PIX506 - ACL Help

Discussion in 'Cisco' started by Sam, Jun 14, 2007.

  1. Sam (Guest)

    I am adding an internal firewall to separate two networks, one public
    and one private. What I need is people on the public network to access a
    webserver while at the same time blocking all other traffic so nobody
    can access the private domain. Generally the public will need internet
    access (not a problem) but occasionally access internal webservers in
    the primary network. I have been able to do one or the other, but not
    both. Right now people can access both the WAN and private LAN. If I put
    in restrictions I block all access, both private network as well as
    internet.

    If I put in the following config it does not work:
    access-list 101 permit tcp 192.168.1.0 255.255.255.0 host 192.168.111.4 eq www
    access-list 101 deny ip any 192.168.1.0 255.255.255.0 192.168.111.0 255.255.255.0

    This just gives me an error when I try to enter it (syntax). I was able to
    put in an ACL that did block the whole 192.168.111.0 network, but the problem
    with this is that then I cannot access the gateway.


    Here is a basic outline of the networks in order
    T1
    PIX506 1 -Network 1 (Private) 63.xxx.xxx.x > 192.168.111.0/24
    PIX506 2 -Network 2 (Public) 192.168.111.30 > 192.168.1.0/24
    (Need to access webserver 192.168.111.3 but NOTHING else)


    Here is the current config:
    PIX Version 6.3(5)
    interface ethernet0 auto
    interface ethernet1 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    domain-name cpi.local.com
    names
    icmp permit any outside
    icmp permit any inside
    ip address outside 192.168.111.30 255.255.255.0
    ip address inside 192.168.1.1 255.255.255.0
    global (outside) 1 192.168.111.40
    nat (inside) 1 192.168.1.0 255.255.255.0 0 0
    static (inside,outside) 192.168.111.31 192.168.1.2 netmask 255.255.255.255 0 0
    static (inside,outside) 192.168.111.32 192.168.1.3 netmask 255.255.255.255 0 0
    static (inside,outside) 192.168.111.33 192.168.1.4 netmask 255.255.255.255 0 0
    static (inside,outside) 192.168.111.34 192.168.1.5 netmask 255.255.255.255 0 0
    static (inside,outside) 192.168.111.35 192.168.1.6 netmask 255.255.255.255 0 0
    route outside 0.0.0.0 0.0.0.0 PIX506 1
    dhcpd dns 209.150.200.10 64.65.128.6
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd domain cpi.local2.com
    dhcpd enable inside
    Sam, Jun 14, 2007
    #1

  2. ScottyC (Guest)

    On Jun 14, 1:49 am, Sam <> wrote:
    > I am adding an internal firewall to separate two networks, one public
    > and one private. What I need is people on the public network to access a
    > webserver while at the same time blocking all other traffic so nobody
    > can access the private domain. Generally the public will need internet
    > access (not a problem) but occasionally access internal webservers in
    > the primary network. I have been able to do one or the other, but not
    > both. Right now people can access both the WAN and private LAN. If I put
    > in restrictions I block all access, both private network as well as
    > internet.
    >
    > If I put in the following config it does not work:
    > access-list 101 permit tcp 192.168.1.0 255.255.255.0 host
    > 192.168.111.4 eq www
    > access-list 101 deny ip any 192.168.1.0 255.255.255.0
    > 192.168.111.0 255.255.255.0
    >
    > This just give me an error when I try to enter (syntax). I was able to
    > put in an ACL that did block all 192.168.111.0 network, but the problem
    > with this is then I can not access the gateway.
    >
    > Here is a basic outline of the networks in order
    > T1
    > PIX506 1 -Network 1 (Private) 63.xxx.xxx.x > 192.168.111.0/24
    > PIX506 2 -Network 2 (Public) 192.168.111.30 > 192.168.1.0/24
    > (Need to access webserver 192.168.111.3 but NOTHING else)
    >
    > Here is the current config:
    > PIX Version 6.3(5)
    > interface ethernet0 auto
    > interface ethernet1 auto
    > nameif ethernet0 outside security0
    > nameif ethernet1 inside security100
    > domain-name cpi.local.com
    > names
    > icmp permit any outside
    > icmp permit any inside
    > ip address outside 192.168.111.30 255.255.255.0
    > ip address inside 192.168.1.1 255.255.255.0
    > global (outside) 1 192.168.111.40
    > nat (inside) 1 192.168.1.0 255.255.255.0 0 0
    > static (inside,outside) 192.168.111.31 192.168.1.2 netmask
    > 255.255.255.255 0 0
    > static (inside,outside) 192.168.111.32 192.168.1.3 netmask
    > 255.255.255.255 0 0
    > static (inside,outside) 192.168.111.33 192.168.1.4 netmask
    > 255.255.255.255 0 0
    > static (inside,outside) 192.168.111.34 192.168.1.5 netmask
    > 255.255.255.255 0 0
    > static (inside,outside) 192.168.111.35 192.168.1.6 netmask
    > 255.255.255.255 0 0
    > route outside 0.0.0.0 0.0.0.0 PIX506 1
    > dhcpd dns 209.150.200.10 64.65.128.6
    > dhcpd lease 3600
    > dhcpd ping_timeout 750
    > dhcpd domain cpi.local2.com
    > dhcpd enable inside


    Hi Sam,

    I can see you're going to have issues here just by looking at the
    first ACE for your 101 ACL: your masks are back to front. Take a
    look at the following:
    http://www.cisco.com/en/US/products...oducts_tech_note09186a00800a5b9a.shtml#topic2

    Basically, a mask in an access list does not define a subnet in the
    same way a mask defines a subnet in IP configuration. Rather, a mask
    in an access list defines a host. In your access lists:

    > access-list 101 permit tcp 192.168.1.0 255.255.255.0 host
    > 192.168.111.4 eq www
    > access-list 101 deny ip any 192.168.1.0 255.255.255.0
    > 192.168.111.0 255.255.255.0


    Your masks of 255.255.255.0 should actually read 0.0.0.255. In
    effect, with your config, you are saying all hosts matching X.X.X.0 are
    permitted/denied. With the mask I've listed you would be saying all
    hosts matching 192.168.1.X are permitted/denied.

    Check out the link, revise your config and see how you go.

    Cheers
    Scotty C.
    ScottyC, Jun 14, 2007
    #2

  3. Scott Perry (Guest)

    This is incorrect:

    > Your masks of 255.255.255.0 should actually read 0.0.0.255. In
    > effect, with your config, you are saying all hosts matching X.X.X.0 are
    > permitted/denied. With the mask I've listed you would be saying all
    > hosts matching 192.168.1.X are permitted/denied.


    The documentation that was cited was helpful, but it is written for
    the Cisco IOS firewall, not the PIX. The PIX uses subnet masks instead of
    wildcard masks in its access-lists. No big deal - we all learn by some
    means or another. At least you didn't apply the access-list on the PIX with
    a wildcard mask in a production system like I once did. :)

    Please use this documentation for the PIX instead:
    http://www.cisco.com/en/US/docs/security/pix/pix63/command/reference/ab.html#wp1067755

    access-list inbound permit tcp 192.168.1.0 255.255.255.0 host 172.16.1.1 eq 80

    ===========
    Scott Perry
    ===========
    Indianapolis, Indiana
    ________________________________________
    Scott Perry, Jun 14, 2007
    #3
  4. maco
    Well Sam, you have a long road to go....

    PIX by default blocks all Inbound traffic and allows all Outbound traffic.
    In the philosophy of PIX:
    Inbound = lower security level to higher security level
    Outbound = higher security level to lower security level

    If you want to have Outbound access you do not need to do anything, until you want to reach a Public network (Internet) from a Private network (RFC 1918 networks).

    For the Private networks to work you need NAT.

    Example:
    Private network: 192.168.1.0/24
    Public network (your Public ip range): 64.62.64.0/24

    nat (inside) 1 192.168.1.0 255.255.255.0
    global (outside) 1 interface (if you want to make PAT on the IP of your outside interface)

    or

    for range
    global (outside) 1 64.62.64.1-64.62.64.254 netmask 255.255.255.0

    or

    for PAT
    global (outside) 1 64.62.64.253


    This simple setup allows your internal network to access the Internet.

    If you want to allow Inbound access to your web server you need this static and ACL.

    Example:
    web server Private IP: 192.168.1.11
    web server Public IP: 64.62.64.11

    access-list inbound permit tcp any host 64.62.64.11 eq www

    access-group inbound in interface outside (applies the access-list on interface!!!)

    static (inside,outside) 64.62.64.11 192.168.1.11 netmask 255.255.255.255


    nothing more, nothing less, simple and clear

    ---------

    What I see wrong on this:
    access-list 101 permit tcp 192.168.1.0 255.255.255.0 host 192.168.111.4 eq www
    access-list 101 deny ip any 192.168.1.0 255.255.255.0 192.168.111.0 255.255.255.0

    What did you want to do with that ACL?
    Last edited: Jun 14, 2007
    maco, Jun 14, 2007
    #4
  5. ScottyC (Guest)

    On 14 Jun, 14:06, "Scott Perry" <scottperry@aciscocompany> wrote:
    > This is incorrect:
    >
    > > Your masks of 255.255.255.0 should actually read 0.0.0.255. In
    > > effect, with your config, you are saying all hosts matching X.X.X.0 are
    > > permitted/denied. With the mask I've listed you would be saying all
    > > hosts matching 192.168.1.X are permitted/denied.

    >
    > The documentation that was cited was helpful, but it is written for
    > the Cisco IOS firewall, not the PIX. The PIX uses subnet masks instead of
    > wildcard masks in its access-lists. No big deal - we all learn by some
    > means or another. At least you didn't apply the access-list on the PIX with
    > a wildcard mask in a production system like I once did. :)
    >
    > Please use this documentation for the PIX instead:http://www.cisco.com/en/US/docs/security/pix/pix63/command/reference/...
    >
    > access-list inbound permit tcp 192.168.1.0 255.255.255.0 host 172.16.1.1 eq
    > 80
    >
    > ===========
    > Scott Perry
    > ===========
    > Indianapolis, Indiana
    > ________________________________________


    Well there you go. I've learnt something new for the day.

    Sam, I hope I didn't cause you to waste any time on your issue!
    Apologies if I did.

    Thanks Perry.
    ScottyC, Jun 15, 2007
    #5
  6. Sam (Guest)

    ScottyC wrote:
    > On 14 Jun, 14:06, "Scott Perry" <scottperry@aciscocompany> wrote:
    >> This is incorrect:
    >>
    >>> Your masks of 255.255.255.0 should actually read 0.0.0.255. In
    >>> effect, with your config, you are saying all hosts matching X.X.X.0 are
    >>> permitted/denied. With the mask I've listed you would be saying all
    >>> hosts matching 192.168.1.X are permitted/denied.

    >> The documentation that was cited was helpful, but it is written for
    >> the Cisco IOS firewall, not the PIX. The PIX uses subnet masks instead of
    >> wildcard masks in its access-lists. No big deal - we all learn by some
    >> means or another. At least you didn't apply the access-list on the PIX with
    >> a wildcard mask in a production system like I once did. :)
    >>
    >> Please use this documentation for the PIX instead:http://www.cisco.com/en/US/docs/security/pix/pix63/command/reference/...
    >>
    >> access-list inbound permit tcp 192.168.1.0 255.255.255.0 host 172.16.1.1 eq
    >> 80
    >>
    >> ===========
    >> Scott Perry
    >> ===========
    >> Indianapolis, Indiana
    >> ________________________________________

    >
    > Well there you go. I've learnt something new for the day.
    >
    > Sam, I hope I didn't cause you to waste any time on your issue!
    > Apologies if I did.
    >
    > Thanks Perry.
    >

    Here is my problem, if I deny the 192.168.2.0 network, then I will not
    be able to access this PIX's gateway (192.168.2.1). So how do I ACL for
    the inside to access the 192.168.2.1 gateway, while denying access to
    all other IPs on this network. I have been to date given tons of example
    ACLs, and either I get zero access, or it is fully open. Meaning I can
    not access the 2.0 network, but also can not access the internet, or I
    can access the internet, while also able to access the LAN. It seems to
    be either/or.

    names
    name 192.168.2.1 EFW
    access-list 101 permit tcp 192.168.3.0 255.255.255.0 host EFW
    access-list 101 deny tcp 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0

    This is what I have now, and at least I can access the internet, but I
    can also access servers on the primary network, which is what I am
    trying to shut off.

    Now I am getting a bit confused on the netmasks, but I do not believe
    this could be what is holding me back could it?

    T1
    PIX506 (1) (63.xx.xx.xxx - 192.168.2.1) Primary business LAN
    PIX506 (2) (192.168.2.30 - 192.168.3.1) Wireless Network

    Now what bothers me is that with no ACL, I can access the internet, as
    well as the internal 2.0 network. I have tried several different
    variations of denying wireless clients access to the 2.0 network, and
    nothing works.

    Am I incorrect to assume that the PIX can do what I want it to?
    Sam, Jul 1, 2007
    #6
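The two technical points in this thread can be checked offline: Scott Perry's point in #3 that a PIX 6.3 access-list takes subnet masks (so Sam's 255.255.255.0 already means 192.168.1.X, and an IOS-style reading of the same mask would mean X.X.X.0), and the first-match, implicit-deny evaluation that leaves Sam's two-line list in #6 with no entry permitting internet-bound traffic at all. The Python below is an added model written for this page, not Cisco code and not anything posted in the thread. It assumes the name EFW resolves to 192.168.2.1 as in Sam's names entry, that the list is applied to traffic arriving on the inside interface with an access-group line of the kind maco's post shows, and uses 198.51.100.7 (a documentation address) as a stand-in for an internet host; the "tight" list and the sample flows are constructed here.

```python
"""Constructed model of how a PIX 6.3 access-list is matched; not Cisco code."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ssh": 22, "smtp": 25}


def _ip(a: str) -> int:
    return int(ipaddress.IPv4Address(a))


def matches_subnet(addr: str, net: str, mask: str) -> bool:
    """PIX semantics: the mask is a subnet mask, so its set bits must match."""
    return (_ip(addr) & _ip(mask)) == (_ip(net) & _ip(mask))


def matches_wildcard(addr: str, net: str, wild: str) -> bool:
    """IOS semantics: the mask is a wildcard mask, so its clear bits must match."""
    care = ~_ip(wild) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(net) & care)


@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp", "udp", "icmp"
    src: Tuple[str, str]         # (network, subnet mask)
    dst: Tuple[str, str]
    dport: Optional[int] = None  # destination port from "eq", if any


def _endpoint(t: List[str], i: int) -> Tuple[Tuple[str, str], int]:
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D M.M.M.M' starting at t[i]."""
    if i >= len(t):
        raise ValueError("missing address")
    if t[i] == "any":
        return ("0.0.0.0", "0.0.0.0"), i + 1
    if i + 1 >= len(t):
        raise ValueError("address without mask: " + t[i])
    if t[i] == "host":
        return (t[i + 1], "255.255.255.255"), i + 2
    return (t[i], t[i + 1]), i + 2


def parse_ace(line: str) -> Tuple[str, Ace]:
    """Parse 'access-list NAME permit|deny PROTO SRC DST [eq PORT]'."""
    t = line.split()
    if len(t) < 4 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError("bad access-list line: " + line)
    name, action, proto = t[1], t[2], t[3]
    src, i = _endpoint(t, 4)
    dst, i = _endpoint(t, i)
    dport = None
    if i < len(t):                        # only "eq PORT" may follow the two endpoints
        if t[i] != "eq" or i + 2 != len(t):
            raise ValueError("unexpected tokens: " + " ".join(t[i:]))
        dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
    for v in (*src, *dst):
        ipaddress.IPv4Address(v)          # anything that is not a dotted quad is rejected
    return name, Ace(action, proto, src, dst, dport)


def is_valid_ace(line: str) -> bool:
    try:
        parse_ace(line)
        return True
    except ValueError:
        return False


def load_acl(lines: List[str], name: str) -> List[Ace]:
    return [ace for n, ace in map(parse_ace, lines) if n == name]


def evaluate(aces: List[Ace], proto: str, src: str, dst: str, dport: Optional[int] = None) -> str:
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for ace in aces:
        if ace.proto not in ("ip", proto):
            continue
        if not (matches_subnet(src, *ace.src) and matches_subnet(dst, *ace.dst)):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"


# Sam's list from post #6, with the name EFW expanded to 192.168.2.1.
SAM_ACL = load_acl([
    "access-list 101 permit tcp 192.168.3.0 255.255.255.0 host 192.168.2.1",
    "access-list 101 deny tcp 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0",
], "101")

# Constructed tighter list: deny every protocol to the 2.0 LAN, then permit the
# rest explicitly so internet-bound traffic does not fall into the implicit deny.
TIGHT_ACL = load_acl([
    "access-list 101 permit tcp 192.168.3.0 255.255.255.0 host 192.168.2.1",
    "access-list 101 deny ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0",
    "access-list 101 permit ip 192.168.3.0 255.255.255.0 any",
], "101")

# Constructed flows from one wireless client; 198.51.100.7 stands in for an internet host.
FLOWS = [("tcp", "192.168.3.10", "192.168.2.1", 443),
         ("tcp", "192.168.3.10", "192.168.2.50", 445),
         ("udp", "192.168.3.10", "192.168.2.50", 53),
         ("tcp", "192.168.3.10", "198.51.100.7", 80)]


def verdicts(aces: List[Ace]) -> List[str]:
    return [evaluate(aces, *flow) for flow in FLOWS]
```

Run against the four flows, Sam's list yields permit, deny, deny, deny: the gateway is reachable, the rest of the 2.0 LAN is blocked, but UDP to the LAN and everything bound for the internet fall through to the implicit deny, which is the "either/or" he describes once the list is actually applied. The tighter list yields permit, deny, deny, permit, because the deny covers all IP rather than just TCP and a final explicit permit carries the remaining traffic. The parser also rejects the second line of Sam's original ACL from post #1, which carries three address pairs where the syntax allows a source and a destination.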