Configuring Access lists on a PIX 525.

tdoma (IS-IT--Management), Aug 13, 2003
I am trying to add a line to the following access list:

access-list inside_access_out permit tcp any any eq www
access-list inside_access_out permit tcp any any eq https
access-list inside_access_out permit tcp host ATLMail-int any eq smtp
access-list inside_access_out permit tcp host ATLRelay-int any eq smtp
access-list inside_access_out permit tcp host 192.16.206.5 any eq smtp
access-list inside_access_out permit tcp any any eq ftp
access-list inside_access_out permit tcp any any eq 3389
access-list inside_access_out permit udp host ATLGCS2-int any eq domain
access-list inside_access_out permit udp host ATLGCS1-int any eq domain
access-list inside_access_out permit tcp any any range 1025 1050
access-list inside_access_out permit tcp any any eq 2492
access-list inside_access_out permit udp 192.168.9.0 255.255.255.0 any eq 17479
access-list inside_access_out permit udp host Juan-int host Care-Internet-E0 eq snmp
access-list inside_access_out permit udp host Juan-int host Care-Internet-E0 eq snmptrap
access-list inside_access_out permit udp host Juan-int host Care-Internet2-FE0 eq snmp
access-list inside_access_out permit udp host Juan-int host Care-Internet2-FE0 eq snmptrap
access-list inside_access_out permit tcp host Juan-int host ATLSMTP-dmz eq 135
access-list inside_access_out permit tcp host Juan-int any eq aol
access-list inside_access_out permit tcp any any eq 6129
access-list inside_access_out permit gre host CareVPN2-int any
access-list inside_access_out permit icmp any any
access-list inside_access_out permit udp host NYGCS any eq domain
access-list inside_access_out permit udp host WASHGC any eq domain
access-list inside_access_out permit udp host ChICAGOGC any eq domain
access-list inside_access_out permit tcp host ATLSiteProtect-int 192.168.200.0 255.255.255.0 eq 2998
access-list inside_access_out permit tcp host ATLSiteProtect-int 192.168.200.0 255.255.255.0 eq 902
access-list inside_access_out permit tcp host NYEmail any eq smtp
access-list inside_access_out permit udp host Portfolio-int host ATLPortal1-dmz eq isakmp
access-list inside_access_out permit esp host Portfolio-int host ATLPortal1-dmz
access-list inside_access_out permit ah host Portfolio-int host ATLPortal1-dmz
access-list inside_access_out permit tcp host ATLContent-int host ATLPortal1-dmz eq ftp
access-list inside_access_out permit tcp host ATLContent-int host ATLPortal1-dmz eq ftp-data
access-list inside_access_out permit esp host ATLContent-int host ATLPortal1-dmz
access-list inside_access_out permit ah host ATLContent-int host ATLPortal1-dmz
access-list inside_access_out permit tcp host ATLContent-int host ATLPortal1-dmz eq 7087
access-list inside_access_out permit tcp host ATLContent-int host ATLPortal1-dmz eq 8080
access-list inside_access_out permit udp host ATLContent-int host ATLPortal1-dmz eq isakmp
access-list inside_access_out permit tcp host ATLPortlet-int host ATLPortal1-dmz eq www
access-list inside_access_out permit tcp host ATLPortlet-int host ATLPortal1-dmz eq 15244
access-list inside_access_out permit tcp host Portfolio-int host ATLPortal1-dmz eq 1433
access-list inside_access_out permit tcp host Cluster1 host ATLPortal1-dmz eq 1433
access-list inside_access_out permit tcp host Apps-int host ATLPortal1-dmz eq 8020
access-list inside_access_out permit tcp host ATLAuto-int host ATLPortal1-dmz eq www
access-list inside_access_out permit tcp host ATLAuto-int host ATLPortal1-dmz eq 9887
access-list inside_access_out permit tcp host Intranet-int host ATLPortal1-dmz eq www
access-list inside_access_out permit tcp host ATLMail-int any eq 3389
access-list inside_access_out permit ip any 172.16.0.0 255.255.0.0
access-list inside_access_out permit tcp any host ATLWebStats-int eq 8080
access-list inside_access_out permit tcp host Exchangeco-int any eq 102
access-list inside_access_out permit tcp 192.168.9.0 255.255.255.0 host ATLWebServer1-dmz eq 445
access-list inside_access_out permit tcp host Exchangeco-int any eq smtp
access-list inside_access_out permit tcp host WadeIla-in host ATLWebServer1-dmz eq 445
access-list inside_access_out permit tcp object-group FamOffice host 208.185.139.243 eq pop3
access-list inside_access_out permit tcp host Langford-in host ATLTeamSite-dmz eq 8081
access-list inside_access_out permit tcp object-group FamOffice host 208.185.139.243 eq smtp
access-list inside_access_out permit udp host ATLSecLog-int any eq ntp
access-list inside_access_out permit tcp host 192.168.9.52 host 68.162.251.95 eq 8080
access-list inside_access_out permit tcp host Juan-int any eq telnet
access-list inside_access_out permit tcp 192.168.0.0 255.255.252.0 192.168.200.0 255.255.255.0 eq 445
access-list inside_access_out permit tcp host Exchangeco-int host ATLSMTP-dmz eq 1142
access-list inside_access_out permit tcp host Portfolio-int host ATLWebServer1-dmz eq 1433
access-list inside_access_out permit udp host Portfolio-int host ATLWebServer1-dmz eq isakmp
access-list inside_access_out permit udp host 192.168.100.5 any eq domain
access-list inside_access_out permit tcp 192.168.11.0 255.255.255.0 any eq 3076
access-list inside_access_out permit tcp 192.168.9.0 255.255.255.0 any eq 3076
access-list inside_access_out permit tcp host Juan-int any eq smtp
access-list inside_access_out permit tcp host Juan-int host ATLSMTP-dmz eq 1073
access-list inside_access_out permit tcp 192.168.9.0 255.255.255.0 host ATLPortal1-dmz eq 445
access-list inside_access_out permit tcp host 192.168.9.133 host 66.23.193.10 eq 8080
access-list inside_access_out permit tcp any host 203.200.89.80 eq 8080
access-list inside_access_out permit tcp host Langford-in host 64.94.12.51 eq 8383
access-list inside_access_out permit tcp host 192.168.10.44 any eq pptp
access-list inside_access_out permit gre host 192.168.10.44 any
access-list inside_access_out permit tcp host 192.168.10.43 any eq pptp
access-list inside_access_out permit gre host 192.168.10.43 any
access-list inside_access_out permit tcp host 192.168.10.42 any eq pptp
access-list inside_access_out permit gre host 192.168.10.42 any
access-list inside_access_out permit tcp host 192.168.9.43 any eq pop3
access-list inside_access_out permit tcp host 192.168.9.43 any eq smtp
access-list inside_access_out permit tcp host 192.168.11.18 host 64.95.129.4 eq 2000
access-list inside_access_out permit tcp host 192.168.11.18 host 64.95.129.4 eq 2000
access-list inside_access_out permit udp host 192.168.11.18 host 64.95.129.4 eq tftp
access-list inside_access_out permit tcp 192.168.10.0 255.255.255.0 any eq 3076
access-list inside_access_out permit tcp host 192.168.12.43 host 200.48.36.158 eq 8000
access-list inside_access_out permit tcp 192.168.11.0 255.255.255.0 any eq 5223
access-list inside_access_out permit tcp host 192.168.9.52 host 151.197.177.118 eq 8080
access-list inside_access_out permit tcp any host 65.213.172.178 eq 5618
access-list inside_access_out permit tcp 192.168.11.0 255.255.255.0 host ATLWebStats-int eq 6667
access-list inside_access_out permit tcp 192.168.9.0 255.255.255.0 host 10.0.0.52 eq 445
access-list inside_access_out permit tcp 192.168.0.0 255.255.252.0 host 10.0.0.52 eq 445
access-list inside_access_out permit tcp 192.168.9.0 255.255.255.0 host 10.0.0.51 eq 445
access-list inside_access_out permit tcp 192.168.0.0 255.255.252.0 host 10.0.0.51 eq 445
access-list inside_access_out permit tcp host 192.168.0.89 host ATLWebServer1-dmz range 2211 2299
access-list inside_access_out permit tcp host 192.168.0.89 host ATLPortal1-dmz range 2211 2299
access-list inside_access_out permit udp host Cluster1 host ATLPortal1-dmz eq isakmp
access-list inside_access_out permit esp host Cluster1 host ATLPortal1-dmz
access-list inside_access_out permit ah host Cluster1 host ATLPortal1-dmz
access-list inside_access_out permit tcp host Cluster1 host ATLWebServer1-dmz eq 1433
access-list inside_access_out permit udp host Cluster1 host ATLWebServer1-dmz eq isakmp
access-list inside_access_out permit tcp 192.168.9.0 255.255.255.0 host 10.0.0.56 eq 445
access-list inside_access_out permit tcp 192.168.0.0 255.255.252.0 host 10.0.0.56 eq 445
access-list inside_access_out permit tcp host 192.168.10.49 host ATLWebServer1-dmz eq 445
access-list inside_access_out permit udp host 192.168.0.25 host Care-Internet-E0 eq snmp
access-list inside_access_out permit udp host 192.168.0.25 host Care-Internet2-FE0 eq snmp
access-list inside_access_out permit udp host 192.168.0.25 host 192.168.244.1 eq snmp
access-list inside_access_out permit udp host 192.168.0.25 host 192.168.244.1 eq snmp
access-list inside_access_out deny ip any any

Here are the config lines that I have tried to add:

No access-list inside_access_out deny ip any any

access-list inside_access_out permit tcp 192.168.10.0 255.255.255.0 host ATLWebServer1-dmz eq 445

access-list inside_access_out deny ip any any

access-group inside_access_out in interface outside

Unfortunately, when I add the lines above to the PIX firewall config, I have noticed that email from outside our organization stops coming in.
My question is: what am I doing wrong with the access lists?
 
When you typed your first line, the PIX saw no access-list inside_access_out. It removed the entire access-list. You can't remove individual lines from an access-list. You must copy and paste the access list to a text editor like notepad. Modify the access list in the text file. Remove the old access list from the PIX. Paste the new access list in it.
 
If I am understanding you correctly, after making the following change,

No access-list inside_access_out deny ip any any
access-list inside_access_out permit tcp 192.168.10.0 255.255.255.0 host ATLWebServer1-dmz eq 445
access-list inside_access_out deny ip any any
access-group inside_access_out in interface outside

if I did a sh run, the only part of access-list inside_access_out I will see defined will be:
access-list inside_access_out permit tcp 192.168.10.0 255.255.255.0 host ATLWebServer1-dmz eq 445.
Is that correct?
If it is so, is there a way to just add the single line I am interested in, without having to re-define the rest of the access list?
Also do I need to prefix the rest of the statements that define the access list with 'NO' and then re-issue the statements?

Thanks again.


 
You must remove the entire access-list and then edit it in a text editor. If not, the new lines will be added to the bottom. This will pose a problem since packets are inspected from the top of the access-list down to the bottom. Once the packet hits the deny ip any any, it will go no further.

1) copy the access-list to a text document and edit it
2) type no access-list inside_access_out
3) paste in the new, edited access-list
4) make sure the access-list is applied to the correct interface
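The regenerate-and-repaste procedure from the reply above, worked through as an added Python example (it is not code from the thread, from Tek-Tips, or from Cisco). It operates on a constructed excerpt of the question's list rather than the full one, shows that a line typed after the closing deny lands below it where it is never evaluated, rebuilds the list with the new entry above the deny, and prints the command block to paste back into the PIX. The `interface_mismatch` helper is my own addition: it assumes a PDM-style name prefix (`inside_access_...`) names the interface the list is meant for, and on that assumption it would flag the question's last line, which binds inside_access_out to interface outside, as something for the operator to confirm on the box.

```python
"""Rebuild a PIX 6.x-style named access-list with a new entry placed above
the trailing 'deny ip any any', and emit the commands to paste back in."""
import re

ACL_NAME = "inside_access_out"

# Constructed excerpt of the running list from the question (not the full list).
RUNNING_ACL = """\
access-list inside_access_out permit tcp any any eq www
access-list inside_access_out permit tcp any any eq https
access-list inside_access_out permit tcp host ATLMail-int any eq smtp
access-list inside_access_out permit tcp 192.168.9.0 255.255.255.0 host ATLWebServer1-dmz eq 445
access-list inside_access_out deny ip any any
"""

# The entry the question wants to add.
NEW_ACE = ("access-list inside_access_out permit tcp 192.168.10.0 255.255.255.0 "
           "host ATLWebServer1-dmz eq 445")


def parse_acl(text, name):
    """Return the entries of one named list, in config order, skipping other lines."""
    prefix = f"access-list {name} "
    return [ln.rstrip() for ln in text.splitlines() if ln.startswith(prefix)]


def is_catch_all_deny(ace):
    """True for the closing 'deny ip any any' entry."""
    return re.search(r"\bdeny ip any any$", ace) is not None


def shadowed_by_deny(aces, ace):
    """True if ace sits below a catch-all deny: the PIX evaluates top-down and
    stops at the first match, so such an entry can never match anything."""
    idx = aces.index(ace)
    return any(is_catch_all_deny(a) for a in aces[:idx])


def insert_before_deny(aces, new_ace):
    """Place new_ace directly above the trailing deny. Refuses lists that do not
    end in a catch-all deny, since the intended position is then ambiguous."""
    if not aces or not is_catch_all_deny(aces[-1]):
        raise ValueError(f"list does not end in 'deny ip any any': {aces[-1:]}")
    if new_ace in aces:
        return list(aces)  # already present; nothing to change
    return aces[:-1] + [new_ace, aces[-1]]


def build_replacement_commands(aces, name, interface, direction="in"):
    """The paste block: remove the whole old list, re-add every entry in order,
    then rebind it with access-group."""
    cmds = [f"no access-list {name}"]
    cmds.extend(aces)
    cmds.append(f"access-group {name} {direction} interface {interface}")
    return cmds


def interface_mismatch(name, interface):
    """Hypothetical sanity check (my assumption, not a PIX rule): a PDM-style
    name like inside_access_out is taken to belong on interface 'inside'."""
    m = re.match(r"([A-Za-z0-9]+)_access_", name)
    return bool(m) and m.group(1) != interface


if __name__ == "__main__":
    aces = parse_acl(RUNNING_ACL, ACL_NAME)

    # What happens if the line is simply typed in: it is appended after the deny.
    appended = aces + [NEW_ACE]
    print("appended entry is shadowed by the deny:", shadowed_by_deny(appended, NEW_ACE))

    # The procedure from the reply: edit offline, wipe, re-paste, rebind.
    fixed = insert_before_deny(aces, NEW_ACE)
    for cmd in build_replacement_commands(fixed, ACL_NAME, "inside"):
        print(cmd)

    for iface in ("inside", "outside"):
        if interface_mismatch(ACL_NAME, iface):
            print(f"warning: {ACL_NAME} bound to interface {iface}; confirm that is intended")
```

Paste the printed block into configuration mode in one go, and do it from a console or an out-of-band session: between `no access-list` and the `access-group` rebind the interface has no list applied and falls back to the PIX default security-level behaviour rather than your rules, and a session that depends on the list can be cut off mid-paste. Keep the copied original list in the text editor until the new one is verified with `show access-list`, so you can roll back by pasting it.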
 