topic Re: Pix 501 Help in Network Security

Pix 501 Help

cozyk1515 — Mon, 11 Mar 2019 11:27:37 GMT

I have a public IP address P.P.P.P that I do not want anyone from the outside to access except 3 remote users with Static IPs on port 22 open outbound from P.P.P.P to the 3 static IPs.

I have created a Object-group network called Tac with the 3 IPs

object-group network Tac

network-object host X.X.X.X

I am can anyone help me with the next steps?

Thank you

Gabrielle

Re: Pix 501 Help

acomiskey — Fri, 19 Oct 2007 13:49:10 GMT

Gabrielle,

Could you rephrase what you are looking to do? I think you want to allow the 3 addresses to your public ip on port 22? I'm confused becuase you said "outbound from". Thanks.

Re: Pix 501 Help

Collin Clark — Fri, 19 Oct 2007 13:53:58 GMT

access-list outside_access_in permit tcp object-group Tac host P.P.P.P eq 22

access-group outside_access_in in interface outside

This will create an ACL to allow the 3 addresses in your object-group to access the firewall via SSH.

HTH and please rate.

Re: Pix 501 Help

cozyk1515 — Fri, 19 Oct 2007 13:54:56 GMT

Sorry I didn't mean outbound. I only want the 3 addresses to have access from the outside. Thanks

Re: Pix 501 Help

acomiskey — Fri, 19 Oct 2007 14:00:36 GMT

Are you sure about that Collin? The acl does not restrict traffic terminating on the outside interface, only traffic traversing interfaces. If she wanted to restrict ssh to the outside of the firewall she would have to do "ssh x.x.x.x. outside". I'm assuming she has a static for the outside interface to some ssh server inside.

Re: Pix 501 Help

cozyk1515 — Mon, 22 Oct 2007 13:45:35 GMT

Let me start over - I have a public IP Address P.P.P.P on a device that I need 3 people around the world to access on port 22.

I have created a Object-group network called Tac with the 3 IPs

object-group network Tac

network-object host X.X.X.X - the public IP of other networks

network-object host X.X.X.X

I am can anyone help me with the next steps?

Thanks

Gabrielle

Re: Pix 501 Help

acomiskey — Mon, 22 Oct 2007 13:52:38 GMT

What Collin wrote above is what you need...

access-list outside_access_in permit tcp object-group Tac host P.P.P.P eq 22

access-group outside_access_in in interface outside

Also you need a static translation for P.P.P.P to the inside address of your server. If P.P.P.P = 1.1.1.1 and the inside address of the server is 192.168.1.1 then...

static (inside,outside) 1.1.1.1 192.168.1.1 netmask 255.255.255.255

Re: Pix 501 Help

cozyk1515 — Mon, 22 Oct 2007 17:44:34 GMT

We want to deny all traffic EXCEPT port 22 (ssh) to that Public IP Address. Sorry they keep changing things on me.

Thanks

Gabrielle

Re: Pix 501 Help

Collin Clark — Mon, 22 Oct 2007 17:48:47 GMT

The commands above will only allow port 22!

Re: Pix 501 Help

cozyk1515 — Mon, 22 Oct 2007 19:30:15 GMT

I added the access-lists

access-list outside_in permit tcp object-group MeTac host Tac-Outside eq htt

access-list outside_in permit tcp object-group Tac host Tac-Outside eq tel

net

access-list outside_in permit tcp object-group Tac host Tac-Outside eq ssh

static (inside,outside) Tac-Outside Tac-Inside netmask 255.255.255.255 0 0

I can still access the P.P.P.P over the internet - Did I need to add a DENY in there?

Re: Pix 501 Help

acomiskey — Mon, 22 Oct 2007 19:38:39 GMT

So Tac-Outside = P.P.P.P?

With those acl entries you should only be able to hit Tac-Outside with https, telnet and ssh, that's it.

Also, you access-group command should be

access-group outside_in in interface outside

Re: Pix 501 Help

cozyk1515 — Tue, 23 Oct 2007 10:47:49 GMT

name 10.0.0.X Inside

name P.P.P.P Outside ** Public IP Address

object-group network Tac

network-object host X.X.X.X

access-list outside_in permit tcp object-group Meta_Tac host Meta-Outside eq www

access-list outside_in permit tcp object-group MetTac host Outside eq htt

access-list outside_in permit tcp object-group Tac host Outside eq tel

net

access-list outside_in permit tcp object-group Tac host Outside eq ssh

static (inside,outside) Outside Inside netmask 255.255.255.255 0 0

** The Problem I am having is that everyone can still access the "DEVICE" with any IP and not those that were specified in the above Object-Group.

Re: Pix 501 Help

Collin Clark — Tue, 23 Oct 2007 12:25:46 GMT

OK,

Lets forget the object-group and get this into its simplest form.

1st we'll create the static translation. This will translate your outside address to your inside address. The 1.1.1.1 is our outside address.

static (inside,outside) tcp 1.1.1.1 22 192.168.1.10 22 netmask 255.255.255.255

Next lets create the access-list that only allows the 3 addresses you want to allow. For the example I'll want to allow 2.2.2.2, 3.3.3.3, and 4.4.4.4. There is an implicit deny at the end so we do not have to enter one.

access-list OUTSIDE_ACCESS_IN permit tcp host 2.2.2.2 host 1.1.1.1 eq 22

access-list OUTSIDE_ACCESS_IN permit tcp host 3.3.3.3 host 1.1.1.1 eq 22

access-list OUTSIDE_ACCESS_IN permit tcp host 4.4.4.4 host 1.1.1.1 eq 22

Finally we need to apply the ACL to an interface and in a direction.

access-group OUTSIDE_ACCESS_IN in interface outside.

That should do it.

Re: Pix 501 Help

cozyk1515 — Wed, 24 Oct 2007 12:23:51 GMT

Ok, I entered exactly what you have but I can still access The device with HTTP. My thought is that the public IP address is actually on the device. Which it needs to be. Any Thoughts?

Re: Pix 501 Help

Collin Clark — Wed, 24 Oct 2007 12:33:57 GMT

OK. I bet you're using SDM and that application is tied to the outside interface. You need to apply an ACL to HTTP to prevent everyone accessing it. It's used for management so it's handled a little differently.

Try this to restrict HTTP/SDM.

http 10.10.10.115 255.255.255.255 inside

This example will only allow 10.10.10.115 to access SDM from the inside! Make sure you put your IP in first.

Re: Pix 501 Help

cozyk1515 — Wed, 24 Oct 2007 16:37:50 GMT

Not using SDM.

Re: Pix 501 Help

Collin Clark — Wed, 24 Oct 2007 17:41:56 GMT

What web page are you seeing?