Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
375
Views
10
Helpful
3
Replies

515e ACL Security Question

johnnymac
Level 1
Level 1

‎07-01-2007 08:37 AM - edited ‎03-11-2019 03:38 AM

Hi,

An outside company have done some configuration on one of our Pix 515e's to enable traffic from two of our public IP's to pass to a Citrix access gateway and a mail server.

My question is really around the ACL they have applied to the outside interface. This is there config.

access-list outside_access_in extended permit ip any host 88.97.xx.xx

access-list outside_access_in extended permit ip any host 88.97.xx.xx

access-group outside_access_in in interface outside

static (inside,outside) tcp 88.97.xx.xx www 192.168.100.230 www netmask 255.255.255.255

static (inside,outside) tcp 88.97.xx.xx https 192.168.100.230 https netmask 255.255.255.255

static (inside,outside) tcp 88.97.xx.xx smtp 192.168.100.144 smtp netmask 255.255.255.255

static (inside,outside) tcp 88.97.xx.xx https 192.168.100.144 https netmask 255.255.255.255

static (inside,outside) tcp 88.97.xx.xx www 192.168.100.144 81 netmask 255.255.255.255

I am concerned that the outside_access_in ACL permits any to either address. i would personally normally permit the services specifically and deny anything else, Would the NAT statements prevent any unwanted traffic? or would such an open ACL on the outside int still leave us vunerable?

Also I cannot see the Alias command present which I used when configuring a citrix gateway on a 515e into a DMZ, is that only required when using a DMZ?

Kind Regards

J Mack

Labels:
0 Helpful
3 Replies 3

JBDanford2002
Level 1
Level 1

‎07-01-2007 12:12 PM

The Access Control Entries will allow all traffic but since there are only translations for specific ports the traffic not defined by a xlate entry will get dropped on a xlate lookup. Really the best thing is to be specific with your ACEs. Can be helpful with ACL counters, rule specific logging etc...

The alias command does DNAT and DNS doctoring. Neither is required for Citrix. You may have had to use it for a specific reason but There usually is a way around having to use it.

johnnymac
Level 1
Level 1
In response to JBDanford2002

‎07-02-2007 03:34 AM

Hi,

Thanks alot, So at the moment there is not a security risk? However best practice would be to be specific on the Outside ACL.

Thanks

J Mack.

0 Helpful

Jon Marshall
Hall of Fame
Hall of Fame
In response to johnnymac

‎07-02-2007 03:43 AM

Hi

As Joe has said the NAT transaltions will only allow through those specific ports so no there is not a greater security risk but i agree wholehearteldy with Joe in that you really should do this will acl's and not translations. Simply because the nat translation are a more indirect way of controlling access than using acl's applied to the interface and it would be easier in my opinion to make a config error.

HTH

Jon

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card