04-23-2009 09:26 AM - edited 03-11-2019 08:22 AM
Hi,
How is it possible to create an access-list on the ASA or PIX using TCP flags such as syn, ack, etc.? I tried to create one here, but it did not work and no such options appear.
Regards
04-23-2009 09:35 AM
Ricardo
What exactly are you trying to achieve? A stateful firewall such as the PIX/ASA already checks these flags as traffic goes through the device. Is there something specific you need?
Jon
04-23-2009 10:51 AM
Hi, Jon
I would like to create an access-list where I could block the traffic in such a way that, taking two networks 192.168.0.0/24 and 172.16.0.0/16 as an example, only SSH connections started from the 192.168.0.0/24 network are allowed, return traffic is allowed only for already established connections, and all the rest is blocked. It would be like the following rules.
access-list 102 permit tcp 192.168.0.0 0.0.0.255 172.16.0.0 0.0.255.255 eq 22 syn
access-list 102 permit tcp 172.16.0.0 0.0.255.255 eq 22 192.168.0.0 0.0.0.255 established
access-list 102 deny tcp 172.16.0.0 0.0.255.255 192.168.0.0 0.0.0.255
Regards
04-23-2009 10:57 AM
Ricardo
That is exactly what a PIX/ASA will do for you automatically.
So for your setup you need to put the 192.168.0.0/24 network on a higher security interface than the 172.16.0.0/16 network.
If you do this, then connections can be initiated from the 192.168.0.0/24 network to the 172.16.0.0/16 network and the return traffic will be automatically allowed. However, traffic will not be allowed to be initiated from the 172.16.0.0/16 network to the 192.168.0.0/24 network unless you explicitly allow it with an access-list.
Jon
04-23-2009 01:35 PM
Hi,
I did this, but it is still not working. The 192.168.0.0/24 network is on security level 100 and the 172.16.0.0/16 network is on security level 90, and it is still not working. I created the following ACLs:
access-list net-lab_access_in extended permit ip 192.16.1.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list net-lab_access_in extended permit ip 192.16.1.0 255.255.255.0 10.0.0.0 255.255.255.0
And there is the implicit deny, which blocks the return traffic; would that also apply to the 172.16.0.0/16 network? These access-lists are applied to the interface with the 172.16.0.0/16 address.
regards
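An added ASA configuration fragment, not taken from this thread, showing the setup Jon describes: 192.168.0.0/24 on the higher security interface, an inbound ACL on that interface limiting what it may start to SSH, and no flag-based rule for the replies, which the ASA's stateful connection table allows on its own. The interface names (inside, dmz), physical ports and interface addresses are assumptions.

```cisco
! Added example; interface names, ports and addresses are assumed.
! 192.168.0.0/24 is on the higher-security interface (100),
! 172.16.0.0/16 on the lower one (90).
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface GigabitEthernet0/1
 nameif dmz
 security-level 90
 ip address 172.16.0.1 255.255.0.0
!
! Restrict what the inside network may initiate: only SSH to 172.16.0.0/16.
! Replies to these sessions are matched against the stateful connection table,
! so no "established", "ack" or "syn" rule is needed on the dmz side.
access-list inside_in extended permit tcp 192.168.0.0 255.255.255.0 172.16.0.0 255.255.0.0 eq 22
access-list inside_in extended deny ip any any log
access-group inside_in in interface inside
!
! Nothing is applied inbound on dmz, so the default behaviour stays:
! connections started from 172.16.0.0/16 toward the higher-security
! 192.168.0.0/24 network are dropped unless an ACL on dmz permits them.
! Verify with: show conn, show access-list inside_in
```

An ACL applied inbound on dmz only governs connections started from the 172.16.0.0/16 side; it is not what permits the replies to SSH sessions started from inside, so a permit for 192.16.1.0/24 there has no effect on that return traffic.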