03-14-2003 04:02 AM - edited 02-20-2020 09:20 PM
I am using Cisco PIX version 6.2(2).
object-group network norm_nat_hosts
network-object 192.168.11.1 255.255.255.255
network-object 192.168.11.2 255.255.255.255
network-object 192.168.11.3 255.255.255.255
network-object 192.168.11.4 255.255.255.255
object-group service norm_allow_ports tcp
port-object eq www
port-object eq domain
port-object eq https
port-object eq ftp-data
port-object eq ftp
port-object eq 8100
port-object eq 8080
access-list acl4inside permit tcp object-group norm_nat_hosts any object-group norm_allow_ports
But I find that each of those hosts in norm_nat_hosts is allowed to open all ports from its machine instead of those specified in norm_allow_ports.
But if I put each host separately (as shown below), then only those allowed ports are opened.
access-list acl4inside permit tcp host 192.168.11.1 eq www any
access-list acl4inside permit tcp host 192.168.11.1 eq 53 any
access-list acl4inside permit tcp host 192.168.11.1 eq 443 any
access-list acl4inside permit tcp host 192.168.11.1 eq 20 any
.........
.......etc
This will run to 28 lines, while the new syntax is supposed to do the same in fewer lines.
What have I done wrong?
03-14-2003 07:54 AM
You aren't comparing apples to apples. Your ACL statement that uses object groups has "any" in a different place - it says: from these hosts, on any port, make connections to any machine on object-group norm_allow_ports.
I think that:
access-list acl4inside permit tcp object-group norm_nat_hosts object-group norm_allow_ports any
will do what you are seeking - allow norm_nat_hosts to make connections to anyone from only norm_allow_ports.
03-15-2003 03:13 AM
My objective is to convert from the old outbound syntax to the new access-list syntax and then deploy object-groups to simplify the configuration. The details are as follows:
Old configuration:
global (outside) 1 62.12.4.19
nat (inside) 1 192.168.11.11 255.255.255.255 0 0
outbound 10 deny 0.0.0.0 0.0.0.0 0 tcp
outbound 10 permit 192.168.11.11 255.255.255.255 80 tcp
apply (inside) 10 outgoing_src
New syntax:
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
global (outside) 1 62.12.4.19
nat (inside) 1 192.168.11.11 255.255.255.255 0 0
access-list 101 permit tcp host 192.168.11.11 any eq 80
access-group 101 in interface inside
route outside 0.0.0.0 0.0.0.0 62.12.4.1 1
In the first case only port 80 is allowed out; all others are blocked. In the new syntax, all ports are allowed out from 192.168.11.11/24 on the inside interface.
What is wrong in this configuration? I am using PIX 6.2(2).
03-16-2003 06:58 PM
This config should be blocking any traffic that is initiated from this internal host unless it has a destination port of 80 (http). What are you seeing that shows all ports are allowed out? Can you show us the syslog on the PIX that shows a connection being built outbound from this host for a port other than 80, please?
03-16-2003 09:12 PM
I have done the following:
access-list 101 permit tcp host 192.168.11.11 any eq 80
access-list 101 deny ip any any
access-group 101 in interface inside
After some testing (for ports www, smtp, ssh, etc.), the show access-list command gives the following output:
access-list 101 permit tcp host 192.168.11.11 any eq www (hitcnt=0)
access-list 101 deny ip any any (hitcnt=46)
This would be interpreted as follows (I guess): all ports are going to the deny statement rather than port 80 traffic being allowed.
This happens when the access-list is applied to the inside interface. If it is not applied, then all ports are allowed, as traffic from the more secure interface is allowed by default to go to the less secure interface. If it is applied, nothing is allowed to go out... why?
What next?
03-17-2003 12:37 AM
The objective (say) is to browse, i.e. one will try to send packets to the destination IP's port 80 from the source IP's higher ports.
Since the syntax is:
access-list
So, in this case it will be:
access-list acl4inside permit tcp object-group norm_nat_hosts any object-group norm_allow_ports
where
object-group norm_nat_hosts = source IP
any = destination IP
object-group norm_allow_ports = destination port
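To make the operand positions the last post lays out concrete, here is an added example (my own Python, not code from this thread or from Cisco) that models how the PIX reads an access-list entry: source, optional source port, destination, optional destination port, first match wins, implicit deny at the end. It loads a trimmed copy of the object-group configuration from the first post and the per-host form `host 192.168.11.1 eq www any`, then evaluates a constructed browser connection (high source port to destination port 80) against each. The destination address 62.12.4.100 and the source ports 40000/40001 are made up for the example, and the parser handles only `eq`, `any`, `host`, address/mask pairs and object-groups.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"www": 80, "domain": 53, "https": 443, "ftp-data": 20, "ftp": 21}  # standard values

def port_number(tok):
    return PORT_NAMES.get(tok) or int(tok)

@dataclass
class Ace:
    action: str
    src_nets: list
    src_ports: Optional[set]     # None = any port
    dst_nets: list
    dst_ports: Optional[set]
    hits: int = 0                # what 'show access-list' reports as hitcnt

class PixAcl:
    """Minimal PIX model: first match wins, implicit deny at the end. Only any/host/addr-mask,
    object-group and 'eq' are parsed; range/gt/lt/neq are omitted to keep the example short."""

    def __init__(self):
        self.net_groups, self.svc_groups, self.acls, self._group = {}, {}, {}, None

    def load(self, config):
        for tok in filter(None, map(str.split, config.splitlines())):
            if tok[0] == "object-group":        # object-group network|service <name> [tcp]
                self._group = tok[2]
                (self.net_groups if tok[1] == "network" else self.svc_groups)[tok[2]] = []
            elif tok[0] == "network-object":    # network-object <addr> <mask>
                self.net_groups[self._group].append(ipaddress.ip_network(f"{tok[1]}/{tok[2]}", strict=False))
            elif tok[0] == "port-object":       # port-object eq <name|number>
                self.svc_groups[self._group].append(port_number(tok[2]))
            elif tok[0] == "access-list":
                self._parse_ace(tok)
        return self

    def _parse_ace(self, tok):
        # PIX operand order: source, [source port], destination, [destination port]
        name, action, rest = tok[1], tok[2], tok[4:]   # tok[3] is the protocol
        src, rest = self._addr(rest)
        sport, rest = self._port(rest)   # a port operand here restricts the SOURCE port
        dst, rest = self._addr(rest)
        dport, rest = self._port(rest)   # a port operand here restricts the DESTINATION port
        self.acls.setdefault(name, []).append(Ace(action, src, sport, dst, dport))

    def _addr(self, tok):
        if tok[0] == "object-group":
            return list(self.net_groups[tok[1]]), tok[2:]
        if tok[0] == "any":
            return [ipaddress.ip_network("0.0.0.0/0")], tok[1:]
        addr = tok[1] if tok[0] == "host" else f"{tok[0]}/{tok[1]}"   # host <a> | <a> <mask>
        return [ipaddress.ip_network(addr, strict=False)], tok[2:]

    def _port(self, tok):
        if tok and tok[0] == "eq":
            return {port_number(tok[1])}, tok[2:]
        if tok and tok[0] == "object-group" and tok[1] in self.svc_groups:
            return set(self.svc_groups[tok[1]]), tok[2:]
        return None, tok                 # no port operand at this position

    def evaluate(self, acl, src, sport, dst, dport):
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for ace in self.acls[acl]:
            if (any(s in n for n in ace.src_nets) and any(d in n for n in ace.dst_nets)
                    and (ace.src_ports is None or sport in ace.src_ports)
                    and (ace.dst_ports is None or dport in ace.dst_ports)):
                ace.hits += 1
                return ace.action == "permit"
        return False                     # implicit deny

# Object-group form from the first post (trimmed) and the per-host form, each with an explicit deny
OBJECT_GROUP_CONFIG = """
object-group network norm_nat_hosts
network-object 192.168.11.1 255.255.255.255
object-group service norm_allow_ports tcp
port-object eq www
port-object eq https
access-list acl4inside permit tcp object-group norm_nat_hosts any object-group norm_allow_ports
access-list acl4inside deny ip any any
"""
PER_HOST_CONFIG = """
access-list acl4inside permit tcp host 192.168.11.1 eq www any
access-list acl4inside deny ip any any
"""
# Constructed flows (62.12.4.100 and the high source ports are made up): a browser talks to port 80
BROWSER = ("192.168.11.1", 40000, "62.12.4.100", 80)
SMTP = ("192.168.11.1", 40001, "62.12.4.100", 25)

def compare():
    """Evaluate the flows against both syntaxes; return verdicts plus the per-host hit counts."""
    og, ph = PixAcl().load(OBJECT_GROUP_CONFIG), PixAcl().load(PER_HOST_CONFIG)
    return {
        "object_group_browser": og.evaluate("acl4inside", *BROWSER),  # True: destination port 80 is in the group
        "object_group_smtp": og.evaluate("acl4inside", *SMTP),        # False: 25 is not
        "per_host_browser": ph.evaluate("acl4inside", *BROWSER),      # False: 'eq www' tested the source port
        "per_host_hitcnt": [a.hits for a in ph.acls["acl4inside"]],   # permit entry 0, deny entry 1
    }
```

Calling compare() shows the object-group entry permitting the browser flow and denying port 25, while the per-host entry never matches a real browser connection because `eq www` in that position tests the source port, which a client picks from the high range; its hit count stays at 0 and the deny entry takes the hit.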