
Permit and deny services


tomim (Technical User, DE)
Nov 6, 2006
I tried to configure my router so that only 4 services are accessible from outside. My question was in the forum one week ago, and the solution I got was good, but not for my situation. It was based on URL filtering or IP filtering. What I need is different. My Cisco PIX router is between the server and the WAN. The server has the internal IP 192.168.1.100 and will be used only for special services. I want to allow access from outside only to VNC, HTTP and a certain range of ports, which will be used for Lotus Notes, for instance 1352 to 1364. These are TCP ports 5800, 5900 and 80, 1352.
All other ports should be closed. What do the commands look like for this configuration?
What I have at the time is this:
access-list inbound permit tcp any any eq www
access-list inbound permit tcp any any eq 5800
access-list inbound permit udp any any eq 5800
access-list inbound permit udp any any eq 5900
access-list inbound permit tcp any any eq 5900
access-list inbound permit tcp any any range 1352 1364
/* And to close all other ports I have this command, but it has no effect, and I see that my VoIP application, which runs on port 3080, still has access to the outside and gets data from there! */
access-list outbound deny ip any any
..........................................
ip address outside pppoe setroute
global (outside) 1 interface

static (inside,outside) tcp interface www 192.168.1.100 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5800 192.168.1.100 5800 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5900 192.168.1.100 5900 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 5900 192.168.1.100 5900 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 5800 192.168.1.100 5800 netmask 255.255.255.255 0 0
access-group inbound in interface outside
.....................................
And if I use the command "access-group outbound in interface inside", I have no access to the internet on the server.
I hope you can help

thanks
 
Your access-list inbound is right and will block incoming connections other than what's permitted.

I'm confused by your comment regarding the voip app. Do you mean that this app is running on your server and can access the internet? This would be normal unless you block outbound traffic by an acl on the inside interface.

If you apply the outbound ACL to the inside interface, you won't have any internet access at all; that's how it's written.
 
Here you go

You lose internet because you shut off DNS; I have added it for you.

OUTSIDE
Code:
access-list inbound permit tcp any any eq www
access-list inbound permit tcp any any eq 5800 
access-list inbound permit udp any any eq 5800 
access-list inbound permit udp any any eq 5900 
access-list inbound permit tcp any any eq 5900 
access-list inbound permit tcp any any range 1352 1364
access-list inbound deny ip any any
access-group inbound in interface outside


STATIC
Code:
static (inside,outside) tcp interface www 192.168.1.100 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5800 192.168.1.100 5800 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 5800 192.168.1.100 5800 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5900 192.168.1.100 5900 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 5900 192.168.1.100 5900 netmask 255.255.255.255 0 0

static (inside,outside) tcp interface 1352 192.168.1.100 1352 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1353 192.168.1.100 1353 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1354 192.168.1.100 1354 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1355 192.168.1.100 1355 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1356 192.168.1.100 1356 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1357 192.168.1.100 1357 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1358 192.168.1.100 1358 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1359 192.168.1.100 1359 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1360 192.168.1.100 1360 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1361 192.168.1.100 1361 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1362 192.168.1.100 1362 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1363 192.168.1.100 1363 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1364 192.168.1.100 1364 netmask 255.255.255.255 0 0



INSIDE
Code:
access-list outbound permit tcp any any eq www
access-list outbound permit tcp any any eq 53
access-list outbound permit udp any any eq 53
access-list outbound permit tcp any any eq 5800 
access-list outbound permit udp any any eq 5800 
access-list outbound permit udp any any eq 5900 
access-list outbound permit tcp any any eq 5900 
access-list outbound permit tcp any any range 1352 1364
access-list outbound deny ip any any
access-group outbound in interface inside
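Two points in the answer above carry the whole fix: an access-list does nothing until an access-group binds it to an interface, and a bound list is evaluated first-match with an implicit deny at the end. The following evaluator is an added example, not code from the thread or from Cisco; it parses the posted access-list and access-group lines and replays the flows the thread discusses. The DEFAULT_PERMIT table (inside may initiate traffic out, outside may not initiate traffic in when no list is bound), the sample flows and the two configurations are constructed for the demonstration. It shows that the original configuration still lets the port 3080 application out because its deny was never bound, that the suggested outbound list blocks it, and that a permit for TCP 53 alone does not cover UDP DNS unless a UDP permit is placed before the final deny.

```python
# Added example, not from the thread: a minimal evaluator for PIX-style
# "access-list" and "access-group" lines. It models two rules the thread turns
# on: an access-list does nothing until access-group binds it to an interface,
# and a bound list is first-match with an implicit deny at the end.
# DEFAULT_PERMIT, the sample flows and the configs are constructed here.
from dataclasses import dataclass

# Port keywords the PIX accepts in place of numbers (only those used here).
PORT_KEYWORDS = {"www": 80, "domain": 53}

# Assumed behaviour with no ACL bound: the higher-security inside interface
# may initiate traffic out; new connections from outside are blocked.
DEFAULT_PERMIT = {"inside": True, "outside": False}


@dataclass(frozen=True)
class Ace:
    action: str  # "permit" or "deny"
    proto: str   # "tcp", "udp" or "ip" (ip matches any protocol)
    lo: int      # destination port range; 0-65535 when none is given
    hi: int


def _port(token):
    return PORT_KEYWORDS[token] if token in PORT_KEYWORDS else int(token)


def parse_config(text):
    """Return ({acl_name: [Ace, ...]}, {interface: acl_name}) for the config."""
    acls, bindings = {}, {}
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[0] == "access-list":
            # access-list NAME permit|deny PROTO any any [eq PORT | range LO HI]
            name, action, proto = tokens[1], tokens[2], tokens[3]
            if action not in ("permit", "deny") or proto not in ("tcp", "udp", "ip"):
                raise ValueError(f"unsupported ACE: {raw}")
            qualifier = tokens[6:]
            if qualifier[:1] == ["eq"]:
                lo = hi = _port(qualifier[1])
            elif qualifier[:1] == ["range"]:
                lo, hi = _port(qualifier[1]), _port(qualifier[2])
            else:
                lo, hi = 0, 65535
            acls.setdefault(name, []).append(Ace(action, proto, lo, hi))
        elif tokens[0] == "access-group":
            # access-group NAME in interface IFACE
            if len(tokens) != 5 or tokens[2:4] != ["in", "interface"]:
                raise ValueError(f"unsupported access-group: {raw}")
            bindings[tokens[4]] = tokens[1]
        # static / global / nat lines translate addresses but do not filter.
    return acls, bindings


def permitted(acls, bindings, iface, proto, dport):
    """Decide whether a new flow arriving on IFACE to port DPORT is allowed."""
    name = bindings.get(iface)
    if name is None:
        return DEFAULT_PERMIT[iface]  # a defined but unbound ACL is ignored
    for ace in acls.get(name, []):
        if ace.proto in ("ip", proto) and ace.lo <= dport <= ace.hi:
            return ace.action == "permit"  # first match wins
    return False  # implicit deny at the end of every bound list


# Constructed from the original post: the outbound deny is never bound.
ORIGINAL = """
access-list inbound permit tcp any any eq www
access-list inbound permit tcp any any eq 5800
access-list inbound permit udp any any eq 5800
access-list inbound permit udp any any eq 5900
access-list inbound permit tcp any any eq 5900
access-list inbound permit tcp any any range 1352 1364
access-list outbound deny ip any any
access-group inbound in interface outside
"""

# The suggested outbound list, with the TCP-only DNS permit exactly as posted.
OUTBOUND_FIXED = "\n".join([
    "access-list outbound permit tcp any any eq www",
    "access-list outbound permit tcp any any eq 53",
    "access-list outbound permit tcp any any eq 5800",
    "access-list outbound permit udp any any eq 5800",
    "access-list outbound permit udp any any eq 5900",
    "access-list outbound permit tcp any any eq 5900",
    "access-list outbound permit tcp any any range 1352 1364",
    "access-list outbound deny ip any any",
    "access-group outbound in interface inside",
])
FIXED = ORIGINAL.replace("access-list outbound deny ip any any", OUTBOUND_FIXED)


def run_checks():
    """Replay the flows the thread discusses; returns {flow: permitted?}."""
    r = {}
    acls, groups = parse_config(ORIGINAL)
    r["orig_in_http"] = permitted(acls, groups, "outside", "tcp", 80)
    r["orig_in_3080"] = permitted(acls, groups, "outside", "tcp", 3080)
    # The outbound deny exists but is not bound, so the VoIP app still gets out.
    r["orig_out_3080"] = permitted(acls, groups, "inside", "tcp", 3080)
    acls, groups = parse_config(FIXED)
    r["fixed_out_3080"] = permitted(acls, groups, "inside", "tcp", 3080)
    r["fixed_out_dns_tcp"] = permitted(acls, groups, "inside", "tcp", 53)
    r["fixed_out_dns_udp"] = permitted(acls, groups, "inside", "udp", 53)
    # A UDP/53 permit appended after "deny ip any any" is never reached ...
    acls, groups = parse_config(FIXED + "access-list outbound permit udp any any eq 53\n")
    r["appended_dns_udp"] = permitted(acls, groups, "inside", "udp", 53)
    # ... whereas placing it ahead of the deny restores UDP name resolution.
    deny = "access-list outbound deny ip any any"
    acls, groups = parse_config(FIXED.replace(deny, "access-list outbound permit udp any any eq 53\n" + deny))
    r["inserted_dns_udp"] = permitted(acls, groups, "inside", "udp", 53)
    return r


if __name__ == "__main__":
    for flow, allowed in run_checks().items():
        print(f"{flow:20s} {'permit' if allowed else 'deny'}")
```

Running the block prints one line per flow. The evaluator only understands the "any any" source/destination form used in this thread and destination-port matching; it is a teaching model of the ordering and binding rules, not a substitute for testing the real device with `show access-list`, whose hit counters tell you which entry a flow actually matched.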
 
Igarner,
>Your access-list inbound is right and will block incoming connections other than what's permitted.

>I'm confused by your comment regarding the voip app. Do you mean that this app is running on your server and can access the internet?
Yes, on port 3080.

>This would be normal unless you block outbound traffic by an acl on the inside interface.
How do you mean? I put this command in to block everything other than my 4 services, but it has no effect. For instance, the VoIP application still accesses the internet:
access-list outbound deny ip any any
Could you write the command which blocks everything else, like the VoIP?


>If you apply the outbound ACL to the inside interface, you won't have any internet access at all- that's how it's written
What do I actually define with this command: access-group inbound in interface outside
Maybe I understand it differently than you!
 
Hi br0ck,
Thanks again. I did it like above. There are still problems. I think the problem is somewhere else. The router has a wizard. Each time I put in a new rule via the command line, I see it in the web interface only if I put in outbound commands like access-list outbound...
The wizard doesn't add the new rules, and in the wizard interface I don't see them. I think the router doesn't interpret these rules and therefore they have no effect (and no host can access outside).
Important: before I put in these outbound rules, I denied an implicit rule which normally comes with the default configuration of the router and allows nearly full access to all applications, services and protocols.
I prepared some screenshots which maybe I could send, to see more before it gets more confusing???
my icq:473468104
my skype:henry1342
 
Enable telnet on the PIX and log in that way.
Code:
telnet 0 0 inside
(Sorry, I don't know the PDM at all; I only use the CLI.)

You can download PuTTY to connect to the PIX.

login as:pix
telnet password
enable password

type:
Code:
config terminal

type:
Code:
clear access-list
clear static
This will remove all old lists (starting over).



From here, paste:
Code:
access-list inbound permit tcp any any eq www
access-list inbound permit tcp any any eq 5800 
access-list inbound permit udp any any eq 5800 
access-list inbound permit udp any any eq 5900 
access-list inbound permit tcp any any eq 5900 
access-list inbound permit tcp any any range 1352 1364
access-list inbound deny ip any any
access-group inbound in interface outside

static (inside,outside) tcp interface www 192.168.1.100 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5800 192.168.1.100 5800 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 5800 192.168.1.100 5800 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5900 192.168.1.100 5900 netmask 255.255.255.255 0 0 
static (inside,outside) udp interface 5900 192.168.1.100 5900 netmask 255.255.255.255 0 0

static (inside,outside) tcp interface 1352 192.168.1.100 1352 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1353 192.168.1.100 1353 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1354 192.168.1.100 1354 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1355 192.168.1.100 1355 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1356 192.168.1.100 1356 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1357 192.168.1.100 1357 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1358 192.168.1.100 1358 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1359 192.168.1.100 1359 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1360 192.168.1.100 1360 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1361 192.168.1.100 1361 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1362 192.168.1.100 1362 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1363 192.168.1.100 1363 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1364 192.168.1.100 1364 netmask 255.255.255.255 0 0

access-list outbound permit tcp any any eq www
access-list outbound permit tcp any any eq 53
access-list outbound permit udp any any eq 53
access-list outbound permit tcp any any eq 5800 
access-list outbound permit udp any any eq 5800 
access-list outbound permit udp any any eq 5900 
access-list outbound permit tcp any any eq 5900 
access-list outbound permit tcp any any range 1352 1364
access-list outbound deny ip any any
access-group outbound in interface inside

type:
Code:
write me
exit
exit

Done; now test.
 
Let me know if there are any other problems

Br0ck-

 
Thanks a lot for this detailed solution.
It was very helpful.

regards
 
Tomim,

Just for security reasons, I would not allow external access to VNC. I learned it the hard way a few weeks back. I just opened it up for a day for a company to do some remote troubleshooting on their system, and it got hacked. Use a VPN.
 
Hi,

This is a nice thread. I just want to relate my problem to this thread. Today I had a problem while setting up a site-to-site VPN. I have ACLs to allow all local traffic to the remote network via the VPN as interesting traffic through the crypto map, without NATting. I have all other traffic going through a default route whose gateway is the router. And I haven't created any specific ACLs from inside to outside.

access-list nonat extended permit ip 20.0.14.0 255.255.255.0 20.0.24.0 255.255.255.0
access-list cryptomap extended permit ip 20.0.14.0 255.255.255.0 20.0.24.0 255.255.255.0

global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 20.0.14.0 255.255.255.0
crypto map map1 18 match address cryptomap
route outside 0.0.0.0 0.0.0.0 65.154.19.149 1

And I wasn't able to browse the internet from my LAN. If no specific ACLs are mentioned, I believe I am allowing anything from inside to outside. Am I missing something?

Please advise. Thanks.
 