
access list for lower --> higher interface


jamesagnew (Programmer), Feb 7, 2002
Hi

I have 3 interfaces on a PIX 515: 'inside', 'finance', 'sales' where the security priority (highest to lowest) is inside > finance > sales

I'm using PDM and am not very comfortable with the command-line just yet so please keep your explanation simple!

In the access list, there are 3 implicit rules - any traffic from any of these interfaces can reach the outside interface.

Now, I'm trying to allow mail (smtp + pop) traffic to go from sales to finance so I created a static translation rule between the two interfaces to allow correct translation from lower > higher (i.e. sales to finance)

I then created an access rule to actually allow traffic to move. Source = sales, Destination = finance, ports 25 and 110.

What happens though, is the implicit outbound rule on sales is 'overwritten' by the new rule and this prevents *any* traffic from leaving the sales interface except the traffic defined in the new rule.

Upon removing this rule, the original implicit rule gets automatically re-instated.

Could someone give me a bit of help with this, so I can understand what's actually going on and how to get the rule working properly?

Many thanks in advance for any help.

James

If you are applying the access list inbound on the sales interface, then yes, traffic to the outside interface from 'sales' will be blocked. You would also have to add rules to that acl to allow ports to the internet (http, dns, ftp etc.). This is like applying an inbound list on the inside interface. Once you apply an access list to an interface, that acl is applied to all traffic regardless of destination.

So, without an ACL on 'sales' you would have the implicit rule:

Sales > Outside = Allow (high to low)
Sales > Finance = Block (low to high)
Sales > Inside = Block (low to high)

Once you put an acl inbound on sales, that affects all traffic so you now have:

Sales > Finance > tcp 25 = Allow
Sales > Finance > tcp 110 = Allow
Sales > Any = Block (this is the implicit block at the end of every acl)

So you need:

Sales > Finance > tcp 25 = Allow
Sales > Finance > tcp 110 = Allow
Sales > Outside <ports> = Allow

So after your SMTP and POP3 rules to allow this traffic to finance, you would have to then state in the acl what other traffic should be allowed. At the end of your acl any traffic not permitted by the acl will be blocked.

Sales > Any = Block.

Chris.


**********************
Chris A.C, CCNA, CCSA
**********************
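The two ACL states Chris describes, written out as PIX 6.x configuration. This is an added illustration, not configuration from the thread; the subnets, the finance mail host address and the ACL names are assumed placeholders, and lines beginning with `!` are annotations for the reader, not commands.

```cisco
! Added example (not from the thread). Assumed placeholder addressing:
!   sales   = 10.3.0.0/24 (lowest security)
!   finance = 10.2.0.0/24, mail host 10.2.0.10 (higher security)

! 1. Identity static so hosts on the lower-security 'sales' interface
!    can reach the finance mail host at its real address (low -> high
!    needs a static; the implicit rules never allowed this direction).
static (finance,sales) 10.2.0.10 10.2.0.10 netmask 255.255.255.255

! 2. The list as James first built it. As soon as it is bound to 'sales',
!    the implicit "high -> low allowed" behaviour no longer applies: every
!    packet entering 'sales' is matched against this list only, and the
!    implicit deny at the end drops everything else, internet traffic included.
access-list sales_mail_only permit tcp 10.3.0.0 255.255.255.0 host 10.2.0.10 eq smtp
access-list sales_mail_only permit tcp 10.3.0.0 255.255.255.0 host 10.2.0.10 eq pop3
access-group sales_mail_only in interface sales

! 3. Corrected list: the same two host-specific mail permits, followed by
!    explicit permits for the outbound traffic that used to ride on the
!    implicit rule. Keep the finance permits host-specific so the broader
!    'any' lines do not open finance or inside to other ports.
access-list sales_in permit tcp 10.3.0.0 255.255.255.0 host 10.2.0.10 eq smtp
access-list sales_in permit tcp 10.3.0.0 255.255.255.0 host 10.2.0.10 eq pop3
access-list sales_in permit udp 10.3.0.0 255.255.255.0 any eq domain
access-list sales_in permit tcp 10.3.0.0 255.255.255.0 any eq www
access-list sales_in permit tcp 10.3.0.0 255.255.255.0 any eq 443
access-list sales_in permit tcp 10.3.0.0 255.255.255.0 any eq ftp
! The deny below is what the PIX does implicitly anyway; writing it out
! documents the intent for whoever reads the config next.
access-list sales_in deny ip any any
! Bind the corrected list in place of the mail-only one.
access-group sales_in in interface sales
```

Only one access-group can be bound inbound on 'sales' at a time, so step 3 replaces step 2; the two lists are shown separately here to make the before/after difference visible.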
Thanks Chris for taking the time to answer a noob's question.

I understand the process much better now.

Cheers, James