Pix 515E ACL Layouts

robward
Level 1

I'm configuring a 515E for the first time and it has five interfaces configured. It's running in routed mode in a single context. I'm used to transparent mode and multiple contexts so I'm unsure about the orientation of the ACLs.

I'm trying to allow traffic in from the outside to webservers in the DMZ. I've set up static NAT for each server with a public address on the outside and a private address on the inside.

ASDM says the ACL entries are incomplete, have I got something wrong?:

name 10.0.x.x DOTNET01i1
name 195.58.x.x DOTNET01i1-OUT
!
static (DMZ,outside) DOTNET01i1-OUT DOTNET01i1 netmask 255.255.255.255
!
object-group network ALL-DMZ-www
 description All DMZ web servers
 network-object DOTNET01i1 255.255.255.255
!
object-group network Public_Web_Servers
 description All web servers with public routable addresses
 network-object DOTNET01i1-OUT 255.255.255.255
!
object-group service http_and_https tcp
 description TCP Ports 80 and 443
 port-object eq www
 port-object eq https
!
access-list inbound extended permit tcp any object-group Public_Web_Servers object-group http_and_https
!
access-list DMZ-inbound extended permit tcp any object-group ALL-DMZ-www object-group http_and_https
!
access-group inbound in interface outside
access-group DMZ-inbound in interface DMZ

Any pointers appreciated!

1 Reply

Jon Marshall
Hall of Fame

Hi

It should make a difference as far as the ACLs are concerned whether you use contexts or not.

If you just want to allow web traffic through from outside to DMZ then you do not need the access-list DMZ-inbound and the access-group DMZ-inbound statements. These are only needed if the servers in the DMZ need to talk to web servers on the Internet.

Try and clear the unnecessary entries and see if ASDM is happy. Unfortunately I don't use ASDM myself. What I have noticed though is that you can't configure some of the firewall from the CLI and some with ASDM without ASDM complaining.

HTH

Jon
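The following is an added configuration example, not part of either post above, illustrating the orientation point behind the question and the reply: on a PIX in routed mode, an ACL applied "in" on an interface matches packets arriving on that interface, so the DMZ servers are the source of anything entering the DMZ interface, not the destination. It reuses the names, masked addresses and object-groups from the question and assumes PIX 7.x/8.0 syntax (the version a 515E runs), where an outside-facing ACL matches the translated (public) address; the ACL name DMZ-egress is a placeholder chosen here.

```text
! Added example for the posted topology (assumes PIX 7.x/8.0 syntax);
! the x.x octets are the question's own masking, not real addresses.
name 10.0.x.x DOTNET01i1
name 195.58.x.x DOTNET01i1-OUT
!
! One-to-one static: the real DMZ address is presented on outside as the public one.
static (DMZ,outside) DOTNET01i1-OUT DOTNET01i1 netmask 255.255.255.255
!
object-group network ALL-DMZ-www
 description All DMZ web servers (real addresses, used on the DMZ side)
 network-object DOTNET01i1 255.255.255.255
object-group network Public_Web_Servers
 description Public (translated) addresses of the DMZ web servers (used on the outside side)
 network-object DOTNET01i1-OUT 255.255.255.255
object-group service http_and_https tcp
 description TCP ports 80 and 443
 port-object eq www
 port-object eq https
!
! Internet -> DMZ: the only ACL needed for "allow traffic in from outside to
! the DMZ web servers". Applied inbound on outside, so the destination is the
! public address (pre-8.3 ACLs match the translated address). Any other
! traffic arriving on outside is dropped by the implicit deny at the end.
access-list inbound extended permit tcp any object-group Public_Web_Servers object-group http_and_https
access-group inbound in interface outside
!
! OPTIONAL, only if the DMZ servers must initiate HTTP/HTTPS to the Internet.
! Packets entering the DMZ interface originate in the DMZ, so the servers are
! the SOURCE here; the original DMZ-inbound line had them as the destination,
! which never matches on this interface. Applying any ACL to DMZ replaces the
! default "to a lower security level" permit, so every flow the DMZ hosts
! legitimately need must be listed explicitly (least privilege egress).
access-list DMZ-egress extended permit tcp object-group ALL-DMZ-www any object-group http_and_https
access-group DMZ-egress in interface DMZ
```

With only the first ACL applied, DMZ-to-Internet traffic still flows under the default security-level rule, which is why the reply says the DMZ ACL can simply be removed; adding the optional egress ACL is the tighter choice once the list of outbound flows the servers need is known.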
