
Can someone suggest a good information site for ACL coding 5

Status
Not open for further replies.

ajinc

MIS
Aug 7, 2004
73
US
Hello All,
I was wondering if someone could point me to a good site to get ACL coding info for the PIX.
Something starting from the basics.

Thanks
 

Sorry, couldn't help it. ;)

"I can picture a world without war. A world without hate. A world without fear. And I can picture us attacking that world, because they'd never expect it."
- Jack Handey, Deep Thoughts
 
This will be very easy..

1) Every ACL command starts with "Access-list".

Command Thus far: "Access-list"

2) Every ACL must have a group name, to group the list together. We'll use "test".

Command Thus far: "Access-list test"

3) Every ACL command must specify whether to permit or deny. For this example, we'll use "deny".

Command Thus far: "access-list test deny"

4) Every ACL must specify what protocol to filter by. IP, TCP, UDP, etc.. We'll use "IP" for this.

Command Thus far: "access-list test deny ip"

5) Every ACL must specify what addresses to apply the filter to. Remember that the first address listed is ALWAYS the SOURCE address. Now let's also assume our Network Admin hates google, and is paranoid.. so he wants to block all access he thinks google is trying to make to his system..

Command Thus far: "access-list test deny ip 64.233.167.147 255.255.255.255"

Note: You use 255.255.255.255 to specify that we are dealing with one host. You can also use the following command to shorten the ACL further:

Command Thus far: "access-list test deny ip host 64.233.167.147"

Note: This method reduces characters used, and helps make the command more understandable, as you are blocking that one host.

6) Every ACL must also specify the hosts that the source is trying to reach.. we'll assume we have multiple networks inside our network.. 193.100.1.0 and 193.100.4.0

Command thus far: "access-list test deny ip host 64.233.167.147 193.100.0.0 255.255.0.0"

Note: This will effectively block google from making a connection to both networks, and all networks between and after on that network.. to shorten that up, you can use the following to block google from making connections to "ALL or ANY networks" inside.

Completed ACL Command: "access-list test deny ip host 64.233.167.147 any"

Note: As you notice, this reduced characters dramatically, and effectively blocks the host google from connection to ANY node or network on any interface connected to the PIX.

7) Now, if you wanted to filter by port #, say port 80, as every paranoid Network Admin knows.. when google reaches out to hack you, it will only do so on port 7485.. and using TCP of course.. here is what it would look like.

Completed ACL Command: "access-list test deny tcp host 64.233.167.147 any eq 7485"

Note: As you notice, we added "eq" to the equation. This indicator tells the PIX that the next modifier is the port to filter on.

8) And then of course, you must bind the access-list to an interface..

Command: "access-group test in interface outside"

Note: This command binds access-list test to all traffic coming into the outside interface. The command will always be the same, except the access-list name and interface.. always into an interface.


I hope this helps!
Lloyd Severence

Computer/Network Technician
CCNA
 
Nice LloydSev...good post.

"I can picture a world without war. A world without hate. A world without fear. And I can picture us attacking that world, because they'd never expect it."
- Jack Handey, Deep Thoughts
 
LloydSev,

Thank you very much!
This clears out a few cobwebs in my head concerning ACLs.
I really appreciate your time & detail.

 
No problem, teaching you helps reinforce it in my own head and only makes us both better.

Computer/Network Technician
CCNA
 
LloydSev,

Could I bother you for your thoughts on how to troubleshoot a connection problem?

I have the Cisco 4.6 client connecting to the PIX, and I can map drives, remote desktop, Outlook Web Access etc. All is good.

My problem is that I have to get this to work with the SafeNet SoftRemote client v9. This client is very similar to the Cisco client v.1.

I have the safenet client connecting, but I can only ping the inside interface of the PIX, 192.169.2.1, I can't hit any other internal ip's, or anything else.

Also I use the safenet client on my pc to connect to a dlink vpn endpoint. When the PIX is on my network
dsl modem --> PIX --> LAN (ethernet switch)
The safenet client can't connect to my endpoint.

If I have the
dsl modem ----> LAN (ethernet switch) using the Verizon PPPoE dialer to connect to the net, I connect fine.

I can't figure out why the PIX would block my SafeNet client from connecting to my D-Link endpoint. I'm just passing through the PIX, or so I thought.


As far as getting the SafeNet client to connect to the PIX endpoint, if the Cisco client works fine I am assuming that my problem is on the SafeNet client side, but I can't figure out what could be holding me up. I know most users here use the Cisco client, and I see why (it works). But if there is any idea you can give me I'd appreciate it greatly!

Below is my config
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100

clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inside_outbound_nat0_acl permit ip any 10.10.10.0 255.255.255.0
access-list OUTSIDE_IN permit icmp any any
access-list outside_cryptomap_dyn_10 permit ip any 10.10.10.0 255.255.255.0
access-list split permit ip 192.169.2.0 255.255.255.0 10.10.10.0 255.255.255.0
pager lines 24
logging on
logging timestamp
logging trap informational
logging host inside 192.169.2.2
icmp permit any outside
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside 192.169.2.1 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
ip local pool kgcpa 10.10.10.1-10.10.10.10
pdm location 192.169.2.0 255.255.255.0 inside
pdm location 10.10.10.0 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 192.169.2.0 255.255.255.0 0 0
access-group OUTSIDE_IN in interface outside
route inside 10.10.10.0 255.255.255.0 192.169.2.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
ntp server 129.6.15.28 source outside prefer
http server enable
http 192.169.2.0 255.255.255.0 inside
http 10.10.10.0 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt connection permit-l2tp
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 10 set pfs group2
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 10 set security-association lifetime seconds 86400 kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0 no-xauth no-config-mode
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup kgcpaipsec address-pool kgcpa
vpngroup kgcpaipsec dns-server 192.169.2.2
vpngroup kgcpaipsec default-domain ajinc.local
vpngroup kgcpaipsec split-tunnel split
vpngroup kgcpaipsec pfs
vpngroup kgcpaipsec idle-time 1800
vpngroup kgcpaipsec max-time 86400
vpngroup kgcpaipsec password ********
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 0
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname fye2q563
vpdn group pppoe_group ppp authentication pap
vpdn username fye2q563 password *********
dhcpd address 192.169.2.10-192.169.2.41 inside
dhcpd dns 192.169.2.2
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain ajinc.local
dhcpd auto_config outside
dhcpd enable inside
terminal width 80

 
here is an idea from SafeNet

Q: I can't log on to a remote machine (or map a drive) after connecting to a gateway device securely via dial-up.
A: Check the check box for the "Log on to Network" option. This can be found under the advanced options in the properties of the dial-up connection.

Also, to PPTP or IPSec VPN through the PIX would require setting up pass-through on it... I haven't seen the documentation for such, so I do not know how to set that up. Although port forwarding port 500 for IPSec would be a start...

Computer/Network Technician
CCNA
 
WOW...
I looked on the SafeNet site, and didn't find any info.. I guess a fresh pair of eyes is what I needed!

I will try this advice, thanks for the info.

BTW
When I try to ping from the SafeNet client my syslog displays this


05-10-2005 12:56:43 Local4.Error 192.169.2.1 May 10 2005 12:55:00: %PIX-3-305005: No translation group found for icmp src outside:152.198.174.229 dst inside:192.169.2.2 (type 8, code 0)
05-10-2005 12:56:38 Local4.Error 192.169.2.1 May 10 2005 12:54:55: %PIX-3-305005: No translation group found for icmp src outside:152.198.174.229 dst inside:192.169.2.2 (type 8, code 0)
05-10-2005 12:56:33 Local4.Error 192.169.2.1 May 10 2005 12:54:50: %PIX-3-305005: No translation group found for icmp src outside:152.198.174.229 dst inside:192.169.2.2 (type 8, code 0)
05-10-2005 12:56:28 Local4.Error 192.169.2.1 May 10 2005 12:54:44: %PIX-3-305005: No translation group found for icmp src outside:152.198.174.229 dst inside:192.169.2.2 (type 8, code 0)

Does this mean I have a config issue?

Thanks.
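Added example, not code from the thread or from Cisco: a small Python parser for the syslog lines pasted above. It pulls the PIX message ID and the flow named in the 305005 text ("No translation group found for ..."), counts how often each untranslated flow appears, and compares the syslog host's receive timestamp with the PIX's own timestamp on each line. The line layout in the regex is an assumption taken from these four lines (collector date/time, facility.severity, device IP, device timestamp, then the %PIX message); the sample lines are copied from the post, and the function names are constructed for this example.

```python
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

# Sample data: the four lines from the post above (not constructed).
SAMPLE_SYSLOG = """\
05-10-2005 12:56:43 Local4.Error 192.169.2.1 May 10 2005 12:55:00: %PIX-3-305005: No translation group found for icmp src outside:152.198.174.229 dst inside:192.169.2.2 (type 8, code 0)
05-10-2005 12:56:38 Local4.Error 192.169.2.1 May 10 2005 12:54:55: %PIX-3-305005: No translation group found for icmp src outside:152.198.174.229 dst inside:192.169.2.2 (type 8, code 0)
05-10-2005 12:56:33 Local4.Error 192.169.2.1 May 10 2005 12:54:50: %PIX-3-305005: No translation group found for icmp src outside:152.198.174.229 dst inside:192.169.2.2 (type 8, code 0)
05-10-2005 12:56:28 Local4.Error 192.169.2.1 May 10 2005 12:54:44: %PIX-3-305005: No translation group found for icmp src outside:152.198.174.229 dst inside:192.169.2.2 (type 8, code 0)
"""

# Assumed layout (derived from the sample, not from a Cisco specification):
#   <collector date time> <facility.severity> <device ip> <device timestamp>: %PIX-<sev>-<id>: <text>
_LINE = re.compile(
    r"^(?P<recv>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}) \S+ (?P<device>[\d.]+) "
    r"(?P<dev_ts>\w{3} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}): "
    r"%PIX-(?P<sev>\d)-(?P<msgid>\d+): (?P<text>.*)$"
)
# The 305005 text names the flow the PIX had no translation for.
_NO_XLATE = re.compile(
    r"No translation group found for (?P<proto>\w+) "
    r"src (?P<src_if>\w+):(?P<src>[\d.]+) dst (?P<dst_if>\w+):(?P<dst>[\d.]+)"
)

Flow = Tuple[str, str, str, str, str]  # (proto, src_if, src, dst_if, dst)


@dataclass
class PixEvent:
    received: datetime      # when the syslog host logged the line
    device_time: datetime   # the PIX's own timestamp
    device: str
    severity: int
    msgid: str
    text: str
    flow: Optional[Flow] = None


def parse_line(line: str) -> Optional[PixEvent]:
    """Parse one line; return None for lines that do not fit the layout."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    flow = None
    if m["msgid"] == "305005":
        f = _NO_XLATE.search(m["text"])
        if f:
            flow = (f["proto"], f["src_if"], f["src"], f["dst_if"], f["dst"])
    return PixEvent(
        received=datetime.strptime(m["recv"], "%m-%d-%Y %H:%M:%S"),
        device_time=datetime.strptime(m["dev_ts"], "%b %d %Y %H:%M:%S"),
        device=m["device"],
        severity=int(m["sev"]),
        msgid=m["msgid"],
        text=m["text"],
        flow=flow,
    )


def parse_syslog(text: str) -> List[PixEvent]:
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev]


def untranslated_flows(events: List[PixEvent]) -> Counter:
    """How many 305005 events were seen per (proto, src_if, src, dst_if, dst)."""
    return Counter(ev.flow for ev in events if ev.msgid == "305005" and ev.flow)


def clock_skew_seconds(events: List[PixEvent]) -> List[int]:
    """Collector receive time minus PIX time, in whole seconds, per event.

    A steady non-zero offset means the firewall clock and the syslog host's
    clock disagree, which matters when lining these lines up with other logs.
    """
    return [int((ev.received - ev.device_time).total_seconds()) for ev in events]


if __name__ == "__main__":
    events = parse_syslog(SAMPLE_SYSLOG)
    for flow, n in untranslated_flows(events).items():
        print(f"{n}x no translation: {flow}")
    print("skew (s):", clock_skew_seconds(events))
```

Run on the four lines, the summary shows a single repeated flow (icmp from outside:152.198.174.229 to inside:192.169.2.2) and a collector-versus-PIX time difference of roughly a minute and three quarters on every line, which is worth knowing before correlating these entries with anything timestamped elsewhere.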
 
That site appears to show IOS ACLs, and not PIX ACLs, which interpret masks differently, as the PIX does not use wildcard masks.

Computer/Network Technician
CCNA
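As an added example, not code from the thread or from Cisco, here is a small Python parser and matcher for the access-list syntax LloydSev builds up step by step earlier in the thread (group name, permit/deny, protocol, source, destination, optional "eq port"), which also enforces the point made just above that PIX masks are subnet masks rather than IOS wildcards. The function names (parse_entry, decide, is_pix_netmask) and the three-line sample ACL are constructed for this example; it covers only the subset of the syntax shown in the thread.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Token order from the tutorial:
#   access-list <name> <permit|deny> <proto> <src> <dst> [eq <port>]
PROTOCOLS = {"ip", "tcp", "udp", "icmp"}
_HEAD = re.compile(r"^\s*access-list\s+(\S+)\s+(permit|deny)\s+(\S+)\s*(.*)$", re.I)


@dataclass
class Entry:
    name: str
    action: str                  # "permit" or "deny"
    protocol: str                # "ip" matches every IP protocol
    src: ipaddress.IPv4Network   # the first address is ALWAYS the source
    dst: ipaddress.IPv4Network
    port: Optional[int] = None   # destination port from "eq <port>" (tcp/udp only)


def is_pix_netmask(mask: str) -> bool:
    """True only for a contiguous subnet mask such as 255.255.0.0.

    The ipaddress module would quietly accept an IOS wildcard (0.0.255.255)
    as a host mask; a PIX does not, so only literal netmasks pass here.
    """
    try:
        net = ipaddress.ip_network(f"0.0.0.0/{mask}")
    except ValueError:
        return False
    return str(net.netmask) == mask


def _take_address(tokens: List[str]) -> ipaddress.IPv4Network:
    """Consume one address specification from the front of tokens."""
    if not tokens:
        raise ValueError("missing address")
    word = tokens.pop(0).lower()
    if word == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if word == "host":  # "host A.B.C.D" is the short form of "A.B.C.D 255.255.255.255"
        if not tokens:
            raise ValueError("host needs an address")
        return ipaddress.ip_network(f"{tokens.pop(0)}/32")
    if not tokens:
        raise ValueError(f"address {word} needs a subnet mask")
    mask = tokens.pop(0)
    if not is_pix_netmask(mask):
        raise ValueError(f"{mask} is not a PIX subnet mask (wildcards are IOS syntax)")
    # strict=False: the network is derived from the address and mask together
    return ipaddress.ip_network(f"{word}/{mask}", strict=False)


def parse_entry(line: str) -> Entry:
    """Parse one PIX access-list line into an Entry."""
    m = _HEAD.match(line)
    if not m:
        raise ValueError(f"not an access-list line: {line!r}")
    name, action, proto, rest = m.groups()
    proto = proto.lower()
    if proto not in PROTOCOLS:
        raise ValueError(f"unsupported protocol {proto}")
    tokens = rest.split()
    src = _take_address(tokens)
    dst = _take_address(tokens)
    port = None
    if tokens:
        if len(tokens) != 2 or tokens[0].lower() != "eq":
            raise ValueError(f"unexpected trailing tokens {tokens}")
        if proto not in ("tcp", "udp"):
            raise ValueError("eq <port> only applies to tcp or udp")
        port = int(tokens[1])
    return Entry(name, action.lower(), proto, src, dst, port)


def matches(e: Entry, src_ip: str, dst_ip: str, proto: str, dst_port: Optional[int] = None) -> bool:
    if e.protocol != "ip" and e.protocol != proto:
        return False
    if ipaddress.ip_address(src_ip) not in e.src:
        return False
    if ipaddress.ip_address(dst_ip) not in e.dst:
        return False
    return e.port is None or e.port == dst_port


def decide(acl: List[Entry], src_ip: str, dst_ip: str, proto: str, dst_port: Optional[int] = None) -> str:
    """First matching entry wins; an ACL with no match ends in an implicit deny."""
    for e in acl:
        if matches(e, src_ip, dst_ip, proto, dst_port):
            return e.action
    return "deny"


# Constructed sample ACL built from the lines in the tutorial (group "test").
SAMPLE_ACL = [parse_entry(l) for l in [
    "access-list test deny tcp host 64.233.167.147 any eq 7485",
    "access-list test deny ip host 64.233.167.147 193.100.0.0 255.255.0.0",
    "access-list test permit ip any any",
]]

if __name__ == "__main__":
    for e in SAMPLE_ACL:
        print(e)
    print(decide(SAMPLE_ACL, "64.233.167.147", "193.100.4.9", "tcp", 80))  # deny
    print(decide(SAMPLE_ACL, "64.233.167.147", "10.1.1.1", "tcp", 80))     # permit
```

The mask check is the part worth keeping in mind when reading an ACL copied from an IOS example: on a PIX, "1.2.3.4 0.0.0.0" means any address, while the same two tokens read as an IOS wildcard mean exactly one host, so the parser accepts 0.0.0.0 as the netmask it is on a PIX and rejects genuine wildcards such as 0.0.255.255 instead of silently reinterpreting them.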
 
LloydSev,

Only three stars? Gah ... for such good answers, have another one!

:)

Chris.

**********************
Chris A.C, CCNA, CCSA
**********************
 
LloydSev,

Pertaining to the info from safenet I could not find the "Logon to network" option under the advanced option of the dialup connection.

Any ideas on my no translation group problem?
Thanks
 
Cisco.com said:
This chapter gives examples that show how to configure interoperability between a PIX Firewall and PIX Firewall-supported VPN clients. The following VPN clients are supported within version 5.3 or later of the PIX Firewall:

* Cisco Secure VPN Client, version 1.1 or later
* Cisco VPN 3000 Client, version 2.5 or later

I don't think it's supported.. go ahead and create a new help question to get the most help for this topic.

Computer/Network Technician
CCNA
 