From: PL on 26 Jun 2008 19:12

Trying to block access from "inside" to "dmz1"...

interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/2
 nameif dmz1
 security-level 2
 ip address 192.168.2.1 255.255.255.0
!
access-list acl_outgoing extended deny ip any 192.168.2.0 255.255.255.0
access-list acl_outgoing extended permit ip any any
!
access-group acl_outgoing in interface inside

Why am I still able to access host 192.168.2.2 from 192.168.1.7 ??
From: Barry Margolin on 26 Jun 2008 22:07

In article <o58864tav2utkmnqog2082clf7pd18qmn5(a)4ax.com>,
 PL <plecki3(a)eagency.com> wrote:

> Trying to block access from "inside" to "dmz1"...
>
> interface Ethernet0/1
>  nameif inside
>  security-level 100
>  ip address 192.168.1.1 255.255.255.0
> !
> interface Ethernet0/2
>  nameif dmz1
>  security-level 2
>  ip address 192.168.2.1 255.255.255.0
> !
> access-list acl_outgoing extended deny ip any 192.168.2.0
> 255.255.255.0

That should be 0.0.0.255.

> access-list acl_outgoing extended permit ip any any
> !
> access-group acl_outgoing in interface inside
>
> Why am I still able to access host 192.168.2.2 from 192.168.1.7 ??

Your ACL blocks access to X.X.X.0, not 192.168.2.X, because you used a
netmask instead of a wildcard mask.

--
Barry Margolin, barmar(a)alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
*** PLEASE don't copy me on replies, I'll read them in the group ***
From: "Andrew Lutov" andrew_l on 26 Jun 2008 22:16

Hello, PL!

P> interface Ethernet0/1
P>  nameif inside
P>  security-level 100
P>  ip address 192.168.1.1 255.255.255.0
P> !
P> interface Ethernet0/2
P>  nameif dmz1
P>  security-level 2
P>  ip address 192.168.2.1 255.255.255.0
P> !
P> access-list acl_outgoing extended deny ip any 192.168.2.0
P> 255.255.255.0
P> access-list acl_outgoing extended permit ip any any
P> !
P> access-group acl_outgoing in interface inside

ASA ?
From: "Andrew Lutov" andrew_l on 26 Jun 2008 22:21

Hello, Barry!

??>> Trying to block access from "inside" to "dmz1"...
??>>
??>> interface Ethernet0/1
??>>  nameif inside
??>>  security-level 100
??>>  ip address 192.168.1.1 255.255.255.0
??>> !
??>> interface Ethernet0/2
??>>  nameif dmz1
??>>  security-level 2
??>>  ip address 192.168.2.1 255.255.255.0
??>> !
??>> access-list acl_outgoing extended deny ip any 192.168.2.0
??>> 255.255.255.0

BM> That should be 0.0.0.255.

??>> access-list acl_outgoing extended permit ip any any
??>> !
??>> access-group acl_outgoing in interface inside
??>>
??>> Why am I still able to access host 192.168.2.2 from 192.168.1.7 ??

BM> Your ACL blocks access to X.X.X.0, not 192.168.2.X, because you used a
BM> netmask instead of a wildcard mask.

asa5510(config)# access-list FromOutside extended permit tcp 1.1.1.1 ?

configure mode commands/options:
  A.B.C.D  Netmask for source IP address
asa5510(config)# access-list FromOutside extended permit tcp 1.1.1.1
From: Barry Margolin on 26 Jun 2008 22:30

In article <g41irr$2oda$1(a)relay2.usurt.ru>,
 "Andrew Lutov" <andrew_l @ newmail.ru> wrote:

> Hello, Barry!
>
> ??>> Trying to block access from "inside" to "dmz1"...
> ??>>
> ??>> interface Ethernet0/1
> ??>>  nameif inside
> ??>>  security-level 100
> ??>>  ip address 192.168.1.1 255.255.255.0
> ??>> !
> ??>> interface Ethernet0/2
> ??>>  nameif dmz1
> ??>>  security-level 2
> ??>>  ip address 192.168.2.1 255.255.255.0
> ??>> !
> ??>> access-list acl_outgoing extended deny ip any 192.168.2.0
> ??>> 255.255.255.0
>
> BM> That should be 0.0.0.255.
>
> ??>> access-list acl_outgoing extended permit ip any any
> ??>> !
> ??>> access-group acl_outgoing in interface inside
> ??>>
> ??>> Why am I still able to access host 192.168.2.2 from 192.168.1.7 ??
>
> BM> Your ACL blocks access to X.X.X.0, not 192.168.2.X, because you used a
> BM> netmask instead of a wildcard mask.
>
> asa5510(config)# access-list FromOutside extended permit tcp 1.1.1.1 ?
>
> configure mode commands/options:
>   A.B.C.D  Netmask for source IP address
> asa5510(config)# access-list FromOutside extended permit tcp 1.1.1.1

You didn't say what model it was earlier, I thought it was an IOS router.
IOS uses wildcard masks, which are the complement of netmasks.

--
Barry Margolin, barmar(a)alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
*** PLEASE don't copy me on replies, I'll read them in the group ***
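Editor's added example (not code from any of the posters): the two readings of the mask field that Barry's 22:07 and 22:30 replies turn on, applied to the ACL PL posted. On PIX/ASA the fourth field is a netmask (1-bits must match), on IOS it is a wildcard (0-bits must match, 1-bits are don't-care), and one is the bitwise complement of the other. The tiny ACE parser below is an assumption for the demonstration: it accepts the ASA form `access-list NAME extended {permit|deny} ip SRC DST` and the bare `{permit|deny} ip SRC DST` lines of an IOS `ip access-list extended` body, handles only the `ip` protocol, and the IOS variant of the ACL is constructed here to show Barry's suggested 0.0.0.255.

```python
"""Evaluate a Cisco-style extended ACL under ASA/PIX (netmask) and IOS
(wildcard) mask semantics.  Added example, not code from the thread."""
import ipaddress
from typing import List, Optional, Tuple

ALL_ONES = 0xFFFFFFFF

# Address clause: (None, None) = "any"; (addr, None) = "host addr";
# (network, mask) = explicit network plus mask field.
AddrSpec = Tuple[Optional[str], Optional[str]]


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def wildcard_from_netmask(netmask: str) -> str:
    """IOS wildcard mask is the bitwise complement of the PIX/ASA netmask."""
    return str(ipaddress.IPv4Address(_to_int(netmask) ^ ALL_ONES))


def matches_netmask(addr: str, network: str, netmask: str) -> bool:
    """ASA/PIX reading: bits set in the mask must equal the network's bits."""
    m = _to_int(netmask)
    return _to_int(addr) & m == _to_int(network) & m


def matches_wildcard(addr: str, network: str, wildcard: str) -> bool:
    """IOS reading: bits clear in the wildcard must match, set bits are ignored."""
    w = _to_int(wildcard)
    return (_to_int(addr) ^ _to_int(network)) & (~w & ALL_ONES) == 0


def _parse_addr(tokens: List[str]) -> Tuple[AddrSpec, List[str]]:
    if tokens[0] == "any":
        return (None, None), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], None), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse_ace(line: str) -> Tuple[str, AddrSpec, AddrSpec]:
    """Parse one ACE; only the 'ip' protocol form used in the thread is handled."""
    tokens = line.split()
    if tokens[0] == "access-list":
        tokens = tokens[3:]  # drop "access-list NAME extended" (ASA syntax)
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    if action not in ("permit", "deny") or proto != "ip":
        raise ValueError("unsupported ACE: " + line)
    src, rest = _parse_addr(rest)
    dst, rest = _parse_addr(rest)
    if rest:
        raise ValueError("trailing tokens in ACE: " + line)
    return action, src, dst


def addr_matches(spec: AddrSpec, addr: str, style: str) -> bool:
    """Interpret the mask field as a netmask ('asa') or a wildcard ('ios')."""
    network, mask = spec
    if network is None:
        return True
    if mask is None:
        return addr == network
    if style == "asa":
        return matches_netmask(addr, network, mask)
    if style == "ios":
        return matches_wildcard(addr, network, mask)
    raise ValueError("style must be 'asa' or 'ios'")


def evaluate(acl: List[str], src: str, dst: str, style: str) -> str:
    """First matching ACE wins; every Cisco ACL ends with an implicit deny."""
    for line in acl:
        action, s, d = parse_ace(line)
        if addr_matches(s, src, style) and addr_matches(d, dst, style):
            return action
    return "deny"


# The ACL exactly as PL posted it (ASA syntax, mask field 255.255.255.0).
ACL_OUTGOING = [
    "access-list acl_outgoing extended deny ip any 192.168.2.0 255.255.255.0",
    "access-list acl_outgoing extended permit ip any any",
]

# Constructed IOS equivalent using the wildcard Barry suggested.
ACL_OUTGOING_IOS = [
    "deny ip any 192.168.2.0 " + wildcard_from_netmask("255.255.255.0"),
    "permit ip any any",
]

if __name__ == "__main__":
    for style, acl in (("asa", ACL_OUTGOING), ("ios", ACL_OUTGOING),
                       ("ios", ACL_OUTGOING_IOS)):
        print(style, acl[0].split()[-1], "192.168.1.7 -> 192.168.2.2:",
              evaluate(acl, "192.168.1.7", "192.168.2.2", style))
```

Read as a netmask (the ASA's own `?` help in the thread confirms that is what the box expects), `192.168.2.0 255.255.255.0` covers the whole /24 and the deny matches 192.168.2.2; read as an IOS wildcard, the same field only pins the last octet to 0, which is the "blocks X.X.X.0" behaviour Barry described. So on an ASA the mask is not what lets 192.168.2.2 through, and the thread does not settle what does.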