
PIX Access-lists


MDewayne (MIS), Jun 28, 2002
Can someone please help the slow kid!!! I have a PIX to PIX VPN and I want to only allow access to a specific host on a specific port, but it's not working because I don't believe my ACL is correct. Can someone help me out??


This works:
access-list Remote_VPN permit ip host 10.254.10.12 10.250.12.0 255.255.255.0
access-list Nonat-VPN_Traffic permit ip host 10.254.10.12 10.250.12.0 255.255.255.0

This doesn't:
access-list Remote_VPN permit ip host 10.254.10.12 10.250.12.0 255.255.255.0 eq www
access-list Nonat-VPN_Traffic permit ip host 10.254.10.12 10.250.12.0 255.255.255.0 eq www

What am I doing wrong??
 
How about this:

access-list Remote_VPN permit tcp host 10.254.10.12 10.250.12.0 255.255.255.0 eq www
access-list Nonat-VPN_Traffic permit tcp host 10.254.10.12 10.250.12.0 255.255.255.0 eq www

This will only allow port 80 web traffic. Without a third line to permit ip any any, you'll drop any other traffic. Remember, ip doesn't look at the ports. If you want to look at ports, you have to go up to layer 4 and TCP.
 
Cluebird,

I'm sorry, I posted my ACL incorrectly; actually, I have what you suggested, but it's not working. I had the admin on the other side use the same ACL, except switched around so that 10.250.12.0 comes first in his ACL, but he says it doesn't work.

access-list Remote_VPN permit tcp host 10.254.10.12 10.250.12.0 255.255.255.0 eq www
access-list Nonat-VPN_Traffic permit tcp host 10.254.10.12 10.250.12.0 255.255.255.0 eq www

Is this a valid PIX ACL ??

access-list 102 permit ip 192.168.11.0 255.255.255.0 eq 10.161.210.101
 
MDewayne,

I need more information. What version of code are you running on the PIXen? Are you terminating the VPNs on the outside interface? Are you getting xlates? What interfaces are involved? The access-lists have to inspect based on the way the packets look coming in to the interface. Where are you applying the access-list? Are you logging for hits against the access-lists to see if they're even being used? Right now, I'm guessing in the dark. Can you post your configs?

Regarding the valid ACL: You're permitting ip so the transport layer port 80 won't be inspected because any ip traffic is permitted between the addresses.
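To make the point of the replies above concrete (an `ip` entry never looks at ports, so `eq www` only belongs on a `tcp` or `udp` entry, and anything not matched by a `tcp ... eq www` line falls to the implicit deny), here is a small added example, not code from this thread or from Cisco, that parses the subset of PIX ACL syntax used in the posts and evaluates a packet against it. The port-name table and the exact error text are my own assumptions.

```python
import ipaddress

# Constructed port-name table; the PIX CLI resolves "www" to 80 the same way.
PORT_NAMES = {"www": 80}


def _addr(toks):
    """Consume one PIX address spec: 'host A.B.C.D', 'any', or 'NETWORK MASK' (a real mask, not a wildcard)."""
    if toks[0] == "host":
        return ipaddress.ip_network(toks[1]), toks[2:]
    if toks[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), toks[1:]
    return ipaddress.ip_network(f"{toks[0]}/{toks[1]}"), toks[2:]


def parse_ace(line):
    """Parse 'access-list NAME permit|deny PROTO SRC DST [eq PORT]' into a dict."""
    toks = line.split()
    if toks[0] != "access-list" or toks[3] not in ("ip", "tcp", "udp"):
        raise ValueError(f"unsupported entry: {line}")
    name, action, proto = toks[1], toks[2], toks[3]
    src, rest = _addr(toks[4:])
    dst, rest = _addr(rest)
    dport = None
    if rest:
        if rest[0] != "eq" or len(rest) != 2:
            raise ValueError(f"unsupported port operator: {' '.join(rest)}")
        if proto == "ip":
            # This is the defect in the original post: 'ip' carries no layer-4 port.
            raise ValueError("'eq' is only valid with tcp or udp, not ip")
        dport = PORT_NAMES.get(rest[1]) or int(rest[1])
    return {"name": name, "action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}


def ace_matches(ace, src_ip, dst_ip, proto, dport=None):
    """True if the packet (src, dst, proto, dst port) matches this entry."""
    if ace["proto"] != "ip" and ace["proto"] != proto:
        return False
    if ipaddress.ip_address(src_ip) not in ace["src"] or ipaddress.ip_address(dst_ip) not in ace["dst"]:
        return False
    return ace["dport"] is None or ace["dport"] == dport


def acl_action(lines, src_ip, dst_ip, proto, dport=None):
    """First matching entry wins; a PIX ACL ends with an implicit deny."""
    for line in lines:
        ace = parse_ace(line)
        if ace_matches(ace, src_ip, dst_ip, proto, dport):
            return ace["action"]
    return "deny"
```

Running `acl_action` with only the `tcp ... eq www` line permits 10.254.10.12 to port 80 on the 10.250.12.0/24 side and denies everything else, which is the behaviour Cluebird describes.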
 