applied to incoming traffic on the LAN interface, when the traffic is really from the LAN interface to the higher-security interface Inside.
Next, I am wondering if there's any way to achieve what I'm trying to do - not use any NAT on my internal networks, permit traffic to lower level interfaces, allow specific hosts access to higher level interfaces, have outgoing PAT taking place for the Internet, and keep my site to site VPN.

Here's my current config, without any access to higher-level interfaces:

PIX Version 6.3(3)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security40
nameif ethernet3 Lan security60

[-- Acl 101 & 103 to allow connections within internal networks --]
access-list 101 permit icmp any any echo-reply
access-list 101 permit ip 192.168.101.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list 103 permit icmp any any echo-reply
access-list 103 permit ip 192.168.3.0 255.255.255.0 192.168.0.0 255.255.255.0

[-- Acl acl_out permit access to servers from Internet --]
access-list acl_out permit tcp any host MY.PUBLIC.IP.170 eq smtp

[-- Acl 100 for VPN: permit inside network and specific LAN hosts to remote network --]
access-list 100 permit ip 192.168.101.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list 100 permit ip host 192.168.3.79 192.168.100.0 255.255.255.0
ip address outside MY.PUBLIC.IP.130 255.255.255.192
ip address inside 192.168.101.1 255.255.255.0
ip address DMZ 192.168.0.1 255.255.255.0
ip address Lan 192.168.3.1 255.255.255.0

[-- Interface PAT for outgoing Internet access --]
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 192.168.101.0 255.255.255.0 0 0
nat (DMZ) 1 192.168.0.0 255.255.255.0 0 0
nat (Lan) 0 access-list 103
nat (Lan) 1 192.168.3.0 255.255.255.0 0 0

[-- example of a static NAT being used, and the acl_out used to permit access --]
static (DMZ,outside) MY.PUBLIC.IP.170 192.168.0.170 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 MY.PUBLIC.IP.129 1

[-- VPN Config --]
sysopt connection permit-ipsec
crypto ipsec transform-set tunnelset esp-des esp-md5-hmac
crypto map tunnelmap 10 ipsec-isakmp
crypto map tunnelmap 10 match address 100
crypto map tunnelmap 10 set peer MY.REMOTE.IP.145
crypto map tunnelmap 10 set transform-set tunnelset
crypto map tunnelmap interface outside
isakmp enable outside
isakmp key ******** address MY.REMOTE.IP.145 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash md5
isakmp policy 10 group 5
isakmp policy 10 lifetime 86400
: end


I've been tinkering with this thing for weeks, trying to get it to work. Thanks for any advice you can offer, but please provide some detail if you can.
 
At the end of every ACL there is an implicit deny all so your access list really looks like this:

access-list LAN_to_inside permit ip 192.168.3.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list LAN_to_inside deny ip any any


This means that every packet that is not matched by the first entry will be denied. You need to allow ALL traffic needed. Your static translation is fine; you can configure the PIX to translate a host to itself, which is what you are doing with your static translation. Check out the link below; it is an excellent guideline on statics and access lists:
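To make the implicit-deny point concrete, here is a small first-match ACL evaluator, added as an example and not part of either post. It models only the ACL decision (not the static/NAT translation the reply says is already fine); the destination 198.51.100.7 and the "fixed" three-entry list are constructed for illustration, with 192.168.3.79 reused as the one LAN host that should reach Inside.

```python
import ipaddress

def _net(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D MASK'; return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def parse_acl(lines):
    """Parse 'access-list NAME permit|deny ip SRC DST' lines (ip entries only)."""
    entries = []
    for line in lines:
        parts = line.split()
        if len(parts) < 6 or parts[0] != "access-list" or parts[3] != "ip":
            continue
        src, rest = _net(parts[4:])
        dst, _ = _net(rest)
        entries.append((parts[2], src, dst))
    return entries

def evaluate(entries, src_ip, dst_ip):
    """PIX semantics: top-down first match, implicit 'deny ip any any' at the end."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, s, d in entries:
        if src in s and dst in d:
            return action
    return "deny"

AS_POSTED = parse_acl([  # the single entry from the post
    "access-list LAN_to_inside permit ip 192.168.3.0 255.255.255.0 192.168.101.0 255.255.255.0",
])
# Constructed fix: permit one host to Inside, deny the rest of the LAN to
# Inside, then permit everything else (Internet PAT, DMZ and VPN traffic).
WITH_PERMITS = parse_acl([
    "access-list LAN_to_inside permit ip host 192.168.3.79 192.168.101.0 255.255.255.0",
    "access-list LAN_to_inside deny ip 192.168.3.0 255.255.255.0 192.168.101.0 255.255.255.0",
    "access-list LAN_to_inside permit ip 192.168.3.0 255.255.255.0 any",
])

def lan_results(entries, src="192.168.3.10"):
    """Decisions for one LAN host reaching Inside, the Internet and the VPN peer net."""
    return {
        "to_inside": evaluate(entries, src, "192.168.101.20"),
        "to_internet": evaluate(entries, src, "198.51.100.7"),  # constructed public IP
        "to_vpn_remote": evaluate(entries, src, "192.168.100.5"),
    }
```

With the posted single entry, a LAN host is permitted to Inside but every other destination falls through to the implicit deny, which is exactly the lost Internet and VPN connectivity described in the question.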
