Old 01-12-2008, 10:11 AM   #1
Default Pix 515E Access List issue


Hi there,

I am having some trouble with what should be a fairly straightforward access list and I am hoping that someone can spot an error. I have a pix and I want to permit SSL traffic (443) through an access list on the external interface of the pix to an SSL host on the internal LAN.

My access list is this:

"access-list from-outside-in permit tcp any host ISA01 eq https log 4"

Host ISA01 has a name configured on the Pix as follows

"Name 10.1.1.10 ISA01"

This ACL is bound to the external interface with this command:

"access-group from-outside-in in interface outside"

The Public IP of 20.20.20.20 has a static NAT map to 10.1.1.10:

"static (inside,outside) 20.20.20.20 10.1.1.10 netmask 255.255.255.255 0 0"

When I try to access https://20.20.20.20 from the Internet a log is generated as follows:

"106023: Deny tcp src outside:82.41.56.xxx/4004 dst inside:20.20.20.20/443 by access-group "from-outside-in"

This is the part I don't understand as I am specifically allowing 443 from anywhere to my internal host. You can see that access to 20.20.20.20 port 443 is being blocked. Additionally, when I edit the ACL to be this:

"access-list from-outside-in permit tcp any any eq https log 4"

The connection is permitted and a log of this is generated:

106100: access-list from-outside-in permitted tcp outside/82.41.56.xxx(4007) -> inside/20.20.20.20(443) hit-cnt 1 (first hit)

We can see that access is granted to 20.20.20.20 port 443.

Now, oddly enough, when I look at the ACL counters this ACL deny is not logged:

access-list from-outside-in; 1 elements
access-list from-outside-in line 1 permit tcp any host ISA01 eq https log 4 interval 300 (hitcnt=0)

When I do a show xlate, the NAT looks OK:

HLI-Pix# sh xlat
1 in use, 2 most used
Global 20.20.20.20 Local ISA01

Obviously I don't want to allow all traffic to all SSL hosts internally; I want to lock it down to just my one box called ISA01.

So in summary, when I permit 443 traffic specifically to ISA01 the ACL blocks it; when I open up the ACL, the traffic is permitted to the same host.

I am not very experienced with the Pix and am hoping someone somewhere can spot something that is not correct.

Thanks for your help

Ally

Old 01-14-2008, 12:26 PM   #2
ally0000
Junior Member
 
Join Date: Jan 2008
Posts: 4
Default
So after much testing I still didn't get this ACL to work despite my config looking correct. What I ended up doing was finding out if there are any other SSL hosts and then denying 443 traffic to them and then permitting the 443 traffic from 'any' to 'any'.

I would still be interested to hear from anyone if they think they know why my ACL was blocking 443 traffic.

Cheers

Ally

Old 01-14-2008, 08:28 PM   #3
isilla
Junior Member
 
Join Date: Jan 2008
Location: California
Posts: 3
Default
Ally, I don't know PIX but I have a good understanding of Firewall and NAT. The first line of your ACL does not look right:

"access-list from-outside-in permit tcp any host ISA01 eq https log 4"

Since you NAT https traffic from the outside (external IP) 20.20.20.20 to the internal IP 10.1.1.10, your access list should be:

"access-list from-outside-in permit tcp any host 20.20.20.20 eq https log 4"

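Why the fix above works: on the PIX generation discussed in this thread (and on ASA releases before 8.3), an inbound access-group on the outside interface is evaluated against the packet's global (mapped) destination, and the static translation to 10.1.1.10 is applied only afterwards. An ACE written as `host ISA01` therefore never sees a matching packet, which is exactly what the `hitcnt=0` counter and the `106023` deny with `dst inside:20.20.20.20/443` show. ASA 8.3 and later reversed this and match ACLs against the real inside address, which is why advice found for newer boxes can contradict this thread. The Python below is an added illustration, not Cisco code: it parses the two `access-list` lines quoted in the thread, models both evaluation orders with a constructed inbound packet, and includes a small lint check that flags outside-interface ACEs whose destination is an inside address covered by a `static`. The names `evaluate`, `lint_outside_acl`, `NAMES` and `STATICS` are mine; the addresses come from the thread.

```python
"""Model of inbound ACL evaluation on the PIX in this thread (added example).

On this PIX the access-group on 'outside' is checked against the packet's
mapped (global) destination before the static is applied, so an ACE naming
the inside host never matches. acl_sees_real_ip=True models ASA 8.3+.
"""
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"https": 443, "www": 80, "ssh": 22}

# "Name 10.1.1.10 ISA01"
NAMES = {"ISA01": "10.1.1.10"}
# "static (inside,outside) 20.20.20.20 10.1.1.10 netmask 255.255.255.255 0 0"
STATICS = {"20.20.20.20": "10.1.1.10"}          # global -> local


def resolve(token: str) -> str:
    """Expand a configured name to its address; plain addresses pass through."""
    return NAMES.get(token, token)


@dataclass
class Ace:
    action: str             # "permit" or "deny"
    proto: str              # "tcp", "udp" or "ip"
    src: str                # "any" or an address
    dst: str                # "any" or an address (names already resolved)
    dport: Optional[int]    # None means any port
    hitcnt: int = 0
    text: str = ""

    def matches(self, proto: str, src: str, dst: str, dport: int) -> bool:
        if self.proto not in ("ip", proto):
            return False
        if self.src not in ("any", src):
            return False
        if self.dst not in ("any", dst):
            return False
        return self.dport is None or self.dport == dport


def parse_ace(line: str) -> Ace:
    """Parse 'access-list NAME permit tcp any host X eq https [log N]'."""
    tok = line.strip().strip('"').split()
    if tok[0] != "access-list":
        raise ValueError("not an access-list line")
    action, proto = tok[2], tok[3]
    i = 4

    def addr() -> str:
        nonlocal i
        if tok[i] == "any":
            i += 1
            return "any"
        if tok[i] == "host":
            i += 2
            return resolve(tok[i - 1])
        raise ValueError(f"unsupported address form at {tok[i]!r}")

    src, dst = addr(), addr()
    dport = None
    if i < len(tok) and tok[i] == "eq":
        dport = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
    return Ace(action, proto, src, dst, dport, text=line)


def evaluate(aces, proto, src, dst_global, dport, acl_sees_real_ip=False):
    """Return (verdict, syslog-style line) for an inbound packet on 'outside'."""
    dst = STATICS.get(dst_global, dst_global) if acl_sees_real_ip else dst_global
    for ace in aces:
        if ace.matches(proto, src, dst, dport):
            ace.hitcnt += 1
            word = "permitted" if ace.action == "permit" else "denied"
            return ace.action, (f"106100: access-list {word} {proto} outside/{src} "
                                f"-> inside/{dst}({dport}) hit-cnt {ace.hitcnt}")
    # No ACE matched: the implicit deny at the end of the access-group fires.
    return "deny", (f"106023: Deny {proto} src outside:{src} "
                    f"dst inside:{dst}/{dport} by access-group")


def lint_outside_acl(aces):
    """Flag ACEs whose destination is an inside address that has a static:
    on this PIX they can never match inbound traffic; use the global address."""
    local_to_global = {local: glob for glob, local in STATICS.items()}
    return [f"{ace.text}: destination {ace.dst} is the inside address, "
            f"use 'host {local_to_global[ace.dst]}'"
            for ace in aces if ace.dst in local_to_global]


if __name__ == "__main__":
    # Constructed inbound packet: random high port from an Internet client to the global IP.
    pkt = ("tcp", "82.41.56.1", "20.20.20.20", 443)
    broken = [parse_ace("access-list from-outside-in permit tcp any host ISA01 eq https log 4")]
    fixed = [parse_ace("access-list from-outside-in permit tcp any host 20.20.20.20 eq https log 4")]
    print(evaluate(broken, *pkt), "hitcnt:", broken[0].hitcnt)   # deny, 106023, hitcnt 0
    print(evaluate(fixed, *pkt), "hitcnt:", fixed[0].hitcnt)     # permit, 106100, hitcnt 1
    print(lint_outside_acl(broken))
```

The lint is the check worth keeping: run it over every ACE bound to the outside interface before committing a change, and it catches the `host ISA01` mistake without a live test. The `acl_sees_real_ip` switch exists only so the same model can be compared against the post-8.3 behaviour, where the original ACE would have matched.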
Old 02-15-2008, 01:34 PM   #4
ally0000
Junior Member
 
Join Date: Jan 2008
Posts: 4
Default
This solution worked, thanks very much for posting it.

Cheers

Ally
