PIX 501 Access List issue, AM I missing something ?!

Answered Question
Nov 1st, 2009
User Badges:

I have PIX 501 connected with One workstation in INSIDE network and to the internet.

With no Access list everything works good.

I want to allow only Web Access for the inside network.


The command I specified:

access-list ACL_OUT permit tcp any any eq www

access-list ACL_OUT deny ip any any

access-group ACL_OUT in interface inside


That brings the internet down


show access-list shows:




access-list ACL_OUT line 1 permit tcp any any eq www (hitcnt=0) ---> ???????

access-list ACL_OUT line 2 deny ip any any (hitcnt=4) ----> ??????


if I do PERMIT ANY ANY I have matches and all works, I tried 80, 445, 53 entry and then deny but it makes no difference.

How DO I block all traffic except WEB ?


My config :



PIX Version 6.3(5)

interface ethernet0 auto

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password lw.hq88l2bR1x9Fp encrypted

passwd lw.hq88l2bR1x9Fp encrypted

hostname PIX501

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

access-list ACL_OUT permit tcp any any eq www

access-list ACL_OUT deny ip any any

pager lines 24

mtu outside 1500

mtu inside 1500

ip address outside dhcp setroute

ip address inside 172.30.10.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 172.30.10.0 255.255.255.0 0 0

access-group ACL_OUT in interface inside

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout sip-disconnect 0:02:00 sip-invite 0:03:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd address 172.30.10.2-172.30.10.5 inside

dhcpd dns 89.101.160.4

dhcpd lease 2400

dhcpd ping_timeout 750

dhcpd enable inside

terminal width 80

Cryptochecksum:d0454d33e695a13208fae0cef9e7e564

: end

PIX501(config)#

Correct Answer by bmcginn about 7 years 7 months ago

Hi there,


You will probably need to allow DNS though :)


try this:

access-list ACL_OUT permit udp any any eq 53

access-list ACL_OUT permit tcp any any eq www

access-list ACL_OUT deny ip any any log


Note how 'log' is also on the end of the deny ip any any statement. This, in conjunction with a logging buffered warnings statement logs any drops due to the deny ip any any statement to the log. (viewed with 'show log').


Hope that helps, and if so, do you mind rating the answer please?


thanks,


Brad


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4 (1 ratings)
Loading.
Correct Answer
bmcginn Sun, 11/01/2009 - 19:11
User Badges:
  • Bronze, 100 points or more

Hi there,


You will probably need to allow DNS though :)


try this:

access-list ACL_OUT permit udp any any eq 53

access-list ACL_OUT permit tcp any any eq www

access-list ACL_OUT deny ip any any log


Note how 'log' is also on the end of the deny ip any any statement. This, in conjunction with a logging buffered warnings statement logs any drops due to the deny ip any any statement to the log. (viewed with 'show log').


Hope that helps, and if so, do you mind rating the answer please?


thanks,


Brad


mariusz.pianka Mon, 11/02/2009 - 10:45
User Badges:

Thank you that worked.

I had to just add 443 for SSL and it works now.


What I wish to understand is the syntax.

I thought if I do

access-list ACL_OUT permit tcp host 172.30.10.1 any eq www


that means:

I want access list , name ACL_OUT that permits TCP traffic from host 172.30.10.1 to any destination through www.


this however doesn't work.

if I do your permit tcp any any eq www that works well..


How do I allow the internet only for ONE PC in that access list ?

bmcginn Mon, 11/02/2009 - 14:09
User Badges:
  • Bronze, 100 points or more

Hi again,


You've pretty much got it right I'd say except for one thing.


The host you are specifying is the IP address of the inside interface. Is the pix the host you want to access the internet with and not have any devices on the inside network allowed access?


If you specify an IP address of a specific host (that is not the pix interface IP) your ACL could look like the following?


access-list ACL_OUT permit udp any any eq 53

access-list ACL_OUT permit tcp host 172.30.10.x any eq www

access-list ACL_OUT deny ip any any log


Also, now that your 'deny ip any any' statement is logging to the buffer, you should be able to see if that ACL is dropping stuff, and details of that stuff in the log. 'show log' That should give you a good indication of what's happening.


Brad

MUXAHMUXAH2 Mon, 11/02/2009 - 00:35
User Badges:


Could you show the result of "sh route" on your PIX501?


Actions

This Discussion