
Pix Firewall Access Rules Question


Nomarian

IS-IT--Management
Jan 8, 2002
Thanks in advance for any help.

I have configured our PIX 515 firewall with the rules below. Everything works fine until I delete the first rule, the one that permits anything. Once I delete that rule, we lose access to pretty much everything. I thought that if I put in rules that specified what is allowed, with an explicit deny at the end, this should work. Can anyone look this over and help? I want to lock down the network and only allow the customer service groups listed access out.

access-list inside_access_in extended permit ip 172.18.0.0 255.255.0.0 any
access-list inside_access_in extended deny tcp any object-group BinaryNewsGroups any object-group BinaryNewsGroups
access-list inside_access_in extended deny tcp any object-group BitTorrent1 any object-group BitTorrent1
access-list inside_access_in extended permit tcp 172.18.0.0 255.255.0.0 object-group DNS_ALL any object-group DNS_ALL
access-list inside_access_in extended permit tcp 172.18.0.0 255.255.0.0 object-group RDP any object-group RDP
access-list inside_access_in extended permit tcp 172.18.0.0 255.255.0.0 object-group Ichat any object-group Ichat
access-list inside_access_in extended deny tcp any object-group WOW-All any object-group WOW-All
access-list inside_access_in extended permit tcp 172.18.0.0 255.255.0.0 object-group Petrobras any object-group Petrobras inactive
access-list inside_access_in extended permit udp 172.18.0.0 255.255.0.0 object-group Petrobras any object-group Petrobras inactive
access-list inside_access_in extended permit tcp 172.18.0.0 255.255.0.0 object-group Email-All any object-group Email-All
access-list inside_access_in extended permit tcp 172.18.0.0 255.255.0.0 object-group FTP-All any object-group FTP-All
access-list inside_access_in extended permit tcp 172.18.0.0 255.255.0.0 object-group Google_Talk any object-group Google_Talk
access-list inside_access_in extended permit tcp 172.18.0.0 255.255.0.0 object-group ICQ any object-group ICQ
access-list inside_access_in extended permit tcp 172.18.0.0 255.255.0.0 object-group IMAP-All any object-group IMAP-All
access-list inside_access_in extended permit tcp 172.18.0.0 255.255.0.0 object-group MAC_Email any object-group MAC_Email
access-list inside_access_in extended permit tcp 172.18.0.0 255.255.0.0 object-group MSNMessenger any object-group MSNMessenger
access-list inside_access_in extended permit tcp 172.18.0.0 255.255.0.0 object-group POP_Mail any object-group POP_Mail
access-list inside_access_in extended permit tcp 172.18.0.0 255.255.0.0 object-group PolyCom any object-group PolyCom
access-list inside_access_in extended permit tcp 172.18.0.0 255.255.0.0 object-group SSH-All any object-group SSH-All
access-list inside_access_in extended permit tcp 172.18.0.0 255.255.0.0 object-group SharePoint any object-group SharePoint
access-list inside_access_in extended permit tcp 172.18.0.0 255.255.0.0 object-group Telnet-All any object-group Telnet-All
access-list inside_access_in extended permit tcp 172.18.0.0 255.255.0.0 object-group VNC any object-group VNC
access-list inside_access_in extended permit tcp 172.18.0.0 255.255.0.0 object-group VPN any object-group VPN
access-list inside_access_in extended permit tcp 172.18.0.0 255.255.0.0 object-group Web-All any object-group Web-All
access-list inside_access_in extended permit tcp 172.18.0.0 255.255.0.0 object-group WebEx any object-group WebEx
access-list inside_access_in extended permit tcp 172.18.0.0 255.255.0.0 object-group Yahoo_Messenger any object-group Yahoo_Messenger
access-list inside_access_in extended deny ip any any
access-list inside_access_in extended deny tcp any any

Norman Moy
I hope I helped. :)
 
Thanks for the tips. I have fixed and simplified the list to test web access. I disabled the first ACL and it will still not allow any type of web access. The service group has both Port 80 and 443, so the ports are correct. Any ideas?

access-list inside_access_in extended permit ip 172.18.0.0 255.255.0.0 any
access-list inside_access_in extended permit tcp any object-group Web-All any
access-list inside_access_in extended permit ip 172.18.0.0 255.255.0.0 172.17.0.0 255.255.0.0
access-list inside_access_in extended deny tcp any object-group BinaryNewsGroups any
access-list inside_access_in extended deny tcp any object-group BitTorrent1 any
access-list inside_access_in remark Permit traffic from US LAN to India LAN via site-to-site VPN
access-list inside_access_in extended permit ip 172.18.0.0 255.255.0.0 172.19.0.0 255.255.0.0
access-list inside_access_in extended permit ip 172.18.72.0 255.255.255.0 172.20.1.0 255.255.255.0
access-list inside_access_in extended deny tcp any object-group WOW-All any
access-list inside_access_in extended deny ip any any

Norman Moy
I hope I helped. :)
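Added example, not from the thread or from Cisco: in the PIX extended ACL grammar an optional port spec may follow each address, so a service object-group written directly after the source address restricts the client's source port. The script below parses a shortened, re-typed copy of the second list, flags such rules, and runs a first-match lookup to show why an outbound web connection with an ephemeral source port falls through to the final deny once the permit ip rule is removed; GROUPS, SAMPLE_ACL and the flow addresses are constructed.

```python
import ipaddress
from collections import namedtuple

# Constructed table: the thread's Web-All and BitTorrent1 groups as port ranges.
GROUPS = {"Web-All": [(80, 80), (443, 443)], "BitTorrent1": [(6881, 6999), (6969, 6969), (119, 119)]}
NAMES = {"www": 80, "https": 443, "domain": 53, "nntp": 119}
Rule = namedtuple("Rule", "action proto src sport dst dport text")
# Constructed sample: a shortened copy of the second list posted in the thread.
SAMPLE_ACL = """
access-list inside_access_in extended permit ip 172.18.0.0 255.255.0.0 any
access-list inside_access_in extended permit tcp any object-group Web-All any
access-list inside_access_in extended deny tcp any object-group BitTorrent1 any
access-list inside_access_in extended deny ip any any
"""

def _addr(t, i):
    """Address spec: 'any', 'host A' or 'A MASK' (network object-groups not handled)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1]), i + 2
    return ipaddress.ip_network((t[i], t[i + 1]), strict=False), i + 2

def _ports(t, i):
    """Optional port spec: returns ([(lo, hi), ...] or None for any port, next index)."""
    port = lambda tok: NAMES.get(tok) or int(tok)
    if i < len(t) and t[i] == "eq":
        return [(port(t[i + 1]),) * 2], i + 2
    if i < len(t) and t[i] == "object-group" and t[i + 1] in GROUPS:
        return GROUPS[t[i + 1]], i + 2
    return None, i

def parse_acl(text):
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if "extended" not in t or "inactive" in t:
            continue  # remarks and inactive entries never match traffic
        i = t.index("extended") + 1
        src, j = _addr(t, i + 2)
        sport, j = _ports(t, j)
        dst, j = _addr(t, j)
        dport, j = _ports(t, j)
        rules.append(Rule(t[i], t[i + 1], src, sport, dst, dport, line))
    return rules

def lint(rules):
    """Flag rules whose port spec follows the source address: they match the client's SOURCE port."""
    return [r.text for r in rules if r.sport is not None]

def lookup(rules, proto, sip, sport, dip, dport):
    """First match wins; the PIX applies an implicit deny when nothing matches."""
    hit = lambda port, rng: rng is None or any(lo <= port <= hi for lo, hi in rng)
    for r in rules:
        if (r.proto in ("ip", proto) and ipaddress.ip_address(sip) in r.src
                and ipaddress.ip_address(dip) in r.dst
                and (proto not in ("tcp", "udp") or (hit(sport, r.sport) and hit(dport, r.dport)))):
            return r.action, r.text
    return "deny", "<implicit deny>"
```

With the full list a web client is permitted by the first rule; with `rules[1:]` (the permit ip rule gone) the same client, using an ephemeral source port, matches nothing but the final deny, while a packet whose source port is 80 would be permitted.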
 
Could you post your entire config? Leave out passwords and mask the middle two octets of public IPs.


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Okay,

I have removed all relevant information. It is about as generic as you can get. Thanks for all your help.

Result of the command: "show running-config"

: Saved
:
PIX Version 7.0(2)
no names
name 172.18.64.0 DHCP-Workstations
name 172.18.16.0 Servers
name 172.18.16.50 BACK1
name 172.17.0.0 UK_Network
name 172.18.1.73 360HPF
name 207.xx.1xx.100 EVPN
name 172.18.0.0 lan
name 172.18.16.100 LIVE01
name 172.18.64.227 TGN
name 150.x.xx.150 mex_150
name 142.xx.xx.107 mex_81107
name 200.xx.xx.7 mex_7
name 142.xx.xx.107 mex_82107
name 142.xx.xx.13 MEX_13
name 150.xx.xx.200 mex_200
name 143.xx.xx.12 mex_12
name 10.200.10.10 EXT-DEM
name 172.19.0.0 India_LAN
name 172.20.1.0 Calgary_Network
name 10.xx.xx.8 FTP1
!
interface Ethernet0
nameif outside
security-level 0
ip address 70.xx.xx.126 255.255.255.128
!
interface Ethernet1
nameif inside
security-level 100
ip address 172.18.1.1 255.255.0.0
!
interface Ethernet2
nameif dmz
security-level 50
ip address 10.200.10.1 255.255.255.0
!
interface Ethernet3
shutdown
nameif intf3
security-level 6
no ip address
!
interface Ethernet4
shutdown
nameif intf4
security-level 8
no ip address
!
interface Ethernet5
shutdown
nameif intf5
security-level 10
no ip address
!
enable password
passwd
hostname -FW
domain-name local
ftp mode passive
clock timezone EST -5
clock summer-time CDT recurring
same-security-traffic permit intra-interface
object-group service rdp tcp
port-object range 3389 3389
port-object eq www
object-group service itunes tcp
port-object range 5353 5353
port-object range 42000 42999
port-object range 8000 8999
port-object range 3689 3689
object-group service mcafee_av tcp
port-object range 8080 8082
port-object range 8801 8801
port-object range 8443 8444
object-group service mcafee_av_unt tcp-udp
port-object range 8080 8082
port-object range 8801 8801
port-object range 8443 8444
object-group service pptp_group tcp-udp
port-object range 1723 1723
port-object range 47 47
object-group network mex
network-object host 142.xx.xx.13
network-object host 142.xx.xx.107
network-object host 142.xx.xx.107
network-object host 143.xx.xx.12
network-object host 150.xx.xx.150
network-object host 150.xx.xx.200
network-object host 200.xx.xx.7
object-group service BitTorrent1 tcp
port-object range 6881 6999
port-object range 6969 6969
port-object eq nntp
object-group service BinaryNewsGroups tcp
port-object range 8000 8000
port-object range 7000 7000
port-object range nntp nntp
port-object range 9000 9000
object-group service RDP tcp
port-object range 3389 3389
object-group service Ichat tcp
description Mac ICHAT
port-object range 5297 5298
port-object range 5090 5090
port-object range 5678 5678
port-object range 16384 16403
port-object range 5353 5353
port-object range sip sip
object-group service bras tcp-udp
description IPSEC VPN ports
port-object eq 10000
object-group service Web tcp
port-object eq www
port-object eq https
object-group service PolyCom tcp
port-object range 3603 3603
port-object range 3230 3235
port-object range 1731 1731
port-object range 1503 1503
port-object range ldap ldap
port-object range 1718 h323
object-group service MSNMessenger tcp
port-object range 1863 1863
object-group service VPN tcp
port-object range pptp pptp
port-object range 50 51
object-group service VPN-UDP udp
port-object range isakmp isakmp
object-group service Yahoo_Messenger tcp
port-object range 5000 50001
object-group service VNC tcp
port-object range 5800 5800
port-object range 5900 5900
object-group service WebEx tcp
port-object range 1270 1270
object-group service POP_Mail tcp
port-object range 995 995
port-object range pop3 pop3
object-group service SharePoint tcp
port-object range 445 445
port-object range 135 135
object-group service ICQ tcp
port-object range ident ident
port-object range aol aol
object-group service MAC_Email tcp
port-object range 993 993
port-object range 465 465
port-object range 587 587
object-group service Google_Talk tcp
port-object range 5222 5222
object-group service WOW-All tcp-udp
port-object eq 9097
port-object eq 3724
port-object range 9081 9090
port-object range 8086 8087
port-object eq 6881
port-object eq 6112
port-object eq 9100
object-group service SSH-All tcp-udp
port-object eq 22
object-group service Telnet-All tcp-udp
port-object eq 23
object-group service Email-All tcp-udp
port-object eq 465
port-object eq 25
object-group service IMAP-All tcp-udp
port-object eq 143
port-object eq 585
port-object eq 993
object-group service FTP-All tcp-udp
port-object eq 990
port-object eq 21
port-object eq 20
object-group service Web-All tcp-udp
port-object eq www
port-object eq 443
object-group service DNS_ALL tcp-udp
port-object eq domain
access-list outside_access_in extended permit tcp any any object-group Web-All
access-list outside_access_in remark Untrust to WEB1 DMZ HTTP
access-list outside_access_in extended permit tcp any host 70.xx.xx.2 eq www
access-list outside_access_in remark Untrust to DEMO
access-list outside_access_in remark Untrust to DEMO
access-list outside_access_in remark Untrust to DEMO
access-list outside_access_in remark Untrust to DEMO
access-list outside_access_in extended permit tcp any host 70.xx.xx.22 eq www
access-list outside_access_in remark Untrust to WEB1 DMZ FTP
access-list outside_access_in remark Untrust to WEB2 DMZ FTP
access-list outside_access_in extended permit tcp any host 70.xx.xx.2 eq ftp
access-list outside_access_in remark Untrust to DNS1 DNS
access-list outside_access_in remark Untrust to DNS2 DNS
access-list outside_access_in extended permit esp object-group mex host 70.xx.xx.116
access-list outside_access_in extended permit udp object-group mex host 70.xx.xx.116 eq isakmp
access-list outside_access_in extended permit udp object-group mex host 70.xx.xx.116 eq 4500
access-list outside_access_in extended permit tcp 172.18.72.0 255.255.255.0 interface inside
access-list outside_access_in extended permit tcp any host 70.xx.xx.10 eq h323
access-list outside_access_in extended permit tcp 172.20.1.0 255.255.255.0 any
access-list outside_access_in extended deny ip any any
access-list dmz_access_in extended permit ip 10.200.10.0 255.255.255.0 any
access-list dmz_access_in extended permit ip 10.200.10.0 255.255.255.0 172.18.0.0 255.255.0.0
access-list dmz_access_in extended permit ip 10.200.10.0 255.255.255.0 172.20.1.0 255.255.255.0
access-list inside_access_in extended permit ip 172.18.0.0 255.255.0.0 any
access-list inside_access_in extended permit tcp 172.18.0.0 255.255.0.0 any object-group Web-All
access-list inside_access_in extended permit ip 172.18.0.0 255.255.0.0 172.17.0.0 255.255.0.0
access-list inside_access_in extended deny tcp any object-group BinaryNewsGroups any
access-list inside_access_in extended deny tcp any object-group BitTorrent1 any
access-list inside_access_in remark Permit traffic from US LAN to India LAN via site-to-site VPN
access-list inside_access_in extended permit ip 172.18.0.0 255.255.0.0 172.19.0.0 255.255.0.0
access-list inside_access_in extended permit ip 172.18.72.0 255.255.255.0 172.20.1.0 255.255.255.0
access-list inside_access_in extended deny tcp any object-group WOW-All any
access-list inside_access_in extended deny ip any any
access-list inside_outbound_nat0_acl extended permit ip any 172.18.72.0 255.255.255.0
access-list inside_outbound_nat0_acl extended permit ip 172.18.0.0 255.255.0.0 172.20.1.0 255.255.255.0
access-list inside_outbound_nat0_acl extended permit ip 172.18.0.0 255.255.0.0 172.19.0.0 255.255.0.0
access-list inside_outbound_nat0_acl extended permit ip 172.18.0.0 255.255.0.0 172.17.0.0 255.255.0.0
access-list outside_cryptomap_120 extended permit ip 172.18.0.0 255.255.0.0 172.17.0.0 255.255.0.0
access-list outside_cryptomap_dyn_20 extended permit ip any 192.168.35.0 255.255.255.0
access-list dmz_outbound_nat0_acl extended permit ip any 172.17.0.0 255.255.0.0
access-list dmz_outbound_nat0_acl extended permit ip 10.200.10.0 255.255.255.0 172.17.15.0 255.255.255.0
access-list dmz_outbound_nat0_acl extended permit ip 10.200.10.0 255.255.255.0 172.20.1.0 255.255.255.0
access-list split standard permit 172.17.0.0 255.255.0.0
access-list split standard permit 172.18.0.0 255.255.0.0
access-list outside_nat0_outbound extended permit ip host 70.xx.xx.3 host 194.xx.xx.174
access-list outside_nat0_outbound extended permit ip host 70.xx.xx.3 194.xx.xx.128 255.255.255.252
access-list outside_nat0_outbound extended permit ip 172.17.0.0 255.255.0.0 172.20.1.0 255.255.255.0
access-list outside_nat0_outbound extended permit ip 172.18.72.0 255.255.255.0 172.20.1.0 255.255.255.0
access-list outside_cryptomap_40_1 extended permit ip host 70.xx.xx.3 host 194.xx.xx.174
access-list outside_cryptomap_40_1 extended permit ip host 70.xx.xx.3 194.xx.x.128 255.255.255.252
access-list outside_cryptomap_60 extended permit ip 192.168.0.0 255.255.255.0 172.17.0.0 255.255.0.0
access-list outside_cryptomap_140 extended permit ip 172.18.0.0 255.255.0.0 172.19.0.0 255.255.0.0
access-list outside_cryptomap_60_1 extended permit ip 172.18.0.0 255.255.0.0 172.20.1.0 255.255.255.0
access-list outside_cryptomap_60_1 extended permit ip 172.17.0.0 255.255.0.0 172.20.1.0 255.255.255.0
access-list outside_cryptomap_60_1 extended permit ip 10.200.10.0 255.255.255.0 172.20.1.0 255.255.255.0
access-list outside_cryptomap_60_1 extended permit ip 172.18.72.0 255.255.255.0 172.20.1.0 255.255.255.0
no pager
logging enable
logging timestamp
logging monitor warnings
logging buffered debugging
logging trap informational
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
ip local pool VPN-Pool 192.168.35.1-192.168.35.254 mask 255.255.255.0
ip local pool VPN-POOL 172.18.72.100-172.18.72.200 mask 255.255.255.0
no failover
monitor-interface outside
monitor-interface inside
monitor-interface dmz
monitor-interface intf3
monitor-interface intf4
monitor-interface intf5
asdm image flash:/asdm-502.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
global (dmz) 1 10.200.10.2-10.200.10.254 netmask 255.255.255.0
nat (outside) 0 access-list outside_nat0_outbound
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 0 access-list dmz_outbound_nat0_acl
nat (dmz) 1 10.200.10.1 255.255.255.255
nat (dmz) 1 10.200.10.0 255.255.255.0
static (dmz,outside) 70.xx.xx.2 10.200.10.8 netmask 255.255.255.255
static (inside,dmz) 172.18.0.0 172.18.0.0 netmask 255.255.0.0
static (inside,outside) 172.18.0.0 172.18.0.0 netmask 255.255.255.0
static (inside,outside) 71.xx.xx.100 172.18.16.100 netmask 255.255.255.255
static (inside,outside) 70.xx.xx.116 172.18.64.227 netmask 255.255.255.255
static (dmz,outside) 70.xx.xx.10 10.200.10.100 netmask 255.255.255.255
static (inside,outside) 70.xx.xx.3 172.18.64.230 netmask 255.255.255.255
static (dmz,outside) 70.xx.xx.22 10.200.10.10 netmask 255.255.255.255 norandomseq
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 70.xx.xx.126 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server RADIUS host 172.18.16.50
timeout 5
key H!orse$out
aaa-server RadAuth protocol radius
group-policy DfltGrpPolicy attributes
banner none
wins-server value 172.18.16.10 172.18.16.10
dns-server value 172.18.16.10 172.18.16.50
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp enable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
client-firewall none
client-access-rule none
group-policy VPN internal
group-policy VPN attributes
vpn-idle-timeout none
wins-server value 172.18.16.10 172.18.16.50
dns-server value 172.18.16.10 172.18.16.50
dhcp-network-scope none
vpn-idle-timeout 30
password-storage disable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split
default-domain value local
user-authentication enable
ip-phone-bypass enable
username cisco password
aaa authentication ssh console
http server enable
http 0.0.0.0 0.0.0.0 outside
http 172.18.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp
auth-prompt prompt Please authenticate
auth-prompt accept Welcome to the VPN
auth-prompt reject Authentication FAILED!
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 40 match address outside_cryptomap_40_1
crypto map outside_map 40 set peer 194.xx.xx.174
crypto map outside_map 40 set transform-set ESP-3DES-MD5
crypto map outside_map 60 match address outside_cryptomap_60_1
crypto map outside_map 60 set peer 206.xx.xx.178
crypto map outside_map 60 set transform-set ESP-3DES-MD5
crypto map outside_map 120 match address outside_cryptomap_120
crypto map outside_map 120 set peer 217.xx.xx.153
crypto map outside_map 120 set transform-set ESP-3DES-MD5
crypto map outside_map 140 match address outside_cryptomap_140
crypto map outside_map 140 set peer 59.xx.xx.47
crypto map outside_map 140 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
telnet 172.18.0.0 255.255.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 172.18.0.0 255.255.0.0 inside
ssh timeout 60
console timeout 0
tunnel-group DefaultRAGroup type ipsec-ra
tunnel-group DefaultRAGroup general-attributes
authentication-server-group (outside) none
tunnel-group Employee type ipsec-ra
tunnel-group Employee general-attributes
address-pool VPN-POOL
authentication-server-group RADIUS LOCAL
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect http
inspect netbios
inspect pptp
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect xdmcp
!
service-policy global_policy global
ntp authenticate
ntp server 172.18.16.50 source inside prefer
tftp-server inside 172.18.1.200 tftp\
management-access inside
Cryptochecksum:f410816d1b9bdb86f38ce98bd4283e98
: end

Norman Moy
I hope I helped. :)
 