I am not sure on this one. While I can ping the IP's I cannot see any of the traffic filtered at all. I have tried multiple things, I might have to put this into another thread, but ill bite the bullet and post it. I could see the hits to each of the access with the log functionality enabled on each access-list line. I am not sure I can see that now. I have specific lines left out, to test out the implicit deny at the end of the access-list. It did not block it. Traffic flow is from the 2 SVI interfaces 169.69.100.x and 10.128.142.x into the MSFC then into the FWSM, filter traffic, then allow whats allowed into the Lab areas or drop that traffic. Only the main interface 169.69.100.x can be pinged from the outside. The 192.168.2.x is not allowed to respond to pings, and my secondary 10.128.142.x does not respond, but I can ping all gateways from the FWSM.
My config is designed to block everything into 2 areas of a Lab.
Lab 1 block all except RDP, SSH, SFTP, ICMP to 2 seperate gateway servers. 169.69.100.28 and 48, and allow connectivity to their iLo's: IP's 169.69.100.49 and 52.
All else is blocked to and from these servers....
Lab 2: a more complicated scenerio .
169.69.100.5 and 6 are routers that i need access too.
169.69.100.27 - file server
169.69.100.29 - windows network build server
169.69.100.30 - training svr, this only allows RDP to it.
169.69.100.31 - workstation - full access
169.69.100.32 - logistics server
169.69.100.33 - Wiki web server
We also have 5 servers that do bootp builds. This is a must, to allow that functionality. Thanks in advance. This is all new to me, but I am trying. I am just better at route/switching.
Config as follows.
ese340fwsm# show run
: Saved
:
FWSM Version 3.1(10)0
!
hostname ese340fwsm
enable password xxxxxxxxxxx
passwd xxxxxxxxxxxxxxx encrypted
names
!
interface Vlan20
nameif acs
security-level 10
ip address 192.168.2.126 255.255.255.128
!
interface Vlan597
nameif outside
security-level 50
ip address 169.69.100.254 255.255.255.0
!
interface Vlan950
nameif outside2
security-level 49
ip address 10.128.142.10 255.255.255.0
!
ftp mode passive
access-list ITRISK extended permit tcp any host 169.69.100.28 eq 3389 log
access-list ITRISK extended permit tcp any host 169.69.100.48 eq 3389 log
access-list ITRISK extended permit tcp any host 169.69.100.28 eq ftp log
access-list ITRISK extended permit tcp any host 169.69.100.48 eq ftp log
access-list ITRISK extended permit tcp any host 169.69.100.28 eq ssh log
access-list ITRISK extended permit tcp any host 169.69.100.48 eq ssh log
access-list ITRISK extended permit tcp any host 169.69.100.28 eq 115 log
access-list ITRISK extended permit tcp any host 169.69.100.48 eq 115 log
access-list ITRISK extended permit ip any host 169.69.100.49 log
access-list ITRISK extended permit ip any host 169.69.100.52 log
access-list ITRISK extended deny ip any host 169.69.100.28 log
access-list ITRISK extended deny ip any host 169.69.100.48 log
access-list ITRISK extended permit ip 10.128.142.0 255.255.255.0 10.20.90.0 255.
255.255.0 log
access-list ITRISK extended permit ip 10.128.142.0 255.255.255.0 10.20.30.0 255.
255.255.0 log
access-list ITRISK extended permit ip 10.128.142.0 255.255.255.0 10.20.70.0 255.
255.255.0 log
access-list ITRISK extended permit ip 10.128.142.0 255.255.255.0 10.20.75.0 255.
255.255.0 log
access-list ITRISK extended permit ip 10.128.142.0 255.255.255.0 any log
access-list ITRISK extended permit udp any any eq bootpc log
access-list ITRISK extended permit udp any any eq bootps log
access-list ITRISK extended permit tcp any host 169.69.100.30 eq 3389 log
access-list ITRISK extended permit tcp any host 169.69.100.31 eq 3389 log
access-list ITRISK extended permit ip any host 169.69.100.5 log
access-list ITRISK extended permit ip any host 169.69.100.6 log
access-list ITRISK extended permit ip any host 169.69.100.27 log
access-list ITRISK extended permit ip any host 169.69.100.29 log
access-list ITRISK extended permit ip any host 169.69.100.32 log
access-list ITRISK extended permit ip any host 169.69.100.50 log
access-list ITRISK extended permit tcp any host 169.69.100.28 eq echo log
access-list ITRISK extended permit tcp any host 169.69.100.48 eq echo log
access-list ITRISK extended permit tcp any host 169.69.100.49 eq echo log
access-list ITRISK extended permit tcp any host 169.69.100.52 eq echo log
pager lines 24
logging timestamp
logging console critical
logging buffered debugging
mtu outside 1500
mtu outside2 1500
mtu acs 1500
no failover
icmp permit any outside
icmp permit any outside2
icmp permit any acs
no asdm history enable
arp timeout 14400
access-group ITRISK in interface outside ========> tried out and tried in/out and just in.
access-group ITRISK in interface outside2 ========> Tried out and tried in/out and just in.
route outside 0.0.0.0 0.0.0.0 169.69.100.5 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 1:00:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect smtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
ese340fwsm#
