Pix 506E access rules modification

Unanswered Question
Jul 7th, 2008

Hi,

I'm not much up on PIX firewalls, so I am hoping someone here can answer this question: how would I modify the config below to allow ONLY the following IPs to access 10.2.2.8?

192.168.102.85
192.168.111.60
192.168.111.62
192.168.111.50


Running Config: (all I have to go on right now, attached)

husycisco Mon, 07/07/2008 - 15:30

Hi James

access-list outside_access_in permit ip host 192.168.111.60 host s-gc-docimg
access-list outside_access_in permit ip host 192.168.102.85 host s-gc-docimg
access-list outside_access_in permit ip host 192.168.111.62 host s-gc-docimg
access-list outside_access_in permit ip host 192.168.111.50 host s-gc-docimg
access-group outside_access_in in interface outside


Regards

husycisco Mon, 07/07/2008 - 15:34

Btw, the following commands make all other nat statements useless:

access-list 100 permit ip any any
nat (inside) 0 access-list 100

jamesbruce Mon, 07/07/2008 - 15:41

Thanks for your response. So if I understand you correctly, remove the nat statements you mentioned, create and apply the access-list statements you mentioned, and it should work, am I correct?

husycisco Tue, 07/08/2008 - 13:28

Removing the nat statement would affect some traffic if this firewall is used like a router that doesn't have nat enabled by default. That statement might have been issued on purpose, so as not to spend time on detailed traffic definitions with statics.

If you decide to remove that NAT statement, make sure you enter the following:

static (inside,outside) s-gc-docimg s-gc-docimg netmask 255.255.255.255


Regards

jamesbruce Tue, 07/08/2008 - 18:28

Thanks for the reply:

Question: I did as you suggested and also added the nat statement you recommended after removing the others, and no connection by those IP addresses was able to be made. I also tried it without your recommended nat statement and putting the existing ones back in, with no luck. Since there is a site-to-site VPN involved, wouldn't similar changes need to be made on the other side? (They do not have access to the other side device.)

husycisco Wed, 07/09/2008 - 04:30

"Since there is a site-to-site VPN involved"

Ah... Now it all makes sense.

First of all, your interesting-traffic ACL 120 should not contain an "any any" statement unless you want all your connections (including your internet traffic) to go over the tunnel.

Assuming that the remote site's local network is 192.168.111.0/24, here is the necessary config:


access-list inside_nat0_outbound permit ip 10.4.28.0 255.255.255.0 192.168.111.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
access-list 120 permit ip 10.4.28.0 255.255.255.0 192.168.111.0 255.255.255.0
no access-list 120 permit ip any any
no static (inside,outside) s-gc-docimg s-gc-docimg netmask 255.255.255.255
no access-list 100 permit ip any any
no access-list AgendaManager permit ip any any
no access-list AgendaManager permit icmp any any
no access-list AgendaManager permit tcp any any
no access-list outside_access_in permit ip host 192.168.111.60 host s-gc-docimg
no access-list outside_access_in permit ip host 192.168.102.85 host s-gc-docimg
no access-list outside_access_in permit ip host 192.168.111.62 host s-gc-docimg
no access-list outside_access_in permit ip host 192.168.111.50 host s-gc-docimg
no access-group outside_access_in in interface outside
fixup protocol icmp
clear xlate


Please post the latest config after above modifications.
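As an added illustration (not part of the thread or of any Cisco tool), here is a small Python model of how a PIX walks a named access-list: ordered, first match wins, implicit deny at the end. It is run over the outside_access_in list from the first reply and over the "any any" versus narrowed forms of the interesting-traffic ACL 120 from the last reply; it assumes the name s-gc-docimg resolves to 10.2.2.8, and the test flows are constructed.

```python
import ipaddress

# Assumption for this example: the PIX name s-gc-docimg maps to 10.2.2.8.
NAMES = {"s-gc-docimg": "10.2.2.8"}

# ACL text as posted in the thread (embedded here as constructed input).
OUTSIDE_ACCESS_IN = """
access-list outside_access_in permit ip host 192.168.111.60 host s-gc-docimg
access-list outside_access_in permit ip host 192.168.102.85 host s-gc-docimg
access-list outside_access_in permit ip host 192.168.111.62 host s-gc-docimg
access-list outside_access_in permit ip host 192.168.111.50 host s-gc-docimg
"""
ACL_120_BEFORE = "access-list 120 permit ip any any"
ACL_120_AFTER = "access-list 120 permit ip 10.4.28.0 255.255.255.0 192.168.111.0 255.255.255.0"


def _addr(tokens):
    """Consume one PIX address spec: 'any', 'host X', or 'ADDR NETMASK'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        host = tokens.pop(0)
        return ipaddress.ip_network(NAMES.get(host, host) + "/32")
    mask = tokens.pop(0)  # PIX uses a real netmask here, not a wildcard mask
    return ipaddress.ip_network(f"{NAMES.get(tok, tok)}/{mask}", strict=False)


def parse_acl(text, name):
    """Return the ordered (action, protocol, src_net, dst_net) entries of ACL `name`."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if tokens[:2] != ["access-list", name]:
            continue
        action, proto, rest = tokens[2], tokens[3], tokens[4:]
        src = _addr(rest)
        dst = _addr(rest)
        entries.append((action, proto, src, dst))
    return entries


def evaluate(entries, proto, src_ip, dst_ip):
    """First matching entry decides; anything unmatched hits the implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, p, s, d in entries:
        if p in ("ip", proto) and src in s and dst in d:
            return action
    return "deny"
```

With the "any any" form of ACL 120, a flow from 10.4.28.5 to an internet address such as 203.0.113.5 is classed as interesting traffic (sent over the tunnel); with the narrowed form it is not, while the flow to 192.168.111.60 still is.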
