
New Member

515e ACL Security Question

Hi,

An outside company has done some configuration on one of our PIX 515Es to enable traffic from two of our public IPs to pass to a Citrix Access Gateway and a mail server.

My question is really around the ACL they have applied to the outside interface. This is their config.

access-list outside_access_in extended permit ip any host 88.97.xx.xx
access-list outside_access_in extended permit ip any host 88.97.xx.xx
access-group outside_access_in in interface outside
static (inside,outside) tcp 88.97.xx.xx www 192.168.100.230 www netmask 255.255.255.255
static (inside,outside) tcp 88.97.xx.xx https 192.168.100.230 https netmask 255.255.255.255
static (inside,outside) tcp 88.97.xx.xx smtp 192.168.100.144 smtp netmask 255.255.255.255
static (inside,outside) tcp 88.97.xx.xx https 192.168.100.144 https netmask 255.255.255.255
static (inside,outside) tcp 88.97.xx.xx www 192.168.100.144 81 netmask 255.255.255.255

I am concerned that the outside_access_in ACL permits any to either address. I would personally normally permit the services specifically and deny anything else. Would the NAT statements prevent any unwanted traffic, or would such an open ACL on the outside interface still leave us vulnerable?

Also I cannot see the alias command present, which I used when configuring a Citrix gateway on a 515E into a DMZ. Is that only required when using a DMZ?

Kind Regards

J Mack

3 REPLIES
New Member

Re: 515e ACL Security Question

The Access Control Entries will allow all traffic, but since there are only translations for specific ports, traffic not defined by an xlate entry will get dropped on the xlate lookup. Really the best thing is to be specific with your ACEs. It can be helpful with ACL counters, rule-specific logging etc.

The alias command does DNAT and DNS doctoring. Neither is required for Citrix. You may have had to use it for a specific reason, but there usually is a way around having to use it.

New Member

Re: 515e ACL Security Question

Hi,

Thanks a lot. So at the moment there is not a security risk? However, best practice would be to be specific on the outside ACL.

Thanks

J Mack.

Hall of Fame Super Blue

Re: 515e ACL Security Question

Hi

As Joe has said, the NAT translations will only allow through those specific ports, so no, there is not a greater security risk, but I agree wholeheartedly with Joe in that you really should do this with ACLs and not translations. Simply because NAT translations are a more indirect way of controlling access than using ACLs applied to the interface, and it would be easier in my opinion to make a config error.

HTH

Jon
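The point both replies make, that the open ACL is currently harmless only because the port statics gate what can be translated, and that a later config change can silently remove that gate, is easy to see in a small model. The following is an added example written for this thread, not PIX code or anything posted by the participants. It models the two inbound steps the replies describe (interface ACL check, then xlate lookup) and compares the thread's open ACL with a port-specific one, first against the posted statics and then after a hypothetical whole-host static is added by mistake. The outside addresses 203.0.113.10 and 203.0.113.11 are constructed stand-ins for the masked 88.97.xx.xx values; the inside hosts and ports are the ones in the posted config.

```python
"""Toy model of PIX inbound processing on the outside interface.

Order of checks, as described in the thread:
  1. inbound ACL applied with access-group ... in interface outside
  2. lookup of a static translation (xlate) for the destination
Constructed example; it is not the PIX implementation.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Ace:
    proto: str              # "ip" (any protocol) or "tcp"
    dst: str                # outside (public) destination host
    dport: Optional[int]    # None = any destination port

@dataclass(frozen=True)
class Static:
    proto: str              # "tcp" for a port static, "ip" for a whole-host static
    outside_ip: str
    outside_port: Optional[int]   # None for a whole-host static
    inside_ip: str
    inside_port: Optional[int]    # None for a whole-host static

@dataclass(frozen=True)
class Packet:
    proto: str
    dst: str
    dport: int

def acl_permits(acl: List[Ace], pkt: Packet) -> bool:
    """First matching ACE wins; no match means the implicit deny."""
    for ace in acl:
        if ace.proto not in ("ip", pkt.proto):
            continue
        if ace.dst != pkt.dst:
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        return True
    return False

def find_xlate(statics: List[Static], pkt: Packet) -> Optional[Tuple[str, int]]:
    """Return (inside_ip, inside_port) if a static covers this destination."""
    for s in statics:
        if s.outside_ip != pkt.dst:
            continue
        if s.proto == "ip":                      # whole-host static: every port
            return (s.inside_ip, pkt.dport)
        if s.proto == pkt.proto and s.outside_port == pkt.dport:
            return (s.inside_ip, s.inside_port)  # port static: that port only
    return None

def process_inbound(acl: List[Ace], statics: List[Static], pkt: Packet):
    """Outcome of an inbound packet: ACL first, then the xlate lookup."""
    if not acl_permits(acl, pkt):
        return ("denied-by-acl", None)
    xlate = find_xlate(statics, pkt)
    if xlate is None:
        return ("dropped-no-xlate", None)
    return ("forwarded", xlate)

# Constructed public addresses standing in for the masked 88.97.xx.xx values.
GW, MAIL = "203.0.113.10", "203.0.113.11"

# The posted statics (www=80, https=443, smtp=25).
STATICS = [
    Static("tcp", GW, 80, "192.168.100.230", 80),
    Static("tcp", GW, 443, "192.168.100.230", 443),
    Static("tcp", MAIL, 25, "192.168.100.144", 25),
    Static("tcp", MAIL, 443, "192.168.100.144", 443),
    Static("tcp", MAIL, 80, "192.168.100.144", 81),
]

# Hypothetical config error: someone later adds a whole-host static for the gateway.
STATICS_WITH_ERROR = STATICS + [Static("ip", GW, None, "192.168.100.230", None)]

# The ACL as posted: permit ip any host <addr>.
OPEN_ACL = [Ace("ip", GW, None), Ace("ip", MAIL, None)]

# The ACL the replies recommend: only the published services.
SPECIFIC_ACL = [
    Ace("tcp", GW, 80), Ace("tcp", GW, 443),
    Ace("tcp", MAIL, 25), Ace("tcp", MAIL, 443), Ace("tcp", MAIL, 80),
]

if __name__ == "__main__":
    probes = [Packet("tcp", GW, 443), Packet("tcp", GW, 22), Packet("tcp", MAIL, 3389)]
    for label, statics in (("posted statics", STATICS), ("after whole-host static", STATICS_WITH_ERROR)):
        for name, acl in (("open ACL", OPEN_ACL), ("specific ACL", SPECIFIC_ACL)):
            for p in probes:
                print(f"{label:24} {name:13} {p.dst}:{p.dport:<5} -> {process_inbound(acl, statics, p)}")
```

With the posted statics both ACLs give the same result for every probe (the published ports are forwarded, anything else is dropped at the xlate lookup), which is why the replies say there is no extra risk today. Once the whole-host static is added, the open ACL forwards any port to 192.168.100.230 while the specific ACL still denies everything but 80 and 443, which is the "easier to make a config error" point in Jon's reply.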
