PIX & access-list

Discussion in 'Cisco' started by soup_or_power@yahoo.com, Jun 1, 2006.

  1. Guest

    I had this rule in the PIX to accept https requests from a specific
    host

    access-list incoming permit tcp 255.138.142.224 255.255.255.224 host 209.255.196.216 eq 443

    But it no longer works! 209.255.196.216 is the IP of a router. Can
    anyone please tell me why this rule will fail all of a sudden?

    Thanks for your help.
     
    , Jun 1, 2006
    #1

  2. Guest

    Re: PIX & access-list

    Has anything changed?

    wrote:
    > I had this rule in the PIX to accept https requests from a specific
    > host
    >
    > access-list incoming permit tcp 255.138.142.224 255.255.255.224 host
    > 209.255.196.216 eq 443
    >
    > But it no longer works! 209.255.196.216 is the ip of a router. Can
    > anyone please tell me why this rule will fail all of a sudden?
    >
    > Thanks for your help.
     
    , Jun 1, 2006
    #2

  3. Matt Scoff Guest

    Re: PIX & access-list

    "show log" after the failure helps me... Hopefully you have logging turned on.

    On 1 Jun 2006 13:32:56 -0700, ""
    <> wrote:

    >Has anything changed?
    >
    > wrote:
    >> I had this rule in the PIX to accept https requests from a specific
    >> host
    >>
    >> access-list incoming permit tcp 255.138.142.224 255.255.255.224 host
    >> 209.255.196.216 eq 443
    >>
    >> But it no longer works! 209.255.196.216 is the ip of a router. Can
    >> anyone please tell me why this rule will fail all of a sudden?
    >>
    >> Thanks for your help.
     
    Matt Scoff, Jun 1, 2006
    #3
  4. In article <>,
    <> wrote:
    >I had this rule in the PIX to accept https requests from a specific
    >host
    >
    >access-list incoming permit tcp 255.138.142.224 255.255.255.224 host 209.255.196.216 eq 443
    >
    >But it no longer works! 209.255.196.216 is the ip of a router. Can
    >anyone please tell me why this rule will fail all of a sudden?

    If you have access-group incoming in interface inside
    then that is the wrong ACL entry to accept https requests from
    a specific host. That ACL entry would be appropriate for accepting
    https requests that originate at 255.138.142.224 255.255.255.224
    and which are destined for the IP 209.255.196.216 .

    You indicate that 209.255.196.216 is the IP of a router. Does that
    mean that you want 255.138.142.224 255.255.255.224 to be able to
    use the web interface of the router itself (i.e., to manage the
    router)? If so, then have you checked to be sure that the router
    is still accepting requests? Have you checked that there is still
    a static for 209.255.196.216? Have you checked the pix logs to
    see whether the incoming requests are being refused by the PIX?
     
    Walter Roberson, Jun 1, 2006
    #4
  5. Guest

    Re: PIX & access-list

    Walter Roberson wrote:
    > In article <>,
    > <> wrote:
    > >I had this rule in the PIX to accept https requests from a specific
    > >host
    > >
    > >access-list incoming permit tcp 255.138.142.224 255.255.255.224 host 209.255.196.216 eq 443
    > >
    > >But it no longer works! 209.255.196.216 is the ip of a router. Can
    > >anyone please tell me why this rule will fail all of a sudden?
    >
    > If you have access-group incoming in interface inside
    > then that is the wrong ACL entry to accept https requests from
    > a specific host. That ACL entry would be appropriate for accepting
    > https requests that originate at 255.138.142.224 255.255.255.224
    > and which are destined for the IP 209.255.196.216 .
    >
    > You indicate that 209.255.196.216 is the IP of a router.

    Oops sorry, the router IP is 255.138.142.224.

    > Does that
    > mean that you want 255.138.142.224 255.255.255.224 to be able to
    > use the web interface of the router itself (i.e., to manage the
    > router)? If so, then have you checked to be sure that the router
    > is still accepting requests? Have you checked that there is still
    > a static for 209.255.196.216? Have you checked the pix logs to
    > see whether the incoming requests are being refused by the PIX?


    How do I turn on logging?

    Thanks for your help
     
    , Jun 2, 2006
    #5
  6. Re: PIX & access-list

    In article <>,
    <> wrote:
    >Walter Roberson wrote:
    >> In article <>,
    >> <> wrote:
    >> >I had this rule in the PIX to accept https requests from a specific
    >> >host
    >> >
    >> >access-list incoming permit tcp 255.138.142.224 255.255.255.224 host 209.255.196.216 eq 443
    >
    >Oops sorry, the router IP is 255.138.142.224.

    If the router IP is 255.138.142.224 then why does your netmask
    also end in 224 -- that would make the router IP the base network
    IP of the subnet, and the base network IP of any subnet is reserved.
    (If you look at the math, it turns out that if you have a netmask of
    255.255.255.X then any IP that ends with X must be the reserved base IP
    of the subnet.)

    It is true that in PIX ACLs, the masks are really bitmasks rather
    than netmasks, so the line is not necessarily invalid (just suspicious) --
    but even so it contradicts your original statement that you want to
    accept https requests from a specific -host-. And if you want to
    accept https from a specific host, then you wouldn't be putting your
    router IP there ?!


    >How do I turn on logging?


    logging on
    logging timestamp
    logging buffered notifications
    logging queue 512

    This will send a copy of all messages of priority "notification" or
    higher to the PIX wrap-around message buffer, which can be displayed
    by using the command show log

    The memory buffer usually can only hold a few seconds worth of
    information, so you would normally want to enable syslog on a server and
    then,

    logging trap notifications
    logging host inside SERVERIP

    This will send a copy of all messages of priority "notification" or
    higher to the syslog process on host SERVERIP.

    Logging level notification is often enough to solve "Duh, why didn't
    I think of that!" type of ACL problems, but if you have a difficult
    ACL problem then you would want to switch to logging trap debugging.
    You probably only want to use debugging level to a syslog server
    (and not to the onboard memory buffer) because the traffic volume
    of messages is fairly high at debugging level.

    To recap briefly: "logging buffered" controls the level of messages
    available via "show log", and "logging trap" controls the level
    of messages sent to the syslog server.
     
    Walter Roberson, Jun 2, 2006
    #6
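    The two points Walter makes in #4 and #6 (the first address/mask pair in a PIX ACE is the *source* and "host X" the *destination*, so the entry permits traffic going *to* 209.255.196.216 rather than management traffic coming *from* a router; and a source address whose host bits are all zero under its mask is the reserved network address, while a non-contiguous mask is legal on a PIX but suspicious) can be checked mechanically. The following is an added example written for this page, not code from the thread or from Cisco: it models a single ACE of the form quoted above, with simplifications that are assumptions (one entry, no implicit deny, only the two port names listed handled). The addresses are the thread's own fudged ones.

```python
import ipaddress
import re

# Assumption: only these two service names are resolved; anything else must be numeric.
PORT_NAMES = {"https": 443, "www": 80}

# Shape of the ACE used in the thread:
#   access-list NAME permit|deny PROTO SRC[ MASK]|host SRC|any DST[ MASK]|host DST|any [eq PORT]
ACE_RE = re.compile(
    r"^\s*access-list\s+(?P<name>\S+)\s+(?P<action>permit|deny)\s+(?P<proto>\S+)\s+"
    r"(?P<src>host\s+\S+|any|\S+\s+\S+)\s+"
    r"(?P<dst>host\s+\S+|any|\S+\s+\S+)"
    r"(?:\s+eq\s+(?P<port>\S+))?\s*$"
)


def ip_int(addr):
    """Dotted-quad string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))


def parse_ace(line):
    """Parse one access-list line into a dict; ValueError if it does not fit the shape above."""
    m = ACE_RE.match(line)
    if not m:
        raise ValueError("not a recognised ACE: %r" % line)
    ace = m.groupdict()
    port = ace["port"]
    if port is not None:
        port = PORT_NAMES[port] if port in PORT_NAMES else int(port)
    ace["port"] = port
    return ace


def _spec_to_net(spec):
    """ACE address field -> (network, mask) integers; 'any' is 0/0, 'host X' is X/32."""
    parts = spec.split()
    if parts == ["any"]:
        return 0, 0
    if parts[0] == "host":
        return ip_int(parts[1]), 0xFFFFFFFF
    return ip_int(parts[0]), ip_int(parts[1])


def ace_matches(ace, src, dst, dport):
    """True if a packet src -> dst:dport is selected by ACE. Direction matters:
    the first field is compared against the source, the second against the destination."""
    for spec, addr in ((ace["src"], src), (ace["dst"], dst)):
        net, mask = _spec_to_net(spec)
        if (ip_int(addr) & mask) != (net & mask):
            return False
    return ace["port"] is None or ace["port"] == dport


def is_contiguous_netmask(mask):
    """True if MASK is a run of ones followed by zeros. The PIX treats the field as a
    plain bitmask and accepts any pattern, so a non-contiguous value is legal but
    almost always a typo."""
    host_bits = (~ip_int(mask)) & 0xFFFFFFFF
    return (host_bits & (host_bits + 1)) == 0


def is_network_base(addr, mask):
    """True if every host bit of ADDR is clear, i.e. ADDR is the reserved network
    address of its subnet under MASK. With mask 255.255.255.X any address ending
    in X lands here, which is the oddity raised in post #6."""
    return (ip_int(addr) & ip_int(mask)) == ip_int(addr)


def lint_ace(ace):
    """Warnings about the address/mask pairs in ACE (empty list if nothing odd)."""
    warnings = []
    for role in ("src", "dst"):
        parts = ace[role].split()
        if len(parts) != 2 or parts[0] == "host":
            continue
        addr, mask = parts
        if not is_contiguous_netmask(mask):
            warnings.append("%s mask %s is not a contiguous netmask" % (role, mask))
        if is_network_base(addr, mask):
            warnings.append("%s address %s is the network base under %s; a single "
                            "host would be written 'host %s'" % (role, addr, mask, addr))
    return warnings


if __name__ == "__main__":
    ace = parse_ace("access-list incoming permit tcp 255.138.142.224 255.255.255.224 "
                    "host 209.255.196.216 eq 443")
    # A client in the /27 behind the router -> the server on 443: this ACE permits it.
    print(ace_matches(ace, "255.138.142.230", "209.255.196.216", 443))   # True
    # The reverse direction (something talking TO a host in that /27) is not this ACE.
    print(ace_matches(ace, "209.255.196.216", "255.138.142.230", 443))   # False
    for w in lint_ace(ace):
        print("warning:", w)
```

    Running it on the thread's own entry prints True for the client-to-server direction, False for the reverse, and one warning that 255.138.142.224 is the network base under 255.255.255.224, which is exactly the "why does your netmask also end in 224" question above; the ACE is still valid, so the warning is a hint to re-read the entry, not a reason it stopped working.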
  7. Guest

    Re: PIX & access-list

    Walter Roberson wrote:
    > In article <>,
    > <> wrote:
    > >Walter Roberson wrote:
    > >> In article <>,
    > >> <> wrote:
    > >> >I had this rule in the PIX to accept https requests from a specific
    > >> >host
    > >> >
    > >> >access-list incoming permit tcp 255.138.142.224 255.255.255.224 host 209.255.196.216 eq 443
    > >
    > >Oops sorry, the router IP is 255.138.142.224.
    >
    > If the router IP is 255.138.142.224 then why does your netmask
    > also end in 224 -- that would make the router IP the base network
    > IP of the subnet, and the base network IP of any subnet is reserved.
    > (If you look at the math, it turns out that if you have a netmask of
    > 255.255.255.X then any IP that ends with X must be the reserved base IP
    > of the subnet.)

    I fudged the numbers to not reveal the actual IP addresses. The netmask
    is set so that all the hosts behind the router can access the https on
    the server.
    >
    > It is true that in PIX ACLs, the masks are really bitmasks rather
    > than netmasks, so the line is not necessarily invalid (just suspicious) --
    > but even so it contradicts your original statement that you want to
    > accept https requests from a specific -host-. And if you want to
    > accept https from a specific host, then you wouldn't be putting your
    > router IP there ?!


    I think I confused you. Sorry! I meant to say that all the hosts behind
    the router that qualify to send https requests after applying the netmask
    are unable to access the server. I don't know much about the router setup,
    except that it is in the Philippines and the engineers there tell me that
    the machines are configured to be on the same subnet as the router (is
    there any other way?). BTW, the server is located in the US and the
    access-list rule did not have any problems until now.

    >
    > >How do I turn on logging?
    >
    > logging on
    > logging timestamp
    > logging buffered notifications
    > logging queue 512
    >
    > This will send a copy of all messages of priority "notification" or
    > higher to the PIX wrap-around message buffer, which can be displayed
    > by using the command show log
    >
    > The memory buffer usually can only hold a few seconds worth of
    > information, so you would normally want to enable syslog on a server and
    > then,
    >
    > logging trap notifications
    > logging host inside SERVERIP
    >
    > This will send a copy of all messages of priority "notification" or
    > higher to the syslog process on host SERVERIP.
    >
    > Logging level notification is often enough to solve "Duh, why didn't
    > I think of that!" type of ACL problems, but if you have a difficult
    > ACL problem then you would want to switch to logging trap debugging
    > You probably only want to use debugging level to a syslog server
    > (and not to the onboard memory buffer) because the traffic volume
    > of messages is fairly high at debugging level.
    >
    > To recap briefly: "logging buffered" controls the level of messages
    > available via "show log", and "logging trap" controls the level
    > of messages sent to the syslog server.


    Thanks! I will give it a try. Also let me know how to view the logs. I
    don't know my way around Pix IOS. Can you recommend a good book? I browsed
    in B&N without much success. They have all kinds of Cisco books. I prefer
    something like 'PIX for dummies' -- something basic. I bought the
    'Firewall for Dummies' which was enough to let me get started.
     
    , Jun 2, 2006
    #7
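    To make the logging advice quoted above concrete (which messages "logging buffered notifications" puts in the "show log" buffer versus what "logging trap debugging" sends to the syslog host, and how to pick the ACL denies out of what you see), here is an added example, not code from the thread or from Cisco. The log lines in it are constructed for the example: the bodies follow the published PIX message layouts for ids 111008, 302013, 106023 (packet denied by an access-group) and 111009, the addresses are documentation ranges plus the server IP from the thread, and the severity table is the standard 0-7 numbering behind the level names.

```python
import re
from collections import Counter

# Severity numbers behind the level names used in "logging buffered <level>" and
# "logging trap <level>". A sink receives every message numbered <= its own level.
LEVELS = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}

# Constructed sample of what "show log" (or a syslog host) would receive with
# "logging timestamp" on. Not captured from a real PIX.
SAMPLE_LOG = [
    "Jun 02 2006 09:14:55: %PIX-5-111008: User 'enable_15' executed the 'logging on' command.",
    "Jun 02 2006 09:15:01: %PIX-6-302013: Built inbound TCP connection 4711 for "
    "outside:203.0.113.10/51234 (203.0.113.10/51234) to inside:209.255.196.216/443 (209.255.196.216/443)",
    "Jun 02 2006 09:15:07: %PIX-4-106023: Deny tcp src outside:203.0.113.77/40112 "
    "dst inside:209.255.196.216/443 by access-group \"incoming\"",
    "Jun 02 2006 09:15:09: %PIX-4-106023: Deny tcp src outside:198.51.100.9/33001 "
    "dst inside:209.255.196.216/22 by access-group \"incoming\"",
    "Jun 02 2006 09:15:12: %PIX-7-111009: User 'enable_15' executed cmd:show log",
]

# %PIX-<severity>-<6-digit id>: <body>
SYSLOG_RE = re.compile(r"%PIX-(?P<sev>[0-7])-(?P<msgid>\d{6}): (?P<text>.*)$")

# Body of 106023: Deny <proto> src <if>:<ip>/<port> dst <if>:<ip>/<port> by access-group "<acl>"
DENY_RE = re.compile(
    r"Deny (?P<proto>\w+) src (?P<sif>[^:\s]+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<dif>[^:\s]+):(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group \"(?P<acl>[^\"]+)\""
)


def parse_syslog(line):
    """Split a PIX log line into severity, message id and body; None if it is not one."""
    m = SYSLOG_RE.search(line)
    if not m:
        return None
    return {"severity": int(m.group("sev")), "msgid": m.group("msgid"), "text": m.group("text")}


def messages_at_level(lines, level_name):
    """The lines a sink configured at LEVEL_NAME would receive."""
    limit = LEVELS[level_name]
    out = []
    for line in lines:
        rec = parse_syslog(line)
        if rec is not None and rec["severity"] <= limit:
            out.append(line)
    return out


def acl_denies(lines, acl_name=None):
    """Extract 106023 'denied by access-group' events, optionally only for ACL_NAME."""
    hits = []
    for line in lines:
        rec = parse_syslog(line)
        if rec is None or rec["msgid"] != "106023":
            continue
        d = DENY_RE.match(rec["text"])
        if d and (acl_name is None or d.group("acl") == acl_name):
            hits.append(d.groupdict())
    return hits


def deny_counts_by_port(lines, acl_name=None):
    """Denies per destination port: the quickest way to see whether the traffic that
    'stopped working' is being refused by the PIX at all, and on which port."""
    return Counter(d["dport"] for d in acl_denies(lines, acl_name))


if __name__ == "__main__":
    print(len(messages_at_level(SAMPLE_LOG, "notifications")), "lines reach the buffer at notifications")
    print(len(messages_at_level(SAMPLE_LOG, "debugging")), "lines reach a syslog host at debugging")
    for d in acl_denies(SAMPLE_LOG, "incoming"):
        print("denied by incoming:", d["src"], "->", d["dst"], "port", d["dport"])
```

    On the sample, the severity-4 denies are inside the notifications level, so the on-box buffer already shows whether the PIX itself is refusing the https requests; the severity-6 "Built ... connection" and severity-7 command-audit lines only appear once the trap level is raised to informational or debugging, which is why that volume belongs on a syslog host rather than in the few-seconds memory buffer.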