pix ver 6.3 Access list

scootertgm
Level 1

Thank you for taking the time to read this post. I'll admit up front I'm just starting working on the PIX.

I need to restrict a range of IP's to only go to one address on our network.

I created a new address pool and a new vpngroup which pulls the IP address from the new pool. (10.6.228.160 /28)

Below are the first two lines of the ACL that is applied to inbound traffic on the inside interface.

access-list inbound permit ip host 10.6.128.220 10.6.228.160 255.255.255.240

access-list inbound deny ip any 10.6.228.160 255.255.255.240

Shouldn't line 2 stop traffic from any other source destined for 10.6.228.160 /28? Or do I have something backwards? I ask as I can still access other network resources when I log in using the new group.

10 Replies

fedefalchi
Level 1

Hi,

let's see if I understood...

Everything works, right?

Your doubt is how you can access other IP addresses or other services that were not supposed to be accessible from the address pool?

Note that the access to the pool is very permissive (permit ip).

The existing VPN groups work fine. The new group allows me to log in, but gives me too much access to the network. I can access other IP addresses on the network rather than just the one.

Once I get the ACL working which limits to the one IP address, I get more restrictive with the ports.

I don't understand anything else.

Your LAN is 10.6.128.220 or 10.6.228.160/28?

Execute the command "show access-list" and look for the "hit-counts"; you will see which access-lists are getting accessed.

The address on the LAN that the external user needs to access is 10.6.128.220. The 10.6.228.160/28 is the range of addresses given to the external users when they connect to the PIX VPN.

Hi scootertgm,

I don't know how your configuration works, but the access-list is wrong.

You need this:

access-list inbound permit tcp 10.6.228.160 255.255.255.240 host 10.6.128.220 eq (service_you_need)

access-list inbound deny ip any 10.6.228.160 255.255.255.240

Because you have the VPN tunnel and the 10.6.228.160/28 addresses need to access the 10.6.128.220 address. Verify all the services they need access to and create an object-group to make it easier.

If you must allow the addresses of the VPN to access more resources on your network, don't forget the minimum privileges and use "permit ip" only as their last option.

I changed the access list line 1-4 to reflect the following:

access-list inbound permit tcp 10.6.228.160 255.255.255.240 host 10.6.128.220 eq www

access-list inbound permit udp 10.6.228.160 255.255.255.240 host 10.6.128.220 eq www

access-list inbound permit udp 10.6.228.160 255.255.255.240 host 10.6.128.220 eq 44818

access-list inbound deny ip any 10.6.228.160 255.255.255.240

Below shows my vpn adapter is getting the correct ip address:

Connection-specific DNS Suffix . : xxxxxx

IP Address. . . . . . . . . . . . : 10.6.228.161

Subnet Mask . . . . . . . . . . . : 255.255.255.240

Default Gateway . . . . . . . . . : 10.6.228.161

C:\>

I still am able to access resources on the network other than just the specified address.

Hi,

where is this ACL applied? I mean, on which interface and in what direction is this applied?

Practice is to apply the ACL blocking at the source, meaning apply the ACL on the interface on which the users will come in.

pjhenriqs
Level 1

I think you just have your access-list applied to the wrong place.

The VPN group pool (10.6.228.160/28) is coming from the outside interface, so you should apply the access-list on that interface (inbound). If you want to limit what a user on your network can access on the remote VPN user, then you would use your example (I'm not sure what it is that you want).

Also verify whether you are bypassing the access-lists, which is the default configuration when you do a remote/site-to-site VPN.

Let me know if this helps.

Regards,

Paulo

The access list is applied to the inside interface on the inbound direction.

It's not a site-to-site vpn but rather a client based VPN.

If I am understanding, I should create a second ACL and apply it to the outside interface to restrict where the user can go?

I tried applying the ACL on the outside interface inbound, however it still did not block the traffic.

At this point I am having to restrict the traffic at the layer three switch on the next hop.
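To make the two points raised in the replies concrete (an ACL bound inbound on the inside interface never sees packets that arrive on the outside interface, and the PIX default `sysopt connection permit-ipsec` lets decrypted VPN traffic skip interface ACLs entirely), here is an added example that is not from the thread or from Cisco: a toy first-match evaluator for PIX 6.3 style access-list lines, run over the poster's own ACL with constructed packets. `Packet`, `firewall_decision`, the interface names and the sample hosts are assumptions made for the illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Packet:          # constructed for the example; not a PIX data structure
    src: str
    dst: str
    proto: str         # "tcp", "udp" or "icmp"
    dport: int
    in_iface: str      # interface the packet arrives on

def parse_ace(line):
    """Parse 'access-list NAME permit|deny PROTO SRC DST [eq PORT]' where an address is
    'any', 'host A.B.C.D' or 'A.B.C.D MASK' (PIX uses normal masks, not wildcards)."""
    tok = line.split()
    action, proto, pos = tok[2], tok[3], 4
    def addr():
        nonlocal pos
        if tok[pos] == "any":
            pos += 1; return ipaddress.ip_network("0.0.0.0/0")
        if tok[pos] == "host":
            pos += 2; return ipaddress.ip_network(tok[pos - 1] + "/32")
        pos += 2; return ipaddress.ip_network(f"{tok[pos - 2]}/{tok[pos - 1]}", strict=False)
    src, dst = addr(), addr()
    port = None
    if pos < len(tok) and tok[pos] == "eq":
        port = 80 if tok[pos + 1] == "www" else int(tok[pos + 1])
    return action, proto, src, dst, port

def evaluate(acl, pkt):
    """First matching entry wins; anything no entry permits is dropped (implicit deny)."""
    for action, proto, src, dst, port in map(parse_ace, acl):
        if (proto in ("ip", pkt.proto) and ipaddress.ip_address(pkt.src) in src
                and ipaddress.ip_address(pkt.dst) in dst and port in (None, pkt.dport)):
            return action
    return "deny"

def firewall_decision(bindings, pkt, from_vpn, ipsec_bypass):
    """bindings maps interface -> ACL lines applied with 'access-group NAME in interface IFACE'.
    Only the ACL on the arrival interface is consulted. ipsec_bypass models the PIX default
    'sysopt connection permit-ipsec', under which decrypted VPN traffic skips that ACL."""
    if from_vpn and ipsec_bypass:
        return "permit"
    if pkt.in_iface not in bindings:
        return "permit"    # toy default; a real PIX decides this by interface security level
    return evaluate(bindings[pkt.in_iface], pkt)

POSTED_ACL = [   # the poster's lines; note the deny matches traffic *destined to* the pool only
    "access-list inbound permit tcp 10.6.228.160 255.255.255.240 host 10.6.128.220 eq www",
    "access-list inbound permit udp 10.6.228.160 255.255.255.240 host 10.6.128.220 eq 44818",
    "access-list inbound deny ip any 10.6.228.160 255.255.255.240",
]
TO_SERVER = Packet("10.6.228.161", "10.6.128.220", "tcp", 80, "outside")   # constructed
TO_OTHER = Packet("10.6.228.161", "10.6.128.50", "tcp", 445, "outside")    # constructed

def scenarios():
    """Decision for a VPN client reaching a second LAN host under each placement of the ACL."""
    return {
        "inside_in+bypass": firewall_decision({"inside": POSTED_ACL}, TO_OTHER, True, True),
        "inside_in+no_bypass": firewall_decision({"inside": POSTED_ACL}, TO_OTHER, True, False),
        "outside_in+bypass": firewall_decision({"outside": POSTED_ACL}, TO_OTHER, True, True),
        "outside_in+no_bypass_other": firewall_decision({"outside": POSTED_ACL}, TO_OTHER, True, False),
        "outside_in+no_bypass_server": firewall_decision({"outside": POSTED_ACL}, TO_SERVER, True, False),
    }
```

Only the last two scenarios restrict the client as intended: the ACL must sit on the interface the VPN traffic enters and the IPsec bypass must be off; the block on the second host then comes from the implicit deny, not from the explicit deny line.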
