PIX 515 - inside to outside needs access rules. Why?

Discussion in 'Cisco' started by Bill Adams, Sep 23, 2004.

  1. Bill Adams

    Bill Adams Guest

    On my PIX 515, I need an access rule to telnet/ftp/ssh from a device
    inside the PIX (security level 100) to a device outside (sec level 0).
    On my PIX 501, I don't need any rule going that direction.

    What did I do to my 515 that requires rules going from high security
    to low?



    Thanks in advance.

    Bill
     
    Bill Adams, Sep 23, 2004
    #1
  2. :On my PIX 515, I need an access rule to telnet/ftp/ssh from a device
    :inside the PIX (security level 100) to a device outside (sec level 0).
    :On my PIX 501, I don't need any rule going that direction.

    :What did I do to my 515 that requires rules going from high security
    :to low?

    Hard to say, but we should ask whether you are running identical
    PIX OS versions on the two devices. Have you, for example, upgraded
    the 515 to 6.3(4) while the 501 is at 6.3(3)?

    We'd need to see more of your 515 config to form better hypotheses.
     
    Walter Roberson, Sep 23, 2004
    #2
  3. Bill Adams

    Bill Adams Guest

    Thanks Walter,

    They're both at version 6.3(3). The PIX 515 (config shown below) was
    largely set up using PIX PDM version 3. The 501 is minimally
    configured at the command line with a little natting and no specific
    access lists.



    : Saved
    :
    PIX Version 6.3(3)
    interface ethernet0 auto
    interface ethernet1 auto
    interface ethernet2 auto
    interface ethernet3 auto shutdown
    interface ethernet4 auto shutdown
    interface ethernet5 auto shutdown
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 HIMS security4
    nameif ethernet3 intf3 security6
    nameif ethernet4 intf4 security8
    nameif ethernet5 intf5 security10
    enable password Jkj072wFZUs6JW6w encrypted
    passwd Jkj072wFZUs6JW6w encrypted
    hostname PIX3
    domain-name mydomain.com
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    name 10.1.7.2 domino7
    name 172.17.102.22 f1n3a
    name 10.1.7.3 ciweb
    name 10.1.7.8 bod
    name 10.1.7.6 caregiver
    name 172.17.102.102 f1n4a
    name 172.17.101.101 is0w04
    name 172.17.58.89 is2w89
    name 172.17.58.58 cdh6000c
    name 172.17.1.0 net_adm
    name 172.17.74.15 is1w09
    name 172.17.58.175 is2w07
    name 172.17.192.63 is5w47
    name 172.17.100.3 cdh6000k
    name 172.17.102.60 is0w01
    name 172.17.100.50 cdh6000n
    name 172.17.0.0 net_172.17
    name 192.168.0.0 ISDN
    name 172.17.102.44 as08sql
    name 172.17.100.1 cdh6000e
    name 172.17.101.1 cdh6000d
    name 172.17.100.151 domino3
    name 172.17.100.102 as400
    name 172.17.196.11 ChartOne
    name 172.17.101.45 cdh6000o
    name 172.17.100.225 cdh6000i
    name 172.17.100.32 cdh6000a
    object-group service ftp tcp
    description port 21 & 20
    port-object eq ftp-data
    port-object eq ftp
    object-group service tsm tcp
    description Ports to backup and restore using TSM
    port-object range 1500 1503
    object-group service domino_replication tcp
    port-object eq lotusnotes
    access-list inside_outbound_nat0_acl permit ip any 10.1.7.0 255.255.255.0
    access-list outside_inbound_nat0_acl permit ip 10.1.7.0 255.255.255.0 any
    access-list inside_access_in remark Ebiz teams PC - caregiver ~~ ftp
    access-list inside_access_in permit tcp host is5w47 gt 1023 host caregiver object-group ftp log
    access-list inside_access_in permit tcp host is0w01 gt 1023 host ciweb object-group ftp log
    access-list inside_access_in permit tcp host is0w01 gt 1023 host caregiver object-group ftp log
    access-list inside_access_in permit tcp host cdh6000n gt 1023 host ciweb object-group domino_replication
    access-list inside_access_in permit tcp host domino3 gt 1023 host ciweb object-group domino_replication
    access-list inside_access_in permit tcp net_172.17 255.255.0.0 gt 1023 host bod eq www log
    access-list inside_access_in permit tcp net_172.17 255.255.0.0 gt 1023 host ciweb eq www log
    access-list inside_access_in permit tcp net_172.17 255.255.0.0 gt 1023 host caregiver eq www log
    access-list inside_access_in permit tcp net_172.17 255.255.0.0 gt 1023 host bod eq https log
    access-list inside_access_in permit tcp net_172.17 255.255.0.0 gt 1023 host caregiver eq https log
    access-list inside_access_in permit tcp net_172.17 255.255.0.0 gt 1023 host ciweb eq https log
    access-list inside_access_in permit tcp net_172.17 255.255.0.0 host ciweb eq ssh log
    access-list inside_access_in permit tcp ISDN 255.255.0.0 host ciweb eq ssh log
    access-list inside_access_in permit tcp ISDN 255.255.0.0 gt 1023 host bod eq www log
    access-list inside_access_in permit tcp ISDN 255.255.0.0 gt 1023 host caregiver eq www log
    access-list inside_access_in permit tcp ISDN 255.255.0.0 gt 1023 host ciweb eq www log
    access-list inside_access_in permit tcp ISDN 255.255.0.0 gt 1023 host bod eq https log
    access-list inside_access_in permit tcp ISDN 255.255.0.0 gt 1023 host caregiver eq https log
    access-list inside_access_in permit tcp ISDN 255.255.0.0 gt 1023 host ciweb eq https log
    access-list inside_access_in permit tcp host as400 gt 1023 host ChartOne object-group ftp
    access-list inside_access_in permit ip host cdh6000o host ciweb
    access-list inside_access_in permit tcp host cdh6000i host ciweb
    access-list outside_access_in permit tcp host ciweb gt 1023 host cdh6000n eq lotusnotes log
    access-list outside_access_in permit tcp host ciweb gt 1023 host domino3 eq lotusnotes log
    access-list outside_access_in permit tcp host ciweb gt 1023 host cdh6000k object-group tsm
    access-list outside_access_in permit udp host ciweb gt 1023 host cdh6000e eq domain log
    access-list outside_access_in permit udp host ciweb gt 1023 host cdh6000d eq domain log
    access-list outside_access_in permit tcp host ciweb host as08sql log
    access-list outside_access_in permit ip host ciweb host cdh6000o
    access-list outside_access_in permit tcp host ciweb host cdh6000i log
    access-list outside_access_in permit tcp host ciweb host cdh6000a
    access-list HIMS_access_in deny ip 172.17.196.0 255.255.255.0 10.1.7.0 255.255.255.0
    pager lines 24
    logging on
    logging timestamp
    logging trap informational
    logging facility 23
    logging host inside cdh6000c
    mtu outside 1500
    mtu inside 1500
    mtu HIMS 1500
    mtu intf3 1500
    mtu intf4 1500
    mtu intf5 1500
    ip address outside 10.1.7.10 255.255.255.0
    ip address inside 172.17.102.23 255.255.255.0
    ip address HIMS 172.17.196.254 255.255.255.0
    no ip address intf3
    no ip address intf4
    no ip address intf5
    ip audit info action alarm
    ip audit attack action alarm
    no failover
    failover timeout 0:00:00
    failover poll 15
    no failover ip address outside
    no failover ip address inside
    no failover ip address HIMS
    no failover ip address intf3
    no failover ip address intf4
    no failover ip address intf5
    pdm location is2w89 255.255.255.255 inside
    pdm location is1w09 255.255.255.255 inside
    pdm location net_172.17 255.255.0.0 inside
    pdm location net_adm 255.255.255.0 inside
    pdm location is2w07 255.255.255.255 inside
    pdm location is0w04 255.255.255.255 inside
    pdm location 192.168.27.0 255.255.255.0 inside
    pdm location domino7 255.255.255.255 outside
    pdm location f1n3a 255.255.255.255 inside
    pdm location cdh6000c 255.255.255.255 inside
    pdm location ciweb 255.255.255.255 outside
    pdm location caregiver 255.255.255.255 outside
    pdm location bod 255.255.255.255 outside
    pdm location f1n4a 255.255.255.255 inside
    pdm location is5w47 255.255.255.255 inside
    pdm location cdh6000k 255.255.255.255 inside
    pdm location is0w01 255.255.255.255 inside
    pdm location cdh6000n 255.255.255.255 inside
    pdm location ISDN 255.255.0.0 inside
    pdm location as08sql 255.255.255.255 inside
    pdm location cdh6000e 255.255.255.255 inside
    pdm location cdh6000d 255.255.255.255 inside
    pdm location domino3 255.255.255.255 inside
    pdm location as400 255.255.255.255 inside
    pdm location ChartOne 255.255.255.255 HIMS
    pdm location cdh6000o 255.255.255.255 inside
    pdm location cdh6000i 255.255.255.255 inside
    pdm location cdh6000a 255.255.255.255 inside
    pdm history enable
    arp timeout 14400
    nat (outside) 0 access-list outside_inbound_nat0_acl outside
    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 0 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) f1n3a f1n3a netmask 255.255.255.255 0 0
    static (inside,outside) f1n4a f1n4a netmask 255.255.255.255 0 0
    static (inside,outside) is5w47 is5w47 netmask 255.255.255.255 0 0
    static (inside,outside) cdh6000k cdh6000k netmask 255.255.255.255 0 0
    static (inside,outside) is0w01 is0w01 netmask 255.255.255.255 0 0
    static (inside,outside) cdh6000n cdh6000n netmask 255.255.255.255 0 0
    static (inside,outside) ISDN ISDN netmask 255.255.0.0 0 0
    static (inside,outside) as08sql as08sql netmask 255.255.255.255 0 0
    static (inside,outside) cdh6000e cdh6000e netmask 255.255.255.255 0 0
    static (inside,outside) cdh6000d cdh6000d netmask 255.255.255.255 0 0
    static (inside,outside) domino3 domino3 netmask 255.255.255.255 0 0
    static (inside,HIMS) as400 as400 netmask 255.255.255.255 0 0
    static (inside,outside) as400 as400 netmask 255.255.255.255 0 0
    static (HIMS,outside) ChartOne ChartOne netmask 255.255.255.255 0 0
    static (inside,HIMS) cdh6000o cdh6000o netmask 255.255.255.255 0 0
    static (inside,outside) cdh6000o cdh6000o netmask 255.255.255.255 0 0
    static (inside,outside) cdh6000i cdh6000i netmask 255.255.255.255 0 0
    static (inside,outside) cdh6000a cdh6000a netmask 255.255.255.255 0 0
    access-group outside_access_in in interface outside
    access-group inside_access_in in interface inside
    access-group HIMS_access_in in interface HIMS
    route inside net_172.17 255.255.0.0 172.17.102.254 1
    route inside ISDN 255.255.0.0 172.17.102.254 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    http server enable
    http is2w89 255.255.255.255 inside
    http is1w09 255.255.255.255 inside
    http is2w07 255.255.255.255 inside
    http is0w04 255.255.255.255 inside
    http 192.168.27.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    telnet net_adm 255.255.255.0 inside
    telnet is1w09 255.255.255.255 inside
    telnet is2w07 255.255.255.255 inside
    telnet timeout 5
    ssh is2w07 255.255.255.255 inside
    ssh cdh6000a 255.255.255.255 inside
    ssh timeout 5
    console timeout 0
    terminal width 80
    Cryptochecksum:0e5c68882ca29b838e1c918bb6c5850f
    : end
     
    Bill Adams, Sep 24, 2004
    #3
  4. Bill Adams

    admin too Guest

    It is my understanding that the security levels only apply until you add a rule.
    Perhaps that is oversimplifying. I know that when I use PDM and delete all the
    rules for source Inside, you'll see a default rule appear allowing all
    traffic to the lower security levels. But as soon as you add one rule, that
    default rule goes away and a default-deny-all is turned on.
     
    admin too, Sep 24, 2004
    #4
  5. You have added an ACL on the inside interface.
    This means that ALL traffic that you need passed must have a match in that
    ACL.

    HTH
    Martin Bilgrav
     
    Martin Bilgrav, Sep 25, 2004
    #5
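    As an added illustration of the behaviour admin too and Martin describe (this is not code from the thread or from Cisco): a small Python model of how a PIX 6.x decides a new outbound connection. With nothing bound to the inside interface the security levels decide, so 100 -> 0 is allowed; once an access-group is bound, only an explicit permit passes and everything else hits the implicit deny at the end of the list. The config string is a constructed excerpt of the posted 515 config; `Pix`, `demo` and the `PORTS` table are my own names.

```python
import ipaddress
PORTS = {"www": 80, "https": 443, "ssh": 22, "telnet": 23, "ftp": 21, "lotusnotes": 1352}
CONFIG = """
: constructed excerpt of the posted 515 config, reduced to what this demo needs
nameif ethernet0 outside security0
nameif ethernet1 inside security100
name 10.1.7.3 ciweb
name 172.17.102.60 is0w01
name 172.17.0.0 net_172.17
access-list inside_access_in permit tcp host is0w01 gt 1023 host ciweb eq ftp log
access-list inside_access_in permit tcp net_172.17 255.255.0.0 gt 1023 host ciweb eq www log
access-group inside_access_in in interface inside
"""
class Pix:
    def __init__(self, config):
        self.names, self.level, self.acl, self.bound = {}, {}, {}, {}
        for t in filter(None, map(str.split, config.splitlines())):
            if t[0] == "nameif":                      # nameif ethernet1 inside security100
                self.level[t[2]] = int(t[3][len("security"):])
            elif t[0] == "name":                      # name 10.1.7.3 ciweb
                self.names[t[2]] = t[1]
            elif t[0] == "access-list" and t[2] in ("permit", "deny"):
                self.acl.setdefault(t[1], []).append(self.rule(t[2:]))
            elif t[0] == "access-group":              # access-group NAME in interface inside
                self.bound[t[4]] = t[1]
    def addr(self, t):  # consume "host NAME" or "NET MASK"; return (rest, network)
        if t[0] == "host":
            return t[2:], ipaddress.ip_network(self.names.get(t[1], t[1]))
        return t[2:], ipaddress.ip_network(f"{self.names.get(t[0], t[0])}/{t[1]}", strict=False)
    def rule(self, t):  # parse "permit tcp SRC [gt N] DST [eq PORT] [log]"
        action, proto, rest = t[0], t[1], t[2:]
        rest, src = self.addr(rest)
        rest = rest[2:] if rest[:1] == ["gt"] else rest   # drop the "gt 1023" source-port qualifier
        rest, dst = self.addr(rest)
        port = (PORTS.get(rest[1]) or int(rest[1])) if rest[:1] == ["eq"] else None  # None = any
        return action, proto, src, dst, port
    def allows(self, in_if, out_if, proto, src, dst, dport):  # new connection in_if -> out_if
        s, d = (ipaddress.ip_address(self.names.get(h, h)) for h in (src, dst))
        if in_if not in self.bound:                   # no ACL bound: security levels decide
            return self.level[in_if] > self.level[out_if]
        for action, p, sn, dn, port in self.acl[self.bound[in_if]]:
            if p in (proto, "ip") and s in sn and d in dn and port in (None, dport):
                return action == "permit"
        return False                                  # implicit deny at the end of a bound ACL

def demo():
    pix515 = Pix(CONFIG)                                            # 515: inside_access_in bound
    pix501 = Pix(CONFIG.replace("access-group", "! access-group"))  # 501: nothing bound on inside
    flow = ("inside", "outside", "tcp", "is0w01", "ciweb")
    return pix515.allows(*flow, 23), pix515.allows(*flow, 21), pix501.allows(*flow, 23)
```

    `demo()` returns (False, True, True): telnet from is0w01 to ciweb is dropped on the 515 because no line of inside_access_in matches it, ftp passes because one does, and the same telnet passes on the 501 purely on security level.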