
ACL on Pix7

hi everybody,

does anyone see what's wrong with the acl? although udp 500 is allowed, the pix blocks the traffic.

net1 - pix1 - router - pix2 - net2

%PIX-7-710005: UDP request discarded from 10.4.1.1/1024 to outside:10.2.1.1/500

%PIX-7-710005: UDP request discarded from 10.4.1.1/1024 to outside:10.2.1.1/500

%PIX-7-710005: UDP request discarded from 10.4.1.1/1024 to outside:10.2.1.1/500

Pix-1(config)# sal

access-list BLOCK_OUTSIDE; 7 elements

access-list BLOCK_OUTSIDE line 1 extended permit udp host 10.4.1.1 host 10.2.1.1 eq isakmp log debugging

access-list BLOCK_OUTSIDE line 2 extended permit esp host 10.4.1.1 host 10.2.1.1 log debugging

access-list BLOCK_OUTSIDE line 3 extended permit ah host 10.4.1.1 host 10.2.1.1 log debugging

access-list BLOCK_OUTSIDE line 4 extended permit ah host pix2 host 10.2.1.1 log debugging

access-list BLOCK_OUTSIDE line 5 extended permit esp host pix2 host 10.2.1.1 log debugging

access-list BLOCK_OUTSIDE line 6 extended permit udp host pix2 host 10.2.1.1 eq isakmp log debugging

access-list BLOCK_OUTSIDE line 7 extended deny ip any any log debugging

access-list BLOCK_INSIDE; 2 elements

access-list BLOCK_INSIDE line 1 extended permit tcp host A host B eq telnet log debugging

access-list BLOCK_INSIDE line 2 extended deny ip any any log debugging

Pix-1(config)# siib

Interface IP-Address OK? Method Status Protocol

Ethernet0 10.1.1.2 YES CONFIG up up

Ethernet1 10.2.1.1 YES CONFIG up up

Pix-1(config)# sn

Interface Name Security

Ethernet0 inside 100

Ethernet1 outside 0

Pix-1(config)# sag

access-group BLOCK_INSIDE in interface inside

access-group BLOCK_OUTSIDE in interface outside

any ideas?

tia

tom

3 REPLIES

Re: ACL on Pix7

what device does the address 10.2.1.1 belong to?

is that the inside interface of the pix?

if so, you need to terminate the vpn on the outside interface, and in which case you don't need your acl entries allowing udp/esp/ah to 10.2.1.1 (which should actually be 10.1.1.2 i believe).


Re: ACL on Pix7

Pix-1(config)# siib

Interface IP-Address OK? Method Status Protocol

Ethernet0 10.1.1.2 YES CONFIG up up

Ethernet1 10.2.1.1 YES CONFIG up up

Pix-1(config)# sn

Interface Name Security

Ethernet0 inside 100

Ethernet1 outside 0

Pix-1(config)# sag

access-group BLOCK_INSIDE in interface inside

access-group BLOCK_OUTSIDE in interface outside

it's the outside interface of pix1.

i sure need the acl entries allowing that traffic, cause i've got a "blocking all ip traffic inside" entry on the inside and the outside interface. i don't want any traffic to be allowed except i allow it explicitly. the default is to allow traffic from higher security-level to lower security-level. but i prefer the "checkpoint-default": everything is blocked unless you allow it by a rule.

i hope it's a little bit clearer now.


Re: ACL on Pix7

If you are terminating a VPN on the outside of the PIX, you'll need to enable ISAKMP on the outside interface as follows:

crypto isakmp enable outside

This will allow UDP/500 to the outside without it having to be specified in the ACL.
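The mechanism behind that answer, as an added illustration that is not part of the thread and not Cisco code: a simplified model of how the PIX treats a packet addressed to one of its own interface IPs ("to-the-box") versus a packet passing through it. The rule set is taken from the show access-list output above; the interface-ownership check is reduced to a plain set of the PIX's own addresses, which is an assumption of the model.

```python
# Simplified model (assumption, not PIX internals): a packet whose destination is
# one of the appliance's own interface addresses never reaches the interface ACL;
# it is accepted only if the matching service (e.g. ISAKMP) is enabled there.
SERVICE_PORTS = {"isakmp": ("udp", 500), "telnet": ("tcp", 23)}

# Copied from the thread's BLOCK_OUTSIDE list (the pix2 lines omitted for brevity).
ACL_OUTSIDE = """
permit udp host 10.4.1.1 host 10.2.1.1 eq isakmp
permit esp host 10.4.1.1 host 10.2.1.1
permit ah host 10.4.1.1 host 10.2.1.1
deny ip any any
"""

def _addr(tokens, i):
    """Return (address, next_index) for 'any' or 'host X'."""
    if tokens[i] == "any":
        return "any", i + 1
    return tokens[i + 1], i + 2

def parse_acl(text):
    """Parse 'permit|deny proto src dst [eq service]' lines into rule tuples."""
    rules = []
    for n, line in enumerate(text.strip().splitlines(), 1):
        t = line.split()
        src, i = _addr(t, 2)
        dst, i = _addr(t, i)
        port = SERVICE_PORTS[t[i + 1]][1] if i < len(t) and t[i] == "eq" else None
        rules.append((n, t[0], t[1], src, dst, port))
    return rules

def acl_lookup(rules, proto, src, dst, dport):
    """First-match evaluation; every PIX ACL ends with an implicit deny."""
    for n, action, rproto, rsrc, rdst, rport in rules:
        if rproto not in ("ip", proto) or rsrc not in ("any", src) or rdst not in ("any", dst):
            continue
        if rport is not None and rport != dport:
            continue
        return action, n
    return "deny", None

def classify(pkt, rules, own_ips, enabled_services):
    """pkt = (proto, src, dst, dport). Returns (verdict, reason)."""
    proto, src, dst, dport = pkt
    if dst in own_ips:  # to-the-box: the ACL is not consulted at all
        for svc, (sproto, sport) in SERVICE_PORTS.items():
            if (sproto, sport) == (proto, dport) and svc in enabled_services:
                return "accepted", "to-the-box: %s enabled on interface" % svc
        return "discarded", "to-the-box: no service listening (%PIX-7-710005)"
    action, n = acl_lookup(rules, proto, src, dst, dport)
    return action, "through-the-box: ACL line %s" % (n if n else "implicit deny")
```

With `isakmp` absent from the enabled set, the thread's packet (udp 10.4.1.1:1024 to 10.2.1.1:500) is discarded even though ACL line 1 permits it; adding `isakmp` to the set (the effect of `crypto isakmp enable outside`) makes it accepted.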
