Pix 515 VLAN NAT0 issues

I am having problems with my PIX: it goes offline for a short period, plus I get bad FTP performance with it. I have 6 interfaces outside, and 5 VLAN interfaces on the inside; I have all the NATs built. Not sure if there is something I am doing incorrectly. I have 4 more PIXes and am probably going to upgrade to 7.0, but will have to relearn the PIX with the new commands.

Any help would be greatly appreciated

My firewall config is as follows:

dimepix1> en
Password: ******
dimepix1# show run
: Saved
:
PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet1 vlan35 physical
interface ethernet1 vlan20 logical
interface ethernet1 vlan21 logical
interface ethernet1 vlan22 logical
interface ethernet1 vlan23 logical
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif vlan20 priv security96
nameif vlan21 reggie security99
nameif vlan22 net3 security98
nameif vlan23 net4 security97
hostname dimepix1
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit ip 72.29.91.64 255.255.255.240 any
access-list 101 permit ip 72.29.91.80 255.255.255.240 any
access-list 101 permit ip 72.29.91.96 255.255.255.240 any
access-list 101 permit ip 72.29.91.112 255.255.255.248 any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 72.29.91.125 255.255.255.248
no ip address inside
ip address priv 72.29.91.65 255.255.255.240
ip address reggie 72.29.91.81 255.255.255.240
ip address net3 72.29.91.97 255.255.255.240
ip address net4 72.29.91.113 255.255.255.248
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address priv
no failover ip address reggie
no failover ip address net3
no failover ip address net4
pdm history enable
arp timeout 14400
nat (inside) 0 72.29.91.64 255.255.255.240 0 0
nat (reggie) 0 72.29.91.80 255.255.255.240 0 0
nat (net3) 0 72.29.91.96 255.255.255.240 0 0
nat (net4) 0 72.29.91.112 255.255.255.248 0 0
static (reggie,outside) 72.29.91.84 72.29.91.84 netmask 255.255.255.255 0 0
static (reggie,outside) 72.29.91.83 72.29.91.83 netmask 255.255.255.255 0 0
static (reggie,outside) 72.29.91.82 72.29.91.82 netmask 255.255.255.255 0 0
static (reggie,outside) 72.29.91.85 72.29.91.85 netmask 255.255.255.255 0 0
static (reggie,outside) 72.29.91.86 72.29.91.86 netmask 255.255.255.255 0 0
static (reggie,outside) 72.29.91.87 72.29.91.87 netmask 255.255.255.255 0 0
static (reggie,outside) 72.29.91.88 72.29.91.88 netmask 255.255.255.255 0 0
static (reggie,outside) 72.29.91.89 72.29.91.89 netmask 255.255.255.255 0 0
static (reggie,outside) 72.29.91.94 72.29.91.94 netmask 255.255.255.255 0 0
static (net3,outside) 72.29.91.98 72.29.91.98 netmask 255.255.255.255 0 0
static (net3,outside) 72.29.91.99 72.29.91.99 netmask 255.255.255.255 0 0
static (net3,outside) 72.29.91.100 72.29.91.100 netmask 255.255.255.255 0 0
static (net3,outside) 72.29.91.101 72.29.91.101 netmask 255.255.255.255 0 0
static (net3,outside) 72.29.91.102 72.29.91.102 netmask 255.255.255.255 0 0
static (net3,outside) 72.29.91.103 72.29.91.103 netmask 255.255.255.255 0 0
static (net3,outside) 72.29.91.104 72.29.91.104 netmask 255.255.255.255 0 0
static (net3,outside) 72.29.91.105 72.29.91.105 netmask 255.255.255.255 0 0
static (net3,outside) 72.29.91.106 72.29.91.106 netmask 255.255.255.255 0 0
static (net3,outside) 72.29.91.107 72.29.91.107 netmask 255.255.255.255 0 0
static (net3,outside) 72.29.91.108 72.29.91.108 netmask 255.255.255.255 0 0
static (net3,outside) 72.29.91.109 72.29.91.109 netmask 255.255.255.255 0 0
static (net3,outside) 72.29.91.110 72.29.91.110 netmask 255.255.255.255 0 0
static (priv,outside) 72.29.91.66 72.29.91.66 netmask 255.255.255.255 0 0
static (priv,outside) 72.29.91.67 72.29.91.67 netmask 255.255.255.255 0 0
static (priv,outside) 72.29.91.68 72.29.91.68 netmask 255.255.255.255 0 0
static (priv,outside) 72.29.91.69 72.29.91.69 netmask 255.255.255.255 0 0
static (priv,outside) 72.29.91.70 72.29.91.70 netmask 255.255.255.255 0 0
static (priv,outside) 72.29.91.71 72.29.91.71 netmask 255.255.255.255 0 0
static (priv,outside) 72.29.91.72 72.29.91.72 netmask 255.255.255.255 0 0
static (priv,outside) 72.29.91.73 72.29.91.73 netmask 255.255.255.255 0 0
static (priv,outside) 72.29.91.74 72.29.91.74 netmask 255.255.255.255 0 0
static (priv,outside) 72.29.91.75 72.29.91.75 netmask 255.255.255.255 0 0
static (priv,outside) 72.29.91.76 72.29.91.76 netmask 255.255.255.255 0 0
static (priv,outside) 72.29.91.77 72.29.91.77 netmask 255.255.255.255 0 0
static (priv,outside) 72.29.91.78 72.29.91.78 netmask 255.255.255.255 0 0
static (priv,net3) 72.29.91.66 72.29.91.66 netmask 255.255.255.255 0 0
static (net3,priv) 72.29.91.99 72.29.91.99 netmask 255.255.255.255 0 0
static (net3,priv) 72.29.91.98 72.29.91.98 netmask 255.255.255.255 0 0
static (net3,priv) 72.29.91.107 72.29.91.107 netmask 255.255.255.255 0 0
static (priv,reggie) 72.29.91.66 72.29.91.66 netmask 255.255.255.255 0 0
static (reggie,priv) 72.29.91.82 72.29.91.82 netmask 255.255.255.255 0 0
static (reggie,priv) 72.29.91.83 72.29.91.83 netmask 255.255.255.255 0 0
static (reggie,priv) 72.29.91.84 72.29.91.84 netmask 255.255.255.255 0 0
static (reggie,priv) 72.29.91.85 72.29.91.85 netmask 255.255.255.255 0 0
static (reggie,priv) 72.29.91.86 72.29.91.86 netmask 255.255.255.255 0 0
static (reggie,net3) 72.29.91.83 72.29.91.83 netmask 255.255.255.255 0 0
static (net4,outside) 72.29.91.114 72.29.91.114 netmask 255.255.255.255 0 0
static (net4,outside) 72.29.91.115 72.29.91.115 netmask 255.255.255.255 0 0
static (net4,outside) 72.29.91.116 72.29.91.116 netmask 255.255.255.255 0 0
static (net4,outside) 72.29.91.117 72.29.91.117 netmask 255.255.255.255 0 0
static (net4,outside) 72.29.91.118 72.29.91.118 netmask 255.255.255.255 0 0
static (net4,priv) 72.29.91.114 72.29.91.114 netmask 255.255.255.255 0 0
static (net4,reggie) 72.29.91.114 72.29.91.114 netmask 255.255.255.255 0 0
static (net4,net3) 72.29.91.114 72.29.91.114 netmask 255.255.255.255 0 0
static (net3,reggie) 72.29.91.99 72.29.91.99 netmask 255.255.255.255 0 0
static (net3,net4) 72.29.91.99 72.29.91.99 netmask 255.255.255.255 0 0
static (net3,reggie) 72.29.91.98 72.29.91.98 netmask 255.255.255.255 0 0
static (net3,net4) 72.29.91.98 72.29.91.98 netmask 255.255.255.255 0 0
conduit permit icmp any any
conduit permit tcp host 72.29.91.84 eq www any
conduit permit tcp host 72.29.91.84 eq https any
conduit permit tcp host 72.29.91.84 eq 3389 any
conduit permit tcp host 72.29.91.84 eq ftp any
conduit permit tcp host 72.29.91.82 eq domain any
conduit permit udp host 72.29.91.82 eq domain any
conduit permit tcp host 72.29.91.82 eq ftp any
conduit permit tcp host 72.29.91.82 eq www any
conduit permit tcp host 72.29.91.82 eq https any
conduit permit tcp host 72.29.91.82 eq 3389 any
conduit permit tcp host 72.29.91.83 eq domain any
conduit permit udp host 72.29.91.83 eq domain any
conduit permit tcp host 72.29.91.83 eq pop3 any
conduit permit tcp host 72.29.91.83 eq 3389 any
conduit permit tcp host 72.29.91.83 eq ftp any
conduit permit tcp host 72.29.91.83 eq smtp any
conduit permit tcp host 72.29.91.85 eq www any
conduit permit tcp host 72.29.91.85 eq ftp any
conduit permit tcp host 72.29.91.85 eq https any
conduit permit tcp host 72.29.91.85 eq 3389 any
conduit permit tcp host 72.29.91.85 eq 7099 any
conduit permit tcp host 72.29.91.83 eq www any
conduit permit tcp host 72.29.91.83 eq imap4 any
conduit permit tcp host 72.29.91.86 eq www any
conduit permit tcp host 72.29.91.86 eq https any
conduit permit tcp host 72.29.91.87 eq https any
conduit permit tcp host 72.29.91.87 eq www any
conduit permit tcp host 72.29.91.88 eq www any
conduit permit tcp host 72.29.91.88 eq https any
conduit permit tcp host 72.29.91.89 eq https any
conduit permit tcp host 72.29.91.89 eq www any
conduit permit tcp host 72.29.91.66 eq https any
conduit permit tcp host 72.29.91.66 eq www any
conduit permit tcp host 72.29.91.66 eq pop3 any
conduit permit tcp host 72.29.91.66 eq imap4 any
conduit permit tcp host 72.29.91.66 eq 3389 any
conduit permit tcp host 72.29.91.66 eq smtp any
conduit permit tcp host 72.29.91.66 eq 81 any
conduit permit tcp host 72.29.91.67 eq www any
conduit permit tcp host 72.29.91.67 eq https any
conduit permit tcp host 72.29.91.68 eq https any
conduit permit tcp host 72.29.91.68 eq www any
conduit permit tcp host 72.29.91.69 eq www any
conduit permit tcp host 72.29.91.69 eq https any
conduit permit tcp host 72.29.91.69 eq 3389 any
conduit permit tcp host 72.29.91.69 eq ftp any
conduit permit tcp host 72.29.91.66 eq ftp any
conduit permit tcp host 72.29.91.70 eq ftp any
conduit permit tcp host 72.29.91.70 eq www any
conduit permit tcp host 72.29.91.70 eq https any
conduit permit tcp host 72.29.91.71 eq www any
conduit permit tcp host 72.29.91.73 eq www any
conduit permit tcp host 72.29.91.73 eq domain any
conduit permit udp host 72.29.91.73 eq domain any
conduit permit tcp host 72.29.91.73 eq https any
conduit permit tcp host 72.29.91.76 eq domain any
conduit permit udp host 72.29.91.76 eq domain any
conduit permit tcp host 72.29.91.76 eq smtp any
conduit permit tcp host 72.29.91.77 eq www any
conduit permit tcp host 72.29.91.77 eq https any
conduit permit tcp host 72.29.91.78 eq www any
conduit permit tcp host 72.29.91.78 eq https any
conduit permit tcp host 72.29.91.98 eq domain any
conduit permit udp host 72.29.91.98 eq domain any
conduit permit tcp host 72.29.91.98 eq www any
conduit permit tcp host 72.29.91.99 eq domain any
conduit permit udp host 72.29.91.99 eq domain any
conduit permit tcp host 72.29.91.99 eq www any
conduit permit tcp host 72.29.91.99 eq smtp any
conduit permit tcp host 72.29.91.99 eq imap4 any
conduit permit tcp host 72.29.91.99 eq pop3 any
conduit permit tcp host 72.29.91.107 eq www any
conduit permit tcp host 72.29.91.107 eq ftp any
conduit permit tcp host 72.29.91.107 eq 3389 any
conduit permit tcp host 72.29.91.108 eq 3389 any
conduit permit tcp host 72.29.91.108 eq ftp any
conduit permit tcp host 72.29.91.108 eq www any
conduit permit tcp host 72.29.91.109 eq www any
conduit permit tcp host 72.29.91.109 eq ftp any
conduit permit tcp host 72.29.91.109 eq 3389 any
conduit permit tcp host 72.29.91.74 eq www any
conduit permit tcp host 72.29.91.114 eq ssh any
conduit permit tcp host 72.29.91.114 eq smtp any
conduit permit tcp host 72.29.91.114 eq pop3 any
conduit permit tcp host 72.29.91.114 eq imap4 any
conduit permit tcp host 72.29.91.114 eq domain any
conduit permit udp host 72.29.91.114 eq domain any
conduit permit tcp host 72.29.91.114 eq www any
conduit permit tcp host 72.29.91.114 eq https any
conduit permit tcp host 72.29.91.114 eq ftp-data any
conduit permit tcp host 72.29.91.114 eq ftp any
conduit permit tcp host 72.29.91.114 eq 993 any
conduit permit tcp host 72.29.91.114 eq 995 any
conduit permit tcp host 72.29.91.115 eq ssh any
conduit permit tcp host 72.29.91.115 eq smtp any
conduit permit tcp host 72.29.91.115 eq pop3 any
conduit permit tcp host 72.29.91.115 eq imap4 any
conduit permit tcp host 72.29.91.115 eq domain any
conduit permit udp host 72.29.91.115 eq domain any
conduit permit tcp host 72.29.91.115 eq www any
conduit permit tcp host 72.29.91.115 eq https any
conduit permit tcp host 72.29.91.115 eq ftp-data any
conduit permit tcp host 72.29.91.115 eq ftp any
conduit permit tcp host 72.29.91.115 eq 993 any
conduit permit tcp host 72.29.91.115 eq 995 any
conduit permit tcp host 72.29.91.103 eq www any
conduit permit tcp host 72.29.91.104 eq www any
conduit permit tcp host 72.29.91.105 eq www any
conduit deny ip any any
outbound 1 permit 0.0.0.0 0.0.0.0 0 ip
apply (inside) 1 outgoing_src
apply (reggie) 1 outgoing_src
apply (net3) 1 outgoing_src
apply (net4) 1 outgoing_src
route outside 0.0.0.0 0.0.0.0 72.29.91.126 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:3d0e96df8a545fcb3aa924794e17f3a1
Reply to
tartar813

I am having problems with my PIX: it goes offline for a short period, plus I get bad FTP performance with it. I have 6 interfaces outside, and 5 VLAN interfaces on the inside; I have all the NATs built. Not sure if there is something I am doing incorrectly.

==========

Have you taken a look at the following?

formatting link
Set your logging to debug level and try your FTP, just to see if it tells you anything interesting.

Reply to
Kevin Widner

Would that also cause me to not be able to ping my outside interface and any IP addresses behind the firewall?

I have another server on the outside of the firewall, on the same switch; it never goes down.

Do you see any problems with my config? The statics going between the different interfaces?

Thanks

Reply to
tartar813

I do not see anything -obviously- wrong with your configuration; but see below.

You do not appear to be using that access-list.

As a matter of style, you may wish to replace most of the individual statics with an access list that specifies the hosts to be static'd, and then

nat (reggie) 0 access-list REGGIE_STATIC_ACL_NAME

or

static (reggie,outside) 72.29.91.80 access-list REGGIE_STATIC_ACL_NAME

The difference between the two is that the nat 0 access-list form does not do proxy ARP.

For the access-list REGGIE_STATIC_ACL_NAME instead of having a bunch of "permit ip host" entries, you could create an object-group of type network, list the hosts in there, and then have a single ACL line:

object-group network REGGIE_STATIC_HOSTS
 network-object host 72.29.91.82
 network-object host 72.29.91.85
access-list REGGIE_STATIC_ACL_NAME permit ip object-group REGGIE_STATIC_HOSTS any

[many more conduit]

In any PIX version from 5.3(2) onwards, it saves time to assume that conduit and outbound and apply are broken beyond repair. Cisco started declining to fix conduit bugs about then, and although they had to rewrite a bunch of the conduit code for 6.2, bugs they created in the course of that rewrite will usually not be fixed. There are a number of conduit bugs in the Bug Navigator.

Cisco has been saying since early 5.2 that conduit is deprecated; it is not present at all in 7.0.

As there are conduit bugs that will not be fixed, I do not believe that it is productive to try to diagnose problems that might be related to conduit, especially in interactions with any feature introduced in 6.x.

If your policies and downtime availability permit, I would recommend running your configuration through Cisco's conduit conversion tool, having a careful look at the result to ensure that it will do what you want, and then put that into place.

Reply to
Walter Roberson

Where is the conduit conversion tool? I've tried to find it but cannot. I do have an extra pix here that I am trying to use some of your suggestions.

object-group network REGGIE_STATIC_HOSTS
 network-object host 72.29.91.82
 network-object host 72.29.91.83
 network-object host 72.29.91.84
 network-object host 72.29.91.85
 network-object host 72.29.91.86
 network-object host 72.29.91.87
 network-object host 72.29.91.88
access-list reggie_out_acl permit ip object-group REGGIE_STATIC_HOSTS any
nat (reggie) 0 access-list reggie_out_acl

Let me make sure I get it: this will not NAT any of the traffic going out from the REGGIE_STATIC_HOSTS network object group? Does this automatically set up the inbound translations also?

Thank you, I really appreciate this, I feel like an idiot since I've been using the conduits and stuff for so long.

Reply to
tartar813

Do I need?

access-group reggie_out_acl in interface reggie ?

Reply to
tartar813

This is basically what I have so far?

Not sure how to get things to come in? When you nat 0 an access list, does that automatically setup the inbound statics?

PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet1 vlan35 physical
interface ethernet1 vlan20 logical
interface ethernet1 vlan21 logical
interface ethernet1 vlan22 logical
interface ethernet1 vlan23 logical
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif vlan20 priv security96
nameif vlan21 reggie security99
nameif vlan22 net3 security98
nameif vlan23 net4 security97
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname dimepix1
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group network REGGIE_STATIC_HOSTS
 network-object host 72.29.91.82
 network-object host 72.29.91.83
 network-object host 72.29.91.84
 network-object host 72.29.91.85
 network-object host 72.29.91.86
 network-object host 72.29.91.87
 network-object host 72.29.91.88
 network-object host 72.29.91.89
 network-object host 72.29.91.90
object-group network priv_hosts
 network-object host 72.29.91.66
 network-object host 72.29.91.67
 network-object host 72.29.91.68
 network-object host 72.29.91.69
 network-object host 72.29.91.70
 network-object host 72.29.91.71
 network-object host 72.29.91.72
 network-object host 72.29.91.73
 network-object host 72.29.91.74
 network-object host 72.29.91.76
 network-object host 72.29.91.75
 network-object host 72.29.91.77
 network-object host 72.29.91.78
access-list reggie_out_acl permit ip object-group REGGIE_STATIC_HOSTS any
access-list priv_out_acl permit ip object-group priv_hosts any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 72.29.91.125 255.255.255.248
no ip address inside
ip address priv 72.29.91.65 255.255.255.240
ip address reggie 72.29.91.81 255.255.255.240
ip address net3 72.29.91.97 255.255.255.240
ip address net4 72.29.91.113 255.255.255.248
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address priv
no failover ip address reggie
no failover ip address net3
no failover ip address net4
pdm history enable
arp timeout 14400
nat (priv) 0 access-list priv_out_acl
nat (reggie) 0 access-list reggie_out_acl
access-group priv_out_acl in interface priv
access-group reggie_out_acl in interface reggie
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:d41d8cd98f00b204e980
Reply to
tartar813

formatting link
log in to your account, then scroll down the list until you find occ-121 about 2/3 of the way down.

Right. Anything sourced "within" the reggie segment that matches that ACL will be exempt from NAT.

Suppressing some unimportant semantic quibbles, yes, exactly. Any connection heading into a lower-security interface that matches the "reverse" of the ACL (i.e., exchange source and destination fields) will be permitted inward, provided that the access-group on that lower interface permits that flow. It -is- a form of "static" for that purpose.

There is, though, the side effect that proxy ARP will not be enabled for the IPs (not unless there is a regular static for that IP), so your WAN router will have to route those IPs to the outside IP of the PIX. This is usually not a problem unless you happen to have real hosts on the outside segment.

Even the TAC ends up scratching their head over bidirectional policy NAT. Some stuff just isn't well documented.

Some ACL and translation fundamentals:

Each ACL should be written in terms of the IPs that would be in the packet at the time the PIX receives the packet. e.g., an ACL applied to an inside interface would have the internal IPs as the source and the outside IPs *as known to the inside* as the destinations.

Translation takes place -after- the interface controls have decided to accept the packet, based upon the ACL applied to the interface (or upon the default flow rules if there is no ACL.) But that's the rule for when the translation is actually performed: before the ACL is even looked at, the PIX checks to see that a translation exists. Thus if a new connection attempt hits your outside interface and is addressed to a public IP that you do not have a "static" or "nat 0 access-list" for, then the packet will be dropped with a log entry about "no translation group", and only if there is a translation can you go on to "denied by access-list". {It wasn't that way before 6.2, and they might have modified this by now, as I griped about this.} The modification of packet content happens after the packet has been accepted as having a translation and satisfying the security policies.

The default rules, if you have no ACL applied to an interface, are that traffic to lower-security is allowed and to higher security is not allowed. If you do have an ACL, then that rule does not apply at all, and instead the rule becomes "anything which is not permitted by the ACL is not allowed."

An important difference you will hit is that "conduit" applies to all interfaces, but the access-group command applies an ACL only to one interface. So before if you had a conduit that permitted traffic to something in your highest security zone, then you will need an ACL for each of the lower security zones if you want them to be able to reach that higher security zone.

Only one ACL is permitted "in" per interface. PIX 7.x adds ACLs "out" an interface, and modifies to "one per direction".

Never try to use the same ACL for two purposes. If you have two controls mention the same ACL name/number then you will likely have odd problems.

Translation to lower security interfaces normally changes the source IP, and translation to higher security interfaces normally changes the destination IP. [PIX 6.2 and later allow changing this.]

An ACL applied to an interface should refer to the private IP of a host on a lower security interface, but to the public IP of a host on a higher security interface. Of course if you have used nat 0 access-list or static'd IPs to themselves between a pair of interfaces, then the public and private IP would be the same for that transaction.

Only one "nat 0 access-list" is permitted per interface, and it applies to traffic going to lower security interfaces. Indefinite numbers of "nat 0" (without access-list) are permitted per interface, and again apply towards all lower security interfaces. "static" and all other "nat" commands work between pairs of interfaces, so the IP of an inside host as known to dmz1 could be different than the IP of the same host as known to dmz2.

Access-lists mentioned in crypto map (VPN) "match address" clauses should be written from the perspective of packets going out the interface that the crypto map is applied to. But unlike the other cases, the "match address" ACLs must be written in terms of what would be in the packet *after* translation (towards the outside). For incoming VPN packets, the "match address" ACL will automatically be read "in reverse" [like for the nat 0 access-list case], and the addresses used to check will be the ones after decapsulation but before any translation.

An incoming VPN packet will be decapsulated, and the inner packet first checked against the {implicitly reversed} appropriate "match address" ACL. After that, the inner packet will be checked against the ACL (or default policy) for the interface it was received on, -unless- "sysopt connection permit-ipsec" or similar has been turned on: If you use those commands, then all VPN packets that manage to make it to you will be permitted to go to any destination (except on the -same- interface) without any checking of access policies.

Similarly, an outgoing VPN packet will be checked first against the security policy of the interface it was received on, *unless* "sysopt connection permit-" is in effect and the packet would go out over the VPN -- those packets will go through even if the security policy says to block them. After the outgoing VPN packet is accepted by the interface, it undergoes translation, and the -translated- packet will be compared against the "match address" ACLs for dispatching.

Reply to
Walter Roberson
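The order of operations described in the post above (xlate lookup first, then the interface ACL or the default security-level rule, then the actual rewrite), together with the "nat 0 access-list" plus object-group pattern suggested earlier in the thread, can be checked against a small model. The block below is an added example written for this page; it is not PIX code and not anything the posters wrote. It uses the thread's own interface names, security levels, subnets and the REGGIE_STATIC_HOSTS group, but the outside access-list it applies (written with the server as the *destination*, as the "in terms of the IPs in the packet when the PIX receives it" rule requires) and the remote address 203.0.113.5 are assumptions constructed for the example. Proxy ARP, conduits, statics between DMZ pairs and policy NAT are deliberately not modelled.

```python
"""Toy model of PIX 6.3 new-connection handling as described in the thread:
1. is there a translation (static, or nat 0 access-list read in reverse)?
2. does the ingress interface's access-group (or the default rule) permit it?
3. only then is the packet rewritten (identity here, since nat 0).
Example code for illustration; not the PIX implementation."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# nameif lines from the thread
SECURITY = {"outside": 0, "priv": 96, "reggie": 99, "net3": 98, "net4": 97}
# ip address lines from the thread; used to find the egress interface
SUBNETS = {
    "priv": ipaddress.ip_network("72.29.91.64/28"),
    "reggie": ipaddress.ip_network("72.29.91.80/28"),
    "net3": ipaddress.ip_network("72.29.91.96/28"),
    "net4": ipaddress.ip_network("72.29.91.112/29"),
}
ANY = ipaddress.ip_network("0.0.0.0/0")


def _net(spec: str):
    return ANY if spec == "any" else ipaddress.ip_network(spec)


@dataclass(frozen=True)
class Ace:
    """One access-list entry; object-groups are pre-expanded, as the PIX does."""
    proto: str                      # "ip", "tcp", "udp" or "icmp"
    src: str                        # "any", host or CIDR
    dst: str
    dport: Optional[int] = None     # None = any destination port

    def matches(self, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
        return ((self.proto == "ip" or self.proto == proto)
                and ipaddress.ip_address(src) in _net(self.src)
                and ipaddress.ip_address(dst) in _net(self.dst)
                and (self.dport is None or self.dport == dport))


# object-group network REGGIE_STATIC_HOSTS, as posted (.82 through .90)
REGGIE_STATIC_HOSTS = [f"72.29.91.{i}" for i in range(82, 91)]

# nat (reggie) 0 access-list reggie_out_acl  ->  "permit ip <group> any"
NAT0: Dict[str, List[Ace]] = {
    "reggie": [Ace("ip", h, "any") for h in REGGIE_STATIC_HOSTS],
}

# ASSUMED outside ACL (the thread never posts one): server is the destination.
ACCESS_GROUP: Dict[str, List[Ace]] = {
    "outside": [
        Ace("tcp", "any", "72.29.91.84", 80),
        Ace("tcp", "any", "72.29.91.84", 443),
        Ace("icmp", "any", "any"),
    ],
}


def egress_interface(dst: str) -> str:
    for name, net in SUBNETS.items():
        if ipaddress.ip_address(dst) in net:
            return name
    return "outside"


def translation_exists(ingress: str, egress: str, src: str, dst: str) -> bool:
    """Step 1: the xlate check that precedes any ACL evaluation."""
    if SECURITY[ingress] > SECURITY[egress]:
        # towards lower security: the ingress interface's nat 0 ACL must cover the source
        return any(a.matches("ip", src, dst, None) for a in NAT0.get(ingress, []))
    # towards higher security: the higher interface's nat 0 ACL is read in reverse
    return any(a.matches("ip", dst, src, None) for a in NAT0.get(egress, []))


def evaluate(ingress: str, proto: str, src: str, dst: str, dport: Optional[int] = None) -> str:
    """Return the PIX verdict string for a new connection arriving on `ingress`."""
    egress = egress_interface(dst)
    if not translation_exists(ingress, egress, src, dst):
        return "no translation group"          # dropped before the ACL is consulted
    acl = ACCESS_GROUP.get(ingress)
    if acl is None:
        # default rule: lower security reachable, higher security not
        permitted = SECURITY[egress] < SECURITY[ingress]
    else:
        # an applied ACL replaces the default rule entirely
        permitted = any(a.matches(proto, src, dst, dport) for a in acl)
    return "permitted" if permitted else "denied by access-list"


if __name__ == "__main__":
    remote = "203.0.113.5"   # constructed Internet host
    for args in [("outside", "tcp", remote, "72.29.91.84", 80),
                 ("outside", "tcp", remote, "72.29.91.84", 3389),
                 ("outside", "tcp", remote, "72.29.91.91", 80),
                 ("priv", "tcp", "72.29.91.66", "72.29.91.84", 80),
                 ("reggie", "tcp", "72.29.91.84", "72.29.91.66", 80)]:
        print(args, "->", evaluate(*args))
```

The third case (a reggie address that is in the subnet but not in the object-group) fails with "no translation group" rather than "denied by access-list", which is the log difference the post describes. The fourth case shows the point about conduits applying to every interface while access-group does not: priv to reggie has a translation via the reversed reggie nat 0 ACL, but with no access-group on priv the default rule blocks the climb to a higher security level.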

Current configuration. I am trying to use ACLs with access-lists, object-groups and access-groups; not sure if I am doing this right?

PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet1 vlan35 physical
interface ethernet1 vlan20 logical
interface ethernet1 vlan21 logical
interface ethernet1 vlan22 logical
interface ethernet1 vlan23 logical
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif vlan20 priv security96
nameif vlan21 reggie security99
nameif vlan22 net3 security98
nameif vlan23 net4 security97
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname dimepix1
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group network REGGIE_STATIC_HOSTS
 network-object host 72.29.91.82
 network-object host 72.29.91.83
 network-object host 72.29.91.84
 network-object host 72.29.91.85
 network-object host 72.29.91.86
 network-object host 72.29.91.87
 network-object host 72.29.91.88
 network-object host 72.29.91.89
 network-object host 72.29.91.90
object-group network priv_hosts
 network-object host 72.29.91.66
 network-object host 72.29.91.67
 network-object host 72.29.91.68
 network-object host 72.29.91.69
 network-object host 72.29.91.70
 network-object host 72.29.91.71
 network-object host 72.29.91.72
 network-object host 72.29.91.73
 network-object host 72.29.91.74
 network-object host 72.29.91.76
 network-object host 72.29.91.75
 network-object host 72.29.91.77
 network-object host 72.29.91.78
object-group network net3_hosts
 network-object host 72.29.91.98
 network-object host 72.29.91.99
 network-object host 72.29.91.100
 network-object host 72.29.91.101
 network-object host 72.29.91.102
 network-object host 72.29.91.103
 network-object host 72.29.91.104
 network-object host 72.29.91.105
 network-object host 72.29.91.106
 network-object host 72.29.91.107
 network-object host 72.29.91.108
 network-object host 72.29.91.109
 network-object host 72.29.91.110
object-group network net4_hosts
 network-object host 72.29.91.114
 network-object host 72.29.91.115
 network-object host 72.29.91.116
 network-object host 72.29.91.117
 network-object host 72.29.91.118
object-group protocol webservices
 protocol-object tcp
object-group service web_service tcp
 port-object eq ftp
 port-object eq www
 port-object eq https
object-group service mail_service tcp
 description Allows mail services inbound
 port-object eq smtp
 port-object eq imap4
 port-object eq pop3
object-group network webhosts
 network-object host 72.29.91.84
 network-object host 72.29.91.82
 network-object host 72.29.91.85
 network-object host 72.29.91.83
 network-object host 72.29.91.86
 network-object host 72.29.91.87
 network-object host 72.29.91.88
 network-object host 72.29.91.89
 network-object host 72.29.91.66
 network-object host 72.29.91.67
 network-object host 72.29.91.68
 network-object host 72.29.91.69
 network-object host 72.29.91.70
 network-object host 72.29.91.71
 network-object host 72.29.91.72
 network-object host 72.29.91.73
 network-object host 72.29.91.77
 network-object host 72.29.91.78
 network-object host 72.29.91.98
 network-object host 72.29.91.99
 network-object host 72.29.91.100
 network-object host 72.29.91.101
 network-object host 72.29.91.102
 network-object host 72.29.91.103
 network-object host 72.29.91.104
 network-object host 72.29.91.105
 network-object host 72.29.91.106
 network-object host 72.29.91.107
 network-object host 72.29.91.108
 network-object host 72.29.91.109
 network-object host 72.29.91.74
access-list reggie_out_acl permit ip object-group REGGIE_STATIC_HOSTS any
access-list priv_out_acl permit ip object-group priv_hosts any
access-list net3_out_acl permit ip object-group net3_hosts any
access-list net4_out_acl permit ip object-group net4_hosts any
access-list web_in permit tcp object-group webhosts any object-group web_service
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 72.29.91.125 255.255.255.248
no ip address inside
ip address priv 72.29.91.65 255.255.255.240
ip address reggie 72.29.91.81 255.255.255.240
ip address net3 72.29.91.97 255.255.255.240
ip address net4 72.29.91.113 255.255.255.248
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address priv
no failover ip address reggie
no failover ip address net3
no failover ip address net4
pdm history enable
arp timeout 14400
nat (priv) 0 access-list priv_out_acl
nat (reggie) 0 access-list reggie_out_acl
nat (net3) 0 access-list net3_out_acl
nat (net4) 0 access-list net4_out_acl
access-group web_in in interface priv
access-group web_in in interface reggie
access-group web_in in interface net3
access-group web_in in interface net4
timeout xlate 3:00:00

Reply to
tartar813

access-list web_in permit tcp object-group webhosts any object-group web_service

With this, do I need to apply it to an interface? Or is it implied since I said any?

Reply to
tartar813

Think I got it: only one access-group per interface, so this is what I came up with.

Any analysis would be greatly appreciated.

Thanks

:
PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet1 vlan35 physical
interface ethernet1 vlan20 logical
interface ethernet1 vlan21 logical
interface ethernet1 vlan22 logical
interface ethernet1 vlan23 logical
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif vlan20 priv security96
nameif vlan21 reggie security99
nameif vlan22 net3 security98
nameif vlan23 net4 security97
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname dimepix1
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group network REGGIE_STATIC_HOSTS
 network-object host 72.29.91.82
 network-object host 72.29.91.83
 network-object host 72.29.91.84
 network-object host 72.29.91.85
 network-object host 72.29.91.86
 network-object host 72.29.91.87
 network-object host 72.29.91.88
 network-object host 72.29.91.89
 network-object host 72.29.91.90
object-group network priv_hosts
 network-object host 72.29.91.66
 network-object host 72.29.91.67
 network-object host 72.29.91.68
 network-object host 72.29.91.69
 network-object host 72.29.91.70
 network-object host 72.29.91.71
 network-object host 72.29.91.72
 network-object host 72.29.91.73
 network-object host 72.29.91.74
 network-object host 72.29.91.76
 network-object host 72.29.91.75
 network-object host 72.29.91.77
 network-object host 72.29.91.78
object-group network net3_hosts
 network-object host 72.29.91.98
 network-object host 72.29.91.99
 network-object host 72.29.91.100
 network-object host 72.29.91.101
 network-object host 72.29.91.102
 network-object host 72.29.91.103
 network-object host 72.29.91.104
 network-object host 72.29.91.105
 network-object host 72.29.91.106
 network-object host 72.29.91.107
 network-object host 72.29.91.108
 network-object host 72.29.91.109
 network-object host 72.29.91.110
object-group network net4_hosts
 network-object host 72.29.91.114
 network-object host 72.29.91.115
 network-object host 72.29.91.116
 network-object host 72.29.91.117
 network-object host 72.29.91.118
object-group protocol webservices
 protocol-object tcp
object-group service web_service tcp
 port-object eq ftp
 port-object eq www
 port-object eq https
object-group service mail_service tcp
 description Allows mail services inbound
 port-object eq smtp
 port-object eq imap4
 port-object eq pop3
object-group network webhosts
 network-object host 72.29.91.84
 network-object host 72.29.91.82
 network-object host 72.29.91.85
 network-object host 72.29.91.83
 network-object host 72.29.91.86
 network-object host 72.29.91.87
 network-object host 72.29.91.88
 network-object host 72.29.91.89
 network-object host 72.29.91.66
 network-object host 72.29.91.67
 network-object host 72.29.91.68
 network-object host 72.29.91.69
 network-object host 72.29.91.70
 network-object host 72.29.91.71
 network-object host 72.29.91.72
 network-object host 72.29.91.73
 network-object host 72.29.91.77
 network-object host 72.29.91.78
 network-object host 72.29.91.98
 network-object host 72.29.91.99
 network-object host 72.29.91.100
 network-object host 72.29.91.101
 network-object host 72.29.91.102
 network-object host 72.29.91.103
 network-object host 72.29.91.104
 network-object host 72.29.91.105
 network-object host 72.29.91.106
 network-object host 72.29.91.107
 network-object host 72.29.91.108
 network-object host 72.29.91.109
 network-object host 72.29.91.74
object-group network mailhosts
 network-object host 72.29.91.83
 network-object host 72.29.91.66
 network-object host 72.29.91.99
 network-object host 72.29.91.114
 network-object host 72.29.91.115
object-group network rdp_hosts
 network-object host 72.29.91.84
 network-object host 72.29.91.82
 network-object host 72.29.91.83
 network-object host 72.29.91.85
 network-object host 72.29.91.66
 network-object host 72.29.91.69
 network-object host 72.29.91.107
 network-object host 72.29.91.108
 network-object host 72.29.91.109
object-group network dnshosts
 network-object host 72.29.91.82
 network-object host 72.29.91.83
 network-object host 72.29.91.73
 network-object host 72.29.91.76
 network-object host 72.29.91.98
 network-object host 72.29.91.99
 network-object host 72.29.91.114
 network-object host 72.29.91.115
access-list reggie_out_acl permit ip object-group REGGIE_STATIC_HOSTS any
access-list priv_out_acl permit ip object-group priv_hosts any
access-list net3_out_acl permit ip object-group net3_hosts any
access-list net4_out_acl permit ip object-group net4_hosts any
access-list acl_in permit tcp object-group webhosts any object-group web_service
access-list acl_in permit tcp object-group mailhosts any object-group mail_service
access-list acl_in permit tcp object-group rdp_hosts any eq 3389
access-list acl_in permit tcp object-group dnshosts any eq domain
access-list acl_in permit udp object-group dnshosts any eq domain
access-list acl_in permit tcp host 72.29.91.83 any eq 7099
access-list acl_in permit tcp host 72.29.91.82 any eq 8888
access-list acl_in permit icmp any any
access-list acl_in permit tcp host 72.29.91.66 any eq 81
access-list acl_in permit tcp host 72.29.91.66 any range 7000 7500
access-list acl_in permit tcp host 72.29.91.107 any range 7000 7500
access-list acl_in permit tcp host 72.29.91.114 any eq ssh
access-list acl_in permit tcp host 72.29.91.114 any eq 993
access-list acl_in permit tcp host 72.29.91.114 any eq 995
access-list acl_in permit tcp host 72.29.91.76 any eq 9080
access-list acl_in permit tcp host 72.29.91.76 host 64.3.246.250 eq

1090 pager lines 24 mtu outside 1500 mtu inside 1500 ip address outside 72.29.91.125 255.255.255.248 no ip address inside ip address priv 72.29.91.65 255.255.255.240 ip address reggie 72.29.91.81 255.255.255.240 ip address net3 72.29.91.97 255.255.255.240 ip address net4 72.29.91.113 255.255.255.248 ip audit info action alarm ip audit attack action alarm no failover failover timeout 0:00:00 failover poll 15 no failover ip address outside no failover ip address inside no failover ip address priv no failover ip address reggie no failover ip address net3 no failover ip address net4 pdm history enable arp timeout 14400 nat (priv) 0 access-list priv_out_acl nat (reggie) 0 access-list reggie_out_acl nat (net3) 0 access-list net3_out_acl nat (net4) 0 access-list net4_out_acl access-group acl_in in interface outside access-group priv_out_acl in interface priv access-group reggie_out_acl in interface reggie access-group net3_out_acl in interface net3 access-group net4_out_acl in interface net4 route outside 0.0.0.0 0.0.0.0 72.29.91.126 1
Reply to tartar813

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.