cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1830
Views
0
Helpful
4
Replies

PIX 515e: Block IP on outside with dynamic access policies

pattya94191
Beginner
Beginner

Hey all,

Im a bit stumped by this one, i dont really know why its failings, so if you could shed some light, that would be great

I have a a PIX 515e in routed mode. Outside interface has a PPPoE connection with the public IP sitting straight on it with a DMZ and a inside with all working fine

I am trying to block an IP on the outside: I open up the ASDM (Cause im still trying to get my head around the command line access lists) and go to firewall > access rules. Click new, change the interface to outside, action to deny, put the IP in leave service as IP and click ok

I get this error:

[ERROR] access-list outside_access_in line 14 extended deny ip host xxx.xxx.xxx.237 0.0.0.0 0.0.0.0
     cannot mix permit and deny rules in an access-list referenced from a dynamic-access-policy-record

Now looking at that, i assume its refering to the dynamic NAT rules that are in play; ill post what i think the best parts are from the config here

global (outside) 101 interface
global (inside) 1 interface
global (dmz) 30 interface
nat (inside) 101 192.168.0.0 255.255.255.0
nat (dmz) 101 10.0.0.0 255.255.255.0
static (dmz,outside) tcp interface www Malibu www netmask 255.255.255.255
static (inside,outside) tcp interface 3389 Collaroy 3389 netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.xxx.9 www Newport www netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.xxx.10 ssh JumpingJacks ssh netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.xxx.10 www JumpingJacks www netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.xxx.11 https Newport_DRAC https netmask 255.255.255.255
static (dmz,outside) tcp xxx.xxx.xxx.11 ssh Palm ssh netmask 255.255.255.255
static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group dmz_access_in in interface dmz

I have 4 IP's total for me to use. The interface IP and 2 others xxx.xxx.xxx.9-11

So my question becomes: is it the dynamic NAT rules that are here that are buggering me block an IP? or am i doing something wrong?

Insight and thoughts appreciated

Thanks

2 Accepted Solutions

Accepted Solutions

Jennifer Halim
Cisco Employee
Cisco Employee

OK, from the error, it seems that you are using the same access-list name "outside_access_in" for your DAP (Dynamic Access Policy) which is used for VPN. You will have to create a new set of access-list to apply to DAP, and leave the "outside_access_in" ACL for access-list applied to the outside interface.

You can not use 1 access-list and apply it both to the outside interface as well as used the same ACL for DAP.

View solution in original post

2 options:

1) If you are not using the VPN anymore, and do not require DAP, just unapply the access-list from the DAP configuration. Depending on which ASDM version you are using, the DAP configuration would typically under the Remote Access VPN section --> Network (Client) access --> Dynamic Access Policies. Then you can edit the existing policy, and go to the Network ACL Filters (Client) section, and delete the access-list.

OR/ if you are not using the DAP policy at all for your VPN, just remove the DAP policy all together.

2) However, if you would like to keep the DAP as is, then just create a new access-list as you have (outside_inside), and configure all the access-list that you have on your old outside_access_in access-list including the new line that you need, and apply that to your outside interface.

Basically you have to remove the exiting access-list that is applied to the outside interface, and apply your new access-list to the outside interface:

no access-group outside_access_in in interface outside

access-group outside_inside in interface outside

Hope that helps.

View solution in original post

4 Replies 4

Jennifer Halim
Cisco Employee
Cisco Employee

OK, from the error, it seems that you are using the same access-list name "outside_access_in" for your DAP (Dynamic Access Policy) which is used for VPN. You will have to create a new set of access-list to apply to DAP, and leave the "outside_access_in" ACL for access-list applied to the outside interface.

You can not use 1 access-list and apply it both to the outside interface as well as used the same ACL for DAP.

Thanks Jennifer, that makes a lot of sense

I have created a new ACL called outside_inside but i cant find where to actually change what ACL is in use - WOuld you be able to provide some info on this, im a little lost

With the VPN, i did try to configure it a long time ago, but i though i removed all traces of the VPN from the config as it turned out i didn't need it.

Thanks

2 options:

1) If you are not using the VPN anymore, and do not require DAP, just unapply the access-list from the DAP configuration. Depending on which ASDM version you are using, the DAP configuration would typically under the Remote Access VPN section --> Network (Client) access --> Dynamic Access Policies. Then you can edit the existing policy, and go to the Network ACL Filters (Client) section, and delete the access-list.

OR/ if you are not using the DAP policy at all for your VPN, just remove the DAP policy all together.

2) However, if you would like to keep the DAP as is, then just create a new access-list as you have (outside_inside), and configure all the access-list that you have on your old outside_access_in access-list including the new line that you need, and apply that to your outside interface.

Basically you have to remove the exiting access-list that is applied to the outside interface, and apply your new access-list to the outside interface:

no access-group outside_access_in in interface outside

access-group outside_inside in interface outside

Hope that helps.

Thanks very much Jennifer, exactly what i needed

Thank you so much

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers