Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Limit outbound access to http

Hi,

to limit outbound access to only http/s pop3 smtp to groups of pcs, i'm using :

access-list inside_access_in permit udp host landns any eq domain

access-list inside_access_in permit tcp object-group http-https any eq www

access-list inside_access_in permit tcp object-group http-https any eq https

access-list inside_access_in permit tcp object-group ftp any eq ftp

access-list inside_access_in permit tcp object-group pop3-smtp any eq pop3

access-list inside_access_in permit tcp object-group pop3-smtp any eq smtp

this doesn´t work!

i'm i missing something? i'm doing this in a

Cisco PIX Firewall Version 6.3(4)

Cisco PIX Device Manager Version 3.0(2)

Hardware: PIX-506E, 32 MB RAM, CPU Pentium II 300 MHz

11 REPLIES

Re: Limit outbound access to http

Have you applied:

access-group inside_access_in in interface inside

See also:

Using and Configuring PIX Object Groups

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800d641d.shtml

sincerely

Patrick

New Member

Re: Limit outbound access to http

hi Patrick,

Yes i have

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

access-group inside_access_in in interface inside

route outside 0.0.0.0 0.0.0.0 x.x.x.x 1

when i put

access-list inside_access_in permit ip any any

i get access but this is not my objective...

New Member

Re: Limit outbound access to http

Exactly what fails? Is it possible a DNS issue? It's not clear as to where the hosts in the object groups are resolving their DNS. I would assume that Host LANDNS is the DNS server on the segment and the other hosts look to it for DNS resolution. This is not clear from what I can see though.

As a diagnostic step, try going to Cisco.com, and if that fails, try going to Cisco.com using it's IP (http://198.133.219.25). This should determine if this is a DNS issue or not.

New Member

Re: Limit outbound access to http

but when i open all access to external with:

access-list inside_access_in permit ip any any

it works, if i remember dns entry is working i can resolve name with nslookup

Re: Limit outbound access to http

Hi,

It shouldn't be an issue to use ACL to allow specific service ports to go out.

Based on my experience, what I did was to have 'old-fashion' ACL allowing each machine to go out, but at the same time, I have the ACL ready with object-group as preferred method.

The reason was to verify my ACL configuration, where 'old-fashion' ACL always working fine. If the new ACL with object-group doesn't work, look at the hit count using "show access-list

Among other possibility could be due to the object-group parameter.

Is it possible for you to show us the object-group configuration parameter to help us understand your config better?

Rgds,

AK

New Member

Re: Limit outbound access to http

names

name 192.168.15.100 xpmachine

object-group network pop3-smtp

network-object xpmachine255.255.255.255

object-group network http-https

network-object xpmachine255.255.255.255

object-group network ftp

network-object xpmachine 255.255.255.255

Re: Limit outbound access to http

Hi,

I can see that you created 3 object-groups for the same host. Maybe instead of doing this, create an object-group containing the tcp service ports - www, https, ftp & SMTP (based on your info), and use ACL to allow the xpmachine to access outside using the object-group service. Add or remove any service port as you wish.

You can always create object-group for host if you have multiple hosts to access outside/Internet. This will simplify your ACL and minimize the entry.

Example:

object-group service For_XPMACHINE tcp

port-object eq 21

port-object eq 25

port-object eq 80

port-object eq 443

access-list inside_access_in permit tcp host xpmachine

access-list inside_access_in permit tcp host xpmachine object-group For_XPMACHINE

access-group inside_access_in in interface inside

Hope this can help.

Rgds,

AK

Re: Limit outbound access to http

Sorry, pls ignore the 1st line of the ACL entry - forgot to remove it. Correct entry should be as follow:

access-list inside_access_in permit tcp host xpmachine object-group For_XPMACHINE

access-group inside_access_in in interface inside

New Member

Re: Limit outbound access to http

that was just an example, i have a lot more machines.

when i remove access-list inside_access_in permit ip any any i can still resolve names to ip address

but i can't access either with ip or dns name!

Re: Limit outbound access to http

"when i remove access-list inside_access_in permit ip any any i can still resolve names to ip address

but i can't access either with ip or dns name!..."

This is true as your NAT & GLOBAL statement allow all/any internal host to access anywhere outside/Internet.

The reason to have ACL is to permit or deny access by internal host. In your case, you ACL allows few tcp services and one (1) udp (dns-53).

I assumed all your clients point to 'landns' as sole DNS server. To verify its workability, create a test ACL (use IP instead of name for host) that 'deny ip any any' or just deny udp 53 and permit all others. Bind it to the 'inside' interface. Perform nslookup and ping using name & IP from the DNS server itself and other machines pointing using landns as DNS server. BTW, your 'landns' might still have entries (due to caching).

If the landns is clean and udp (53) port has been denied, by right, the landns should not be able to perform nslookup on its own or successfully resolved query by its clients. Try to do the same thing from any of your server/host.

If all are still working, it could be due to other issue. If the nslookup or pinging using name is failed, then your ACL works fine. Check the ACL hitcount and log entry for verification.

On the other hand, I am not sure if this could help, but since you mentioned you can't access outside using ip or name, configure static map of your 'landns' server to PIX outside interface IP Address. Then configure port redirection to allow incoming dns reply from external or ISP dns server to your internal dns server (landns):

At this stage, you must have ACL on your inside interface permitting your selected service ports, including DNS to your landns server.

Interface port redirection example:

- outside interface ip address : x.x.x.x 255.255.255.0

- landns ip : 10.10.10.10 / 24

static (inside,outside) udp interface 53 10.10.10.10 53 netmask 255.255.255.255

access-list outside permit udp any host x.x.x.x eq 53

access-list outside deny ip any any

access-group outside in interface outside

access-list inside_access_in permit udp host landns any eq domain

access-list inside_access_in permit tcp ....

access-list inside_access_in deny ip any any

access-group inside_access_in in interface inside

Give it a try.

Rgds,

AK

New Member

Re: Limit outbound access to http

hi,

thanks for all of your anwsers!

my problem i guess was connected to syslog! :)

i had log all data logged via tcp, so when the syslog server could not be contacted because i only had access list to http,https,dns,ftp outside connections where dead...

i now have udp instead....

118
Views
0
Helpful
11
Replies