PIX/ACL Help

Unanswered Question
Apr 12th, 2010

I am trying to limit the amount of typing by creating groups and adding an ACL dependent on those groups, however I cannot get it to work. Attached you will see (hopefully) what I am trying to accomplish. I need to allow a few remote hosts to contact a set of servers using Terminal Services. Using ACLs per device seems to work, but assigning one ACL using "object-groups" is not working. What am I missing? Any help is appreciated!

PIX 525 version 7.2

object-group service Term_Service tcp
description Microsoft Terminal Services
port-object eq 3389


object-group service web tcp
description HTTP and HTTPS
port-object eq https
port-object eq www


object-group network Remote_Infinite_Campus
network-object host xx.21.235.8
network-object host xx.21.235.8

object-group network Local_Infinite_Campus
network-object host xx4.184.x.x30
network-object host xx4.184.x.x31
network-object host xx4.184.x.x32
network-object host xx4.184.x.x33
network-object host xx4.184.x.x34

object-group network All_Infinite_Campus
group-object network Local_Infinite_Campus
group-object network Remote_Infinite_Campus


access-list outside_in extended permit tcp object-group All_Infinite_Campus object-group Term_Service object-group web

access-list outside_in line 100 extended permit tcp host xx.21.235.8 host xx4.184.x.x30 eq 3389
access-list outside_in line 101 extended permit tcp host xx.21.235.8 host xx4.184.x.x31 eq 3389
access-list outside_in line 102 extended permit tcp host xx.21.235.8 host xx4.184.x.x32 eq 3389
access-list outside_in line 103 extended permit tcp host xx.21.235.8 host xx4.184.x.x33 eq 3389
access-list outside_in line 104 extended permit tcp host xx.21.235.8 host xx4.184.x.x34 eq 3389
access-list outside_in line 105 extended permit tcp xxx.225.137.0 255.255.255.0 host xx4.184.x.x30 eq 3389
access-list outside_in line 106 extended permit tcp xxx.225.137.0 255.255.255.0 host xx4.184.x.x31 eq 3389
access-list outside_in line 107 extended permit tcp xxx.225.137.0 255.255.255.0 host xx4.184.x.x32 eq 3389
access-list outside_in line 108 extended permit tcp xxx.225.137.0 255.255.255.0 host xx4.184.x.x33 eq 3389
access-list outside_in line 109 extended permit tcp xxx.225.137.0 255.255.255.0 host xx4.184.x.x34 eq 3389

Jennifer Halim Mon, 04/12/2010 - 15:50

The ACL should be as follows:

access-list outside_in extended permit tcp object-group Remote_Infinite_Campus object-group Local_Infinite_Campus object-group Term_Service
access-list outside_in extended permit tcp object-group Remote_Infinite_Campus object-group Local_Infinite_Campus object-group web

Hope that helps.

jszapipes Tue, 04/13/2010 - 06:26

Thanks halijenn for your response,

This is how the ACL looks now, but it still is not working. When I create the individual ACL statements for each connection it works fine, and when issuing the "show access-list" command the statements look the same as they do when applied with object-group.

access-list outside_in extended permit tcp object-group Remote_Infinite_Campus object-group Local_Infinite_Campus object-group Term_Service
access-list outside_in extended permit tcp object-group Remote_Infinite_Campus object-group Local_Infinite_Campus object-group web

Thanks again!

Jennifer Halim Tue, 04/13/2010 - 06:30

What do you mean by it's not working?

For inbound connection, you also need a static translation statement. Do you have that?

jszapipes Tue, 04/13/2010 - 06:45

I do have the static statements required:

static (inside,outside) xx4.184.x.x30 netmask 255.255.255.255

static (inside,outside) xx4.184.x.x31 netmask 255.255.255.255

static (inside,outside) xx4.184.x.x32 netmask 255.255.255.255

static (inside,outside) xx4.184.x.x33 netmask 255.255.255.255

static (inside,outside) xx4.184.x.x34 netmask 255.255.255.255

static (inside,outside) xx4.184.x.x35 netmask 255.255.255.255

When the statements look like this the connections are made:

access-list outside_in extended permit tcp host xx.21.x35.8 host xx4.184.x.x30 eq 3389
access-list outside_in extended permit tcp host xx.21.x35.8 host xx4.184.x.x31 eq 3389
access-list outside_in extended permit tcp host xx.21.x35.8 host xx4.184.x.x32 eq 3389
access-list outside_in extended permit tcp host xx.21.x35.8 host xx4.184.x.x33 eq 3389
access-list outside_in extended permit tcp host xx.21.x35.8 host xx4.184.x.x34 eq 3389
access-list outside_in extended permit tcp xxx.225.x37.0 255.255.255.0 host xx4.184.x.x30 eq 3389
access-list outside_in extended permit tcp xxx.225.x37.0 255.255.255.0 host xx4.184.x.x31 eq 3389
access-list outside_in extended permit tcp xxx.225.x37.0 255.255.255.0 host xx4.184.x.x32 eq 3389
access-list outside_in extended permit tcp xxx.225.x37.0 255.255.255.0 host xx4.184.x.x33 eq 3389
access-list outside_in extended permit tcp xxx.225.x37.0 255.255.255.0 host xx4.184.x.x34 eq 3389

Like this, 0 hit count, no connections made:

access-list outside_in extended permit tcp object-group Remote_Infinite_Campus object-group Local_Infinite_Campus object-group Term_Service

access-list outside_in extended permit tcp object-group Remote_Infinite_Campus object-group Local_Infinite_Campus object-group web
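
The script below is an added example, not code from this thread or from Cisco. It takes the object-group definitions from the first post (with the thread's own x-masked addresses, the nested group written in the `group-object <name>` form) and the corrected ACE form from the reply (source group, destination group, service group), expands each object-group ACE into the per-host ACEs the firewall evaluates, and diffs that list against the explicit ACEs reported as working. Run on the thread's values, the diff lists the xxx.225.137.0 255.255.255.0 source network as present in the working ACEs but covered by none of the posted object-groups, which is the kind of membership gap that "show access-list" output does not make obvious.

```python
# Added example (not from the thread or from Cisco): expand object-group based
# ACEs into the per-host ACEs a PIX/ASA evaluates, then diff them against the
# explicit ACEs the poster reports as working. Addresses are copied from the
# thread with its "x" masking, so they are handled as opaque strings.
import re
from itertools import product

# Constructed config: the object-groups from the first post; the nested group is
# written in the standard "group-object <name>" form.
OBJECT_GROUPS_CONFIG = """
object-group service Term_Service tcp
 port-object eq 3389
object-group network Remote_Infinite_Campus
 network-object host xx.21.235.8
 network-object host xx.21.235.8
object-group network Local_Infinite_Campus
 network-object host xx4.184.x.x30
 network-object host xx4.184.x.x31
 network-object host xx4.184.x.x32
 network-object host xx4.184.x.x33
 network-object host xx4.184.x.x34
object-group network All_Infinite_Campus
 group-object Local_Infinite_Campus
 group-object Remote_Infinite_Campus
"""

# The corrected ACE form from the reply: source group, destination group, service group
GROUP_ACE = ("access-list outside_in extended permit tcp object-group Remote_Infinite_Campus "
             "object-group Local_Infinite_Campus object-group Term_Service")

# The explicit ACEs reported as working, rebuilt from the values in the thread
LOCAL_HOSTS = ["xx4.184.x.x3%d" % i for i in range(5)]
WORKING_ACES = [f"access-list outside_in extended permit tcp {src} host {dst} eq 3389"
                for src in ("host xx.21.235.8", "xxx.225.137.0 255.255.255.0")
                for dst in LOCAL_HOSTS]


def parse_object_groups(text):
    """Return {name: (kind, members)}; members are tagged tuples such as
    ('host', addr), ('net', addr, mask), ('port', 'eq', '3389') or ('group', name)."""
    groups, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"object-group (network|service) (\S+)", line)
        if m:
            current = m.group(2)
            groups[current] = (m.group(1), [])
        elif current and line.startswith("network-object host "):
            groups[current][1].append(("host", line.split()[2]))
        elif current and line.startswith("network-object "):
            groups[current][1].append(("net", *line.split()[1:3]))
        elif current and line.startswith("port-object "):
            groups[current][1].append(("port", *line.split()[1:3]))
        elif current and line.startswith("group-object "):
            groups[current][1].append(("group", line.split()[-1]))
        # description lines and anything else carry no membership and are skipped
    return groups


def expand_network(name, groups, path=()):
    """Flatten a network group (following nested groups) into unique 'host A' or
    'A M' strings in configuration order; a line listed twice collapses to one."""
    if name in path:
        raise ValueError(f"circular group-object reference via {name}")
    out = []
    for m in groups[name][1]:
        if m[0] == "host":
            out.append(f"host {m[1]}")
        elif m[0] == "net":
            out.append(f"{m[1]} {m[2]}")
        elif m[0] == "group":
            out.extend(expand_network(m[1], groups, path + (name,)))
    return list(dict.fromkeys(out))


def expand_service(name, groups):
    """Return the 'eq PORT' style operands of a service group."""
    return [f"{m[1]} {m[2]}" for m in groups[name][1] if m[0] == "port"]


def _address_spec(tokens, i, groups):
    """Consume one source/destination spec at tokens[i]; return (alternatives, next_i)."""
    if tokens[i] == "object-group":
        return expand_network(tokens[i + 1], groups), i + 2
    if tokens[i] == "host":
        return [f"host {tokens[i + 1]}"], i + 2
    if tokens[i] == "any":
        return ["any"], i + 1
    return [f"{tokens[i]} {tokens[i + 1]}"], i + 2   # network + mask


def expand_ace(ace, groups):
    """Expand 'access-list NAME extended permit|deny PROTO SRC DST [PORT]' into the
    explicit ACEs it stands for, one per source/destination/port combination."""
    tokens = ace.split()
    prefix, i = " ".join(tokens[:5]), 5
    srcs, i = _address_spec(tokens, i, groups)
    dsts, i = _address_spec(tokens, i, groups)
    rest = tokens[i:]
    ports = expand_service(rest[1], groups) if rest[:1] == ["object-group"] \
        else [" ".join(rest)] if rest else [""]
    return [f"{prefix} {s} {d} {p}".rstrip() for s, d, p in product(srcs, dsts, ports)]


def compare(group_aces, explicit_aces, groups):
    """Diff the expansion of group-based ACEs against an explicit ACE list."""
    expanded = [line for ace in group_aces for line in expand_ace(ace, groups)]
    return {"expanded": expanded,
            "missing_from_groups": [a for a in explicit_aces if a not in expanded],
            "extra_in_groups": [a for a in expanded if a not in explicit_aces]}


if __name__ == "__main__":
    result = compare([GROUP_ACE], WORKING_ACES, parse_object_groups(OBJECT_GROUPS_CONFIG))
    for line in result["missing_from_groups"]:
        print("working ACE not covered by any object-group:", line)
```

The expansion deliberately collapses the duplicated `network-object host` line, so the host listed twice in Remote_Infinite_Campus contributes one ACE, and nested groups are followed with cycle detection so a group that references itself fails loudly instead of recursing forever.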

Jennifer Halim Wed, 04/14/2010 - 03:47

Have you applied your access-list on the outside interface as follows?

access-group outside_in in interface outside

jszapipes Wed, 04/14/2010 - 06:52

Yes, "access-group outside_in in interface outside" is in place. I'm stuck!

Jennifer Halim Wed, 04/14/2010 - 21:41

Are you sure that the traffic is coming into the ASA? I would try clearing the ARP on the router in front of the ASA and/or reloading it. You might want to make sure that the router is forwarding the traffic to the ASA.

Then try to connect and see if you see hit count.
