1469 Views · 0 Helpful · 13 Replies

ACL Help via command line

imanco671 (Beginner)

Hello Community,

My main goal is to NAT, but I am not too familiar with the command line and am cautious working with my production PIX.
I have a WAN address (173.x.x.x) and an internal address (192.168.x.x) to NAT.
I want to allow port 80 traffic for this new NAT.
I have issued the following commands:

name 173.x.x.x webserver

static (NewBlock, outside) 173.x.x.x 192.168.xx.xx netmask 255.255.255.255

I think my next step is to add my ACL. I just don't know what command to use and what names.

My internal interface is called NewBlock.

My outside interface is called Outside.

Thanks in advance, I have attached my running-config.

1 Accepted Solution (John Blakley's reply below on replacing conduits with ACLs)

13 Replies

John Blakley (VIP Alumni)

John,

Your ACL will be on the outside interface, allowing traffic inbound to your public address on that port:

access-list OUTSIDE permit tcp any host 173.x.x.x eq 80

access-group OUTSIDE in interface outside

The access-group applies the access-list on the outside interface...

*Edit* Since you used a name command, when you do a "show run access-list OUTSIDE", it'll say:

access-list OUTSIDE permit tcp any host webserver eq 80

..unless you have "no names" issued.

HTH,

John

HTH, John *** Please rate all useful posts ***

Hi John,

Thanks for the quick reply!

When I run the "sh access-list" command, I get many lines of output.

Here is one of the many:

access-list inside_outbound_nat0_acl line 27 permit ip host demo150 any (hitcnt=22909)

When I run the "sh access-list outside", it says  ERROR: access-list does not exist

Is it weird that all the output says "any" at the end of each line?

So should my command be:

access-list inside_outbound_nat0_acl permit ip host webserver www

Do you know what "inside_outbound_nat0_acl" means?

Thanks

John

Do you know what "inside_outbound_nat0_acl" means?

It's probably your nat statement, but I'd have to look at the config again. If it is, then the line is saying to permit the host "demo150" to use the global nat statement...but that depends on where the acl is applied. (It can also mean "nonat" if the acl is applied to nat (inside) 0, in which case it wouldn't be natted to any destination.)

As far as the outside acl, you may not have one. Do a "show run access-group". If you see a line that says something like:

access-group <acl-name> in interface inside

That means that you have an access list applied to the inside interface (the last word "inside" can be whatever you named your interface).

If you don't see one like "access-group <acl-name> in interface outside", then you don't have an acl applied to your outside interface and you'll need to create it and apply it.

You won't hurt anything because without an acl applied to your outside interface, the Pix/ASA denies all traffic by default. You'll need to create an acl and apply it on the outside interface like I mentioned in my first post.

HTH,

John

HTH, John *** Please rate all useful posts ***

Hi John,

I have run the command "sh access-group" and nothing was output.

I did find in my running-config these Conduit statements, which look more like known open ports. I assume these are my ACLs?

conduit permit tcp host "xxxxx" eq 8001 any

conduit permit tcp host "xxxxx" eq 9080 any

I have found this statement in my running config too:

nat (inside) 0 access-list inside_outbound_nat0_acl

I am confused about these Conduit statements ( I know they are old).

Here's a link to how to use conduits:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aad.shtml#conduit

You'll create a conduit based on your public address like:

conduit permit tcp host 173.x.x.x eq www any

HTH, John *** Please rate all useful posts ***

I would like to use what you recommend and the right way to issue ACL statements.

Can I replace them somehow?

You can replace them with acls as long as you have a version (I believe 5.x) that supports them. I'm not 100% certain you can run acls and conduits at the same time though or if they're mutually exclusive. If they're mutually exclusive, you could have some down time trying to convert them. I've yet to find a config that was running both at the same time. There are some tools that you can get from Cisco to help you convert from conduits to acls. You'll leave the static statements alone, but the conduits would be replaced with an acl and that acl would be applied to your outside interface.

It's recommended by Cisco to stop using conduits because they've been deprecated.

You can post your "show run" here to see what it gives you:

https://www.cisco.com/cgi-bin/Support/OutputInterpreter/home.pl

John

HTH, John *** Please rate all useful posts ***
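As an added example (not code from this thread or from Cisco), here is a small converter that does the mechanical part of what John describes: it takes each `conduit` line from a `show run`, rewrites it as an `access-list` line for an inbound ACL on the outside interface, emits the `access-group` only if none is already applied there, and lists the matching `no conduit` lines to run afterwards. The ACL name `outside_in`, the interface name `outside`, and the sample config are assumptions for the example, not the poster's running-config. The one thing worth seeing in code is the argument swap: a conduit names the global (public) address first, an ACL names the source first.

```python
"""Rewrite PIX 'conduit' statements as an inbound access-list on the outside interface.

Added example, not code from the thread or from Cisco. Assumptions: the outside
interface is named 'outside' and the new ACL is called 'outside_in'; the sample
config below is constructed, not the poster's running-config.
"""
from typing import List, Optional, Tuple

# conduit    : conduit {permit|deny} PROTO GLOBAL_ADDR [op PORT] FOREIGN_ADDR [op PORT] [icmp-type]
# access-list: access-list NAME {permit|deny} PROTO SRC [op PORT] DST [op PORT] [icmp-type]
# A conduit names the *global* (the static's public) address first; an ACL names the
# *source* first, so the two address specs swap places when converting.


def _take_addr(tokens: List[str], i: int) -> Tuple[str, int]:
    """Consume 'any' | 'host X' | 'X MASK' at tokens[i]; return (text, next index)."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return f"host {tokens[i + 1]}", i + 2
    ip, mask = tokens[i], tokens[i + 1]
    return (f"host {ip}" if mask == "255.255.255.255" else f"{ip} {mask}"), i + 2


def _take_port(tokens: List[str], i: int) -> Tuple[str, int]:
    """Consume an optional port operator at tokens[i]; return ('' if none, next index)."""
    if i < len(tokens) and tokens[i] in ("eq", "neq", "lt", "gt"):
        return f"{tokens[i]} {tokens[i + 1]}", i + 2
    if i < len(tokens) and tokens[i] == "range":
        return f"range {tokens[i + 1]} {tokens[i + 2]}", i + 3
    return "", i


def conduit_to_acl(line: str, acl_name: str = "outside_in") -> str:
    """Return the access-list line equivalent to one conduit statement."""
    t = line.split()
    if len(t) < 5 or t[0] != "conduit" or t[1] not in ("permit", "deny"):
        raise ValueError(f"not a conduit statement: {line!r}")
    action, proto = t[1], t[2]
    glob, i = _take_addr(t, 3)       # global (public) address, the ACL's destination
    gport, i = _take_port(t, i)
    foreign, i = _take_addr(t, i)    # foreign address, the ACL's source
    fport, i = _take_port(t, i)
    out = ["access-list", acl_name, action, proto, foreign]
    if fport:
        out.append(fport)
    out.append(glob)
    if gport:
        out.append(gport)
    out.extend(t[i:])                # trailing ICMP type such as echo-reply, if any
    return " ".join(out)


def convert_config(config: str, acl_name: str = "outside_in",
                   outside: str = "outside") -> Tuple[List[str], Optional[str], List[str]]:
    """Return (acl_lines, access_group_line_or_None, no_conduit_lines) for a show run."""
    acl, removals = [], []
    has_outside_acl = False
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("conduit "):
            acl.append(conduit_to_acl(line, acl_name))
            removals.append("no " + line)
        elif line.startswith("access-group ") and line.endswith(f"in interface {outside}"):
            has_outside_acl = True   # an ACL is already applied inbound on outside
    group = None if has_outside_acl else f"access-group {acl_name} in interface {outside}"
    return acl, group, removals


# Constructed sample, not the poster's running-config; 173.0.0.10 stands in for the WAN address.
SAMPLE_CONFIG = """\
name 173.0.0.10 webserver
static (NewBlock,outside) 173.0.0.10 192.168.10.10 netmask 255.255.255.255
conduit permit tcp host 173.0.0.10 eq 8001 any
conduit permit tcp host 173.0.0.10 eq 9080 any
conduit permit icmp any any echo-reply
nat (inside) 0 access-list inside_outbound_nat0_acl
"""

if __name__ == "__main__":
    acl_lines, group_line, no_lines = convert_config(SAMPLE_CONFIG)
    print("\n".join(acl_lines + ([group_line] if group_line else []) + no_lines))
```

Apply the `access-list` and `access-group` lines first, confirm the hit counts with `show access-list`, and only then run the `no conduit` lines; that ordering avoids the downtime John mentions if your version does not honour both at once.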

Thanks John, I am running version 6.1

I will see if both can run at the same time. I hope so.....

I think after issuing the access-list or conduit statement, there should be nothing left to configure to make that WAN address NAT to the internal address.

I am still curious about the "inside_outbound_nat0_acl" . Should I just leave these alone?

The inside_outbound_nat0_acl is attached to:

nat (inside) 0 access-list inside_outbound_nat0_acl

The nat statement needs to match a global with the (inside) number command. For example:

global (outside) 1 200.200.200.200 255.255.255.255

nat (inside) 1 192.168.1.50

nat (inside) 0 access-list inside_outbound_nat0_acl

The above will nat 192.168.1.50 as 200.200.200.200 outbound. The nat (inside) 0 command basically says that any hosts that are in the acl that's mentioned (inside_outbound_nat0_acl) don't nat to those destinations. You can have subnet to any, host to host, host to any, etc.

Your access-list hosts are "xxxx" out, so you'll have to make that call, but from what I can see it says that you don't want any of the hosts to nat when going to any destination. Since I don't know how you're laid out, I can't make a reasonable assumption as to why you'd want to do this.

My nat statements look something like the following:

global (outside) 1 interface

nat (inside) 1 192.168.1.0 255.255.255.0

nat (dmz) 1 10.10.10.0 255.255.255.0

nat (inside) 0 access-list nonat

access-list nonat permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0

Basically, I don't want to nat when going from 192.168.1.0 to my dmz, but I do want to nat going to anything else.

John

HTH, John *** Please rate all useful posts ***
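The precedence John is describing (nat 0 exemption wins, static next, then the nat/global pair) is easiest to see by running flows through it. The following is an added example, not code from this thread or from Cisco: it parses only the commands the thread discusses (`name`, `global`, `nat`, `static`, `access-list`), models the outbound direction only, and assumes the documented PIX order of operations plus nat-control behaviour (a flow with no matching rule is dropped); check both against your version. The sample config is John's example plus one `static`, with 173.0.0.10 standing in for the masked WAN address.

```python
"""Resolve which PIX translation applies to an outbound flow: nat 0 exemption, static, or nat/global.

Added example, not code from the thread or from Cisco. Assumes the documented PIX
precedence (nat 0 access-list exemption, then static, then nat/global) and nat-control
(no matching rule => flow dropped). Models outbound flows only.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

Net = ipaddress.IPv4Network


def _net(tokens: List[str], i: int, names: Dict[str, str]) -> Tuple[Net, int]:
    """Parse 'any' | 'host X' | 'X MASK' (X may be a 'name') at tokens[i]; return (net, next)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(names.get(tokens[i + 1], tokens[i + 1]) + "/32"), i + 2
    ip = names.get(tokens[i], tokens[i])
    mask = tokens[i + 1] if i + 1 < len(tokens) else "255.255.255.255"
    ip, mask = ("0.0.0.0" if ip == "0" else ip), ("0.0.0.0" if mask == "0" else mask)
    return ipaddress.ip_network(f"{ip}/{mask}", strict=False), i + 2


class PixNat:
    def __init__(self, config: str):
        self.names: Dict[str, str] = {}                     # name -> ip
        self.globals: Dict[Tuple[str, str], str] = {}       # (mapped_ifc, id) -> pool text
        self.nats: List[Tuple[str, str, Net]] = []          # (real_ifc, id, real_net)
        self.exempt: Dict[str, str] = {}                    # real_ifc -> nat 0 acl name
        self.acls: Dict[str, List[Tuple[Net, Net]]] = {}    # name -> [(src, dst)]
        self.statics: List[Tuple[str, str, Net, Net]] = []  # (real_ifc, mapped_ifc, mapped, real)
        for raw in config.splitlines():
            t = raw.split()
            if not t:
                continue
            if t[0] == "name":
                self.names[t[2]] = t[1]
            elif t[0] == "global":
                self.globals[(t[1].strip("()"), t[2])] = " ".join(t[3:])
            elif t[0] == "nat":
                ifc = t[1].strip("()")
                if t[2] == "0" and t[3] == "access-list":
                    self.exempt[ifc] = t[4]
                else:
                    self.nats.append((ifc, t[2], _net(t, 3, self.names)[0]))
            elif t[0] == "static":
                real_ifc, mapped_ifc = t[1].strip("()").split(",")
                mask = t[5] if len(t) > 5 and t[4] == "netmask" else "255.255.255.255"
                mapped = _net([t[2], mask], 0, self.names)[0]
                real = _net([t[3], mask], 0, self.names)[0]
                self.statics.append((real_ifc, mapped_ifc, mapped, real))
            elif t[0] == "access-list" and t[2] in ("permit", "deny") and t[3] == "ip":
                src, i = _net(t, 4, self.names)
                dst, _ = _net(t, i, self.names)
                self.acls.setdefault(t[1], []).append((src, dst))

    def translate(self, src_ifc: str, src: str, dst_ifc: str, dst: str) -> Tuple[str, Optional[str]]:
        """Return (rule kind, address the destination interface sees) for one outbound flow."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        acl = self.exempt.get(src_ifc)
        if acl and any(s in a and d in b for a, b in self.acls.get(acl, [])):
            return "exempt", src                  # nat 0 access-list: checked first, no translation
        for real_ifc, mapped_ifc, mapped, real in self.statics:
            if real_ifc == src_ifc and mapped_ifc == dst_ifc and s in real:
                offset = int(s) - int(real.network_address)
                return "static", str(mapped.network_address + offset)
        for real_ifc, nat_id, real in self.nats:
            if real_ifc == src_ifc and s in real:
                if nat_id == "0":
                    return "identity", src        # nat (ifc) 0 NET MASK without an acl
                pool = self.globals.get((dst_ifc, nat_id))
                if pool is None:
                    return "dropped", None        # nat id has no global on that interface
                return "dynamic", pool
        return "dropped", None                    # nat-control: no rule, no translation


# Constructed: John's example plus one static; 173.0.0.10 stands in for the masked WAN address.
SAMPLE_CONFIG = """\
name 173.0.0.10 webserver
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
nat (dmz) 1 10.10.10.0 255.255.255.0
nat (inside) 0 access-list nonat
access-list nonat permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
static (inside,outside) webserver 192.168.1.53 netmask 255.255.255.255
"""

if __name__ == "__main__":
    pix = PixNat(SAMPLE_CONFIG)
    for flow in [("inside", "192.168.1.20", "dmz", "10.10.10.5"),
                 ("inside", "192.168.1.20", "outside", "198.51.100.7"),
                 ("inside", "192.168.1.53", "outside", "198.51.100.7"),
                 ("inside", "192.168.1.53", "dmz", "10.10.10.5")]:
        print(flow, "->", pix.translate(*flow))
```

The fourth flow is the one to notice: the web server has a static, but when it talks to the DMZ the `nonat` entry matches first and the real address goes through untranslated. That is also why a `nat 0` entry of `host X any` is worth questioning, as John does above: it would exempt X from translation towards every destination.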

Hi John,

I am having trouble understanding your reply; I have read it over and over. I will reply to each statement and see if I am correct. Definitely correct me if I am wrong. I am sorry.....

The inside_outbound_nat0_acl is attached to:

nat (inside) 0 access-list inside_outbound_nat0_acl

The above means that using the above command will not allow NAT to its own inside address.

This statement must be executed after every NATed WAN address?

So I cannot NAT to the inside interface, which is not "legit" anyways. NATing should be done to the outside interface?

So the above statement is just added protection?

I assume the "real" way to NAT would to use a command: nat (outside) 0 access-list inside_outbound_nat0_acl ?

The nat statement needs to match a global with the (inside) number command. For example:

global (outside) 1 200.200.200.200 255.255.255.255

nat (inside) 1 192.168.1.50

nat (inside) 0 access-list inside_outbound_nat0_acl

Say I want to NAT this scenario: WAN address 200.200.200.201 to LAN address 192.168.1.51

So my first command to execute would be: global (outside) 2 200.200.200.201 255.255.255.255

Next command: nat (inside) 2 192.168.1.51

Last command: nat (inside) 0 access-list inside_outbound_nat0_acl

Another example: I want to NAT WAN address 200.200.200.202 to LAN address 192.168.1.52

global (outside) 2 200.200.200.202 255.255.255.255

nat (inside) 2 192.168.1.52

nat (inside) 0 access-list inside_outbound_nat0_acl

This basically means that I defined my WAN address (global) and then defined my LAN address( inside), then I made sure that it could not NAT to its own inside address.

Your access-list hosts are "xxxx" out, so you'll have to make that call, but from what I can see it says that you don't want any of the hosts to nat when going to any destination. Since I don't know how you're laid out, I can't make a reasonable assumption as to why you'd want to do this.

access-list inside_outbound_nat0_acl permit ip host "exchange-server" any

I know that the above server should be able to NAT. I don't know why it's listed then. All the functional NATed servers are included in the access-list inside_outbound_nat0_acl.

My nat statements look something like the following:

global (outside) 1 interface

nat (inside) 1 192.168.1.0 255.255.255.0

nat (dmz) 1 10.10.10.0 255.255.255.0

nat (inside) 0 access-list nonat

access-list nonat permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0

The above looks like you are defining your outside assigned interface of your firewall. Then you want to define your LAN subnet of 192.168.1.0. Then you want to define your DMZ subnet of 10.10.10.0. Then you want to define your access list called "nonat". Then lastly you are stating that you do not want to allow NATing to your LAN subnet or your DMZ subnet?

Basically, I don't want to nat when going from 192.168.1.0 to my dmz, but I do want to nat going to anything else.

I do not understand "but I do want to nat going to anything else"  So basically you want to prevent NATing from your LAN to DMZ but what does "anything else" mean?

(I'm trying to get the hang of it. Sorry for being such a novice.)

Let me show you my understanding so far.

Lets assume that I can run the Conduits and the Access-list...

I would start with a free WAN address: 200.200.200.203

I have a webserver in my LAN that I want port 80 opened: 192.168.1.53

name 200.200.200.203 webserver3

static (NewBlock,outside) webserver3 192.168.1.53 netmask 255.255.255.255 0 0

conduit permit tcp host webserver3 eq www any

or

name 200.200.200.203 webserver3

static (NewBlock,outside) webserver3 192.168.1.53 netmask 255.255.255.255 0 0

access-list outside permit tcp any host webserver3 eq 80

Then after the above is executed....200.200.200.203 will be NATed to 192.168.1.53 with port 80 opened.

Am I getting it? or still dumb?

Hi John,

Can we pick up on another discussion?

I will create one called "ACL help"

Thanks

John

Sorry for taking so long getting back with you. I had network issues yesterday.

Here's a link from Cisco that can explain NAT a lot better than I can:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008046f31a.shtml

HTH, John *** Please rate all useful posts ***