PIX Access-lists

apaxson
Level 1

I am currently integrating several companies into a single company. This includes integrating Microsoft Exchange and Microsoft Networks. On one company, I started adding Access-lists to open certain ports that NT requires to talk. When I added the Access-list to open these ports, I bound them to the inside interface ("access-group xxxx in interface inside"). When I did that, I lost all my internet connections.

I have NAT enabled to a single outside address which is bound to the outside interface. Why would I lose this?

global (outside) 1 x.x.x.x netmask x.x.x.x

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

When I added the "access-group x in interface inside" I lost my internet. I had to "clear access-group" to remove the entry, and I got my internet back up. Can anyone help?

Thanks!

Aaron Paxson

Systems Admin

Teters Floral Products

aaronp@teters.com

9 Replies

zletaief
Level 1

If I sum up the problem: you would like to keep an internal server visible from the external network?

If it was the case, you have to apply the access-list to outside interface: applying it to the inside one will permit only the specified traffic.

Either way, you have to map the inside servers to a routed IP address:

static (inside, outside) global_ip_add local_ip_add

No, I just want to access these systems just on the internal network, which is why I'm binding it to the inside interface. All incoming traffic from Frame-Relay connections is being routed to the inside interface of the PIX (from the Frame Router).

NAT is bound to my outside interface. Why did I lose internet when I bound my access-list to the inside interface?

I verified this by "clear access-group x". This brought my internet translations back up, and shut down my access-list. I'm stumped on why these conflicted, and how to get them to live with each other harmoniously.

thanks for the reply!!!

Aaron

Hi Aaron,

By default, all traffic is allowed from the inside network to the outside... but once you bind an access-list to the inside interface, you can throw this out the door.

In your scenario, I think you were supposed to bind the access-list to the outside interface, because the outside systems are trying to do MS networking to the inside systems. Hope this helped...

Correct. However, I'm not going from outside to inside, or inside to outside.

Maybe if I map out the configuration a bit better.

Company A is on network 172.16.0.0

Company B is on network 172.18.0.0

They are connected together via Frame-Relay. The Frame-Relay router on Company A has a default route pointing to the inside interface of the PIX. (In other words, all incoming traffic passes through the PIX's inside interface). The same holds true for Company B. I want Company B to access systems on Company A's network. Since the Frame-relay router on Company A passes all incoming traffic to the inside interface of the PIX, I need to allow certain traffic to pass through the inside interface.

I hope this makes sense. Now, if I were to have designed these networks, I probably would have placed the Frame traffic in a DMZ, but alas, this is what I have to work with.

Does this help??

Aaron

To be honest with you, when I first started, I didn't think I would have to set up an Access-list since the traffic was already on the inside interface. But, in working on one of the PIX, I realized I couldn't do certain things. I added an Access-list, and it seemed to do the job.

Is this incorrect? Perhaps just coincidental with something else?

Even if you have NAT applied to inside, your access-list, also applied to inside, will filter all traffic going to this interface. It's additive...

When you add an access-list applied to inside, you must specify the ports or addresses you permit for all the traffic from inside.

Benoît
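To make Benoît's point concrete, here is an added example (not from this thread, and not Cisco's code) of a small first-match evaluator for PIX-style access-list lines. It shows why a list that opens only the MS networking ports, once bound with "access-group ... in interface inside", drops everything else from inside (the implicit deny at the end of every PIX access-list), and how an explicit permit for the internal network restores internet access. The ACL name inside_in, the host addresses, the 198.51.100.5 web server and the port selection are all constructed for illustration; the company networks 172.16.0.0 and 172.18.0.0 are the ones from the thread.

```python
"""
Added example (not from the thread): a minimal first-match evaluator for
PIX-style access-list lines, showing the implicit deny that took the
poster's internet down and the explicit permit that fixes it.
All addresses, hosts and the ACL name are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Port keywords as PIX accepts them (small subset, constructed for this example).
PORT_NAMES = {"www": 80, "smtp": 25, "netbios-ns": 137, "netbios-dgm": 138, "netbios-ssn": 139}


@dataclass
class AclEntry:
    name: str
    action: str                # "permit" or "deny"
    proto: str                 # "ip" matches any protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]       # None means any destination port


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def _parse_addr(tokens: List[str], i: int):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D MASK' (PIX uses real masks, not wildcards)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(tokens[i] + "/" + tokens[i + 1]), i + 2


def parse_acl(config_text: str) -> List[AclEntry]:
    """Turn 'access-list NAME permit|deny PROTO SRC DST [eq PORT]' lines into entries, in order."""
    entries = []
    for line in config_text.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list":
            continue  # blank or unrelated config line
        name, action, proto = tokens[1], tokens[2], tokens[3]
        src, i = _parse_addr(tokens, 4)
        dst, i = _parse_addr(tokens, i)
        dport = None
        if i < len(tokens) and tokens[i] == "eq":
            p = tokens[i + 1]
            dport = PORT_NAMES[p] if p in PORT_NAMES else int(p)
        entries.append(AclEntry(name, action, proto, src, dst, dport))
    return entries


def evaluate(entries: List[AclEntry], pkt: Packet) -> str:
    """First matching entry wins; a packet that matches nothing hits the implicit deny."""
    s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for e in entries:
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if s not in e.src or d not in e.dst:
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        return e.action
    return "deny"  # implicit deny at the end of every PIX access-list


# Constructed: the kind of list the original poster describes, opening only the
# NT/MS networking ports from Company B (172.18.0.0/16) to Company A (172.16.0.0/16).
MS_NETWORKING_ONLY = """
access-list inside_in permit tcp 172.18.0.0 255.255.0.0 172.16.0.0 255.255.0.0 eq netbios-ssn
access-list inside_in permit udp 172.18.0.0 255.255.0.0 172.16.0.0 255.255.0.0 eq netbios-ns
access-list inside_in permit udp 172.18.0.0 255.255.0.0 172.16.0.0 255.255.0.0 eq netbios-dgm
access-list inside_in permit tcp 172.18.0.0 255.255.0.0 172.16.0.0 255.255.0.0 eq 445
"""

# Same list plus an explicit permit that keeps Company A's own hosts able to reach
# anything, as they could before "access-group inside_in in interface inside" was applied.
WITH_INTERNET_PERMIT = MS_NETWORKING_ONLY + """
access-list inside_in permit ip 172.16.0.0 255.255.0.0 any
"""

WEB_FROM_A = Packet("tcp", "172.16.1.10", "198.51.100.5", 80)   # constructed internet-bound flow
SMB_FROM_B = Packet("tcp", "172.18.5.20", "172.16.1.10", 445)   # constructed MS networking flow
TELNET_FROM_B = Packet("tcp", "172.18.5.20", "172.16.1.10", 23)  # a port the list never opened


def demo() -> dict:
    """Evaluate the three constructed flows against both lists."""
    before, after = parse_acl(MS_NETWORKING_ONLY), parse_acl(WITH_INTERNET_PERMIT)
    return {
        "web_before": evaluate(before, WEB_FROM_A),      # deny (implicit): the lost internet
        "web_after": evaluate(after, WEB_FROM_A),        # permit
        "smb_after": evaluate(after, SMB_FROM_B),        # permit
        "telnet_after": evaluate(after, TELNET_FROM_B),  # deny: still only the listed ports
    }


if __name__ == "__main__":
    for flow, verdict in demo().items():
        print(f"{flow}: {verdict}")
```

Because evaluation is first-match, the broad permit belongs at the end of the list; a "permit ip any any" there would reproduce the pre-ACL behaviour exactly, while the narrower "permit ip 172.16.0.0 255.255.0.0 any" keeps the Company B side limited to the ports actually opened.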

mike-banks
Level 1

Aaron,

It sounds like Company A and Company B's routers are connected via a frame link. Then you have the default route set on both routers to go to the inside interface of the PIX. Based on this, both companies have access to the internet. If this is the case, why don't you just enable a common routing protocol between the two routers such as RIP, IGRP or OSPF? This will allow the two companies' computers to locate each other.

Mike is right...

We understand both companies are physically connected to the inside of the firewall. Since the PIX isn't a router, it cannot route traffic between both; you should add static routes in both routers or a dynamic routing protocol. In your case, static routes may be enough. But be sure, you cannot use the PIX to route traffic between two internal routers.

Benoît

jeffliu
Level 1

Config: PIX 520, software 5.1(2). Currently we static NAT about 40 PCs inside the firewall in order to communicate with a Nortel VPN concentrator of another big corporation. All PCs have the Nortel VPN client.

Question: Can I just have a few statements so I could have those PCs go through one IP address?

Thanx!

Jeff
