topic Re: PIX 506E Access-list problems in Network Security

PIX 506E Access-list problems

jon.axe — Mon, 11 Mar 2019 10:21:52 GMT

I configured a PIX 506E with two internal vlans. One vlan is called DMZ and the other is called vlan4. I want a device on vlan DMZ to ping a device on vlan4. In order to make this possible, I needed to create an access. However, I can not get my access-list to work correctly.

This is a snapshot of my configuration:

interface ethernet1 vlan2 logical

interface ethernet1 vlan4 logical

nameif vlan4 vlan4 security4

nameif vlan2 dmz security50

access-list INTERNAL permit ip any 10.0.20.0 255.255.255.0

access-list INTERNAL permit ip any 10.0.30.0 255.255.255.0

access-list INTERNAL permit ip any any

access-group INTERNAL in interface vlan4

access-group INTERNAL in interface dmz

Even with this access-list that permit ALL traffic, I am unable to ping one end from another. The odd thing to me is that I do see matches after I try to ping an interface:

ccess-list cached ACL log flows: total 0, denied 0 (deny-flow-max 1024)

alert-interval 300

access-list INTERNAL; 3 elements

access-list INTERNAL line 1 permit ip any 10.0.20.0 255.255.255.0 (hitcnt=8)

access-list INTERNAL line 2 permit ip any 10.0.30.0 255.255.255.0 (hitcnt=0)

access-list INTERNAL line 3 permit ip any any (hitcnt=2)

Is there something I am forgetting to do in order to make the communication across two vlans possible?

Thanks,

Re: PIX 506E Access-list problems

acomiskey — Tue, 29 May 2007 14:48:05 GMT

You don't need this as traffic from higher to lower security is allowed.

no access-group INTERNAL in interface dmz

Add these to ping vlan4 from DMZ...

no access-group INTERNAL in interface vlan4

access-list vlan4_in permit icmp any echo-reply

access-group vlan4 in interface vlan4

Re: PIX 506E Access-list problems

jon.axe — Tue, 29 May 2007 16:53:48 GMT

I've made the changes but it still does not work quite right. If I ping from the Vlan4 network to the Vlan2 network I see the ping come across the PIX but the machine that orginated the the ping does not receive a return packet. I believe this is due that each vlan is running PAT on the outside interface's IP address.

For example I saw the following:

36: ICMP echo-request from vlan4:10.0.30.2 to xxx.xxx.15.58 ID=512 seq=16896 length=40

37: ICMP echo-request: translating vlan4:10.0.30.2/512 to outside:xxx.xxx.15.52/2

38: ICMP echo-reply from outside:xxx.xxx.15.58 to xxx.xxx.15.52 ID=2 seq=16896 length=40

Do you think PAT is preventing me from pinging 10.0.30.x to 10.0.20.x?

Re: PIX 506E Access-list problems

acomiskey — Tue, 29 May 2007 17:01:41 GMT

Sorry, in your original post you said you wanted to ping from dmz to vlan 4. Which is what the statements I posted would allow. Does this part at least work?

Could you please post your entire config?

Re: PIX 506E Access-list problems

jon.axe — Tue, 29 May 2007 17:18:01 GMT

Below is the config with the passwords and snmp info removed:

PIX Version 6.3(5)

interface ethernet0 100full

interface ethernet1 100full

interface ethernet1 vlan2 logical

interface ethernet1 vlan4 logical

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif vlan2 dmz security50

nameif vlan4 vlan4 security4

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

access-list vlan4_in permit icmp any 10.0.30.0 255.255.255.0 echo-reply

access-list vlan4_in permit icmp any 10.0.20.0 255.255.255.0 echo-reply

access-list vlan4_in permit ip any any

pager lines 24

icmp permit any dmz

icmp permit any vlan4

mtu outside 1500

mtu inside 1500

ip address outside xxx.xxx.15.52 255.255.255.128

no ip address inside

ip address dmz 10.0.20.1 255.255.255.0

ip address vlan4 10.0.30.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (dmz) 1 0.0.0.0 0.0.0.0 0 0

nat (vlan4) 1 0.0.0.0 0.0.0.0 0 0

access-group vlan4_in in interface vlan4

route outside 0.0.0.0 0.0.0.0 xxx.xxx.15.1 1

Re: PIX 506E Access-list problems

jon.axe — Wed, 30 May 2007 19:10:45 GMT

I believe PAT is causing my issue. Is it possible for me to create an ACL statement that will block the use of NAT for traffic that flows directly from Vlan 2 to Vlan 4 and vice versa?

Re: PIX 506E Access-list problems

acomiskey — Wed, 30 May 2007 19:35:36 GMT

Can you ping from dmz to vlan4?

The way your current acl is now, you would not be able to ping from .30 to .20. Just add this ace

access-list vlan4_in permit icmp any 10.0.20.0 255.255.255.0

Re: PIX 506E Access-list problems

jon.axe — Thu, 31 May 2007 16:50:21 GMT

Still doesn't work and here is why:

57: ICMP echo-request from dmz:10.0.20.2 to 10.0.30.2 ID=512 seq=2304 length=40

58: ICMP echo-request from vlan4:10.0.30.2 to xx.xx.36.248 ID=512 seq=2816 length=10

59: ICMP echo-request: translating vlan4:10.0.30.2/512 to outside:xx.xx.15.52/0

I'm trying to disable NAT when 10.0.20.2 pings 10.0.30.2 and vice versa but I'm having trouble writing an ACL that will do that.

Re: PIX 506E Access-list problems

acomiskey — Thu, 31 May 2007 16:58:46 GMT

access-list nat0 permit ip host 10.0.20.2 host 10.0.30.2

nat (dmz) 0 access-list nat0

Re: PIX 506E Access-list problems

jon.axe — Thu, 31 May 2007 18:08:14 GMT

That's the answer I was looking for. Thanks.

I changed the commands around a little bit but it works very well.

access-list no-nat permit ip 10.0.20.0 255.255.255.0 10.0.30.0 255.255.255.0

nat (dmz) 0 access-list no-nat

Specified what should be NAT'd in better detail.

nat (dmz) 1 10.0.20.0 255.255.255.0 0 0

nat (vlan4) 1 10.0.30.0 255.255.255.0 0 0