object-group command with access-list not working properly

josephsilvin
Level 1

I am using Cisco PIX version 6.2(2).

object-group network norm_nat_hosts

  network-object 192.168.11.1 255.255.255.255

  network-object 192.168.11.2 255.255.255.255

  network-object 192.168.11.3 255.255.255.255

  network-object 192.168.11.4 255.255.255.255

object-group service norm_allow_ports tcp

  port-object eq www

  port-object eq domain

  port-object eq https

  port-object eq ftp-data

  port-object eq ftp

  port-object eq 8100

  port-object eq 8080

access-list acl4inside permit tcp object-group norm_nat_hosts any object-group norm_allow_ports

But I find that each of those hosts in norm_nat_hosts is allowed to open all ports from its machine instead of only those specified in norm_allow_ports.

But if I put each host separately (as shown below), then only those allowed ports are opened.

access-list acl4inside permit tcp host 192.168.11.1 eq www any

access-list acl4inside permit tcp host 192.168.11.1 eq 53 any

access-list acl4inside permit tcp host 192.168.11.1 eq 443 any

access-list acl4inside permit tcp host 192.168.11.1 eq 20 any

.........

.......etc

This will go to 28 lines, while the new syntax is supposed to do the same in a smaller number of lines.

What have I done wrong?

5 Replies

mostiguy
Level 6

You aren't comparing apples to apples. Your acl statement that uses object groups has any in a different place - it says from these hosts, on any ports, make connections to any machines on object-group norm_allow_ports.

I think that:

access-list acl4inside permit tcp object-group norm_nat_hosts object-group norm_allow_port any

will do what you are seeking - allow norm_nat_hosts to make connections to anyone from only norm_allow_ports

My objective is to convert from old outbound to new access-list and then deploy the object-group to simplify the configuration. The details are as follows:

Old configuration:

global (outside) 1 62.12.4.19

nat (inside) 1 192.168.11.11 255.255.255.255 0 0

outbound 10 deny 0.0.0.0 0.0.0.0 0 tcp

outbound 10 permit 192.168.11.11 255.255.255.255 80 tcp

apply (inside) 10 outgoing_src

New syntax:

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000

global (outside) 1 62.12.4.19

nat (inside) 1 192.168.11.11 255.255.255.255 0 0

access-list 101 permit tcp host 192.168.11.11 any eq 80

access-group 101 in interface inside

route outside 0.0.0.0 0.0.0.0 62.12.4.1 1

In the first case only port 80 is allowed out. All others are blocked. In the new syntax, all ports are allowed out from 192.168.11.11/24 on the inside interface.

What is wrong in this configuration? I am using PIX 6.2(2)

This config should be blocking any traffic that is initiated from this internal host unless it has a destination port of 80 (http). What are you seeing that shows all ports are allowed out? Can you show us the syslog in the PIX that shows a connection being built outbound from this host for a port other than 80 please?

I have done the following:

access-list 101 permit tcp host 192.168.11.11 any eq 80

access-list 101 deny ip any any

access-group 101 in interface inside

After some testing (for ports www, smtp, ssh etc.), the show access-list command gives the following output:

access-list 101 permit tcp host 192.168.11.11 any eq www (hitcnt=0)

access-list 101 deny ip any any (hitcnt=46)

This would be interpreted as follows (I guess) - all ports are going to the deny statement rather than allowing port 80 traffic.

This happens when the access-list is applied to the inside interface. If not applied, then all ports are allowed, as traffic from the more secure interface is allowed by default to go to the less secure interface. If applied, nothing is allowed to go out... why?

What next?

The objective (say) is to browse - i.e. one will try to send packets to the destination IP's port 80 from the source IP's higher ports.

Since the syntax is:

access-list <name> permit tcp <source ip> <destination ip> <destination port>

So, it will be in this case

access-list acl4inside permit tcp object-group norm_nat_hosts any object-group norm_allow_ports

where

object-group norm_nat_hosts = source ip

any = destination ip

group norm_allow_ports = destination port
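The whole thread turns on where the port clause sits in a PIX 6.x ACE: `src [src-port] dst [dst-port]`. The following Python model is an added example, not code from the thread or from Cisco; it parses the `tcp` ACE forms used above (`host`, `any`, `object-group`, `eq <port>`), expands network and service groups into individual entries the way `show access-list` does, and evaluates a constructed outbound HTTP connection (192.168.11.1, ephemeral port 40000, to 10.0.0.5:80) and a telnet attempt against the original poster's ACE, the per-host ACE, and the ACE suggested in the reply (written here with the group name `norm_allow_ports` as defined in the original post). The toy parser covers only those forms, not the full PIX grammar.

```python
"""Toy model of PIX 6.x tcp ACE expansion and first-match evaluation.
Added example; assumptions: only the ACE forms seen in the thread are parsed,
and the sample connections below are constructed, not taken from a real PIX."""
import ipaddress

# Port keywords the PIX resolves, as they appear in the thread (subset).
PORT_NAMES = {"www": 80, "http": 80, "domain": 53, "https": 443,
              "ftp-data": 20, "ftp": 21, "smtp": 25, "ssh": 22, "telnet": 23}

def port_number(tok):
    """Resolve a port keyword or numeric string to an int."""
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)

class ObjectGroups:
    """Holds 'object-group network' and 'object-group service' definitions."""
    def __init__(self):
        self.network = {}   # name -> list of ip_network
        self.service = {}   # name -> list of port ints

    def load(self, text):
        current = None
        for raw in text.splitlines():
            t = raw.split()
            if not t:
                continue
            if t[0] == "object-group":
                current = t[2]
                (self.network if t[1] == "network" else self.service)[current] = []
            elif t[0] == "network-object":       # "network-object A MASK"
                self.network[current].append(ipaddress.ip_network(f"{t[1]}/{t[2]}", strict=False))
            elif t[0] == "port-object":          # only the "eq PORT" form is modelled
                self.service[current].append(port_number(t[2]))

def parse_ace(line, groups):
    """Expand 'access-list NAME permit|deny tcp SRC [SPORT] DST [DPORT]' into
    (action, src_net, src_port, dst_net, dst_port) tuples; a port of None means any."""
    t = line.split()
    assert t[0] == "access-list" and t[3] == "tcp", "only tcp ACEs are modelled"
    pos = 4

    def take_addr():
        nonlocal pos
        if t[pos] == "any":
            pos += 1
            return [ipaddress.ip_network("0.0.0.0/0")]
        if t[pos] == "host":
            pos += 2
            return [ipaddress.ip_network(t[pos - 1] + "/32")]
        if t[pos] == "object-group":
            pos += 2
            return groups.network[t[pos - 1]]
        pos += 2                                  # plain "A MASK"
        return [ipaddress.ip_network(f"{t[pos - 2]}/{t[pos - 1]}", strict=False)]

    def take_port():
        nonlocal pos
        if pos < len(t) and t[pos] == "eq":
            pos += 2
            return [port_number(t[pos - 1])]
        # An object-group here is a port clause only if it names a service group.
        if pos + 1 < len(t) and t[pos] == "object-group" and t[pos + 1] in groups.service:
            pos += 2
            return groups.service[t[pos - 1]]
        return [None]

    src, sport, dst, dport = take_addr(), take_port(), take_addr(), take_port()
    assert pos == len(t), f"unparsed tokens: {t[pos:]}"
    return [(t[2], s, sp, d, dp) for s in src for sp in sport for d in dst for dp in dport]

class AccessList:
    """Ordered ACEs with per-line hit counters; first match wins, implicit deny at the end."""
    def __init__(self, groups):
        self.groups, self.entries = groups, []

    def add(self, line):
        self.entries.append([line, parse_ace(line, self.groups), 0])

    def check(self, src_ip, src_port, dst_ip, dst_port):
        s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        for entry in self.entries:
            for action, sn, sp, dn, dp in entry[1]:
                if s in sn and d in dn and sp in (None, src_port) and dp in (None, dst_port):
                    entry[2] += 1
                    return action
        return "deny"

    def show(self):
        return [f"{line} (hitcnt={hits})" for line, _, hits in self.entries]

# Object groups exactly as defined in the original post.
GROUPS = """
object-group network norm_nat_hosts
  network-object 192.168.11.1 255.255.255.255
  network-object 192.168.11.2 255.255.255.255
  network-object 192.168.11.3 255.255.255.255
  network-object 192.168.11.4 255.255.255.255
object-group service norm_allow_ports tcp
  port-object eq www
  port-object eq domain
  port-object eq https
  port-object eq ftp-data
  port-object eq ftp
  port-object eq 8100
  port-object eq 8080
"""
FORMS = {
    "poster":   "access-list acl4inside permit tcp object-group norm_nat_hosts any object-group norm_allow_ports",
    "per-host": "access-list acl4inside permit tcp host 192.168.11.1 eq www any",
    "reply":    "access-list acl4inside permit tcp object-group norm_nat_hosts object-group norm_allow_ports any",
}

def load_groups():
    g = ObjectGroups()
    g.load(GROUPS)
    return g

def expanded_count():
    """How many single-host/single-port entries the poster's one-line ACE stands for."""
    return len(parse_ace(FORMS["poster"], load_groups()))

def browse_results():
    """(HTTP verdict, telnet verdict) for each ACE form; both connections are constructed."""
    out = {}
    for label, line in FORMS.items():
        acl = AccessList(load_groups())
        acl.add(line)
        out[label] = (acl.check("192.168.11.1", 40000, "10.0.0.5", 80),
                      acl.check("192.168.11.1", 40000, "10.0.0.5", 23))
    return out

if __name__ == "__main__":
    print("expanded entries:", expanded_count())
    for label, verdicts in browse_results().items():
        print(f"{label:9s} http={verdicts[0]} telnet={verdicts[1]}")
```

Only the poster's form permits the browsing connection and still denies telnet, because its `any object-group norm_allow_ports` is a destination-address plus destination-port clause; the per-host form and the reply's form both put the port before the destination, so they match on the source port and never see the ephemeral-port browser traffic. The expansion count of 28 is the four hosts times seven ports, which is the same number of per-host lines the original poster counted.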
