Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
425
Views
0
Helpful
2
Replies

Big changes to access-list creation between PIX 6 and 8?

cisco_moderator
Level 1
Level 1

‎10-16-2007 11:24 AM - edited ‎03-11-2019 04:26 AM

Hi everyone,

I have just updated a PIX 525 from software version 6x to 8x.

I have a question on how PDM in version 6x automatically converted access-lists so they worked with outside NAT addresses ? but in version 8x (using ASDM) this is not the case. This is causing me a major headache!

So previously in version 6x:

I created a NAT rule in PDM to translate the internal IP to external:

Inside server IP - 192.168.1.1

Outside NAT IP - 206.45.18.189

Resulting in:

static (inside,outside) 206.45.18.189 192.168.1.1 netmask 255.255.255.255

I then created a new access rule in PDM to permit traffic from the outside to 192.168.1.1 on the inside for any host.

The resulting access-list visible in the config is:

access-list outside_access_in extended permit ip any host 206.45.18.189

Note how PDM has taken the inside address I specified and replaced it with the valid outside NAT address. This worked a treat!

Unfortunately in version 8 using with ASDM - if you permit access to an inside address from the outside ? even if a valid (inside,outside) NAT rule is in place ? you get this this in the config:

access-list outside_access_in extended permit ip any host 192.168.1.1

It seems something major has changed! I have also noticed version 6x created "reference" groups if you allowed access to an inside network "object-group":

For example ? your permit access to an inside group:

object-group network INSIDE-SERVERS

network-object 192.168.1.1

network-object 192.168.1.2

network-object 192.168.1.3

And PDM automatically creates a "reference" (_ref) group that uses the valid outside NAT addresses:

object-group network INSIDE-SERVERS_ref

network-object 206.45.18.189

network-object 206.45.18.190

network-object 206.45.18.191

The group ending in "_ref" is the one used in inbound access-lists.

Version 6 really did work its magic ? has this useful "feature" disappeared in version 8x?

Many thanks for your time,

Paul

Labels:
0 Helpful
2 Replies 2

noran01
Level 3
Level 3

‎10-17-2007 06:02 AM

Something isn't right here. The statement:

static (inside,outside) 206.45.18.189 192.168.1.1 netmask 255.255.255.255

is backwards. It should be:

static (inside,outside) 192.168.1.1 206.45.18.189 netmask 255.255.255.255

with an accompanying ACL:

access-list outside_access_in extended permit ip any host 192.168.1.1

I would have to say there is some mis-configuration that is creating these rules backwards.

The _ref thing is a PDM issue in itself.

0 Helpful

acomiskey
Level 10
Level 10
In response to noran01

‎10-17-2007 06:25 AM

noran01, are you sure about that? What you said it should be is not correct. I should be...

static (inside,outside) 206.45.18.189 192.168.1.1 netmask 255.255.255.255

access-list outside_access_in extended permit ip any host 206.45.18.189

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card