object-group command with access-list not working properly

Status
Not open for further replies.

PIXFirewall

IS-IT--Management
Mar 13, 2003
I am using Cisco PIX version 6.2(2).


object-group network norm_nat_hosts
network-object 192.168.11.1 255.255.255.255
network-object 192.168.11.2 255.255.255.255
network-object 192.168.11.3 255.255.255.255
network-object 192.168.11.4 255.255.255.255
object-group service norm_allow_ports tcp
port-object eq www
port-object eq domain
port-object eq https
port-object eq ftp-data
port-object eq ftp
port-object eq 8100
port-object eq 8080
access-list acl4inside permit tcp object-group norm_nat_hosts any object-group norm_allow_ports


But I find that each of the hosts in norm_nat_hosts is allowed to open all ports from its machine instead of those specified in norm_allow_ports.

But if I put each host separately (as shown below), then only the allowed ports are opened.


access-list acl4inside permit tcp host 192.168.11.1 eq
access-list acl4inside permit tcp host 192.168.11.1 eq 53 any
access-list acl4inside permit tcp host 192.168.11.1 eq 443 any
access-list acl4inside permit tcp host 192.168.11.1 eq 20 any
.........
.......etc


This comes to 28 lines, while the new syntax is supposed to do the same in fewer lines.

What have I done wrong?
 
When you put the new access-list acl4inside statement in the PIX, does it take it or give an error?
 
Yes, the access-list is accepted by the PIX. My objective is to convert from the old outbound syntax to the new access-list syntax, and preferably to access-lists with object-groups for simplicity.


Details are as follows:

Old configuration:

global (outside) 1 62.12.4.19
nat (inside) 1 192.168.11.11 255.255.255.255 0 0
outbound 10 deny 0.0.0.0 0.0.0.0 0 tcp
outbound 10 permit 192.168.11.11 255.255.255.255 80 tcp
apply (inside) 10 outgoing_src

New syntax:

fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000

global (outside) 1 62.12.4.19
nat (inside) 1 192.168.11.11 255.255.255.255 0 0
access-list 101 permit tcp host 192.168.11.11 any eq 80
access-group 101 in interface inside
route outside 0.0.0.0 0.0.0.0 62.12.4.1 1

In the first case only port 80 is allowed out. All others are blocked. In the new syntax, all ports are allowed out from 192.168.11.11/24 on the inside interface.

What is wrong in this configuration? I am using PIX 6.2(2).
 
It looks correct to me if that is all of access-list 101. Try issuing a clear xlate. Also make sure that the outbound isn't still applied.

One thing that might help is this.

access-list 101 permit tcp host 192.168.11.11 any eq 80
access-list 101 deny ip any any
access-group 101 in interface inside

Then do some testing on the 192.168.11.11 host and do a show access-lists on the PIX. It should show something like this:

access-list 101 permit tcp host 192.168.11.11 any eq
access-list 101 deny ip any any (hitcnt=6)

Look at the hit counts on the access-list entries to see where the data is getting permitted or denied.

-Bad Dos
 
access-list acl4inside permit tcp object-group norm_nat_hosts any object-group norm_allow_ports

Shouldn't it be stated like this?

access-list acl4inside permit object-group norm_allow_ports
object-group norm_nat_hosts any

 
I have done the following:

access-list 101 permit tcp host 192.168.11.11 any eq 80
access-list 101 deny ip any any
access-group 101 in interface inside

After some testing (for ports www, smtp, ssh etc.), the show access-list command gives the following output:

access-list 101 permit tcp host 192.168.11.11 any eq
access-list 101 deny ip any any (hitcnt=46)

This would be interpreted as follows: all ports are going to the deny statement rather than allowing port 80 traffic.

What next?
 
This happens when the access-list is applied to the inside interface. If it is not applied, then all ports are allowed, as traffic from the more secure interface is allowed by default to go to the less secure interface. If it is applied, nothing is allowed to go out... why?
 
Are you on the 192.168.11.11 host when you run these tests? The access-list above ONLY allows 192.168.11.11 to go outbound via TCP port 80. All other outbound traffic will be denied.
 
Yes, I am on the 192.168.11.11/24 host when I am running these tests.
 
Please post the config so we can see everything that is going on. Go ahead and mask the public ips and passwords though. :)

-Bad Dos
 
Hi.

I don't know why it didn't work for you; maybe there is a problem combining two object-groups in the same line.
You should note that the object-group commands are for simplicity only: the PIX breaks them down into their individual elements when parsing the configuration, so there is no performance gain from the PIX machine's point of view.

Instead of "object-group network norm_nat_hosts", try specifying each host, for example:
access-list acl4inside permit tcp host 192.168.11.1 any object-group norm_allow_ports
access-list acl4inside permit tcp host 192.168.11.2 any object-group norm_allow_ports
etc...
Or better, try using subnets instead of hosts, for example:
access-list acl4inside permit tcp 192.168.11.0 255.255.255.248 any object-group norm_allow_ports
(Which will apply to the range 192.168.11.0-192.168.11.7)

You should also allow UDP port 53 for DNS.
The configuration you posted above allows only TCP ports, which is not enough and will block DNS traffic.

> port-object eq ftp-data
No need to open ftp-data, because the PIX fixup engine inspects the FTP control session and opens the additional data ports on the fly as needed.

Also try using PDM for the task of managing complex access-lists; it supports the object-group commands.

Bye
Yizhar Hurwitz
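As an added example (not code from the thread, Cisco or PDM), a short Python script that expands the object-group ACE from the first post into the individual per-host, per-port ACEs that Yizhar says the PIX builds internally; the constructed input copies the object-groups and access-list line posted above, so the 28-line count from the first post can be checked.

```python
# Added example: expand PIX object-group ACEs into the individual ACEs the PIX
# builds internally. Constructed input copied from the first post in the thread.
from itertools import product

PIX_CONFIG = """\
object-group network norm_nat_hosts
network-object 192.168.11.1 255.255.255.255
network-object 192.168.11.2 255.255.255.255
network-object 192.168.11.3 255.255.255.255
network-object 192.168.11.4 255.255.255.255
object-group service norm_allow_ports tcp
port-object eq www
port-object eq domain
port-object eq https
port-object eq ftp-data
port-object eq ftp
port-object eq 8100
port-object eq 8080
access-list acl4inside permit tcp object-group norm_nat_hosts any object-group norm_allow_ports
"""

def parse_groups(config):
    # Map each object-group name to the list of ACE fragments it stands for.
    groups, current = {}, None
    for t in filter(None, (line.split() for line in config.splitlines())):
        if t[0] == "object-group":
            current = groups.setdefault(t[2], [])
        elif t[0] == "network-object":   # a /32 mask collapses to "host A"; "host A" passes through
            current.append(f"host {t[1]}" if t[2] == "255.255.255.255" else f"{t[1]} {t[2]}")
        elif t[0] == "port-object":      # "eq www", "range 8000 8100", ...
            current.append(" ".join(t[1:]))
    return groups

def expand_ace(line, groups):
    # One access-list line -> the list of ACEs it stands for (cartesian product of its fields).
    t = line.split()
    head, i, fields = " ".join(t[:4]), 4, []   # "access-list NAME ACTION PROTO"
    while i < len(t):
        if t[i] == "object-group":
            fields.append(groups[t[i + 1]]); i += 2
        elif t[i] == "any":
            fields.append(["any"]); i += 1
        elif t[i] == "range":                  # "range LOW HIGH"
            fields.append([" ".join(t[i:i + 3])]); i += 3
        else:                                  # "host A", "eq PORT" or "ADDR MASK"
            fields.append([" ".join(t[i:i + 2])]); i += 2
    return [f"{head} {' '.join(combo)}" for combo in product(*fields)]

def expand_config(config):
    groups = parse_groups(config)
    return [ace for line in config.splitlines() if line.startswith("access-list")
            for ace in expand_ace(line, groups)]
```

The port keyword is expanded in whichever position it follows, so the same function shows the difference between the posted object-group ACE (ports after the destination) and the per-host lines with the port after the source.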
 