Cisco Support Community

New Member

ACL for Local Lan to Internet

Hi,

I would like to filter the traffic of my clients on the local LAN so that they can access the Internet with only these protocols: HTTP, HTTPS and DNS queries (only from IP 192.168.149.1).

I have tried to configure an ACL on my PIX and this is my sample configuration, but it does not work.

Why?

: Saved
: Written by enable_15 at 19:04:43.669 GMT Wed Sep 28 2005
PIX Version 7.0(2)
names
name 192.168.149.1 IperRouter
name 192.168.149.2 IperSwitch1
name 10.10.10.1 RouterISPTelecom
name 192.168.0.0 LocalLAN
!
interface Ethernet0
description Interfaccia Interna LOCAL
nameif inside
security-level 100
ip address 192.168.149.3 255.255.255.128
!
interface Ethernet1
description Interfaccia Esterna PUBBLIC
nameif outside
security-level 0
ip address 10.10.10.10 255.255.255.0
!
enable password xxxx
passwd xxxx
hostname IperPIX
domain-name sample.com
ftp mode passive
clock timezone GMT 1
object-group service USER-SERVICE tcp
port-object eq www
port-object eq domain
port-object eq https
access-list inside_out extended permit tcp 192.168.149.0 255.255.255.128 any object-group USER-SERVICE
pager lines 24
mtu inside 1500
mtu outside 1500
no failover
monitor-interface inside
monitor-interface outside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_out in interface inside
route outside 0.0.0.0 0.0.0.0 RouterISPTelecom 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username xxx password xxx privilege 15
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp
telnet 192.168.149.4 255.255.255.255 inside
telnet timeout 60
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:xxxx
: end

THANKS

  • Other Security Subjects
2 REPLIES
New Member

Re: ACL for Local Lan to Internet

Hi,

You mean to say 192.168.149.1 should be going online with object-group USER-SERVICE, right? Then this would help:

#access-list inside_out extended permit tcp host 192.168.149.1 any object-group USER-SERVICE

thanks

Re: ACL for Local Lan to Internet

I think you mixed up UDP 53 (DNS query) with DNS zone transfer TCP 53. That's why this does not work !!

Add this line to your Access-list:

access-list inside_out extended permit udp 192.168.149.0 255.255.255.128 any eq 53

Do not forget to remove zone transfer TCP 53 from the object group.

sincerely

Patrick

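To make the point of the question and of Patrick's reply concrete, here is an added example (my own code, not part of the thread or of any Cisco software) that evaluates the `access-list inside_out` lines from this page the way a PIX would: first matching entry wins, protocol must match, and anything left over hits the implicit deny. It parses only the ACE forms that appear on this page (permit/deny, tcp/udp, network plus mask, `host`, `any`, `eq PORT`, `object-group NAME`) and uses constructed sample flows whose Internet-side addresses are documentation ranges; the real PIX grammar is much richer than this toy parser.

```python
import ipaddress

# Service names as the PIX resolves them (only the ones used on this page).
PORT_NAMES = {"www": 80, "https": 443, "domain": 53}

# Object group as defined in the original post: 'object-group service USER-SERVICE tcp'
# with port-object eq www / domain / https.  The group itself is TCP-only.
ORIGINAL_GROUPS = {"USER-SERVICE": {80, 53, 443}}
# Same group after Patrick's advice: TCP 53 (zone transfer) removed.
FIXED_GROUPS = {"USER-SERVICE": {80, 443}}

ORIGINAL_ACL = [
    "access-list inside_out extended permit tcp 192.168.149.0 255.255.255.128 any object-group USER-SERVICE",
]
# Patrick's extra line permits the UDP/53 that ordinary DNS queries use.
FIXED_ACL = ORIGINAL_ACL + [
    "access-list inside_out extended permit udp 192.168.149.0 255.255.255.128 any eq 53",
]


def _parse_addr(tok, i):
    """Read 'any', 'host A.B.C.D' or 'A.B.C.D MASK' at tok[i]; return (network, next index)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    # PIX syntax gives a dotted subnet mask, which ipaddress accepts as the prefix part.
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def parse_ace(line, groups):
    """Parse 'access-list NAME extended permit|deny PROTO SRC DST [eq PORT | object-group GRP]'."""
    tok = line.split()
    if tok[0] != "access-list" or tok[2] != "extended":
        raise ValueError(f"unsupported line: {line}")
    name, action, proto = tok[1], tok[3], tok[4]
    src, i = _parse_addr(tok, 5)
    dst, i = _parse_addr(tok, i)
    ports = None                      # None means any destination port
    if i < len(tok) and tok[i] == "eq":
        p = tok[i + 1]
        ports = {int(p) if p.isdigit() else PORT_NAMES[p]}
    elif i < len(tok) and tok[i] == "object-group":
        ports = set(groups[tok[i + 1]])
    return {"name": name, "action": action, "proto": proto,
            "src": src, "dst": dst, "ports": ports}


def evaluate(acl_lines, groups, flow):
    """First matching ACE wins; an unmatched flow hits the implicit deny at the end of the list."""
    proto, src_ip, dst_ip, dst_port = flow
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in (parse_ace(line, groups) for line in acl_lines):
        if ace["proto"] != proto:     # a 'permit tcp' entry never matches a UDP datagram
            continue
        if src not in ace["src"] or dst not in ace["dst"]:
            continue
        if ace["ports"] is not None and dst_port not in ace["ports"]:
            continue
        return ace["action"]
    return "deny"


# Constructed sample flows from an inside client; 203.0.113.0/24 and 198.51.100.0/24
# are documentation ranges standing in for Internet hosts.
SAMPLE_FLOWS = {
    "http":          ("tcp", "192.168.149.10", "203.0.113.5", 80),
    "https":         ("tcp", "192.168.149.10", "203.0.113.5", 443),
    "dns_query":     ("udp", "192.168.149.10", "198.51.100.53", 53),
    "zone_transfer": ("tcp", "192.168.149.10", "198.51.100.53", 53),
    "smtp":          ("tcp", "192.168.149.10", "203.0.113.5", 25),
}


def compare():
    """Map each sample flow to (verdict under the original config, verdict under the fixed one)."""
    return {name: (evaluate(ORIGINAL_ACL, ORIGINAL_GROUPS, flow),
                   evaluate(FIXED_ACL, FIXED_GROUPS, flow))
            for name, flow in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for name, (before, after) in compare().items():
        print(f"{name:14s} original={before:6s} fixed={after}")
```

Running it shows the DNS query being dropped by the implicit deny under the original list (the only entry is `permit tcp`, so a UDP datagram never matches it) and permitted once the `permit udp ... eq 53` line is present, while removing `domain` from the TCP object group turns the tcp/53 flow from permitted into denied; web traffic is unchanged by the fix and SMTP is denied in both versions.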