852 Views, 0 Helpful, 16 Replies

Pix 501 Help

cozyk1515
Level 1

I have a public IP address P.P.P.P that I do not want anyone from the outside to access except 3 remote users with Static IPs on port 22 open outbound from P.P.P.P to the 3 static IPs.

I have created an object-group network called Tac with the 3 IPs:

object-group network Tac
 network-object host X.X.X.X
 network-object host X.X.X.X
 network-object host X.X.X.X

Can anyone help me with the next steps?

Thank you

Gabrielle

16 Replies

acomiskey
Level 10

Gabrielle,

Could you rephrase what you are looking to do? I think you want to allow the 3 addresses to your public IP on port 22? I'm confused because you said "outbound from". Thanks.

Sorry I didn't mean outbound. I only want the 3 addresses to have access from the outside. Thanks

Collin Clark
VIP Alumni

access-list outside_access_in permit tcp object-group Tac host P.P.P.P eq 22
access-group outside_access_in in interface outside

This will create an ACL to allow the 3 addresses in your object-group to access the firewall via SSH.

HTH and please rate.

Are you sure about that, Collin? The ACL does not restrict traffic terminating on the outside interface, only traffic traversing interfaces. If she wanted to restrict SSH to the outside of the firewall she would have to do "ssh x.x.x.x outside". I'm assuming she has a static for the outside interface to some SSH server inside.

Let me start over - I have a public IP Address P.P.P.P on a device that I need 3 people around the world to access on port 22.

I have created an object-group network called Tac with the 3 IPs:

object-group network Tac
 network-object host X.X.X.X   (the public IP of the other networks)
 network-object host X.X.X.X
 network-object host X.X.X.X

Can anyone help me with the next steps?

Thanks

Gabrielle

What Collin wrote above is what you need...

access-list outside_access_in permit tcp object-group Tac host P.P.P.P eq 22
access-group outside_access_in in interface outside

Also, you need a static translation for P.P.P.P to the inside address of your server. If P.P.P.P = 1.1.1.1 and the inside address of the server is 192.168.1.1 then...

static (inside,outside) 1.1.1.1 192.168.1.1 netmask 255.255.255.255

We want to deny all traffic EXCEPT port 22 (ssh) to that Public IP Address. Sorry they keep changing things on me.

Thanks

Gabrielle

The commands above will only allow port 22!

cozyk1515
Level 1

I added the access-lists:

access-list outside_in permit tcp object-group MeTac host Tac-Outside eq https
access-list outside_in permit tcp object-group Tac host Tac-Outside eq telnet
access-list outside_in permit tcp object-group Tac host Tac-Outside eq ssh
static (inside,outside) Tac-Outside Tac-Inside netmask 255.255.255.255 0 0

I can still access the P.P.P.P over the internet - Did I need to add a DENY in there?

So Tac-Outside = P.P.P.P?

With those ACL entries you should only be able to hit Tac-Outside with https, telnet and ssh, that's it.

Also, your access-group command should be

access-group outside_in in interface outside

name 10.0.0.X Inside
name P.P.P.P Outside   ** Public IP Address
object-group network Tac
 network-object host X.X.X.X
 network-object host X.X.X.X
 network-object host X.X.X.X
access-list outside_in permit tcp object-group Meta_Tac host Meta-Outside eq www
access-list outside_in permit tcp object-group MetTac host Outside eq https
access-list outside_in permit tcp object-group Tac host Outside eq telnet
access-list outside_in permit tcp object-group Tac host Outside eq ssh
static (inside,outside) Outside Inside netmask 255.255.255.255 0 0

** The Problem I am having is that everyone can still access the "DEVICE" with any IP and not those that were specified in the above Object-Group.

OK,

Let's forget the object-group and get this into its simplest form.

1st we'll create the static translation. This will translate your outside address to your inside address. The 1.1.1.1 is our outside address.

static (inside,outside) tcp 1.1.1.1 22 192.168.1.10 22 netmask 255.255.255.255

Next let's create the access-list that only allows the 3 addresses you want to allow. For the example I'll want to allow 2.2.2.2, 3.3.3.3, and 4.4.4.4. There is an implicit deny at the end so we do not have to enter one.

access-list OUTSIDE_ACCESS_IN permit tcp host 2.2.2.2 host 1.1.1.1 eq 22
access-list OUTSIDE_ACCESS_IN permit tcp host 3.3.3.3 host 1.1.1.1 eq 22
access-list OUTSIDE_ACCESS_IN permit tcp host 4.4.4.4 host 1.1.1.1 eq 22

Finally we need to apply the ACL to an interface and in a direction.

access-group OUTSIDE_ACCESS_IN in interface outside

That should do it.

OK, I entered exactly what you have but I can still access the device with HTTP. My thought is that the public IP address is actually on the device. Which it needs to be. Any thoughts?

OK. I bet you're using SDM and that application is tied to the outside interface. You need to apply an ACL to HTTP to prevent everyone accessing it. It's used for management so it's handled a little differently.

Try this to restrict HTTP/SDM.

http 10.10.10.115 255.255.255.255 inside

This example will only allow 10.10.10.115 to access SDM from the inside! Make sure you put your IP in first.
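As an added illustration (not code from the thread or from Cisco), the following Python model shows the distinction that acomiskey raised earlier and that Collin's last reply turns on: on a PIX 6.x, an ACL bound with `access-group ... in interface outside` decides transit traffic (here, the traffic a `static` maps to an inside host), while traffic terminating on the firewall's own interface address is decided only by the `ssh`, `http` and `telnet` management commands, each of which lists the source hosts allowed on a given interface. The topology is assumed: 1.1.1.1 is the PIX outside interface (the "device" address), 1.1.1.2 is a second public address statically mapped to an inside SSH server 192.168.1.10, the three allowed sources are 2.2.2.2, 3.3.3.3 and 4.4.4.4, and the as-found config is assumed to carry a wide-open `http 0.0.0.0 0.0.0.0 outside` entry, which is one configuration that would produce exactly the symptom reported (HTTP/PDM reachable from anywhere despite the ACL). The model only understands `name`, `object-group network`, `permit tcp` ACL entries, `access-group`, `static` and the three management commands; the constructed configs and test flows are sample input, not captured from a real device.

```python
"""Toy model of the two packet paths on a PIX 6.x discussed in this thread:
transit traffic (static + inbound ACL) versus traffic to the firewall's own
address (governed only by the ssh/http/telnet commands). Added example."""
import ipaddress
from dataclasses import dataclass, field

SERVICE_PORTS = {"ssh": 22, "telnet": 23, "www": 80, "https": 443}
MGMT_SERVICE_BY_PORT = {22: "ssh", 23: "telnet", 443: "http"}   # PDM is served over HTTPS

@dataclass
class PixPolicy:
    interface_ips: dict                           # interface -> the PIX's own address
    names: dict = field(default_factory=dict)     # 'name' aliases
    groups: dict = field(default_factory=dict)    # object-group network -> set of addresses
    acls: dict = field(default_factory=dict)      # acl name -> [(src_set|None, dst_set|None, port)]
    bindings: dict = field(default_factory=dict)  # interface -> acl bound inbound
    statics: list = field(default_factory=list)   # (outside_ip, port or None, inside_ip)
    mgmt: dict = field(default_factory=dict)      # (service, interface) -> [allowed networks]

def port_number(token):
    return SERVICE_PORTS.get(token) or int(token)

def parse_pix(config, interface_ips):
    pol = PixPolicy({k: ipaddress.ip_address(v) for k, v in interface_ips.items()})
    addr = lambda tok: ipaddress.ip_address(pol.names.get(tok, tok))
    def endpoint(tokens):   # consumes 'any' | 'host X' | 'object-group G' from the token list
        kind = tokens.pop(0)
        return None if kind == "any" else {addr(tokens.pop(0))} if kind == "host" else pol.groups[tokens.pop(0)]
    group = None
    for line in config.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "name":                                   # name ADDR LABEL
            pol.names[t[2]] = t[1]
        elif t[:2] == ["object-group", "network"]:
            group = pol.groups.setdefault(t[2], set())
        elif t[:2] == ["network-object", "host"]:
            group.add(addr(t[2]))
        elif t[0] == "access-list" and t[2:4] == ["permit", "tcp"]:
            rest = t[4:]
            src, dst = endpoint(rest), endpoint(rest)        # rest is now ['eq', PORT]
            pol.acls.setdefault(t[1], []).append((src, dst, port_number(rest[1])))
        elif t[0] == "access-group":                         # access-group NAME in interface IF
            pol.bindings[t[4]] = t[1]
        elif t[0] == "static":   # static (inside,outside) [tcp OUT OPORT IN IPORT | OUT IN] netmask ...
            pol.statics.append((addr(t[3]), port_number(t[4]), addr(t[5])) if t[2] == "tcp"
                               else (addr(t[2]), None, addr(t[3])))
        elif t[0] in ("ssh", "http", "telnet"):              # ssh|http|telnet ADDR MASK IF
            pol.mgmt.setdefault((t[0], t[3]), []).append(ipaddress.ip_network(f"{t[1]}/{t[2]}", strict=False))
        else:
            raise ValueError(f"not modelled: {line.strip()}")
    return pol

def evaluate(pol, src, dst, dport, interface="outside"):
    """Decision and reason for a TCP SYN from src to dst:dport arriving on `interface`."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if dst == pol.interface_ips.get(interface):
        # To-the-box traffic: the interface ACL is never consulted; only the
        # ssh/http/telnet entry for that service and interface matters.
        service = MGMT_SERVICE_BY_PORT.get(dport)
        if service and any(src in n for n in pol.mgmt.get((service, interface), [])):
            return "permit", f"'{service} ... {interface}' covers {src}"
        return "deny", f"no '{service or dport} ... {interface}' entry covers {src}"
    # Transit from the lower-security side: needs a static and an inbound ACL permit.
    if not any(o == dst and p in (None, dport) for o, p, _ in pol.statics):
        return "deny", f"no static translation for {dst}"
    for srcs, dsts, port in pol.acls.get(pol.bindings.get(interface), []):
        if (srcs is None or src in srcs) and (dsts is None or dst in dsts) and port == dport:
            return "permit", f"ACL permits {src} -> {dst}:{dport}"
    return "deny", "implicit deny at the end of the inbound ACL"

# Constructed configs (assumptions, not the thread's real device): outside interface 1.1.1.1,
# a second public address 1.1.1.2 statically mapped to inside SSH server 192.168.1.10.
INTERFACES = {"outside": "1.1.1.1", "inside": "192.168.1.1"}
BASE = """
object-group network Tac
 network-object host 2.2.2.2
 network-object host 3.3.3.3
 network-object host 4.4.4.4
static (inside,outside) tcp 1.1.1.2 22 192.168.1.10 22 netmask 255.255.255.255
access-list OUTSIDE_ACCESS_IN permit tcp object-group Tac host 1.1.1.2 eq 22
access-list OUTSIDE_ACCESS_IN permit tcp object-group Tac host 1.1.1.1 eq 22
access-group OUTSIDE_ACCESS_IN in interface outside
"""
ACL_ONLY = BASE + "http 0.0.0.0 0.0.0.0 outside\n"          # assumed leftover wide-open PDM entry
FIXED = BASE + "".join(f"ssh {h} 255.255.255.255 outside\n" for h in ("2.2.2.2", "3.3.3.3", "4.4.4.4"))

CASES = {   # constructed flows: (source, destination, destination port)
    "tac_ssh_to_server":   ("2.2.2.2", "1.1.1.2", 22),
    "other_ssh_to_server": ("9.9.9.9", "1.1.1.2", 22),
    "tac_ssh_to_box":      ("2.2.2.2", "1.1.1.1", 22),
    "other_pdm_to_box":    ("9.9.9.9", "1.1.1.1", 443),
}

def decisions(config):
    pol = parse_pix(config, INTERFACES)
    return {name: evaluate(pol, *flow)[0] for name, flow in CASES.items()}

if __name__ == "__main__":
    for label, cfg in (("ACL only", ACL_ONLY), ("with ssh commands", FIXED)):
        pol = parse_pix(cfg, INTERFACES)
        for name, flow in CASES.items():
            print(f"{label:18} {name:22}", *evaluate(pol, *flow))
```

Running it shows the two points of the thread side by side: with the ACL alone, the Tac hosts reach the statically mapped server on 22 and 9.9.9.9 is dropped by the implicit deny, yet 9.9.9.9 still reaches PDM on the box and a Tac host cannot SSH to the box even though the ACL permits it; adding the per-host `ssh ... outside` entries and dropping the wide-open `http` entry flips both of those results. The model also covers Collin's `http 10.10.10.115 255.255.255.255 inside` line, which grants PDM to that one host on the inside interface and nobody else.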
