PIX506 - ACL Help

I am adding an internal firewall to separate two networks, one public and one private. What I need is people on the public network to access a webserver while at the same time blocking all other traffic so nobody can access the private domain. Generally the public will need internet access (not a problem) but occasionally access internal webservers in the primary network. I have been able to do one or the other, but not both. Right now people can access both the WAN and private LAN. If I put in restrictions I block all access, both private network as well as internet.

If I put in the following config it does not work:

access-list 101 permit tcp 192.168.1.0 255.255.255.0 host 192.168.111.4 eq www
access-list 101 deny ip any 192.168.1.0 255.255.255.0 192.168.111.0 255.255.255.0

This just gives me an error when I try to enter it (syntax). I was able to put in an ACL that blocked the whole 192.168.111.0 network, but the problem with this is that I then cannot access the gateway.

Here is a basic outline of the networks, in order:

T1
PIX506 1 - Network 1 (Private) 63.xxx.xxx.x > 192.168.111.0/24
PIX506 2 - Network 2 (Public) 192.168.111.30 > 192.168.1.0/24 (Need to access webserver 192.168.111.3 but NOTHING else)

Here is the current config:

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
domain-name cpi.local.com
names
icmp permit any outside
icmp permit any inside
ip address outside 192.168.111.30 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
global (outside) 1 192.168.111.40
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
static (inside,outside) 192.168.111.31 192.168.1.2 netmask 255.255.255.255 0 0
static (inside,outside) 192.168.111.32 192.168.1.3 netmask 255.255.255.255 0 0
static (inside,outside) 192.168.111.33 192.168.1.4 netmask 255.255.255.255 0 0
static (inside,outside) 192.168.111.34 192.168.1.5 netmask 255.255.255.255 0 0
static (inside,outside) 192.168.111.35 192.168.1.6 netmask 255.255.255.255 0 0
route outside 0.0.0.0 0.0.0.0 PIX506 1
dhcpd dns 209.150.200.10 64.65.128.6
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain cpi.local2.com
dhcpd enable inside

-- Sam

Hi Sam,

I can see you're going to have issues here just by looking at the first ACE for your 101 ACL: your masks are back to front. Take a look at the following:

formatting link
Basically, a mask in an access list does not define a subnet in the same way a mask defines a subnet in IP configuration. Rather, a mask in an access list defines a host. In your access lists:

Your masks of 255.255.255.0 should actually read 0.0.0.255. In effect, with your config, you are saying all hosts matching X.X.X.0 are permitted/denied. With the mask I've listed you would be saying all hosts matching 192.168.1.X are permitted/denied.

Check out the link, revise your config and see how you go.

Cheers Scotty C.

-- ScottyC

This is incorrect:

The documentation where this was cited was helpful, but it is written for the Cisco IOS firewall, not the PIX. The PIX uses subnet masks instead of wildcard masks in its access-lists. No big deal - we all learn by some means or another. At least you didn't apply the access-list on the PIX with a wildcard mask in a production system like I once did. :-)

Please use this documentation for the PIX instead:

formatting link
access-list inbound permit tcp 192.168.1.0 255.255.255.0 host 172.16.1.1 eq 80

=========== Scott Perry ===========
Indianapolis, Indiana


Well there you go. I've learnt something new for the day.

Sam, I hope I didn't cause you to waste any time on your issue! Apologies if I did.

Thanks Perry.

-- ScottyC


Here is my problem: if I deny the 192.168.2.0 network, then I will not be able to access this PIX's gateway (192.168.2.1). So how do I write an ACL for the inside to access the 192.168.2.1 gateway while denying access to all other IPs on this network? I have to date been given tons of example ACLs, and either I get zero access or it is fully open. Meaning I cannot access the 2.0 network but also cannot access the internet, or I can access the internet while also being able to access the LAN. It seems to be either/or.

names
name 192.168.2.1 EFW
access-list 101 permit tcp 192.168.3.0 255.255.255.0 host EFW
access-list 101 deny tcp 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0

This is what I have now, and at least I can access the internet, but I can also access servers on the primary network, which is what I am trying to shut off.

Now I am getting a bit confused on the netmasks, but I do not believe this could be what is holding me back, could it?

T1
PIX506 (1) (63.xx.xx.xxx - 192.168.2.1) Primary business LAN
PIX506 (2) (192.168.2.30 - 192.168.3.1) Wireless Network

Now what bothers me is that with no ACL, I can access the internet, as well as the internal 2.0 network. I have tried several different variations of denying wireless clients access to the 2.0 network, and nothing works.

Am I incorrect to assume that the PIX can do what I want it to?

-- Sam
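An added simulation (not code from any post in this thread) of PIX-style first-match ACL evaluation, using the addresses from Sam's second post, showing why a list with only a permit and a deny ends in "zero access" (everything else hits the implicit deny) and what an ordered list that permits the web host, denies the rest of the primary LAN and then permits the remainder does instead. The corrected list, the `eq www` port restriction and the `deny ip` (rather than `deny tcp`) entry are assumptions; the list still has to be applied with an access-group on the inside interface, which the posted config does not show.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed model of a PIX 6.3 access list. PIX ACEs take subnet masks
# (255.255.255.0), not IOS wildcard masks, and are evaluated top to bottom:
# the first matching entry wins and anything unmatched hits an implicit deny.
@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None  # None = any destination port

def net(addr: str, mask: str = "255.255.255.255") -> ipaddress.IPv4Network:
    """Turn a PIX-style 'address mask' pair into a network object."""
    return ipaddress.IPv4Network(f"{addr}/{mask}")

WIRELESS = net("192.168.3.0", "255.255.255.0")  # inside of PIX 2 (Sam's post)
PRIMARY = net("192.168.2.0", "255.255.255.0")   # primary business LAN
EFW = net("192.168.2.1")                        # the host Sam names EFW
ANY = net("0.0.0.0", "0.0.0.0")

# The two entries as Sam posted them: nothing covers Internet-bound traffic.
ACL_AS_POSTED = [
    Ace("permit", "tcp", WIRELESS, EFW),
    Ace("deny", "tcp", WIRELESS, PRIMARY),
]

# Assumed corrected list: web only to EFW, deny *all* IP to the rest of the
# primary LAN (tcp alone would let UDP/ICMP through), then permit the
# remainder so Internet traffic is not swallowed by the implicit deny.
ACL_FIXED = [
    Ace("permit", "tcp", WIRELESS, EFW, 80),
    Ace("deny", "ip", WIRELESS, PRIMARY),
    Ace("permit", "ip", WIRELESS, ANY),
]

def evaluate(acl, proto: str, src: str, dst: str, dport: Optional[int] = None) -> str:
    """First-match evaluation; returns 'permit', 'deny' or 'deny (implicit)'."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for ace in acl:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny (implicit)"
```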
