PIX Access Lists ignored... 1

[marsmann]

Hi all,

Using PIX 506 v6.2(2) between 2 networks.

Trying to prevent users on inside from accessing any services on the outside other than specified services/hosts per access-lists.

Have setup something like below:

inside IP: 10.10.10.254 /24
outside IP: 99.99.99.99 /24

access-list outbound permit udp any any
access-list outbound permit tcp any eq www
access-list outbound permit tcp any host 99.99.99.98
access-list outbound deny ip any 99.99.99.0
access-list outbound permit ip any any

access-group outbound in interface outside


the goal is to only allow udp based connections, web services to any host and full access to only 1 host. But, the above allows all traffic through, any service (i.e. telnet, ftp, etc) and ignores the deny ip any 99.99.99.0 - it allows anyone inside the PIX to access ANY host on that segment with all services.

what am I missing? Thanks in advance.

 

[haknwak]

Remember - you're controlling traffic that originated on the inside interface - that's where you need to apply this ACL. You need two - traffic controlled to/from the public Internet to your 99 addressed devices goes on the outside. You need to split this ACL up into two.

good read on building ACL - remember this is for routers but the logic holds truw where it defines "in" and "out".

http://www.cisco.com/warp/customer/707/confaccesslists.html#masks

(you need a CCO login to see it.)

"Applying ACLs
You can define ACLs without applying them. However, the ACLs will have no effect until they are applied to the router's interface. It is a good practice to apply the ACL on the interface closest to the source of the traffic. As shown in the example below, when you are trying to block traffic from source to destination, you can apply an inbound ACL to E0 on router A instead of an outbound list to E1 on router C.



Defining In, Out, Source, and Destination
The terms "in", "out", "source", and "destination" are used as referenced by the router. Traffic on the router could be compared to traffic on the highway. If you were a law enforcement officer in Pennsylvania and wanted to stop a truck going from Maryland to New York, the truck's source would be Maryland and the truck's destination would be New York. The roadblock could be applied at the Pennsylvania–New York border ("out&quot or the Maryland–Pennsylvania border ("in&quot.

When referring to a router, these terms have the following meanings.

Out - Traffic that has already been through the router and is leaving the interface; the source would be where it's been (on the other side of the router) and the destination is where it's going.

In - Traffic that is arriving on the interface and which will go through the router; the source would be where it's been and the destination is where it's going (on the other side of the router).
The "in" ACL has a source on a segment of the interface to which it is applied and a destination off of any other interface. The "out" ACL has a source on a segment of any interface other than the interface to which it is applied and a destination off of the interface to which it is applied."

"If you lived here, you'd be home by now!"

George Carlin

 

[haknwak]

let me clarify and simplify -

traffic inside interface ----> outside interface
(higher security) (lower security)
is controlled by ACL on the inside interface

traffic inside interface ---> public Internet
(higher security) (lower security)
is controlled by ACL on the inside interface

traffic public Internet -----> outside interface
(lower security) (higher security)
in controlled by ACL on the outside interface

read this as well

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/config/mngacl.htm#xtocid2

"If you lived here, you'd be home by now!"

George Carlin

 

[marsmann]

Hey,

thanks for the followup.

I originally had two acl's bound to both inside and out by 2 access-groups. It didn't work at all, but I may have missed something.

I will rebuild the 2 lists, and try again to see.....

thanks. stay tuned....