Advertisement

02.21.2007 at 10:44AM PST, ID: 22404314
[x]
Attachment Details
[x]
The Solution Rating System

With so many solutions, how can you tell which solutions are most likely to help you and which ones are not? To provide you with a tool to use, we rate our solutions based on various elements that most accurately determine if a solution is a quality solution. To explain what factors affect the solution rating, here are the elements we take into consideration when formulating our solution rating.

  • The Grade of the Solution
  • The Zone Rank of the Expert Providing the Solution
  • The Number of Author and Expert Comments
  • The Number of Experts Contributing
  • The Feedback of the Community

Your Input Matters
Because of the way the system is set up, the most important variable in this equation is you. As a member of Experts Exchange, you are able to cast your vote on the quality of the solutions in regard to how complete, accurate, helpful and easy to understand each solution is. When you provide your feedback, each rating is adjusted accordingly. So, if you see a solution that has a poor rating that you think is a good solution, let us know by rating it. As you do, the rating will be adjusted and will become more accurate for other members of our site.

If you have any suggestions that you would like to make for our rating system, please ask a question in the Suggestions Zone of Community Support.

Thank you!
9.6

Using multiple ACLs on outside interface

Asked by krais99 in Cisco PIX Firewall, Networking Hardware Firewalls

Tags: , ,

I currently have a PIX 506e that I inherited from a previous systems admin at the office.  I would like to clean up the rules that are currently in place for better organization.  I know that you can use the command: "access-list outside_in remark Web Traffic" to denote seperate areas of the ACL for organizing them, however, this is pretty limited as the ACL does not automatically insert new lines into these remark areas and the only way that I've found to do this is to use Textpad or similar to create a sort of script that first removes the ACL, then re-adds it..  My list is fairly long and this quickly becomes a hassle to do. Below is a sample of my ACL and what I have to do to maintain the organization:

access-list outside_in remark IMPLICIT DENIALS
access-list outside_in deny tcp 208.xxx.xxx.0 255.255.248.0 any
access-list outside_in deny tcp host 69.xxx.xxx.106 any
access-list outside_in deny udp host 69.xxx.xxx.106 any
access-list outside_in deny icmp host 69.xxx.xxx.106 any
access-list outside_in deny tcp 63.xxx.xxx.0 255.255.255.0 any
access-list outside_in deny ip 63.xxx.xxx.0 255.255.255.0 any
access-list outside_in remark WEB SITE AND FTP ACCESS
access-list outside_in permit tcp any host 64.xxx.xxx.73 eq www
access-list outside_in permit tcp any host 64.xxx.xxx.74 eq www
access-list outside_in permit tcp any host 64.xxx.xxx.75 eq www
access-list outside_in permit tcp any host 64.xxx.xxx.76 eq www
access-list outside_in permit tcp any host 64.xxx.xxx.77 eq www
access-list outside_in permit tcp any host 64.xxx.xxx.73 eq https
access-list outside_in permit tcp any host 64.xxx.xxx.74 eq https
access-list outside_in permit tcp any host 64.xxx.xxx.75 eq https
access-list outside_in permit tcp any host 64.xxx.xxx.76 eq https
access-list outside_in permit tcp any host 64.xxx.xxx.77 eq https
access-list outside_in remark VPN ACCESS
access-list outside_in permit gre any any
access-list outside_in permit tcp any host 64.xxx.xxx.72 eq pptp
access-list outside_in permit udp any host 64.xxx.xxx.72 eq isakmp

In order to add a line into any of those portions of the ACL from the PIX, I have to do a blanket no access-list outside_in, add the new line into the correct portion of the ACL, then re-add the ACL to the PIX.  For example, if I want to add the lines  "access-list outside_in permit tcp any host 64.xxx.xxx.78 www" and "access-list outside_in permit tcp any host 64.xxx.xxx.78 https" into my web site traffic portion, I have to do this:

no access-list outside_in remark IMPLICIT DENIALS
no access-list outside_in deny tcp 208.xxx.xxx.0 255.255.248.0 any
no access-list outside_in deny tcp host 69.xxx.xxx.106 any
no access-list outside_in deny udp host 69.xxx.xxx.106 any
no access-list outside_in deny icmp host 69.xxx.xxx.106 any
no access-list outside_in deny tcp 63.xxx.xxx.0 255.255.255.0 any
no access-list outside_in deny ip 63.xxx.xxx.0 255.255.255.0 any
no access-list outside_in remark WEB SITE AND FTP ACCESS
no access-list outside_in permit tcp any host 64.xxx.xxx.73 eq www
no access-list outside_in permit tcp any host 64.xxx.xxx.74 eq www
no access-list outside_in permit tcp any host 64.xxx.xxx.75 eq www
no access-list outside_in permit tcp any host 64.xxx.xxx.76 eq www
no access-list outside_in permit tcp any host 64.xxx.xxx.77 eq www
no access-list outside_in permit tcp any host 64.xxx.xxx.73 eq https
no access-list outside_in permit tcp any host 64.xxx.xxx.74 eq https
no access-list outside_in permit tcp any host 64.xxx.xxx.75 eq https
no access-list outside_in permit tcp any host 64.xxx.xxx.76 eq https
no access-list outside_in permit tcp any host 64.xxx.xxx.77 eq https
no access-list outside_in remark VPN ACCESS
no access-list outside_in permit gre any any
no access-list outside_in permit tcp any host 64.xxx.xxx.72 eq pptp
no access-list outside_in permit udp any host 64.xxx.xxx.72 eq isakmp

access-list outside_in remark IMPLICIT DENIALS
access-list outside_in deny tcp 208.xxx.xxx.0 255.255.248.0 any
access-list outside_in deny tcp host 69.xxx.xxx.106 any
access-list outside_in deny udp host 69.xxx.xxx.106 any
access-list outside_in deny icmp host 69.xxx.xxx.106 any
access-list outside_in deny tcp 63.xxx.xxx.0 255.255.255.0 any
access-list outside_in deny ip 63.xxx.xxx.0 255.255.255.0 any
access-list outside_in remark WEB SITE AND FTP ACCESS
access-list outside_in permit tcp any host 64.xxx.xxx.73 eq www
access-list outside_in permit tcp any host 64.xxx.xxx.74 eq www
access-list outside_in permit tcp any host 64.xxx.xxx.75 eq www
access-list outside_in permit tcp any host 64.xxx.xxx.76 eq www
access-list outside_in permit tcp any host 64.xxx.xxx.77 eq www
access-list outside_in permit tcp any host 64.xxx.xxx.78 eq www
access-list outside_in permit tcp any host 64.xxx.xxx.73 eq https
access-list outside_in permit tcp any host 64.xxx.xxx.74 eq https
access-list outside_in permit tcp any host 64.xxx.xxx.75 eq https
access-list outside_in permit tcp any host 64.xxx.xxx.76 eq https
access-list outside_in permit tcp any host 64.xxx.xxx.77 eq https
access-list outside_in permit tcp any host 64.xxx.xxx.78 eq www
access-list outside_in remark VPN ACCESS
access-list outside_in permit gre any any
access-list outside_in permit tcp any host 64.xxx.xxx.72 eq pptp
access-list outside_in permit udp any host 64.xxx.xxx.72 eq isakmp
access-group outside_in in interface outside

While this is a small example, you get the idea..  is there any way to seperate these portions of the ACL into completely seperate ACLs and still have them applied to the external interface?  Such as:

access-list outside_in_denials remark IMPLICIT DENIALS
.
.
.
.
access-list outside_in_web remark WEB SITE AND FTP ACCESS
.
.
.
access-list outside_in_vpn remark VPN ACCESS
.
.
.
access-group outside_in_denials in interface outside
access-group outside_in_web in interface outside
access-group outside_in_vpn in interface outsideStart Free Trial
 
Keywords: Using multiple ACLs on outside interface
Title
1 Cisco PIX site to multi-site VPN ACLs …
2 ASA 5510/PIX ACLs for site to site…
3 PIX to PIX VPN ACL
4 pix VPN
5 PIX VPN -> Limiting VPN users acces…
6 Pix ACL
 
Loading Advertisement...
 
[+][-]02.21.2007 at 11:09AM PST, ID: 18581101

View this solution now by starting your 7-day free trial. Setting up your free trial is quick, easy, and secure. We will return you to this solution, unlocked, when you're done.

 

About this solution

Zones: Cisco PIX Firewall, Networking Hardware Firewalls
Tags: gre, outside_in, permit
Sign Up Now!
Solution Provided By: batry_boy
Participating Experts: 2
Solution Grade: A
 
 
[+][-]02.21.2007 at 02:34PM PST, ID: 18582916

Assisted solutions are selected by the member who asked the question as a comment that contributed to their question's solution.

Start your 7-day free trial to view this Assisted Solution or ask the Experts your question.

 
[+][-]02.21.2007 at 02:41PM PST, ID: 18582971

Often, when Experts are collaborating with members who have asked questions, they will request additional information about the problem. Askers respond with an author comment like this one.

Start your 7-day free trial to view this Author Comment or ask the Experts your question.

 
 
Loading Advertisement...
20080716-EE-VQP-32