topic Re: Simple PIX question in Network Security

Simple PIX question

abruso — Fri, 21 Feb 2020 07:00:39 GMT

I'm a PIX newbie, but I am trying to block 2 people from surfing the web.

These are the commands I tried:

access-list 105 deny tcp host <ip> any eq www

access-group 105 in interface inside

After doing so, no one could surf the net. What stupid mistake am I making? Thanks.

Re: Simple PIX question

bmuha — Thu, 25 Sep 2003 20:35:50 GMT

sorry for the dup

Re: Simple PIX question

bmuha — Thu, 25 Sep 2003 20:38:44 GMT

try something like this

outbound deny 10.xxx.xxx.xxx 255.255.255.255 80 tcp

apply (if-name) outgoing_dest

--Brian

Re: Simple PIX question

bjandersson — Thu, 25 Sep 2003 20:48:43 GMT

No one can surf the net because it’s an implicit entry at the end of your access-list which deny all traffic “deny ip any any” this is a standard behaviour for all access-list.

After denying traffic for certain host add an entry which allows traffic for the rest of the hosts.

access-list 105 deny tcp host any eq www

access-list 105 permit ip any

access-group 105 in interface inside

-- Bjorn

Re: Simple PIX question

abruso — Thu, 25 Sep 2003 21:52:21 GMT

Well the outbound commands didn't work, but the access-list 105 permit statement did the trick. I knew I had to do that on routers, but for some reason I thought the PIX didn't need the permit statement at the end.

Thanks for your help.

Re: Simple PIX question

l.mourits — Fri, 26 Sep 2003 15:19:16 GMT

Abruso,

Normally, you wold not have to have a permit statement when inside users are initiating sessions to the outside, that is, if your securitylevels are configured correctly (default they are correct).

I have seen some strange behaviour on version 6.2.2 and higher, where the PIX does seem to need the permit statement. But I think this is an error. As you can read on CCO about the ASA it normally should let them through when travveling from inside to outside, because if it sees no matchng rule it would apply the implicit rule. The implicit rule is not alwaays deny any any (as another guy stated in one of the replies), but it is depending on the securitylevels. If travelling from high to low security the implicit rule should be permit an any (if no other rule matches)

Hope this helps in understanding.

Leo

Re: Simple PIX question

abruso — Fri, 26 Sep 2003 16:20:55 GMT

That's what I thought. The security levels are set up correctly on the interfaces. Inside is 100 and Outside is 0. I'm not really sure why the permit statement was needed. Oh well, as long as it works :).

Thanks.

Re: Simple PIX question

mhoda — Fri, 26 Sep 2003 22:14:37 GMT

Hi,

Just to clarify the concept on this -

ASA allows traffic from inside to outside by default. But, when you apply the ACL on the inside interface and then behavior is just like router ACL that is there is an explicit deny at the end of the ACL. Thats the reason, permit is doing the job for you. There is no issues with 6.2.2 and above with ACL.

I hope this helps ! Regards,

Mynul

Re: Simple PIX question

l.mourits — Mon, 29 Sep 2003 07:09:27 GMT

Hi,

I hate to admit, but I have to agree with Mynul. If an ACL is applied, it does indeed adds an implicit "deny any any".

Sorry for providing you with incorrect information.

Only is no ACL is applied the default behaviour is depending on securitylevels, and all traffic from inside to outside would be permitted.

Kind regards,

Leo