topic Re: PIX/ACL Help in Network Security

PIX/ACL Help

jszapipes — Mon, 11 Mar 2019 17:32:04 GMT

I am trying to limit the amount of typing by creating groups and adding an acl dependent on those groups, however i cannot get it to work. Attached you will see (hopefully) what I am trying to accomplish. I need to allow a few remote hosts to contact a set of servers using Terminal Services. Using acl's per device seems to work, but assignig one acl using "object-groups" is not working. What am I missing? Any help is appreciated!

PIX 525 version 7.2

object-group service Term_Service tcp
description Microsoft Terminal Services
port-object eq 3389

object-group service web tcp
description HTTP and HTTPS
port-object eq https
port-object eq www

object-group network Remote_Infinite_Campus
network-object host xx.21.235.8
network-object host xx.21.235.8

object-group network Local_Infinite_Campus
network-object host xx4.184.x.x30
network-object host xx4.184.x.x31
network-object host xx4.184.x.x32
network-object host xx4.184.x.x33
network-onject host xx4.184.x.x34

Object-group network All_Infinite_Campus
group-object network Local_Infinite_Campus
group-object network Remote_Infinite_Campus

access-list outside_in extended permit tcp object-group All_Infinite_Campus object-group Term_Service object-group web

access-list outside_in line 100 extended permit tcp host xx.21.235.8 host xx4.184.x.x30 eq 3389
access-list outside_in line 101 extended permit tcp host xx.21.235.8 host xx4.184.x.x31 eq 3389
access-list outside_in line 102 extended permit tcp host xx.21.235.8 host xx4.184.x.x32 eq 3389
access-list outside_in line 103 extended permit tcp host xx.21.235.8 host xx4.184.x.x33 eq 3389
access-list outside_in line 104 extended permit tcp host xx.21.235.8 host xx4.184.x.x34 eq 3389
access-list outside_in line 105 extended permit tcp xxx.225.137.0 255.255.255.0 host xx4.184.x.x30 eq 3389
access-list outside_in line 106 extended permit tcp xxx.225.137.0 255.255.255.0 host xx4.184.x.x31 eq 3389
access-list outside_in line 107 extended permit tcp xxx.225.137.0 255.255.255.0 host xx4.184.x.x32 eq 3389
access-list outside_in line 108 extended permit tcp xxx.225.137.0 255.255.255.0 host xx4.184.x.x33 eq 3389
access-list outside_in line 109 extended permit tcp xxx.225.137.0 255.255.255.0 host xx4.184.x.x34 eq 3389

Re: PIX/ACL Help

Jennifer Halim — Mon, 12 Apr 2010 22:50:48 GMT

The ACL should be as follows:

access-list outside_in extended permit tcp object-group Remote_Infinite_Campus object-group Local_Infinite_Campus object-group Term_Service
access-list outside_in extended permit tcp object-group Remote_Infinite_Campus object-group Local_Infinite_Campus object-group web

Hope that helps.

Re: PIX/ACL Help

jszapipes — Tue, 13 Apr 2010 13:26:28 GMT

Thanks halijenn for you response,

This is how the acl looks now, but it still is not working. When I create the individual acl statements for each connection it works fine and when issuing the "show acccess-list" command the statements look the same as they do when apllied with object-group.

Thanks again!

Re: PIX/ACL Help

Jennifer Halim — Tue, 13 Apr 2010 13:30:32 GMT

What do you mean by it's not working?

For inbound connection, you also need a static translation statement. Do you have that?

Re: PIX/ACL Help

jszapipes — Tue, 13 Apr 2010 13:45:34 GMT

I do have the static statements required:

static (inside,outside) xx4.184.x.x30 netmask 255.255.255.255

static (inside,outside) xx4.184.x.x31 netmask 255.255.255.255

static (inside,outside) xx4.184.x.x32 netmask 255.255.255.255

static (inside,outside) xx4.184.x.x33 netmask 255.255.255.255

static (inside,outside) xx4.184.x.x34 netmask 255.255.255.255

static (inside,outside) xx4.184.x.x35 netmask 255.255.255.255

When the statements look like this the connections are made:

access-list outside_in extended permit tcp host xx.21.x35.8 host xx4.184.x.x30 eq 3389
access-list outside_in extended permit tcp host xx.21.x35.8 host xx4.184.x.x31 eq 3389
access-list outside_in extended permit tcp host xx.21.x35.8 host xx4.184.x.x32 eq 3389
access-list outside_in extended permit tcp host xx.21.x35.8 host xx4.184.x.x33 eq 3389
access-list outside_in extended permit tcp host xx.21.x35.8 host xx4.184.x.x34 eq 3389
access-list outside_in extended permit tcp xxx.225.x37.0 255.255.255.0 host xx4.184.x.x30 eq 3389
access-list outside_in extended permit tcp xxx.225.x37.0 255.255.255.0 host xx4.184.x.x31 eq 3389
access-list outside_in extended permit tcp xxx.225.x37.0 255.255.255.0 host xx4.184.x.x32 eq 3389
access-list outside_in extended permit tcp xxx.225.x37.0 255.255.255.0 host xx4.184.x.x33 eq 3389
access-list outside_in extended permit tcp xxx.225.x37.0 255.255.255.0 host xx4.184.x.x34 eq 3389

Like this, 0 hit count, no connections made:

access-list outside_in extended permit tcp object-group Remote_Infinite_Campus object-group Local_Infinite_Campus object-group Term_Service

access-list outside_in extended permit tcp object-group Remote_Infinite_Campus object-group Local_Infinite_Campus object-group web

Re: PIX/ACL Help

Jennifer Halim — Wed, 14 Apr 2010 10:47:53 GMT

Have you applied your access-list on the outside interface as follows?

access-group outside_in in interface outside

Re: PIX/ACL Help

jszapipes — Wed, 14 Apr 2010 13:52:01 GMT

Yes, "access-group outside_in in interface outside" is in place. I'm stuck!

Re: PIX/ACL Help

Jennifer Halim — Thu, 15 Apr 2010 04:41:10 GMT

Are you sure that the traffic is coming into the ASA? I would try clearing the arp on the router in front of the ASA and/or reloading it. You might want to make sure that the router is forwarding the traffic to the ASA.

Then try to connect and see if you see hit count.