Pix 506E access rules modification
07-07-2008 12:52 PM - edited 03-11-2019 06:10 AM
Hi,
I'm not much up on Pix firewalls, so I am hoping someone here can answer this question: How would I modify the config below to allow ONLY the following IPs to access 10.2.2.8
192.168.102.85
192.168.111.60
192.168.111.62
192.168.111.50
Running Config: (all I have to go on right now, attached)
Labels: NGFW Firewalls
07-07-2008 03:30 PM
Hi James
access-list outside_access_in permit ip host 192.168.111.60 host s-gc-docimg
access-list outside_access_in permit ip host 192.168.102.85 host s-gc-docimg
access-list outside_access_in permit ip host 192.168.111.62 host s-gc-docimg
access-list outside_access_in permit ip host 192.168.111.50 host s-gc-docimg
access-group outside_access_in in interface outside
Regards
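As an added illustration (not part of the thread), the following Python model evaluates PIX-style ACL lines with first-match semantics and the implicit deny at the end of every list. It assumes that the name s-gc-docimg resolves to 10.2.2.8, as the original question implies, and it also loads the wide-open "access-list 100 permit ip any any" from the config so the difference between the two lists can be compared.

```python
import ipaddress

# Assumption: the PIX "name" s-gc-docimg refers to 10.2.2.8 (from the question).
NAMES = {"s-gc-docimg": "10.2.2.8"}

# ACL lines taken from the thread, plus the any/any list mentioned later.
ACL_TEXT = """
access-list outside_access_in permit ip host 192.168.111.60 host s-gc-docimg
access-list outside_access_in permit ip host 192.168.102.85 host s-gc-docimg
access-list outside_access_in permit ip host 192.168.111.62 host s-gc-docimg
access-list outside_access_in permit ip host 192.168.111.50 host s-gc-docimg
access-list 100 permit ip any any
"""

def _parse_addr(tokens):
    """Consume one PIX address spec (any | host X | NET MASK); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(NAMES.get(tokens[1], tokens[1]) + "/32"), tokens[2:]
    net = ipaddress.ip_network(f"{NAMES.get(tokens[0], tokens[0])}/{tokens[1]}", strict=False)
    return net, tokens[2:]

def parse_acl(config_text):
    """Return {acl_name: [(action, proto, src_net, dst_net), ...]} in configured order."""
    acls = {}
    for line in config_text.splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list":
            continue
        name, action, proto = t[1], t[2], t[3]
        src, rest = _parse_addr(t[4:])
        dst, _ = _parse_addr(rest)
        acls.setdefault(name, []).append((action, proto, src, dst))
    return acls

def evaluate(acl, proto, src, dst):
    """First matching entry wins; no match falls through to the PIX implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, src_net, dst_net in acl:
        if p in ("ip", proto) and s in src_net and d in dst_net:
            return action
    return "deny"

ACLS = parse_acl(ACL_TEXT)

def check(acl_name, src, dst="10.2.2.8", proto="tcp"):
    """Convenience wrapper: verdict for one source host reaching the document server."""
    return evaluate(ACLS[acl_name], proto, src, dst)
```

Running check("outside_access_in", "192.168.111.61") returns "deny" because only the four listed hosts match, while check("100", "192.168.111.61") returns "permit" for anything.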
07-07-2008 03:34 PM
Btw, the following command makes all other nat statements useless
access-list 100 permit ip any any
nat (inside) 0 access-list 100
07-07-2008 03:41 PM
Thanks for your response. So if I understand you correctly, remove the nat statements you mentioned, create and apply the access-list statements you mentioned and it should work, am I correct?
07-08-2008 01:28 PM
Removing the nat statement would affect some traffic if this firewall is used like a router that doesn't have nat enabled by default. That statement might have been issued on purpose so as not to spend time on detailed traffic definitions with statics.
If you decide to remove that NAT statement, make sure you enter the following:
static (inside,outside) s-gc-docimg s-gc-docimg netmask 255.255.255.255
Regards
07-08-2008 06:28 PM
Thanks for the reply:
Question, I did as you suggested and also added the nat statement you recommended after removing the others and no connection by those ip addresses was able to be made. I also tried it without your recommended nat statement and putting the existing ones back in with no luck. Since there is a site to site vpn involved, wouldn't similar changes need to be made on the other side? (They do not have access to the other side device)
07-09-2008 04:30 AM
"Since there is a site to site vpn involved"
Ah... Now it all makes sense.
First of all, your interesting traffic ACL 120 should not contain an "any any" statement unless you want all your connections (including your internet) to go over the tunnel.
Assuming that remote site's local network is 192.168.111.0/24, here is the necessary config.
access-list inside_nat0_outbound permit ip 10.4.28.0 255.255.255.0 192.168.111.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
access-list 120 permit ip 10.4.28.0 255.255.255.0 192.168.111.0 255.255.255.0
no access-list 120 permit ip any any
no static (inside,outside) s-gc-docimg s-gc-docimg netmask 255.255.255.255
no access-list 100 permit ip any any
no access-list AgendaManager permit ip any any
no access-list AgendaManager permit icmp any any
no access-list AgendaManager permit tcp any any
no access-list outside_access_in permit ip host 192.168.111.60 host s-gc-docimg
no access-list outside_access_in permit ip host 192.168.102.85 host s-gc-docimg
no access-list outside_access_in permit ip host 192.168.111.62 host s-gc-docimg
no access-list outside_access_in permit ip host 192.168.111.50 host s-gc-docimg
no access-group outside_access_in in interface outside
fixup protocol icmp
clear xlate
Please post the latest config after above modifications.
