PIX ACL issue - Deny Internal Access to External Network

Unanswered Question
Jun 30th, 2007

We are in the process of adding a wireless network to the existing LAN. The requirement is that wireless clients have access to the internet, and occasionally access to the internal webserver. But, at no time should wireless clients be able to access anything on the internal LAN.

So any ACL that blocks out the LAN network would of course block out the gateway, at least that is what has seemed to happen. Here is how the networks are configured:

PIX506 (1) (63.xx.xx.xxx - 192.168.2.1) Primary business LAN

PIX506 (2) (192.168.2.30 - 192.168.3.1) Wireless Network

To date every ACL I have tried either blocks ALL access, meaning I cannot access the 2.0 network, but also not the internet, or I get full access to both the internet and the 2.0 network.

What I want is for people on the 3.0/24 network to access the internet and one webserver on the 2.0/24 network.

Here are two ACLs I have tried last:

access-list 101 permit tcp 192.168.3.0 255.255.255.0 host 192.168.2.1 255.255.255.255

access-list 101 deny tcp 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0

This is the original one I tried which was given to me by some Cisco engineers, yet when this did not work they had no answers on what to do next unfortunately:

access-list 101 permit ip 192.168.3.0 0.0.0.255 host 192.168.2.4

access-list 101 deny ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255

access-list 101 permit ip 192.168.3.0 0.0.0.255 any

Am I incorrect in thinking the PIX can do what I want it to? It seems that I should, but I just need to get the ACL down correctly.

glynnd Sat, 06/30/2007 - 19:57

The ACL that the Cisco engineers gave you is correct.

Is the inside ip address of the pix on the wireless network 192.168.3.1?

If so, you need to apply acl 101, incoming into the (inside) interface.

Make sure you create ACL 101 in the exact order that those engineers gave you.

twaite Sun, 07/01/2007 - 10:14

192.168.3.1 is the inside interface to the PIX connected to the wireless network.

I have applied that configuration, except it does not accept subnet 0.0.0.255. If I switch that to 255.255.255.0 the command is entered. At the moment I do have internet access, but I can also access a machine on the internal network: I just go to Explorer and do \\192.168.2.5 and can open that machine's shares.

But now I have the following:

access-list inside_access_in permit ip any host 192.168.2.1

access-list inside_access_in permit ip any host 192.168.2.123

access-list inside_access_in deny ip any 192.168.2.0 255.255.255.0

access-list inside_access_in permit ip any any

At the moment I do not have "nat (inside) 0 access-list inside_access_in" and everything seems to work fine. I can access the internet and access the machine at 192.168.2.123, but cannot see or access any other device on the 2.0/24 network, which is exactly how I want it.

Mind you, I have this set up at the moment at home. Now I just have to switch from DHCP to static on the outside interface and switch from PAT to NAT. I am going to need to be able to access several devices from within the 2.0/24 network to inside the firewall's 3.0/24 network (wireless controller, etc.). I assume then that this should not cause a problem, as the access list was the key to my problems and not anything to do with NAT or PAT, or anything else?
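The two points this thread turns on are that a PIX access-list takes a subnet mask (255.255.255.0) where IOS takes a wildcard (0.0.0.255), and that entries are evaluated first-match in the order written, so the two host permits must sit above the subnet deny. The following is an added example, not code from the thread or from Cisco: a small Python evaluator that parses the working ACL posted above, checks constructed flows from a 192.168.3.0/24 client against it, shows what happens when "permit ip any any" is moved to the top, and converts the engineers' IOS-style wildcards into PIX masks. The function names and the client/internet addresses (192.168.3.10, 198.51.100.7) are assumptions made for the example.

```python
import ipaddress

# Added example (not from the thread): first-match evaluation of PIX-style
# access-list entries, plus IOS wildcard -> PIX netmask conversion.
# The ACL text is copied from the posts; the flow addresses are constructed.

# twaite's working ACL, in the order posted.
WORKING_ACL = """
access-list inside_access_in permit ip any host 192.168.2.1
access-list inside_access_in permit ip any host 192.168.2.123
access-list inside_access_in deny ip any 192.168.2.0 255.255.255.0
access-list inside_access_in permit ip any any
"""

# The engineers' ACL, written with IOS wildcards that the PIX CLI rejects.
IOS_STYLE_ACL = """
access-list 101 permit ip 192.168.3.0 0.0.0.255 host 192.168.2.4
access-list 101 deny ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip 192.168.3.0 0.0.0.255 any
"""


def looks_like_ipv4(token):
    try:
        ipaddress.IPv4Address(token)
        return True
    except ipaddress.AddressValueError:
        return False


def is_netmask(mask):
    """True for a contiguous subnet mask (255.255.255.0); False for a wildcard (0.0.0.255)."""
    m = int(ipaddress.IPv4Address(mask))
    inverse = ~m & 0xFFFFFFFF
    return (inverse + 1) & inverse == 0      # inverse must be of the form 2**k - 1


def wildcard_to_netmask(wildcard):
    """IOS wildcard 0.0.0.255 -> PIX netmask 255.255.255.0 (bitwise complement)."""
    return str(ipaddress.IPv4Address(~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF))


def convert_ios_wildcards(acl_text):
    """Rewrite every 'ADDR WILDCARD' pair as 'ADDR NETMASK' so the PIX CLI accepts the line."""
    lines = []
    for line in acl_text.strip().splitlines():
        t = line.split()
        i = 0
        while i < len(t) - 1:
            if looks_like_ipv4(t[i]) and looks_like_ipv4(t[i + 1]):
                if not is_netmask(t[i + 1]):
                    t[i + 1] = wildcard_to_netmask(t[i + 1])
                i += 2                       # the pair is ADDR MASK; skip past the mask
            else:
                i += 1
        lines.append(" ".join(t))
    return "\n".join(lines)


def parse_addr(tokens):
    """Consume 'any', 'host A' or 'A MASK' and return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr, mask = tokens[0], tokens[1]
    if not is_netmask(mask):
        # Mirrors the PIX CLI, which refuses the line with 0.0.0.255 in it.
        raise ValueError(f"{mask} is an IOS wildcard; PIX expects a subnet mask")
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False), tokens[2:]


def parse_acl(acl_text):
    """Return [(action, protocol, src_net, dst_net), ...] in the order written."""
    entries = []
    for line in acl_text.strip().splitlines():
        t = line.split()                     # access-list NAME ACTION PROTO SRC... DST...
        action, proto = t[2], t[3]
        src, rest = parse_addr(t[4:])
        dst, _ = parse_addr(rest)
        entries.append((action, proto, src, dst))
    return entries


def evaluate(acl, src_ip, dst_ip, proto="tcp"):
    """First matching entry wins; a PIX ACL ends with an implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, p, src, dst in acl:
        if p in ("ip", proto) and s in src and d in dst:
            return action
    return "deny"


if __name__ == "__main__":
    acl = parse_acl(WORKING_ACL)
    for dst in ("192.168.2.123", "192.168.2.5", "198.51.100.7"):   # constructed flows
        print(f"192.168.3.10 -> {dst}: {evaluate(acl, '192.168.3.10', dst)}")
    # Same entries with 'permit ip any any' first: the subnet deny is never reached.
    reordered = [acl[3]] + acl[:3]
    print("reordered -> 192.168.2.5:", evaluate(reordered, "192.168.3.10", "192.168.2.5"))
    print(convert_ios_wildcards(IOS_STYLE_ACL))
```

Run as-is, the script reports permit for the webserver and the internet address, deny for 192.168.2.5, and permit for 192.168.2.5 once the catch-all entry is moved above the deny; the converted engineers' ACL then parses cleanly where the wildcard version raises the same objection the PIX CLI does.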

glynnd Fri, 07/06/2007 - 20:28

If the wireless network should be treated as hostile, why did you decide to make the 192.168.3.1 interface the "inside" interface on the PIX? Shouldn't you make it the outside interface?
