09-29-2005 01:33 AM - edited 02-20-2020 09:28 PM
Hi,
I would like to filter the traffic of my client on the local LAN so that it can access the Internet only with these protocols: HTTP, HTTPS and DNS queries (only from IP 192.168.149.1).
I have tried to configure an ACL in my PIX, and this is my sample configuration, but it does not work.
Why?
: Saved
: Written by enable_15 at 19:04:43.669 GMT Wed Sep 28 2005
PIX Version 7.0(2)
names
name 192.168.149.1 IperRouter
name 192.168.149.2 IperSwitch1
name 10.10.10.1 RouterISPTelecom
name 192.168.0.0 LocalLAN
!
interface Ethernet0
description Interfaccia Interna LOCAL
nameif inside
security-level 100
ip address 192.168.149.3 255.255.255.128
!
interface Ethernet1
description Interfaccia Esterna PUBBLIC
nameif outside
security-level 0
ip address 10.10.10.10 255.255.255.0
!
enable password xxxx
passwd xxxx
hostname IperPIX
domain-name sample.com
ftp mode passive
clock timezone GMT 1
object-group service USER-SERVICE tcp
port-object eq www
port-object eq domain
port-object eq https
access-list inside_out extended permit tcp 192.168.149.0 255.255.255.128 any object-group USER-SERVICE
pager lines 24
mtu inside 1500
mtu outside 1500
no failover
monitor-interface inside
monitor-interface outside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_out in interface inside
route outside 0.0.0.0 0.0.0.0 RouterISPTelecom 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username xxx password xxx
privilege 15
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp
telnet 192.168.149.4 255.255.255.255 inside
telnet timeout 60
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:xxxx
: end
THANKS
09-29-2005 02:46 AM
hi
You mean to say 192.168.149.1 should be going online with object-group USER-SERVICE, right? Then this would help:
#access-list inside_out extended permit tcp host 192.168.149.1 any object-group USER-SERVICE
thanks
10-06-2005 12:08 PM
I think you mixed up UDP 53 (DNS query) with DNS zone transfer TCP 53. That's why this does not work!!
Add this line to your Access-list:
access-list inside_out extended permit udp 192.168.149.0 255.255.255.128 any eq 53
Do not forget to remove zone transfer TCP 53 in the object group.
Sincerely,
Patrick
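As an added illustration (not part of the thread or of Cisco's own tooling), a small Python model of first-match ACL evaluation that reproduces why the original ACE drops a DNS query and why Patrick's UDP line lets it through. The object-group contents and the ACL lines are taken from the posts; the port-name mapping, the inside client 192.168.149.5 and the resolver address 203.0.113.53 are constructed.

```python
import ipaddress

# Object group and ACL lines from the thread; the PIX service group is TCP-only.
PORT_NAMES = {"www": 80, "domain": 53, "https": 443}
OBJECT_GROUPS = {"USER-SERVICE": ("tcp", {80, 53, 443})}

ORIGINAL_ACL = [
    "access-list inside_out extended permit tcp 192.168.149.0 255.255.255.128 any object-group USER-SERVICE",
]
FIXED_ACL = ORIGINAL_ACL + [  # Patrick's suggested UDP line appended after the original ACE
    "access-list inside_out extended permit udp 192.168.149.0 255.255.255.128 any eq 53",
]

def parse_addr(tok, i):
    """Return (network, next_index) for 'any', 'host A.B.C.D' or 'A.B.C.D MASK'."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}"), i + 2

def parse_ace(line):
    """Parse 'access-list NAME extended ACTION PROTO SRC DST [eq PORT | object-group G]'."""
    tok = line.split()
    action, proto = tok[3], tok[4]
    src, i = parse_addr(tok, 5)
    dst, i = parse_addr(tok, i)
    ports = None  # None means any destination port
    if i < len(tok) and tok[i] == "eq":
        ports = {PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])}
    elif i < len(tok) and tok[i] == "object-group":
        grp_proto, grp_ports = OBJECT_GROUPS[tok[i + 1]]
        # A tcp service group matches nothing for a udp ACE (the PIX CLI would reject that pairing).
        ports = grp_ports if grp_proto == proto else set()
    return action, proto, src, dst, ports

def evaluate(acl_lines, proto, src_ip, dst_ip, dst_port):
    """First-match evaluation; an unmatched flow hits the PIX implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for line in acl_lines:
        action, p, s, d, ports = parse_ace(line)
        if p in (proto, "ip") and src in s and dst in d and (ports is None or dst_port in ports):
            return action
    return "deny"

if __name__ == "__main__":  # constructed flow: inside client resolving via 203.0.113.53
    for name, acl in (("original", ORIGINAL_ACL), ("fixed", FIXED_ACL)):
        print(name, "udp/53 from 192.168.149.5:", evaluate(acl, "udp", "192.168.149.5", "203.0.113.53", 53))
```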