Problems with ACLs on PIX 515e

bbimbitzegaio · ‎02-22-2008

Greetings all:

We are having an issue allowing traffic to pass through our PIX 515e running 7.2(2). It seems like no matter what the ACL states, the traffic is always dropped by the implicit deny. I have even gone as far to temporarily permit ALL IP traffic, and it still drops the packets with the implict deny.

Firstly, we tried duplicating the rules we used on the 501 we had before, but it still didn't allow traffic through. I've tried using both the internal and external IPs of the device for the destination IP with no luck. I've tried scrapping the web browser entirely and just attempting to connect with telnet to the device with no success.

Here are the relevant parts of the config:

object-group service webserver tcp

port-object eq www

port-object eq https

access-list outside_access_in extended permit tcp any host 192.168.1.230 object-group webserver

access-group outside_access_in interface outside

static (inside,outside) tcp interface www 192.168.1.230 www netmask 255.255.255.255

static (inside,outside) tcp interface https 192.168.1.230 https netmask 255.255.255.255

Please let me know what I can do to get this config working again...it worked fine with the 501 but our office is getting too big for us to use that device any more. I'll be glad to provide more information if needed.

husycisco · ‎02-22-2008

Hi Mathew

192.168.1.230 is not at outside interface, so you can not include it in this ACL. Your interface IP is the translated IP at outside which takes place in your static commands. So

no access-list outside_access_in extended permit tcp any host 192.168.1.230 object-group webserver

access-list outside_access_in extended permit tcp any interface outside object-group webserver

Regards

bbimbitzegaio · ‎02-22-2008

I have modified the ACL with your suggested changes, and connections still time out to the device behind the firewall. Also, our ASDM console is no longer accessible on the outside interface. I think that may be caused by permitting port 443 to another device, but I am not sure.

Thanks for the suggestion!

husycisco · ‎02-22-2008

"I think that may be caused by permitting port 443 to another device, but I am not sure"

Thats correct. Change the port for ssl to another number (449 for example) by following line

http enable outside 449

And in IP line of ASDM connection window, type the IP then :449 like x.x.x.x:449

"I have modified the ACL with your suggested changes, and connections still time out to the device behind the firewall"

Make sure no software firewall is running in that server (Like windows firewall)

Make sure hosts at outside are using the IP address of outside interface of firewall for connecting to that server, instead using 192.168.1.230

bbimbitzegaio · ‎02-27-2008

I have checked that no firewalls are running on that device, and also tested using the interface IP of the PIX outside interface, and still no joy.

I just can't figure out why this isn't working - it should pass through now with no problem, but the Packet Tracer in the ASDM still shows it matching the rules and passing through, then being dropped by the implicit deny. Why would it be checked twice - if it already passed the traffic that should be it.

Thanks for your help!