Pix 515E Access List issue

Discussion in 'Hardware' started by ally0000, Jan 12, 2008.

  1. ally0000

    ally0000

    Joined:
    Jan 12, 2008
    Messages:
    4
    Hi there,

    I am having some trouble with what should be a fairly straightforward access list and I am hoping that someone can spot an error. I have a pix and I want to permit SSL traffic (443) through an access list on the external interface of the pix to an SSL host on the internal LAN.

    My access list is this:

    "access-list from-outside-in permit tcp any host ISA01 eq https log 4"

    Host ISA01 has a name configured on the Pix as follows:

    "Name 10.1.1.10 ISA01"

    This ACL is bound to the external interface with this command:

    "access-group from-outside-in in interface outside"

    The Public IP of 20.20.20.20 has a static NAT map to 10.1.1.10:

    "static (inside,outside) 20.20.20.20 10.1.1.10 netmask 255.255.255.255 0 0"

    When I try to access https://20.20.20.20 from the Internet a log is generated as follows:

    "106023: Deny tcp src outside:82.41.56.xxx/4004 dst inside:20.20.20.20/443 by access-group "from-outside-in""

    This is the part I don't understand as I am specifically allowing 443 from anywhere to my internal host. You can see that access to 20.20.20.20 port 443 is being blocked. Additionally, when I edit the ACL to be this:

    "access-list from-outside-in permit tcp any any eq https log 4"

    The connection is permitted and a log of this is generated:

    106100: access-list from-outside-in permitted tcp outside/82.41.56.xxx(4007) -> inside/20.20.20.20(443) hit-cnt 1 (first hit)

    We can see that access is granted to 20.20.20.20 port 443.

    Now, oddly enough, when I look at the ACL counters this ACL deny is not logged:

    access-list from-outside-in; 1 elements
    access-list from-outside-in line 1 permit tcp any host ISA01 eq https log 4 interval 300 (hitcnt=0)

    When I do a show xlate, the NAT looks OK:

    HLI-Pix# sh xlat
    1 in use, 2 most used
    Global 20.20.20.20 Local ISA01

    Obviously I don’t want to allow all traffic to all SSL hosts internally, I want to lock it down to just my one box called ISA01.

    So in summary, when I permit 443 traffic specifically to ISA01 the ACL blocks it; when I open up the ACL, the traffic is permitted to the same host.

    I am not very experienced with the Pix and am hoping someone somewhere can spot something that is not correct.

    Thanks for your help.

    Ally
    ally0000, Jan 12, 2008
    #1

  2. ally0000

    ally0000

    Joined:
    Jan 12, 2008
    Messages:
    4
    So after much testing I still didn't get this ACL to work despite my config looking correct. What I ended up doing was finding out if there are any other SSL hosts and then denying 443 traffic to them and then permitting the 443 traffic from 'any' to 'any'.

    I would still be interested to hear from anyone if they think they know why my ACL was blocking 443 traffic.

    Cheers

    Ally
    ally0000, Jan 14, 2008
    #2

  3. isilla

    isilla

    Joined:
    Jan 11, 2008
    Messages:
    3
    Location:
    California
    Ally, I don't know PIX but I have a good understanding of Firewall and NAT. The first line of your ACL does not look right:

    "access-list from-outside-in permit tcp any host ISA01 eq https log 4"

    Since you NAT https traffic from outside (external IP) 20.20.20.20 to internal IP 10.1.1.10, your access list should be:

    "access-list from-outside-in permit tcp any host 20.20.20.20 eq https log 4"
    isilla, Jan 14, 2008
    #3
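    The reason isilla's fix works is visible in Ally's own deny message: the destination the ACL was checked against is 20.20.20.20, the global address from the static, not the real address 10.1.1.10 that the name ISA01 resolves to. On PIX software of that era (and on ASA before 8.3) an access-group applied inbound on the outside interface is evaluated before the static translation is undone, so it must reference the mapped address. The script below is an added illustration, not anything from the thread or from Cisco: it parses the three ACL variants and the 106023 log line from the posts, resolves the `name` entry, and evaluates the denied packet against each ACL line both as the PIX saw it (pre-NAT) and as it would look if the ACL were applied to the real address. The masked source octet "xxx" in the log line is replaced with a constructed value so that it parses.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Inputs copied from the thread. The masked source octet "xxx" in the log line
# is replaced with a constructed value (82.41.56.1) so the message parses.
NAMES = {"ISA01": "10.1.1.10"}              # "name 10.1.1.10 ISA01"
STATIC_NAT = {"20.20.20.20": "10.1.1.10"}   # "static (inside,outside) 20.20.20.20 10.1.1.10 ..."

ACL_BY_NAME = "access-list from-outside-in permit tcp any host ISA01 eq https log 4"
ACL_BY_GLOBAL = "access-list from-outside-in permit tcp any host 20.20.20.20 eq https log 4"
ACL_ANY_ANY = "access-list from-outside-in permit tcp any any eq https log 4"
DENY_LOG = ('106023: Deny tcp src outside:82.41.56.1/4004 dst inside:20.20.20.20/443 '
            'by access-group "from-outside-in"')

SERVICES = {"https": 443, "http": 80, "ssh": 22}   # port keywords this toy parser knows


@dataclass
class AclEntry:
    acl: str
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]


def _address(tokens, i):
    """Parse one PIX address operand starting at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        host = NAMES.get(tokens[i + 1], tokens[i + 1])   # resolve "name" entries such as ISA01
        return ipaddress.ip_network(host + "/32"), i + 2
    # "address mask" form
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(line):
    """Parse a single PIX-style access-list line into an AclEntry."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError("not an access-list line")
    src, i = _address(t, 4)
    dst, i = _address(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":
        dport = SERVICES.get(t[i + 1]) or int(t[i + 1])
    return AclEntry(acl=t[1], action=t[2], proto=t[3], src=src, dst=dst, dport=dport)


def parse_deny_log(msg):
    """Pull the 5-tuple out of a 106023 deny message."""
    m = re.search(r"Deny (\w+) src \w+:([\d.]+)/(\d+) dst \w+:([\d.]+)/(\d+)", msg)
    if not m:
        raise ValueError("unrecognised 106023 format")
    proto, sip, sport, dip, dport = m.groups()
    return {"proto": proto, "src": sip, "sport": int(sport), "dst": dip, "dport": int(dport)}


def evaluate(acl_line, pkt):
    """Return the action of the ACL line if the packet matches it; otherwise the implicit deny."""
    e = parse_acl(acl_line)
    hit = (e.proto == pkt["proto"]
           and ipaddress.ip_address(pkt["src"]) in e.src
           and ipaddress.ip_address(pkt["dst"]) in e.dst
           and (e.dport is None or e.dport == pkt["dport"]))
    return e.action if hit else "deny"


def after_static_nat(pkt):
    """The same packet once the static translation has mapped the global address to the real one."""
    return {**pkt, "dst": STATIC_NAT.get(pkt["dst"], pkt["dst"])}


def thread_results():
    """Evaluate the thread's three ACL variants against the packet from the deny log."""
    pkt = parse_deny_log(DENY_LOG)
    return {
        "name_pre_nat": evaluate(ACL_BY_NAME, pkt),       # what the PIX actually did: deny
        "global_pre_nat": evaluate(ACL_BY_GLOBAL, pkt),   # isilla's fix: permit
        "any_pre_nat": evaluate(ACL_ANY_ANY, pkt),        # Ally's workaround: permit
        "name_post_nat": evaluate(ACL_BY_NAME, after_static_nat(pkt)),  # only matches after NAT
    }


if __name__ == "__main__":
    for check, verdict in thread_results().items():
        print(f"{check}: {verdict}")
```

The `name_post_nat` result shows that the original line was not wrong in itself; it was simply checked against an address it could never see at that point in the packet path. The same mismatch also explains the `hitcnt=0` on the counters, since a line that never matches never increments.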
  4. ally0000

    ally0000

    Joined:
    Jan 12, 2008
    Messages:
    4
    This solution worked, thanks very much for posting it.

    Cheers

    Ally
    ally0000, Feb 15, 2008
    #4