Inbound Connections Being Denied by ACL

Networking/Security Forums -> Firewalls // Intrusion Detection - External Security

Author: atech PostPosted: Thu Oct 07, 2010 11:49 pm    Post subject: Inbound Connections Being Denied by ACL
    ----
Hello,

I'm trying to allow some specific traffic from the outside interface to a server on the inside interface on specific ports. I've configured some static NAT rules with the proper ports as well as an ACL to allow that traffic through. I keep getting denied by 'access-group outside_access_in in interface outside' though. While watching the log during an attempted connection from a remote computer, I can see the connection being denied by that specific ACL. Here are some specific details. I'm just not sure whether I need that 'access-group' line or what the ramifications would be if i removed it. It seems to be a default configuration as I don't ever remember adding that line.

Inside Server:
PAServer - 192.168.2.200
Ports - TCP/8222 and TCP/8333

Here is the running config.

Building configuration...
: Saved
:
PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxx encrypted
passwd xxxxxx encrypted
hostname pixfirewallpa
domain-name xxxxxx
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.2.0 LAN
name xxxxxx outside
name 192.168.1.0 CorporateLAN
name 10.1.1.0 DMZ
name 192.168.2.200 PAServer
object-group service VMWareWeb tcp
port-object range 8333 8333
port-object range 8222 8222
object-group service PasvFTP tcp
port-object range 49152 50000
access-list inside_outbound_nat0_acl permit ip LAN 255.255.255.0 DMZ 255.255.255.0
access-list inside_outbound_nat0_acl permit ip LAN 255.255.255.0 CorporateLAN 255.255.255.0
access-list outside_cryptomap_20 permit ip LAN 255.255.255.0 DMZ 255.255.255.0
access-list outside_cryptomap_20 permit ip LAN 255.255.255.0 CorporateLAN 255.255.255.0
access-list outside_access_in permit tcp any object-group VMWareWeb interface outside object-group VMWareWeb log
access-list outside_access_in permit icmp DMZ 255.255.255.0 LAN 255.255.255.0
pager lines 24
logging on
no logging message 106015
no logging message 302015
no logging message 302014
no logging message 302016
mtu outside 1500
mtu inside 1500
ip address outside xxxxxx 255.255.255.248
ip address inside 192.168.2.1 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit name Attack attack action drop
ip audit interface outside Attack
ip audit info action alarm
ip audit attack action alarm
pdm location DMZ 255.255.255.0 outside
pdm location CorporateLAN 255.255.255.0 outside
pdm location xxxxxx 255.255.255.255 outside
pdm location PAServer 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 8222 PAServer 8222 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 8333 PAServer 8333 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 12.204.95.65 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
ntp server 208.75.88.4 source outside prefer
http server enable
http xxxxxx 255.255.255.255 outside
http LAN 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer xxxxxx
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address xxxxxx netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet xxxxxx 255.255.255.255 outside
telnet CorporateLAN 255.255.255.0 outside
telnet LAN 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.2.2-192.168.2.33 inside
dhcpd dns 192.168.1.13 68.94.156.1
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain xxxxxxxxx
dhcpd enable inside
username xxxxxx password xxxxxxxx encrypted privilege 15
username xxxxxx password xxxxxxxx encrypted privilege 15
terminal width 80
Cryptochecksum:xxxxx
: end
[OK]

Any help would be greatly appreciated.

Thanks

Author: Sgt_BLocation: Chicago, IL US PostPosted: Fri Oct 08, 2010 3:01 pm    Post subject:
    ----
Code:
access-list outside_access_in permit tcp any object-group VMWareWeb interface outside object-group VMWareWeb log

Your ACL is wrong here.
Format is:
access-list <ACL name> <permit|deny> <protocol> <src host> <src port> <dst host|interface> <dst port>

So your ACL reads as follows:
Permit a TCP packet from any host with a source port of 8222 or 8333 to the firewalls outside interface with a destination port of 8222 or 8333.

See the issue?

External traffic that attempts to connect to the PIX interface on ports 8222 or 8333 will not have a source port of 8222 or 8333. Instead they will utilize an ephemeral port (usually 1024-65535). Now you don't have to add that port range. Instead just remove the access control element and replace it with this:
Code:
access-list outside_access_in permit tcp any any interface outside object-group VMWareWeb log


This ACL will never trigger either:
Code:
access-list outside_access_in permit icmp DMZ 255.255.255.0 LAN 255.255.255.0

This ACL is intended to allow hosts on the DMZ network to send ICMP traffic to hosts on the LAN network. However, this ACL is bound to the outside interface. Therefore it will not work as intended as the outside interface may never see this type of traffic...and certainly not from your DMZ.

This brings me to access-groups. Access-groups are there to bind access-lists to specific interfaces. So you create an ACL thats designed to filter traffic from the Internet to internal hosts. Once you finish the ACL you bind it to the interface through the access-group command.

Another quick note, looks like this PIX is bigger than a 501 so you may want to consider upgrading to IOS 7.x (not sure if PIX supports any 8.x IOS though).



Networking/Security Forums -> Firewalls // Intrusion Detection - External Security


output generated using printer-friendly topic mod, All times are GMT + 2 Hours

Page 1 of 1

Powered by phpBB 2.0.x © 2001 phpBB Group