10-24-2005 03:11 PM - edited 03-09-2019 12:48 PM
Hi,
To limit outbound access to only http/s, pop3 and smtp for groups of PCs, I'm using:
access-list inside_access_in permit udp host landns any eq domain
access-list inside_access_in permit tcp object-group http-https any eq www
access-list inside_access_in permit tcp object-group http-https any eq https
access-list inside_access_in permit tcp object-group ftp any eq ftp
access-list inside_access_in permit tcp object-group pop3-smtp any eq pop3
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
access-list inside_access_in permit tcp object-group pop3-smtp any eq smtp
This doesn't work!
Am I missing something? I'm doing this on a
Cisco PIX Firewall Version 6.3(4)
Cisco PIX Device Manager Version 3.0(2)
Hardware: PIX-506E, 32 MB RAM, CPU Pentium II 300 MHz
When I put
access-list inside_access_in permit ip any any
I get access, but this is not my objective...
10-24-2005 09:14 PM
Do "sh access-list inside_access_in" to verify whether the ACL entries have been hit or not.
10-25-2005 06:31 AM
Yes, they are used, but when I removed
access-list inside_access_in permit ip any any
game over, I can't access any site.
I can use nslookup and resolve the name to an IP, but I can't access it either by IP or by DNS name.
Help needed, and thanks for your reply.
10-25-2005 03:43 PM
Let's forget the permit ip any any for a moment.
I just would like to clarify: when you issue the command "sh access-list inside_access_in", is the "hitcnt" of each entry increasing or not?
e.g.
access-list inside_access_in line 1 permit udp host landns any eq domain (hitcnt=10)
access-list inside_access_in line 2 permit tcp object-group http-https any eq www (hitcnt=13)
access-list inside_access_in line 3 permit tcp object-group http-https any eq https (hitcnt=15)
access-list inside_access_in line 4 permit tcp object-group ftp any eq ftp (hitcnt=12)
access-list inside_access_in line 5 permit tcp object-group pop3-smtp any eq pop3 (hitcnt=11)
Then kick off a new internet browsing session and issue the command "sh access-list inside_access_in" again; you should see the "hitcnt" for line 2 increased from 13 to 14.
e.g.
access-list inside_access_in line 2 permit tcp object-group http-https any eq www (hitcnt=14)
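The before/after hitcnt comparison described in this reply, as an added example that is not part of the thread: a small parser for "show access-list" output that diffs two snapshots and reports which ACL lines actually matched traffic. The sample output below is constructed from the counters quoted above; a line whose counter never moves means the traffic is either matching another entry or being dropped before it reaches this ACL.

```python
import re
from typing import Dict, List, Tuple

# Constructed snapshots of "show access-list inside_access_in" taken before
# and after a browsing session (counters modelled on the reply above).
BEFORE = """\
access-list inside_access_in line 1 permit udp host landns any eq domain (hitcnt=10)
access-list inside_access_in line 2 permit tcp object-group http-https any eq www (hitcnt=13)
access-list inside_access_in line 3 permit tcp object-group http-https any eq https (hitcnt=15)
access-list inside_access_in line 4 permit tcp object-group ftp any eq ftp (hitcnt=12)
access-list inside_access_in line 5 permit tcp object-group pop3-smtp any eq pop3 (hitcnt=11)
"""
AFTER = """\
access-list inside_access_in line 1 permit udp host landns any eq domain (hitcnt=10)
access-list inside_access_in line 2 permit tcp object-group http-https any eq www (hitcnt=14)
access-list inside_access_in line 3 permit tcp object-group http-https any eq https (hitcnt=17)
access-list inside_access_in line 4 permit tcp object-group ftp any eq ftp (hitcnt=12)
access-list inside_access_in line 5 permit tcp object-group pop3-smtp any eq pop3 (hitcnt=11)
"""

# One ACE line: name, line number, the rule text, and the trailing counter.
LINE_RE = re.compile(
    r"^access-list\s+(\S+)\s+line\s+(\d+)\s+(.*?)\s+\(hitcnt=(\d+)\)\s*$"
)


def parse_hitcounts(output: str) -> Dict[Tuple[str, int], Tuple[str, int]]:
    """Map (acl name, line number) -> (rule text, hitcnt) for every ACE."""
    entries = {}
    for raw in output.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # summary or header lines carry no counter; skip them
        name, line_no, rule, count = m.groups()
        entries[(name, int(line_no))] = (rule, int(count))
    return entries


def hit_deltas(before: str, after: str) -> Dict[int, dict]:
    """Per-line change in hitcnt between two snapshots of the same ACL."""
    old = parse_hitcounts(before)
    new = parse_hitcounts(after)
    report = {}
    for key, (rule, after_count) in new.items():
        before_count = old.get(key, (rule, 0))[1]  # new ACE: count from zero
        report[key[1]] = {"rule": rule, "delta": after_count - before_count}
    return report


def lines_hit(before: str, after: str) -> List[int]:
    """ACL line numbers whose counter rose, i.e. entries that matched traffic."""
    return sorted(n for n, r in hit_deltas(before, after).items() if r["delta"] > 0)
```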
10-25-2005 03:58 PM
Yes, it increases.
10-28-2005 01:58 PM
hi,
Thanks for all of your answers!
My problem, I guess, was connected to syslog! :)
I had all log data sent via TCP, so when the syslog server could not be contacted (because I only had access-list entries for http, https, dns and ftp), outside connections were dead...
I now have UDP instead....