11-01-2009 03:46 PM - edited 03-11-2019 09:35 AM
I have a PIX 501 connected with one workstation in the INSIDE network and to the internet.
With no access list everything works well.
I want to allow only web access for the inside network.
The command I specified:
access-list ACL_OUT permit tcp any any eq www
access-list ACL_OUT deny ip any any
access-group ACL_OUT in interface inside
That brings the internet down.
show access-list shows:
access-list ACL_OUT line 1 permit tcp any any eq www (hitcnt=0) ---> ???????
access-list ACL_OUT line 2 deny ip any any (hitcnt=4) ----> ??????
If I do PERMIT ANY ANY I have matches and everything works. I tried 80, 445 and 53 entries and then deny, but it makes no difference.
How do I block all traffic except WEB?
My config:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password lw.hq88l2bR1x9Fp encrypted
passwd lw.hq88l2bR1x9Fp encrypted
hostname PIX501
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list ACL_OUT permit tcp any any eq www
access-list ACL_OUT deny ip any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 172.30.10.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 172.30.10.0 255.255.255.0 0 0
access-group ACL_OUT in interface inside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 172.30.10.2-172.30.10.5 inside
dhcpd dns 89.101.160.4
dhcpd lease 2400
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 80
Cryptochecksum:d0454d33e695a13208fae0cef9e7e564
: end
PIX501(config)#
11-01-2009 07:11 PM
Hi there,
You will probably need to allow DNS though :)
Try this:
access-list ACL_OUT permit udp any any eq 53
access-list ACL_OUT permit tcp any any eq www
access-list ACL_OUT deny ip any any log
Note how 'log' is also on the end of the deny ip any any statement. This, in conjunction with a 'logging buffered warnings' statement, logs any drops due to the deny ip any any statement to the buffer (viewed with 'show log').
Hope that helps, and if so, do you mind rating the answer please?
thanks,
Brad
11-02-2009 10:45 AM
Thank you, that worked.
I just had to add 443 for SSL and it works now.
What I wish to understand is the syntax.
I thought if I do
access-list ACL_OUT permit tcp host 172.30.10.1 any eq www
that means:
I want an access list named ACL_OUT that permits TCP traffic from host 172.30.10.1 to any destination through www.
This, however, doesn't work.
If I do your permit tcp any any eq www, that works well.
How do I allow the internet for only ONE PC in that access list?
11-02-2009 02:09 PM
Hi again,
You've pretty much got it right, I'd say, except for one thing.
The host you are specifying is the IP address of the inside interface. Is the PIX the host you want to access the internet with, and should no devices on the inside network be allowed access?
If you specify the IP address of a specific host (that is not the PIX interface IP), your ACL could look like the following:
access-list ACL_OUT permit udp any any eq 53
access-list ACL_OUT permit tcp host 172.30.10.x any eq www
access-list ACL_OUT deny ip any any log
Also, now that your 'deny ip any any' statement is logging to the buffer, you should be able to see if that ACL is dropping stuff, and details of that stuff, in the log ('show log'). That should give you a good indication of what's happening.
Brad
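To make the first-match behaviour behind both of Brad's answers concrete (why the original two-line ACL kills browsing even though line 1 looks right, why 443 had to be added, and why 'host 172.30.10.1' matches the PIX's own inside address rather than the workstation), here is a small offline ACL evaluator. It is an added example, not code from the thread or from Cisco: it parses the ACL lines in the PIX 6.3 syntax used above, evaluates constructed flows top-down with first match and an implicit deny at the end, and keeps per-line hit counters in the style of the '(hitcnt=N)' column of 'show access-list'. The workstation address 172.30.10.2 is taken from the page's DHCP pool; the destination web server 198.51.100.10 is a constructed placeholder. Note that on the real PIX the poster saw hitcnt=0 on the www line because the browser never sent a TCP SYN after DNS failed; the flows here are evaluated independently, so the www line does count a hit.

```python
"""Offline first-match ACL evaluator (added example, not from the thread).

Models a PIX 6.3 ACL applied inbound on the inside interface: entries are
checked top-down, the first match decides, and a flow that matches nothing
hits the implicit deny. Hit counters mimic 'show access-list'.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

PORT_NAMES = {"www": 80, "http": 80, "https": 443, "domain": 53}  # PIX port keywords


@dataclass
class Ace:
    action: str            # "permit" | "deny"
    proto: str             # "tcp" | "udp" | "ip"
    src: object            # ip_network
    dst: object            # ip_network
    dport: Optional[int]   # None = any destination port
    log: bool = False
    hitcnt: int = 0


def _addr(tokens, i):
    """Consume one address spec: 'any' | 'host A' | 'A MASK'. Returns (network, next index)."""
    tok = tokens[i]
    if tok == "any":
        return ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ip_network(tokens[i + 1] + "/32"), i + 2
    return ip_network(f"{tok}/{tokens[i + 1]}"), i + 2


def parse_ace(line):
    """Parse 'access-list NAME permit|deny PROTO SRC DST [eq PORT] [log]'."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError(line)
    action, proto = t[2], t[3]
    src, i = _addr(t, 4)
    dst, i = _addr(t, i)
    dport, log = None, False
    while i < len(t):
        if t[i] == "eq":
            dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
            i += 2
        elif t[i] == "log":
            log, i = True, i + 1
        else:
            raise ValueError(f"unsupported token {t[i]!r} in {line!r}")
    return Ace(action, proto, src, dst, dport, log)


def evaluate(acl, proto, src, dst, dport):
    """First matching line decides; returns (verdict, Ace or None for the implicit deny)."""
    s, d = ip_address(src), ip_address(dst)
    for ace in acl:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        ace.hitcnt += 1
        return ace.action, ace
    return "deny", None   # implicit deny: nothing matched, no counter moves


def run(acl_lines, flows):
    """Apply each flow to a freshly parsed ACL; return verdicts and 'show access-list'-style lines."""
    acl = [parse_ace(line) for line in acl_lines]
    verdicts = {name: evaluate(acl, *flow)[0] for name, flow in flows.items()}
    show = [f"line {n} {a.action} {a.proto} ... (hitcnt={a.hitcnt})" for n, a in enumerate(acl, 1)]
    return verdicts, show


# Constructed flows from the inside workstation (proto, src, dst, dst_port).
# DNS server is the one from 'dhcpd dns'; 198.51.100.10 is a placeholder web server.
FLOWS = {
    "dns":   ("udp", "172.30.10.2", "89.101.160.4", 53),
    "http":  ("tcp", "172.30.10.2", "198.51.100.10", 80),
    "https": ("tcp", "172.30.10.2", "198.51.100.10", 443),
}
ORIGINAL = [  # the poster's first ACL: no DNS line, so name resolution is dropped
    "access-list ACL_OUT permit tcp any any eq www",
    "access-list ACL_OUT deny ip any any",
]
WITH_DNS = [  # Brad's version: DNS works, HTTPS still denied until 443 is added
    "access-list ACL_OUT permit udp any any eq 53",
    "access-list ACL_OUT permit tcp any any eq www",
    "access-list ACL_OUT deny ip any any log",
]
WRONG_HOST = [  # 'host 172.30.10.1' is the PIX inside interface, not the workstation
    "access-list ACL_OUT permit udp any any eq 53",
    "access-list ACL_OUT permit tcp host 172.30.10.1 any eq www",
    "access-list ACL_OUT deny ip any any log",
]
ONE_HOST = [  # single workstation allowed DNS, HTTP and HTTPS; everything else logged and dropped
    "access-list ACL_OUT permit udp any any eq 53",
    "access-list ACL_OUT permit tcp host 172.30.10.2 any eq www",
    "access-list ACL_OUT permit tcp host 172.30.10.2 any eq 443",
    "access-list ACL_OUT deny ip any any log",
]

if __name__ == "__main__":
    for name, acl in [("original", ORIGINAL), ("with_dns", WITH_DNS),
                      ("wrong_host", WRONG_HOST), ("one_host", ONE_HOST)]:
        verdicts, show = run(acl, FLOWS)
        print(name, verdicts, *show, sep="\n  ")
```

Running it shows the ORIGINAL list denying the DNS flow on line 2 (the hits the poster saw on his deny line), WITH_DNS permitting DNS and HTTP but still denying HTTPS, WRONG_HOST denying all of the workstation's TCP traffic because only the PIX's own inside address would match, and ONE_HOST permitting exactly the three flows. Once the deny line carries 'log', each of those drops is what 'show log' would list on the real box.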
11-02-2009 12:35 AM
Could you show the result of "sh route" on your PIX501?