New Member

Pix 501 Help

I have a public IP address P.P.P.P that I do not want anyone from the outside to access except 3 remote users with Static IPs on port 22 open outbound from P.P.P.P to the 3 static IPs.

I have created an object-group network called Tac with the 3 IPs

object-group network Tac

network-object host X.X.X.X

network-object host X.X.X.X

network-object host X.X.X.X

Can anyone help me with the next steps?

Thank you

Gabrielle

16 REPLIES
Green

Re: Pix 501 Help

Gabrielle,

Could you rephrase what you are looking to do? I think you want to allow the 3 addresses to your public IP on port 22? I'm confused because you said "outbound from". Thanks.

New Member

Re: Pix 501 Help

Sorry I didn't mean outbound. I only want the 3 addresses to have access from the outside. Thanks

Re: Pix 501 Help

access-list outside_access_in permit tcp object-group Tac host P.P.P.P eq 22

access-group outside_access_in in interface outside

This will create an ACL to allow the 3 addresses in your object-group to access the firewall via SSH.

HTH and please rate.

Green

Re: Pix 501 Help

Are you sure about that Collin? The ACL does not restrict traffic terminating on the outside interface, only traffic traversing interfaces. If she wanted to restrict ssh to the outside of the firewall she would have to do "ssh x.x.x.x outside". I'm assuming she has a static for the outside interface to some ssh server inside.

New Member

Re: Pix 501 Help

Let me start over - I have a public IP Address P.P.P.P on a device that I need 3 people around the world to access on port 22.

I have created an object-group network called Tac with the 3 IPs

object-group network Tac

network-object host X.X.X.X - the public IP of other networks

network-object host X.X.X.X

network-object host X.X.X.X

Can anyone help me with the next steps?

Thanks

Gabrielle

Green

Re: Pix 501 Help

What Collin wrote above is what you need...

access-list outside_access_in permit tcp object-group Tac host P.P.P.P eq 22

access-group outside_access_in in interface outside

Also you need a static translation for P.P.P.P to the inside address of your server. If P.P.P.P = 1.1.1.1 and the inside address of the server is 192.168.1.1 then...

static (inside,outside) 1.1.1.1 192.168.1.1 netmask 255.255.255.255

New Member

Re: Pix 501 Help

We want to deny all traffic EXCEPT port 22 (ssh) to that Public IP Address. Sorry they keep changing things on me.

Thanks

Gabrielle

Re: Pix 501 Help

The commands above will only allow port 22!

New Member

Re: Pix 501 Help

I added the access-lists

access-list outside_in permit tcp object-group MeTac host Tac-Outside eq https

access-list outside_in permit tcp object-group Tac host Tac-Outside eq telnet

access-list outside_in permit tcp object-group Tac host Tac-Outside eq ssh

static (inside,outside) Tac-Outside Tac-Inside netmask 255.255.255.255 0 0

I can still access the P.P.P.P over the internet - Did I need to add a DENY in there?

Green

Re: Pix 501 Help

So Tac-Outside = P.P.P.P?

With those acl entries you should only be able to hit Tac-Outside with https, telnet and ssh, that's it.

Also, your access-group command should be

access-group outside_in in interface outside

New Member

Re: Pix 501 Help

name 10.0.0.X Inside

name P.P.P.P Outside ** Public IP Address

object-group network Tac

network-object host X.X.X.X

network-object host X.X.X.X

network-object host X.X.X.X

access-list outside_in permit tcp object-group Meta_Tac host Meta-Outside eq www

access-list outside_in permit tcp object-group MetTac host Outside eq https

access-list outside_in permit tcp object-group Tac host Outside eq telnet

access-list outside_in permit tcp object-group Tac host Outside eq ssh

static (inside,outside) Outside Inside netmask 255.255.255.255 0 0

** The Problem I am having is that everyone can still access the "DEVICE" with any IP and not those that were specified in the above Object-Group.

Re: Pix 501 Help

OK,

Let's forget the object-group and get this into its simplest form.

1st we'll create the static translation. This will translate your outside address to your inside address. The 1.1.1.1 is our outside address.

static (inside,outside) tcp 1.1.1.1 22 192.168.1.10 22 netmask 255.255.255.255

Next, let's create the access-list that only allows the 3 addresses you want to allow. For the example I'll want to allow 2.2.2.2, 3.3.3.3, and 4.4.4.4. There is an implicit deny at the end so we do not have to enter one.

access-list OUTSIDE_ACCESS_IN permit tcp host 2.2.2.2 host 1.1.1.1 eq 22

access-list OUTSIDE_ACCESS_IN permit tcp host 3.3.3.3 host 1.1.1.1 eq 22

access-list OUTSIDE_ACCESS_IN permit tcp host 4.4.4.4 host 1.1.1.1 eq 22

Finally we need to apply the ACL to an interface and in a direction.

access-group OUTSIDE_ACCESS_IN in interface outside

That should do it.
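The two points made in this thread (an access-list only takes effect once it is applied with access-group, and every object-group an access-list names has to exist) can be checked mechanically. The following is an added example, not code from Cisco or from anyone in the thread: a small Python model of the PIX 6.x syntax used above, with first-match evaluation and the implicit deny. The function names, the subset of syntax it parses (host and object-group endpoints only, no "any") and the sample config are assumptions.

```python
# Hypothetical linter/evaluator for the PIX 6.x subset used in this thread; not Cisco code.
PORTS = {"ssh": 22, "telnet": 23, "www": 80, "http": 80, "https": 443}
def parse_config(text):
    """Collect name labels, object-groups, access-list entries and access-group bindings (static lines are ignored)."""
    cfg, group, names = {"groups": {}, "acls": {}, "bound": {}}, None, {}
    for tok in (l.split() for l in text.splitlines() if l.strip()):
        if tok[0] == "name":                            # name <ip> <label>
            names[tok[2]] = tok[1]
        elif tok[:2] == ["object-group", "network"]:
            group = cfg["groups"].setdefault(tok[2], set())
        elif tok[:2] == ["network-object", "host"]:
            group.add(names.get(tok[2], tok[2]))
        elif tok[0] == "access-list":                   # access-list N permit tcp SRC DST [eq PORT]
            src = (tok[4], names.get(tok[5], tok[5]))   # ('host', ip) or ('object-group', group name)
            dst = (tok[6], names.get(tok[7], tok[7]))
            port = int(PORTS.get(tok[9], tok[9])) if tok[8:9] == ["eq"] else None
            cfg["acls"].setdefault(tok[1], []).append((tok[2], src, dst, port))
        elif tok[0] == "access-group":                  # access-group N in interface IF
            cfg["bound"][tok[4]] = tok[1]
    return cfg
def _match(ep, ip, groups):
    kind, val = ep
    return (kind == "host" and val == ip) or (kind == "object-group" and ip in groups.get(val, ()))
def evaluate(cfg, iface, src, dst, port):
    """First match wins and the list ends in an implicit deny; 'no_acl' when nothing is bound on iface."""
    acl = cfg["bound"].get(iface)
    if acl is None:
        return "no_acl"
    for action, s, d, p in cfg["acls"].get(acl, []):
        if _match(s, src, cfg["groups"]) and _match(d, dst, cfg["groups"]) and p in (None, port):
            return action
    return "deny"
def check_config(cfg):
    """Flag ACLs never applied with access-group and entries naming an undefined object-group."""
    out = [f"access-list {n} is never applied with access-group" for n in cfg["acls"] if n not in cfg["bound"].values()]
    for n, entries in cfg["acls"].items():
        out += [f"access-list {n} references undefined object-group {v}" for _, s, d, _ in entries
                for k, v in (s, d) if k == "object-group" and v not in cfg["groups"]]
    return out
# Constructed sample following the thread's working answer (three hosts -> 1.1.1.1 on port 22).
SAMPLE = """name 1.1.1.1 Outside
object-group network Tac
network-object host 2.2.2.2
network-object host 3.3.3.3
network-object host 4.4.4.4
access-list outside_in permit tcp object-group Tac host Outside eq ssh
access-group outside_in in interface outside
"""
```

Running check_config over a config that names an object-group with a typo, or that has no access-group line, reports both problems; evaluate then shows the listed hosts permitted on 22 and everything else denied.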

New Member

Re: Pix 501 Help

Ok, I entered exactly what you have but I can still access the device with HTTP. My thought is that the public IP address is actually on the device. Which it needs to be. Any thoughts?

Re: Pix 501 Help

OK. I bet you're using SDM and that application is tied to the outside interface. You need to apply an ACL to HTTP to prevent everyone accessing it. It's used for management so it's handled a little differently.

Try this to restrict HTTP/SDM.

http 10.10.10.115 255.255.255.255 inside

This example will only allow 10.10.10.115 to access SDM from the inside! Make sure you put your IP in first.

New Member

Re: Pix 501 Help

Not using SDM.

Re: Pix 501 Help

What web page are you seeing?
