
ACL help!

Status
Not open for further replies.

pixster

Technical User
Aug 8, 2006
3
US
Hello all, I'm Pix illiterate so I'm hoping someone can help me. I'm looking at rules someone created before they left. I tried adding some rules that don't seem to work. I'm trying to block access from my internal network to Sirius.com and it's not working. Can someone help me truncate these rules?

pix# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list acl_out; 8 elements
access-list acl_out line 1 permit icmp any any (hitcnt=83883)
access-list acl_out line 2 permit tcp any host 63.138.xxx.xxx eq 3389 (hitcnt=53)
access-list acl_out line 3 permit tcp 6x.xxx.0.0 255.255.240.0 host 6x.xxx.x.xxx eq smtp (hitcnt=8900)
access-list acl_out line 4 permit tcp any host 6x.xxx.x.xxx eq smtp (hitcnt=15)
access-list acl_out line 5 deny tcp any any eq aol (hitcnt=0)
access-list acl_out line 6 deny tcp any 66.77.49.128 255.255.255.192 eq www
access-list acl_out line 7 deny tcp any 66.77.49.0 255.255.255.0 eq www
access-list acl_out line 8 deny tcp any 66.77.49.0 255.255.255.0 (hitcnt=0)
access-list PixA; 1 elements
access-list PixA line 1 permit ip 192.168.162.0 255.255.255.0 192.168.10.0 255.255.255.0 (hitcnt=238)
access-list PixB; 1 elements
access-list PixB line 1 permit ip 192.168.162.0 255.255.255.0 192.168.20.0 255.255.255.0 (hitcnt=139)
access-list PixC; 1 elements
access-list PixC line 1 permit ip 192.168.162.0 255.255.255.0 192.168.30.0 255.255.255.0 (hitcnt=75)
access-list 100; 3 elements
access-list 100 line 1 permit ip 192.168.162.0 255.255.255.0 192.168.10.0 255.255.255.0 (hitcnt=188)
access-list 100 line 2 permit ip 192.168.162.0 255.255.255.0 192.168.20.0 255.255.255.0 (hitcnt=85)
access-list 100 line 3 permit ip 192.168.162.0 255.255.255.0 192.168.30.0 255.255.255.0 (hitcnt=36)
access-list acl_inside; 11 elements
access-list acl_inside line 1 deny tcp any any eq 554 (hitcnt=0)
access-list acl_inside line 2 deny udp any any eq 1755 (hitcnt=0)
access-list acl_inside line 3 deny udp any any eq 554 (hitcnt=0)
access-list acl_inside line 4 deny tcp any any eq 10000 (hitcnt=0)
access-list acl_inside line 5 deny udp any any eq 10000 (hitcnt=0)
access-list acl_inside line 6 deny tcp any any eq 7000 (hitcnt=0)
access-list acl_inside line 7 deny udp any any eq 7000 (hitcnt=0)
access-list acl_inside line 8 permit tcp any 192.168.162.0 255.255.255.0 eq 1288 (hitcnt=0)
access-list acl_inside line 9 deny tcp any any eq aol (hitcnt=0)
access-list acl_inside line 10 deny tcp any 66.77.49.0 255.255.255.0 eq www
access-list acl_inside line 11 deny tcp any 66.77.49.0 255.255.255.0 (hitcnt=0)
access-list outbound; 1 elements
access-list outbound line 1 deny tcp any 128.121.4.0 255.255.255.0 eq www
 
You really should post your entire config for perusal. The access lists are only part of the equation and it looks like you have VPNs set up.

~ K.I.S.S - Don't make it any more complex than it has to be ~
 
Pix4# sh run
: Saved
:
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password LgyF8hDA6E0009Ss encrypted
passwd LgyF8hDA6E0009Ss encrypted
hostname Pix4
domain-name something.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list acl_out permit icmp any any
access-list acl_out permit tcp any host xx.xxx.xxx.181 eq 3389
access-list acl_out permit tcp 64.xxx.xx.xxx 255.255.240.0 host xx.xxx.xxx.179 eq smtp
access-list acl_out permit tcp any host xx.xxx.xxx.179 eq smtp
access-list acl_out deny tcp any any eq aol
access-list acl_out deny tcp any 66.77.49.128 255.255.255.192 eq www
access-list acl_out deny tcp any 66.77.49.0 255.255.255.0 eq www
access-list acl_out deny tcp any 66.77.49.0 255.255.255.0
access-list Pix1 permit ip 192.168.162.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list Pix2 permit ip 192.168.162.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list Pix3 permit ip 192.168.162.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list 100 permit ip 192.168.162.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list 100 permit ip 192.168.162.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list 100 permit ip 192.168.162.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list acl_inside deny tcp any any eq 554
access-list acl_inside deny udp any any eq 1755
access-list acl_inside deny udp any any eq 554
access-list acl_inside deny tcp any any eq 10000
access-list acl_inside deny udp any any eq 10000
access-list acl_inside deny tcp any any eq 7000
access-list acl_inside deny udp any any eq 7000
access-list acl_inside permit tcp any 192.168.162.0 255.255.255.0 eq 1288
access-list acl_inside deny tcp any any eq aol
access-list acl_inside deny tcp any 66.77.49.0 255.255.255.0 eq www
access-list acl_inside deny tcp any 66.77.49.0 255.255.255.0
access-list outbound deny tcp any 128.121.4.0 255.255.255.0 eq www
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside xx.xxx.xxx.178 255.255.255.248
ip address inside 192.168.162.50 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) xx.xxx.xxx.181 192.168.162.92 netmask 255.255.255.255 0 0
static (inside,outside) xx.xxx.xxx.179 192.168.162.4 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 xx.xxx.xxx.177 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set md53des esp-3des esp-md5-hmac
crypto map vpnmap 10 ipsec-isakmp
crypto map vpnmap 10 match address Pix1
crypto map vpnmap 10 set peer xx.xxx.xxx.194
crypto map vpnmap 10 set transform-set md53des
crypto map vpnmap 20 ipsec-isakmp
crypto map vpnmap 20 match address Pix2
crypto map vpnmap 20 set peer xx.xxx.xxx.186
crypto map vpnmap 20 set transform-set md53des
crypto map vpnmap 30 ipsec-isakmp
crypto map vpnmap 30 match address Pix3
crypto map vpnmap 30 set peer xx.xxx.xxx.202
crypto map vpnmap 30 set transform-set md53des
crypto map vpnmap interface outside
isakmp enable outside
isakmp key ******** address xx.xxx.xxx.194 netmask 255.255.255.255
isakmp key ******** address xx.xxx.xxx.186 netmask 255.255.255.255
isakmp key ******** address xx.xxx.xxx.202 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
telnet 192.168.162.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
management-access inside
console timeout 0
terminal width 80
Cryptochecksum:c0b0c7786a724a9622ea13b65888d10c
: end
 
Hmmm... first of all I'm not the best with the PIX, but I don't see your access-lists tied to any group statements. Maybe I'm wrong but... Have a read.


To confirm, see if you can find another terminal server besides the one you're allowing and try to hit it with RDP.



~ K.I.S.S - Don't make it any more complex than it has to be ~
 
A whois lookup for sirius.com returned 66.77.49.128 - 66.77.49.191; also listed was 63.236.98.168. They can have multiple servers and load balancing or round robin DNS.


access-list acl_inside deny ip any 66.77.49.128 255.255.255.192
access-list acl_inside deny ip any 63.236.98.168 255.255.255.255

access-list acl_inside deny tcp any any eq 554
access-list acl_inside deny udp any any eq 1755
access-list acl_inside deny udp any any eq 554
access-list acl_inside deny tcp any any eq 10000
access-list acl_inside deny udp any any eq 10000
access-list acl_inside deny tcp any any eq 7000
access-list acl_inside deny udp any any eq 7000
access-list acl_inside permit tcp any 192.168.162.0 255.255.255.0 eq 1288
access-list acl_inside deny tcp any any eq aol


access-list acl_out deny ip 66.77.49.128 255.255.255.192 xx.xxx.xxx.178 255.255.255.248
access-list acl_out deny ip 63.236.98.168 255.255.255.255 xx.xxx.xxx.178 255.255.255.248

access-list acl_out permit icmp any any
access-list acl_out permit tcp any host xx.xxx.xxx.181 eq 3389
access-list acl_out permit tcp 64.xxx.xx.xxx 255.255.240.0 host xx.xxx.xxx.179 eq smtp
access-list acl_out permit tcp any host xx.xxx.xxx.179 eq smtp
access-list acl_out deny tcp any any eq aol


access-group acl_inside in interface inside

The first block will deny outbound traffic destined for Sirius, the second will not allow traffic originating from Sirius. Either should work. ACLs are processed top down, so put it near the top.


Brent
Systems Engineer / Consultant
CCNP, CCSP
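The two points the replies above turn on are (a) the posted running config binds only acl_out (`access-group acl_out in interface outside`), so the acl_inside rules pixster added were never consulted, and (b) once Brent's `access-group acl_inside in interface inside` is applied, every inside-bound ACL ends in an implicit deny, so the list needs an explicit `permit ip any any` at the bottom or all other outbound traffic (including the site-to-site VPN subnets, which also enter via the inside interface) stops. The script below is an added example for this thread, not code from any of the posts or from Cisco: it parses the subset of PIX 6.3 `access-list`/`access-group` syntax used here and applies first-match, implicit-deny semantics to three trimmed configurations (as posted, Brent's list applied verbatim, and the same list with a trailing permit). The inside host, the unrelated web server 198.51.100.7 and the trimmed config strings are constructed for illustration; the Sirius addresses are the ones from Brent's whois.

```python
"""PIX 6.x-style ACL evaluator for the acl_inside question in this thread.

Added example (not from the original posts or from Cisco). Handles permit/deny,
ip/tcp/udp/icmp, any / host X / X MASK, and an optional `eq PORT`, with PIX
semantics: only an access-group-bound ACL is consulted, first match wins, and
a bound ACL ends in an implicit deny.  Hosts and configs below are constructed.
"""
import ipaddress
from typing import NamedTuple, Optional

# Port literals the PIX prints; on PIX "aol" means TCP 5190.
PORT_NAMES = {"www": 80, "smtp": 25, "aol": 5190}


class Rule(NamedTuple):
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp", "udp" or "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]         # None when the line has no "eq" clause


class Packet(NamedTuple):
    iface: str                   # ingress interface: "inside" or "outside"
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def _net(tok, i):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D MASK' at tok[i]; return (network, next index)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    # PIX 6.x ACLs carry real subnet masks, not IOS-style wildcard masks.
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def parse_config(text):
    """Return (acls, bindings): ACL name -> ordered rules; interface -> bound ACL name."""
    acls, bindings = {}, {}
    for line in text.strip().splitlines():
        t = line.split()
        if t[:1] == ["access-list"]:
            src, i = _net(t, 4)
            dst, i = _net(t, i)
            dport = None
            if i < len(t) and t[i] == "eq":
                dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
            acls.setdefault(t[1], []).append(Rule(t[2], t[3], src, dst, dport))
        elif t[:1] == ["access-group"]:      # access-group NAME in interface IFACE
            bindings[t[4]] = t[1]
    return acls, bindings


def evaluate(acls, bindings, pkt):
    """Decide the fate of the first packet of a connection arriving on pkt.iface."""
    name = bindings.get(pkt.iface)
    if name is None:
        # No access-group on the interface: inside (security100) to outside (security0)
        # passes by default, which is why an unbound acl_inside blocks nothing.
        return f"permit (no access-group on {pkt.iface})"
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for n, r in enumerate(acls.get(name, []), 1):
        if r.proto != "ip" and r.proto != pkt.proto:
            continue
        if src not in r.src or dst not in r.dst:
            continue
        if r.dport is not None and r.dport != pkt.dport:
            continue
        return f"{r.action} ({name} line {n})"
    return f"deny (implicit deny at end of {name})"


def check(config, pkt):
    acls, bindings = parse_config(config)
    return evaluate(acls, bindings, pkt)


# Trimmed from the posted `sh run`: acl_inside exists, but only acl_out is bound.
AS_POSTED = """
access-list acl_inside deny tcp any any eq aol
access-list acl_inside deny tcp any 66.77.49.0 255.255.255.0 eq www
access-list acl_inside deny tcp any 66.77.49.0 255.255.255.0
access-group acl_out in interface outside
"""

# Brent's inside-bound list applied exactly as shown: Sirius denies first, no trailing permit.
PROPOSED = """
access-list acl_inside deny ip any 66.77.49.128 255.255.255.192
access-list acl_inside deny ip any 63.236.98.168 255.255.255.255
access-list acl_inside deny tcp any any eq aol
access-group acl_inside in interface inside
"""

# Same list with the explicit permit a bound ACL needs so everything else keeps flowing.
FIXED = PROPOSED.replace("access-group", "access-list acl_inside permit ip any any\naccess-group")

# Constructed flows from an inside host: both Sirius ranges and an unrelated web server.
SIRIUS_WWW = Packet("inside", "tcp", "192.168.162.10", "66.77.49.130", 80)
SIRIUS_ALT = Packet("inside", "tcp", "192.168.162.10", "63.236.98.168", 443)
OTHER_WWW = Packet("inside", "tcp", "192.168.162.10", "198.51.100.7", 80)

if __name__ == "__main__":
    for label, cfg in (("as posted", AS_POSTED), ("proposed", PROPOSED), ("fixed", FIXED)):
        for pkt in (SIRIUS_WWW, SIRIUS_ALT, OTHER_WWW):
            print(f"{label:10} {pkt.dst}:{pkt.dport} -> {check(cfg, pkt)}")
```

Two caveats worth keeping in mind when choosing between Brent's two blocks. The PIX consults an interface ACL only for the first packet of a connection and passes the rest from its connection table, so the acl_out variant stops connections that Sirius initiates but does nothing to sessions an inside user opens; it is the inside-bound list that blocks browsing to Sirius. And any block by address is only as good as the whois snapshot it came from; a round-robin or CDN-hosted site will drift out of a static range, so re-check the addresses when the block stops taking hits. Unrelated to the Sirius rule but visible in the posted config: `ssh 0.0.0.0 0.0.0.0 outside` admits SSH management from the whole Internet and `snmp-server community public` is the default read community, both worth tightening while the config is open.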
 