Make sense of access-list rules

jhoop2002 (IS-IT--Management), Sep 21, 2007
I have these three rules in my access-list that I can't really determine what they do. They are important (as deleting them causes no internet access), but I don't understand what they are doing.

access-list 101 permit ip 192.168.1.0 255.255.255.0 192.169.1.0 255.255.255.0 (hitcnt=0)
access-list 102 permit ip 192.168.1.0 255.255.255.0 192.168.25.0 255.255.255.0 (hitcnt=0)
access-list 102 permit ip 192.168.25.0 255.255.255.0 192.168.1.0 255.255.255.0 (hitcnt=0)

Our PIX is the default gateway of the network, if you need to see the entire config let me know.
 
PIX Version 6.1(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
enable password VGxIgnsHeMIGk/fG encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname PIX515
domain-name ----.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list 100 permit icmp any any
access-list 100 permit tcp any host 192.168.0.223 eq www
access-list 100 permit tcp any host 192.168.0.220 eq www
access-list 100 permit tcp any host 192.168.0.222 eq www
access-list 100 permit tcp any host 192.168.0.221 eq www
access-list 100 permit tcp any host 192.168.0.224 eq www
access-list 100 permit tcp any host 192.168.0.249 eq www
access-list 100 permit tcp any host 192.168.0.249 eq 1494
access-list 100 permit tcp any host 192.168.0.249 eq 1604
access-list 100 permit tcp any host 192.168.0.146 eq www
access-list 100 permit tcp any host 192.168.0.225 eq www
access-list 100 permit tcp any host 192.168.0.220 eq 443
access-list 100 permit tcp host 64.49.254.161 host 192.168.0.230 eq smtp
access-list 100 permit tcp host 69.20.58.226 host 192.168.0.230 eq smtp
access-list 100 permit tcp host 69.20.68.133 host 192.168.0.230 eq smtp
access-list 100 permit tcp host 207.97.224.142 host 192.168.0.230 eq smtp
access-list 100 permit tcp host 69.20.60.122 host 192.168.0.230 eq smtp
access-list 100 permit tcp host 69.20.58.234 host 192.168.0.230 eq smtp
access-list 100 permit tcp host 207.97.229.125 host 192.168.0.230 eq smtp
access-list 100 permit tcp host 207.97.230.34 host 192.168.0.230 eq smtp
access-list 100 permit tcp host 207.97.230.54 host 192.168.0.230 eq smtp
access-list 100 permit tcp host 212.100.247.159 host 192.168.0.230 eq smtp
access-list 100 permit tcp any host 192.168.0.230 eq www
access-list 100 permit tcp any host 192.168.0.230 eq 143
access-list 100 permit tcp any host 192.168.0.230 eq 5900
access-list 100 permit tcp any host 192.168.0.230 eq 443
access-list 100 permit tcp any host 192.168.0.230 eq 587
access-list 100 permit tcp any host 192.168.0.253 eq www
access-list 100 permit tcp any host 192.168.0.230 eq 3389
access-list 100 permit tcp host 192.168.0.230 host 192.168.1.230 eq ftp
access-list 100 permit tcp any host 192.168.0.230 eq ftp
access-list 100 permit tcp any host 192.168.0.249 eq 443
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.169.1.0 255.255.255.0
access-list 102 permit ip 192.168.1.0 255.255.255.0 192.168.25.0 255.255.255.0
access-list 102 permit ip 192.168.25.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside 192.168.0.168 255.255.255.0
ip address inside 192.168.1.168 255.255.255.0
ip address intf2 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 192.168.0.200
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 192.168.0.223 192.168.1.223 netmask 255.255.255.255 0 0
static (inside,outside) 192.168.0.220 192.168.1.220 netmask 255.255.255.255 0 0
static (inside,outside) 192.168.0.222 192.168.1.222 netmask 255.255.255.255 0 0
static (inside,outside) 192.168.0.221 192.168.1.221 netmask 255.255.255.255 0 0
static (inside,outside) 192.168.0.224 192.168.1.224 netmask 255.255.255.255 0 0
static (inside,outside) 192.168.0.253 192.168.1.253 netmask 255.255.255.255 0 0
static (inside,outside) 192.168.0.249 192.168.1.249 netmask 255.255.255.255 0 0
static (inside,outside) 192.168.0.146 192.168.1.146 netmask 255.255.255.255 0 0
static (inside,outside) 192.168.0.225 192.168.1.225 netmask 255.255.255.255 0 0
static (inside,outside) 192.168.0.230 192.168.1.230 netmask 255.255.255.255 0 0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 192.168.1.94 /
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
no sysopt route dnat
crypto ipsec transform-set chevelle esp-des esp-md5-hmac
crypto map transam 1 ipsec-isakmp
crypto map transam 1 match address 102
crypto map transam 1 set peer 198.70.146.182
crypto map transam 1 set transform-set chevelle
crypto map transam interface outside
isakmp enable outside
isakmp key superman address 198.70.146.182 netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000
telnet 192.168.0.0 255.255.0.0 inside
telnet timeout 5
ssh timeout 5
vpdn username ----- password -----
vpdn username ----- password -----
vpdn enable outside
terminal width 80
Cryptochecksum:76069bd9ad47dac5236ab7cf59d3575a
: end
 
Those lines are for your identity nat and match address for VPN tunnel.

Not sure why you are doing identity nat for your own subnet:

nat (inside) 0 access-list 101
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.169.1.0 255.255.255.0 (hitcnt=0)

Probably not getting used.

The match address below is for the VPN. The config doesn't make much sense though. Only one of the lines is needed.

access-list 102 permit ip 192.168.1.0 255.255.255.0 192.168.25.0 255.255.255.0 (hitcnt=0)
access-list 102 permit ip 192.168.25.0 255.255.255.0 192.168.1.0 255.255.255.0 (hitcnt=0)


Do you even use the VPN tunnel?

 
We used to (way before my time), but have since moved to Citrix for remote access.

I figured those lines were for the VPN, and therefore removed them. But then I couldn't get out to the internet, and that really puzzled me.

Here is a simple diagram of my network

subnet 192.168.1.0 (all printers, desktops, servers)
pix (192.168.1.168) - default gateway
fatpipe (192.168.0.1) - routes connections over multiple internet links.

So I could remove nat 0 and 1, and then access-list 101 and 102?
 
Remove this line first:

no nat (inside) 0 access-list 101

then this one:

no access-list 101 permit ip 192.168.1.0 255.255.255.0 192.169.1.0 255.255.255.0


Then:

no crypto map transam 1 match address 102
no access-list 102 permit ip 192.168.1.0 255.255.255.0 192.168.25.0 255.255.255.0
no access-list 102 permit ip 192.168.25.0 255.255.255.0 192.168.1.0 255.255.255.0
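The ordering in the reply above (unbind the ACL from `nat 0` or the crypto map first, then delete its entries) is the whole point: on this PIX, `access-list 101` is only meaningful because `nat (inside) 0` points at it, and `access-list 102` only because `crypto map transam 1 match address 102` does. The script below is an added example written for this thread, not code from the poster or from Cisco; it takes a constructed excerpt of the config quoted above, reports which PIX 6.x command binds each ACL (identity NAT, interface `access-group`, or a crypto map `match address`), flags ACLs that nothing references and references whose ACL has no entries left (the state you end up in after deleting the `access-list` lines first), and prints the `no ...` commands in the safe order. It assumes the three binding commands shown in this config are the only ones that matter; real PIX configs may have others (for example `aaa match` or `vpngroup split-tunnel`), which you would add to `REFERENCE_PATTERNS`.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed excerpt of the PIX 6.x config quoted in the thread; not a live device.
SAMPLE_CONFIG = """\
access-list 100 permit icmp any any
access-list 100 permit tcp any host 192.168.0.230 eq www
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.169.1.0 255.255.255.0
access-list 102 permit ip 192.168.1.0 255.255.255.0 192.168.25.0 255.255.255.0
access-list 102 permit ip 192.168.25.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group 100 in interface outside
crypto map transam 1 ipsec-isakmp
crypto map transam 1 match address 102
crypto map transam 1 set peer 198.70.146.182
"""

# One access-list entry (ACE); group 1 is the ACL name or number.
ACE_RE = re.compile(r"^access-list\s+(\S+)\s+(permit|deny)\s+")

# PIX 6.x commands that bind an ACL to a function (assumption: only these three
# are checked). Each regex captures the ACL name in group 1.
REFERENCE_PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "identity NAT (nat 0)": re.compile(r"^nat\s+\(\S+\)\s+0\s+access-list\s+(\S+)\s*$"),
    "interface filter": re.compile(r"^access-group\s+(\S+)\s+in\s+interface\s+\S+\s*$"),
    "VPN crypto map": re.compile(r"^crypto map\s+\S+\s+\d+\s+match address\s+(\S+)\s*$"),
}


def parse_aces(config: str) -> Dict[str, List[str]]:
    """Group access-list entries by ACL name, preserving their order."""
    aces: Dict[str, List[str]] = {}
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            aces.setdefault(m.group(1), []).append(line.strip())
    return aces


def find_references(config: str) -> Dict[str, List[Tuple[str, str]]]:
    """Map each ACL name to the (role, command) pairs that bind it."""
    refs: Dict[str, List[Tuple[str, str]]] = {}
    for line in config.splitlines():
        text = line.strip()
        for role, pattern in REFERENCE_PATTERNS.items():
            m = pattern.match(text)
            if m:
                refs.setdefault(m.group(1), []).append((role, text))
    return refs


def unreferenced_acls(config: str) -> Set[str]:
    """ACLs that are defined but bound to nothing: cleanup candidates."""
    return set(parse_aces(config)) - set(find_references(config))


def dangling_references(config: str) -> List[Tuple[str, str]]:
    """Binding commands whose ACL has no entries left, i.e. the ACL lines were
    deleted before the nat/crypto/access-group command that uses them."""
    defined = parse_aces(config)
    return [(acl, cmd)
            for acl, pairs in find_references(config).items()
            if acl not in defined
            for _, cmd in pairs]


def removal_plan(config: str, acl: str) -> List[str]:
    """'no ...' commands to retire an ACL in the order the reply recommends:
    unbind it first, then delete each of its entries."""
    plan = ["no " + cmd for _, cmd in find_references(config).get(acl, [])]
    plan += ["no " + ace for ace in parse_aces(config).get(acl, [])]
    return plan


if __name__ == "__main__":
    for acl, pairs in sorted(find_references(SAMPLE_CONFIG).items()):
        for role, cmd in pairs:
            print(f"access-list {acl}: {role} via '{cmd}'")
    print("unreferenced ACLs:", unreferenced_acls(SAMPLE_CONFIG) or "none")
    print("dangling references:", dangling_references(SAMPLE_CONFIG) or "none")
    for cmd in removal_plan(SAMPLE_CONFIG, "102"):
        print(cmd)
```

Run it against a saved `show run` (or `write terminal`) output and check the two reports before touching anything: an ACL in the unreferenced set can go without side effects, while a dangling reference means a `nat 0`, `access-group` or `match address` line is already pointing at nothing and should be removed or re-pointed. Note that `nat (inside) 1 0.0.0.0 0.0.0.0` carries no ACL, so it is untouched by this check and stays in place; it is what actually translates the inside hosts to the `global (outside) 1` address.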

 