
PIX Firewall ver 5.3 access-list question


Zahundas

IS-IT--Management
Sep 9, 2002
Hi,
I am trying to open the traffic between a Lyris bulk email server located outside the firewall and a SQL server located on the LAN, inside the firewall.
Specifically I want to open the following ports: 2020, 2021, 119, 25, 80, 81, and 1933 for the Lyris server with the ip address w.x.y.z.
The SQL server inside the firewall has the following ip: a.b.c.d.

This is what I came up with for opening all the TCP and UDP traffic:

access-list 140 permit tcp any w.x.y.z host a.b.c.d
access-list 140 permit udp any w.x.y.z host a.b.c.d
access-group 140 in interface inside


I would like to be able to specify just the ports I need to open, instead having all the TCP and UDP ports opened.

Thanks in advance.

Zahundas



 
access-list 140 permit tcp host w.x.y.z host a.b.c.d eq 80
access-list 140 permit tcp host w.x.y.z host a.b.c.d eq 81
access-list 140 permit tcp host w.x.y.z host a.b.c.d eq 119
access-list 140 permit tcp host w.x.y.z host a.b.c.d eq 2020
access-list 140 permit tcp host w.x.y.z host a.b.c.d eq 2021
access-list 140 permit tcp host w.x.y.z host a.b.c.d eq 25
access-list 140 permit tcp host w.x.y.z host a.b.c.d eq 1993

This access-list should work. It just specifies tcp, but you get the idea.
-gbiello
 
Thank you very much for your help, gentlemen.
I appreciate it.

Regards,
Zahundas
 
Do I have to add an
"access-list 140 permit ip any any"
statement at the end of the list with permissions?
I have added the access-list without this statement and I had connectivity problems with some other servers.
I am afraid that this statement will open up wide all the IP traffic to the inside network.


Thanks,
Zahundas
 
Yep. Better paste your whole config here so we can have a look-see. Remember to do what Yizhar said and apply it to the outside interface, not the inside.
-gbiello
 
Hi,
This is the configuration of my access-list 140:
access-list 140 permit tcp host w.x.y.z host a.b.c.d eq www
access-list 140 permit tcp host w.x.y.z host a.b.c.d eq 81
access-list 140 permit tcp host w.x.y.z host a.b.c.d eq nntp
access-list 140 permit tcp host w.x.y.z host a.b.c.d eq 2020
access-list 140 permit tcp host w.x.y.z host a.b.c.d eq 2021
access-list 140 permit tcp host w.x.y.z host a.b.c.d eq smtp
access-list 140 permit tcp host w.x.y.z host a.b.c.d eq 1993
access-list 140 permit udp host w.x.y.z host a.b.c.d eq 80
access-list 140 permit udp host w.x.y.z host a.b.c.d eq 81
access-list 140 permit udp host w.x.y.z host a.b.c.d eq 119
access-list 140 permit udp host w.x.y.z host a.b.c.d eq 2020
access-list 140 permit udp host w.x.y.z host a.b.c.d eq 2021
access-list 140 permit udp host w.x.y.z host a.b.c.d eq 25
access-list 140 permit udp host w.x.y.z host a.b.c.d eq 1993
access-list 140 permit tcp host w.x.y.z host k.l.m.n eq 2020
access-list 140 permit tcp host w.x.y.z host k.l.m.n eq 2021
access-list 140 permit tcp host w.x.y.z host k.l.m.n eq nntp
access-list 140 permit udp host w.x.y.z host k.l.m.n eq 2020
access-list 140 permit udp host w.x.y.z host k.l.m.n eq 2021
access-list 140 permit udp host w.x.y.z host k.l.m.n eq 119
access-list 140 permit tcp host w.x.y.z host k.l.m.n eq 1433
access-list 140 permit udp host w.x.y.z host k.l.m.n eq 1433
access-list 140 permit ip any any
access-group 140 in interface outside

I've added everything above first without the line
access-list 140 permit ip any any
and I had problems with other servers, including my web server, not being able to connect to my SQL server inside the firewall.
As soon as I inserted the access-list 140 permit ip any any line everything worked.
My main concern at this moment is that adding the "permit ip any any" opens wide all the IP ports to anyone outside the firewall.

Thanks,
Zahundas
 
HI.

You should remove the permit ip any any line because your concern is correct - it will allow any inbound traffic in your case.

You should reconsider your network design, as maybe a more complete change is needed.

For the meanwhile you might need something like this:
access-list 140 permit ip host webserver host sqlserver
But remember that if an attacker gets control of your web server, from there it can continue to access the internal network.

I suggest that you make a new network design from scratch that is more secure, ignoring what you currently have, and then plan how to implement that or a similar design from the current state, purchasing hardware and reconfiguring as needed.
Asking a networking and security consultant to assist can also help.

Bye
Yizhar Hurwitz
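Both answers above, gbiello's per-port list and Yizhar's interim "permit ip host webserver host sqlserver", rest on how the PIX walks an access-list: top down, first match wins, and a packet that matches no entry is dropped by the implicit deny at the end of the list. The evaluator below is an added example written for this page, not code from the thread or from Cisco. It parses entries in the syntax posted above and runs constructed probe packets through three variants of access-list 140. Addresses reuse the thread's placeholders (w.x.y.z, a.b.c.d, k.l.m.n and Yizhar's "webserver" token); 198.51.100.7 is a made-up outside host. The port list is copied as posted (it writes 1993 where the question asked for 1933; 1433, which the thread uses for k.l.m.n, is the default TCP port of Microsoft SQL Server).

```python
"""Evaluator for PIX-style access-list entries: first matching entry wins, and a
packet that matches nothing hits the implicit deny at the end of the list.
Added example for this thread; addresses are the thread's placeholders plus a
constructed outside host (198.51.100.7)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Service keywords the PIX accepts in place of port numbers (the ones seen in the thread).
PORT_NAMES = {"www": 80, "http": 80, "smtp": 25, "nntp": 119}


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Ace:
    action: str           # "permit" or "deny"
    proto: str            # "ip" matches tcp and udp alike
    src: Optional[str]    # None means "any"
    dst: Optional[str]
    dport: Optional[int]  # None means no "eq <port>" qualifier
    text: str             # the original line, for reporting


def _addr(tokens: List[str], i: int) -> Tuple[Optional[str], int]:
    """Parse 'any' or 'host <addr>' at tokens[i]; return (addr or None, next index)."""
    if tokens[i] == "any":
        return None, i + 1
    if tokens[i] == "host":
        return tokens[i + 1], i + 2
    raise ValueError(f"only 'any' and 'host <addr>' are handled, got {tokens[i]!r}")


def parse_ace(line: str) -> Ace:
    """Parse 'access-list <id> permit|deny <proto> <src> <dst> [eq <port>]'."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"not an access-list entry: {line!r}")
    src, i = _addr(t, 4)
    dst, i = _addr(t, i)
    dport = None
    if i < len(t):
        if t[i] != "eq" or i + 1 != len(t) - 1:
            raise ValueError(f"unsupported qualifier in {line!r}")
        port = t[i + 1]
        dport = PORT_NAMES[port] if port in PORT_NAMES else int(port)
    return Ace(t[2], t[3], src, dst, dport, line)


def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, str]:
    """Walk the list top down; return (action, the entry that decided it)."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue
        if ace.src is not None and ace.src != pkt.src:
            continue
        if ace.dst is not None and ace.dst != pkt.dst:
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        return ace.action, ace.text
    return "deny", "<implicit deny at end of access-list 140>"


# The per-port TCP list from the thread, bound inbound on the outside interface
# ("access-group 140 in interface outside"; the binding itself is not modelled).
BASE = [
    "access-list 140 permit tcp host w.x.y.z host a.b.c.d eq www",
    "access-list 140 permit tcp host w.x.y.z host a.b.c.d eq 81",
    "access-list 140 permit tcp host w.x.y.z host a.b.c.d eq nntp",
    "access-list 140 permit tcp host w.x.y.z host a.b.c.d eq 2020",
    "access-list 140 permit tcp host w.x.y.z host a.b.c.d eq 2021",
    "access-list 140 permit tcp host w.x.y.z host a.b.c.d eq smtp",
    "access-list 140 permit tcp host w.x.y.z host a.b.c.d eq 1993",
]
# What the thread appended to get the web server working: it removes the implicit deny.
WIDE_OPEN = BASE + ["access-list 140 permit ip any any"]
# Yizhar's interim alternative: one more host pair, everything else still denied.
NARROW_FIX = BASE + ["access-list 140 permit ip host webserver host a.b.c.d"]

# Constructed probe packets (outside -> inside direction).
PROBES = {
    "lyris->sql tcp/80": Packet("tcp", "w.x.y.z", "a.b.c.d", 80),
    "lyris->sql udp/80": Packet("udp", "w.x.y.z", "a.b.c.d", 80),
    "lyris->k.l.m.n tcp/80": Packet("tcp", "w.x.y.z", "k.l.m.n", 80),
    "web->sql tcp/1433": Packet("tcp", "webserver", "a.b.c.d", 1433),
    "stranger->sql tcp/1433": Packet("tcp", "198.51.100.7", "a.b.c.d", 1433),
}


def verdicts(lines: List[str]) -> Dict[str, str]:
    """Action taken on every probe under the given access-list lines."""
    acl = [parse_ace(line) for line in lines]
    return {name: evaluate(acl, pkt)[0] for name, pkt in PROBES.items()}


if __name__ == "__main__":
    variants = (("restricted", BASE), ("with permit ip any any", WIDE_OPEN), ("webserver pair", NARROW_FIX))
    for label, lines in variants:
        print(f"== {label}")
        acl = [parse_ace(line) for line in lines]
        for name, pkt in PROBES.items():
            action, why = evaluate(acl, pkt)
            print(f"  {name:24} {action:6} <- {why}")
```

Running it prints, for each variant, which entry decided each probe. The thread's lesson shows up directly: the restricted list denies the web server because no entry matches it, "permit ip any any" turns every probe into a permit (with the implicit deny gone the list restricts nothing), and the host-pair entry re-admits only the web server. Two things the model leaves out: the PIX is stateful, so replies to a permitted connection need no entry of their own, and the host-pair entry still allows every port between those two hosts, so "permit tcp host webserver host a.b.c.d eq 1433" would be tighter if 1433 is the only port the web server needs.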
 
Thanks for your help Yizhar.
I will follow your advice.

Regards,
Zahundas
 