
New Member

acl's step in the wrong direction...

Hey all, please forgive my ignorance on the PIX OS and ACLs, but I am missing something.

I start with a PIX out of the box. I can set it up with no ACLs and can browse the net, download Kazaa, etc., just like I thought. I apply 3 ACLs and I cannot do a thing. Below is the before config file, the commands I issued, and the after config file. A little background: the PIX is connected to a cable modem with a dynamic IP address. What am I missing?

Thanks in advance

XXXXXXXXXXX(config)# sh run
: Saved
:
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XXXXXXXXXXXXXXX encrypted
passwd XXXXXXXXXXXXXXX encrypted
hostname XXXXXXXXXXXX
domain-name XXXXXXXXXXXX
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.100.2 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.100.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet 192.168.100.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
dhcpd address 192.168.100.10-192.168.100.99 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:7b4ee383b106a8b8c60d546296d022df
: end

The commands

XXXXXXXXXXX(config)# access-l 100 permit tcp any any eq 80
XXXXXXXXXXX(config)# access-l 100 permit tcp any any eq 53
XXXXXXXXXXX(config)# access-l 100 permit tcp any any eq 110
XXXXXXXXXXX(config)# access-g 100 in interface inside

The after

XXXXXXXXXXXX(config)# sh run
: Saved
:
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XXXXXXXXXXXXXXXXX encrypted
passwd XXXXXXXXXXXXXXXX encrypted
hostname XXXXXXXXXXXXXX
domain-name XXXXXXXXXXXXXXX
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list 100 permit tcp any any eq www
access-list 100 permit tcp any any eq domain
access-list 100 permit tcp any any eq pop3
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.100.2 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group 100 in interface inside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.100.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet 192.168.100.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
dhcpd address 192.168.100.10-192.168.100.99 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:7b4ee383b106a8b8c60d546296d022df
: end

5 REPLIES
New Member

Re: acl's step in the wrong direction...

With that ACL applied to the inside interface the PIX is dropping all the traffic. You should not apply that at all; if you really need to control it, the ACL should look like:

access-list 100 deny ip any any

access-list 100 permit tcp any eq www any

access-list 100 permit tcp any any eq domain

access-list 100 permit tcp any any eq pop3

New Member

Re: acl's step in the wrong direction...

I have a little confusion: if we deny IP packets, how will it work at layer 4? I mean, wouldn't it be an implicit deny? Should we add permit ip any any at the end??

Silver

Re: acl's step in the wrong direction...

By default, PIXen allow all outbound traffic out, and nothing in (unless it is a stateful response to an outbound request). By applying an ACL to the inside interface, you restrict outbound traffic to only that which you explicitly permit in the ACL.

Silver

Re: acl's step in the wrong direction...

Your web traffic is allowed. However, your DNS is not. Instead of opening up UDP/53, you opened TCP/53. You need to open up UDP/53 for name resolution, and if you have an authoritative DNS server in your network, then TCP/53 is required to be opened for the zone transfer. So, just add the following line to your existing config and then you should be able to start browsing.

access-l 100 permit udp any any eq 53

After entering the above line, please execute "clear xlate" and "clear arp" if you still have any issues.
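To make the two points above concrete (an inbound ACL on the inside interface is evaluated top-down, the first match wins, and anything that matches nothing is dropped), here is a small first-match ACL evaluator written for this thread. It is an added illustration, not Cisco code and not the poster's config; it models only the "any any" entry form used in this thread and assumes the implicit deny at the end of a PIX access-list. It runs the poster's three-line ACL, the same ACL with the suggested udp/53 line, and the deny-first ordering from the earlier reply against a few constructed outbound flows, so you can see why only DNS over UDP was failing and what a deny at the top does to everything below it.

```python
"""First-match ACL evaluator modelling a PIX access-list applied with
'access-group ... in interface inside'. Added example for this thread;
assumptions: top-down evaluation, first match decides, unmatched = drop."""

from dataclasses import dataclass
from typing import Optional

# Service names that 'show run' substitutes for numeric ports (as in the after config).
PORT_NAMES = {"www": 80, "domain": 53, "pop3": 110, "smtp": 25}


@dataclass(frozen=True)
class Flow:
    proto: str      # "tcp", "udp" or "icmp"
    sport: int      # source port (0 for protocols without ports)
    dport: int      # destination port


@dataclass(frozen=True)
class Entry:
    action: str             # "permit" or "deny"
    proto: str              # "ip", "tcp", "udp" or "icmp"
    sport: Optional[int]    # None means any source port
    dport: Optional[int]    # None means any destination port


def _port(token: str) -> int:
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)


def _endpoint(tokens, i):
    """Consume 'any [eq <port>]' at tokens[i]; return (port or None, next index)."""
    if tokens[i] != "any":
        raise ValueError("this example only models 'any' endpoints")
    i += 1
    port = None
    if i < len(tokens) and tokens[i] == "eq":
        port, i = _port(tokens[i + 1]), i + 2
    return port, i


def parse_entry(line: str) -> Entry:
    """Parse 'access-list <id> <permit|deny> <proto> any [eq p] any [eq p]'."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported entry: {line}")
    sport, i = _endpoint(t, 4)
    dport, i = _endpoint(t, i)
    if i != len(t):
        raise ValueError(f"trailing tokens in: {line}")
    return Entry(t[2], t[3], sport, dport)


def evaluate(acl, flow: Flow):
    """First matching entry decides; a flow that matches nothing is dropped."""
    for n, e in enumerate(acl, start=1):
        if e.proto != "ip" and e.proto != flow.proto:
            continue
        if e.sport is not None and e.sport != flow.sport:
            continue
        if e.dport is not None and e.dport != flow.dport:
            continue
        return e.action, f"matched line {n}"
    return "deny", "implicit deny"


def verdicts(acl_lines, flows):
    """Map each named flow to 'permit' or 'deny' under the given ACL text."""
    acl = [parse_entry(line) for line in acl_lines]
    return {name: evaluate(acl, f)[0] for name, f in flows.items()}


# Constructed outbound flows from a LAN client; the ephemeral source ports are made up.
SAMPLE_FLOWS = {
    "http": Flow("tcp", 51000, 80),
    "dns-udp": Flow("udp", 51001, 53),
    "pop3": Flow("tcp", 51002, 110),
    "smtp": Flow("tcp", 51003, 25),
}

ORIGINAL_ACL = [  # the three lines from the poster's after config
    "access-list 100 permit tcp any any eq www",
    "access-list 100 permit tcp any any eq domain",
    "access-list 100 permit tcp any any eq pop3",
]
UDP_DNS_FIX = "access-list 100 permit udp any any eq 53"   # the line suggested in the reply
DENY_FIRST_ACL = [  # the ordering from the first reply, with the deny at the top
    "access-list 100 deny ip any any",
    "access-list 100 permit tcp any eq www any",
    "access-list 100 permit tcp any any eq domain",
    "access-list 100 permit tcp any any eq pop3",
]

if __name__ == "__main__":
    for label, acl in [("original", ORIGINAL_ACL),
                       ("with udp/53", ORIGINAL_ACL + [UDP_DNS_FIX]),
                       ("deny first", DENY_FIRST_ACL)]:
        print(label, verdicts(acl, SAMPLE_FLOWS))
```

Running it shows the original ACL permitting HTTP and POP3 but dropping the UDP DNS query by implicit deny, the same ACL plus the udp/53 line permitting it, and the deny-first ordering dropping every flow on line 1 before any permit is reached. The SMTP flow is dropped under every variant, which is the point of the last reply below about mail clients that use SMTP.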

Silver

Re: acl's step in the wrong direction...

Also, please note that you are opening POP3. If you are using SMTP for your e-mail client then you will run into problems. Just an FYI.
