access-list Command

otnj2ee
Level 1

If the system architecture is like this: a Pix (501) with PCs attached to it. The PCs are on the same subnet, 192.168.1.0 255.255.255.0. And a remote PC is to be assigned a subnet of 10.10.10.0 255.255.255.0 once it is connected to the Pix via VPN.

For a simplified access-list command, it will be like this:

access-list ID permit ip {source_addr source_mask } {destination_addr} {destination_mask }

1)What should be the source address?

2)What should be the destination address?

Or I mean how should we define the source and destination? {Which direction should I look at :) }

Thanks for helping.

Scott

4 Replies

fzamora
Cisco Employee

Hi,

Where do you expect to process the traffic?

If you want to restrict traffic from inside users to public networks, the src should be any computer on the trusted network.

Example:

access-list outbound permit tcp host 192.168.1.2 any eq 80

access-list outbound permit udp host 192.168.1.2 any eq 53

access-list outbound deny ip any any

access-group outbound in interface inside

Hope it helps

Franco

Thanks for the response. This is a remote PC (Cisco VPN Client) to PIX 501 case. The Pix inside and the computers connected to the Pix are in the subnet 192.168.1.0 255.255.255.0, while the remote PC will be assigned 10.10.10.0 255.255.255.0 once it has successfully opened the VPN channel.

But I am confused which should be the source and which should be the destination?

Thanks again.

Scott

Basically SRC = any IP address or network on the interface that the access-list is applied on, and Destination is the IP address that the traffic will be forwarded to (other interfaces).

Example: if you have an access-list on the inside interface and you want just to permit outgoing HTTP and DNS traffic, then it would look like this:

IP inside interface = 192.168.1.1

IP Network Inside = 192.168.1.0/24

access-list inside permit tcp 192.168.1.0 255.255.255.0 any eq 80

access-list inside permit udp 192.168.1.0 255.255.255.0 any eq 53

access-group inside in interface inside

Now another example: you want to allow any user on the internet to access your email server with SMTP. So the SRC is any, because it could be any IP on the outside interface, and the DST is the internal mail server's public IP, because we will do Network Address Translation (NAT) after the access-list verification.

example:

access-list outside permit tcp any host MailServer-Public eq 25

access-group outside in interface outside

Sincerely,

Patrick

Thanks for the response. But it does not answer my question. My case is: a remote PC (Cisco VPN Client) accessing the inside of a PIX 501.

The Pix inside and the computers connected to the Pix are in the subnet 192.168.1.0 255.255.255.0, while the remote PC will be assigned 10.10.10.0 255.255.255.0 once it has successfully opened the VPN channel.

This is the statement I used:

access-list 101 permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0

vpngroup MyVPN split-tunnel 101

And it works. I can connect and access the inside of the Pix; for instance, I can launch the PDM from the inside of the Pix.

But I am confused about which should be the source and which should be the destination. My understanding is that the remote PC (the VPN client) should be the source, while the Pix inside interface should be the destination. Is this a correct understanding? If so, then how can I put the Pix inside (192.168.1.0 255.255.255.0) at the source position and the remote PC (10.10.10.0 255.255.255.0) at the destination position, and it works?

Thanks again.

Scott
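As an added illustration of the source/destination question raised in this thread (this is not code from the thread, from Cisco, or from the PIX itself), the following Python evaluator parses PIX-style access-list entries (real subnet masks rather than wildcard masks, `any`, `host`, and an optional `eq` destination port) and applies them to constructed sample packets. Run over Patrick's inside-interface ACL it shows the "source = the network on the interface where the ACL is applied" rule; run over Scott's ACL 101 it shows that the entry, as written, describes traffic whose source is the network behind the PIX and whose destination is the client pool, i.e. the PIX's own view of the tunnel. On PIX 6.x the split-tunnel ACL is not a traffic filter: the source side of each entry is the protected local network that the client is told to reach through the tunnel, which is why Scott's configuration works even though the client initiates the connections. The packet values below are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Packet:
    """A constructed packet as the PIX would see it on the ingress interface."""
    proto: str            # "tcp", "udp" or "ip" (ip = any protocol)
    src: str
    dst: str
    dport: Optional[int] = None


def parse_addr(tokens: List[str]) -> ipaddress.IPv4Network:
    """Consume one PIX-style address spec: 'any', 'host A.B.C.D', or 'A.B.C.D MASK'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    mask = tokens.pop(0)  # PIX uses normal subnet masks, not IOS wildcard masks
    return ipaddress.ip_network(f"{tok}/{mask}", strict=False)


def parse_ace(line: str) -> dict:
    """Parse 'access-list ID permit|deny PROTO SRC DST [eq PORT]' into a dict."""
    tokens = line.split()
    if tokens[0] != "access-list":
        raise ValueError(f"not an access-list entry: {line!r}")
    acl_id, action, proto = tokens[1], tokens[2], tokens[3]
    rest = tokens[4:]
    src = parse_addr(rest)
    dst = parse_addr(rest)
    dport = int(rest[1]) if rest and rest[0] == "eq" else None
    return {"id": acl_id, "action": action, "proto": proto,
            "src": src, "dst": dst, "dport": dport}


def matches(ace: dict, pkt: Packet) -> bool:
    """True if the packet matches this entry's protocol, source, destination and port."""
    if ace["proto"] != "ip" and ace["proto"] != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in ace["src"]:
        return False
    if ipaddress.ip_address(pkt.dst) not in ace["dst"]:
        return False
    if ace["dport"] is not None and ace["dport"] != pkt.dport:
        return False
    return True


def evaluate(acl_lines: List[str], pkt: Packet) -> str:
    """First matching entry wins; no match falls to the implicit deny at the end."""
    for line in acl_lines:
        ace = parse_ace(line)
        if matches(ace, pkt):
            return ace["action"]
    return "deny"


# Patrick's example: ACL applied 'in' on the inside interface, so the source
# is the inside network and the destination is wherever the traffic is going.
INSIDE_ACL = [
    "access-list inside permit tcp 192.168.1.0 255.255.255.0 any eq 80",
    "access-list inside permit udp 192.168.1.0 255.255.255.0 any eq 53",
]

# Scott's split-tunnel ACL: local protected network first, client pool second.
SPLIT_ACL = [
    "access-list 101 permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0",
]


def demo() -> dict:
    """Evaluate constructed packets against both ACLs and return the verdicts."""
    web = Packet("tcp", "192.168.1.20", "203.0.113.10", 80)     # inside host -> public web
    dns = Packet("udp", "192.168.1.20", "203.0.113.53", 53)     # inside host -> public DNS
    tls = Packet("tcp", "192.168.1.20", "203.0.113.10", 443)    # not permitted: implicit deny
    local_to_client = Packet("ip", "192.168.1.10", "10.10.10.5")  # as the entry is written
    client_to_local = Packet("ip", "10.10.10.5", "192.168.1.10")  # the reverse direction
    return {
        "inside_web": evaluate(INSIDE_ACL, web),
        "inside_dns": evaluate(INSIDE_ACL, dns),
        "inside_tls": evaluate(INSIDE_ACL, tls),
        "split_local_to_client": evaluate(SPLIT_ACL, local_to_client),
        "split_client_to_local": evaluate(SPLIT_ACL, client_to_local),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:24s} {verdict}")
```

The last two verdicts make the point of Scott's question concrete: taken literally as a filter, ACL 101 only describes packets leaving the 192.168.1.0/24 network toward the 10.10.10.0/24 pool, which is the direction seen from the PIX, not from the client. That is the reading `vpngroup ... split-tunnel` uses to decide which local networks to push to the client, so the inside network belongs in the source position.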