Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
New Member

pix ver 6.3 Access list

Thank you for taking the time to read this post. I'll admit up front I'm just starting working on the PIX.

I need to restrict a range of IP's to only go to one address on our network.

I created a new address pool and a new vpngroup which pulls the IP address from the new pool. (10.6.228.160 /28)

Below is the first two lines for the ACL that is applied to inbound traffic on the inside interface.

access-list inbound permit ip host 10.6.128.220 10.6.228.160 255.255.255.240

access-list inbound deny ip any 10.6.228.160 255.255.255.240

Shouldn't line 2 stop traffic from any other source destined for 10.6.228.160 /28? Or do I have something backwards? I ask as I can still access other network resources when I log in using the new group.

10 REPLIES
New Member

Re: pix ver 6.3 Access list

Hi,

let's see if I understood...

Everything works, right?

Your doubt is how you can access others IP address or other services that were not to be accessed by the address pool?

Note that the access to the pool is very permissive (permit ip).

New Member

Re: pix ver 6.3 Access list

The exsisting VPN groups work fine. The new group allows me to log in, but gives me too much access to the network. I can access other IP addresses on the network rather than just the one.

Once I get the ACL working which limits to the one IP address, I get more restrictive with the ports.

New Member

Re: pix ver 6.3 Access list

I don't understand anything else.

Your LAN is 10.6.128.220 or 10.6.228.160/28?

Execute the command show "access-list" and look for "hit-counts" you will see which access-list are getting access.

New Member

Re: pix ver 6.3 Access list

The address on the LAN that the external user needs to access is 10.6.128.220. The 10.6.228.160/28 is the range of addresses given the to external users when they connect to the PIX VPN.

New Member

Re: pix ver 6.3 Access list

Hi scootertgm,

I don't know how your configuration it's work but the access-list is wrong.

You need this:

access-list inbound permit tcp 10.6.228.160 255.255.255.240 host 10.6.128.220 eq (service_you_need)

access-list inbound deny ip any 10.6.228.160 255.255.255.240

Because, you have the VPN tunel and the 10.6.228.160/28 addresses need access the 10.6.128.220 addresses. Verify all services they need acccess and create a object-group to be more easy.

If you must allow the addresses of the VPN to access more resources on your network don't forget the minimum privileges and use "permit ip" only for their last option.

New Member

Re: pix ver 6.3 Access list

I changed the access list line 1-4 to reflect the following:

access-list inbound permit tcp 10.6.228.160 255.255.255.240 host 10.6.128.220 eq www

access-list inbound permit udp 10.6.228.160 255.255.255.240 host 10.6.128.220 eq www

access-list inbound permit udp 10.6.228.160 255.255.255.240 host 10.6.128.220 eq 44818

access-list inbound deny ip any 10.6.228.160 255.255.255.240

Below shows my vpn adapter is getting the correct ip address:

Connection-specific DNS Suffix . : xxxxxx

IP Address. . . . . . . . . . . . : 10.6.228.161

Subnet Mask . . . . . . . . . . . : 255.255.255.240

Default Gateway . . . . . . . . . : 10.6.228.161

C:\>

I still am able to access resources on the network other than just the specified address.

New Member

Re: pix ver 6.3 Access list

Hi,

where is this ACL applied? i eman in which interface on what direction is this applied.

Practice is to apply the ACL blocking at the source. meaning apply te ACL in the interface in which the users will come in.

New Member

Re: pix ver 6.3 Access list

I think you just have your access-list applied to the wrong place.

The VPN group pool (10.6.228.160/28) is coming from the outside interface so you should apply the access-list on that interface (inbound). If you want to limit what an user on your network can access on the remote VPN user then you would use your example (I'm not sure what it is that you want).

Also verify that if you are not bypassing the access-lists, which is the default configuration when you do a remote/site-to-site VPN.

Let me know if this helps.

Regards,

Paulo

New Member

Re: pix ver 6.3 Access list

The access list is applied to the inside interface on the inbound direction.

It's not a site-to-site vpn but rather a client based VPN.

If I am understanding, I should create a second ACL and apply it to the outside interface to restrict where the user can go?

New Member

Re: pix ver 6.3 Access list

I tried appling the ACL on the outside interface inbound, however it still did not block the traffic.

At this point I am having to restrict the traffic at the layer three switch on the next hop.

197
Views
0
Helpful
10
Replies
CreatePlease to create content