Solved

pix 515e access-list editing

Posted on 2004-10-05
7
1,472 Views
Last Modified: 2012-08-13
I need to add smtp and pptp to an existing pix setup on a 515e. Since the person who set it up put an implicit deny at the end that means I have to delete old access-list and create a new one. My question is is there anything in the config flie below that might create a problem editing. Also I'm I right that I have to delete old access-list recreate new one. PIX version 6.3. If I could the correct syntax I would appreciate it. All ips have been changed.


PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
enable password kwT2Qyt5W3.IC3f6 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname od-pix
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list out_int permit tcp any host 10.10.10.135 eq www
access-list out_int deny ip any any
access-list in_int deny tcp any any eq 135
access-list in_int deny tcp any any eq 4444
access-list in_int deny udp any any eq tftp
access-list in_int permit ip 192.168.1.0 255.255.255.0 any
pager lines 24
logging on
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside 172.16.1.254 255.255.255.0
ip address inside 192.168.1.254 255.255.255.0
no ip address intf2
ip audit name check attack action alarm reset
ip audit interface outside check
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 172.16.1.10 netmask 255.255.255.255
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
static (inside,outside) tcp .145 www 192.168.1.145 www netmask 255.255
.255.255 0 0
access-group out_int in interface outside
access-group in_int in interface inside
route outside 0.0.0.0 0.0.0.0 10.10.10.1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:442f27e0d1ac58ebc6a184aa05819643
: end
0
Comment
Question by:chetw18504
7 Comments
 
LVL 16

Expert Comment

by:JammyPak
Comment Utility
you don't have to delete the whole access-list, just delete the line "no access-list out_int deny ip any any", then add the two lines you want, then add the deny line back in.

ps. in newer sw versions you assign line numbers to each rule, so you can insert a line more easily

also, I wouldn't allow outbound smtp for all pcs, since that just allows all of the email worms to do their thing. just let the mail server out on port 25.


0
 
LVL 3

Expert Comment

by:johnpitt
Comment Utility
Just as a suggestion: I really like using the web interface on the PIX. I know it doesn't set well with the die-hard Cisco crowd but if you have 100 other areas of responsibility it really helps make things easier. That is were I do my access list editing.
0
 
LVL 11

Expert Comment

by:PennGwyn
Comment Utility
It would be "implicit" if they *didn't* add that line.  Adding it makes it EXPLICIT instead.

0
Find Ransomware Secrets With All-Source Analysis

Ransomware has become a major concern for organizations; its prevalence has grown due to past successes achieved by threat actors. While each ransomware variant is different, we’ve seen some common tactics and trends used among the authors of the malware.

 

Author Comment

by:chetw18504
Comment Utility
What is the syntax to delete one line? Also could somenone check the syntax below? The pix is in a production setting new job have never worked with pix. I need the easiest safest way to enable two ports below. I appreciate all help. Thank you.

syntax to delete one line? can't find it.
access-list out_int permit tcp any host 172.16.1.2 eq smtp
access-list out_int permit tcp any host 172.16.1.2 eq 1723 (pptp)
access-list out_int permit tcp any host 172.16.1.2 eq 47  (gre)
static (inside,outside) tcp 172.16.1.2 smtp 192.168.1.1 1723 netmask 255.255
.255.255 0 0
static (inside,outside) tcp 172.16.1.2 1723 192.168.1.145 1723 netmask 255.255
.255.255 0 0
static (inside,outside) tcp 172.16.1.2 47 192.168.1.145 47 netmask 255.255
.255.255 0 0
write memory
reload ( restart firewall this save to startup config?)
0
 
LVL 13

Expert Comment

by:mark-wa
Comment Utility
to delete a line, just add the word "no" (without quotes) to the beginning and type the rest of the line, for example:

no access-list out_int deny ip any any

This will delete the line:   access-list out_int deny ip any any

Then, add your entries that you need.

Mark
0
 

Author Comment

by:chetw18504
Comment Utility
Is my syntax for other commands correct? And do I have to restart the firewall at some time?
0
 
LVL 16

Accepted Solution

by:
JammyPak earned 250 total points
Comment Utility
no you don't have to restart, just do 'write mem' to save your changes

the other commands look fine to me...with one problem - GRE isn't TCP port 47, it's protocol 47

try this instead:
access-list out_int permit gre any host 172.16.1.2

also, as PennGwynn mentioned, it's probably best to just remove the 'deny' rule, and by default everything not specifically permitted will be denied...this makes things easier for you. I gave you the syntax for removing the deny line in my first post, using 'no'

HTH
0

Featured Post

6 Surprising Benefits of Threat Intelligence

All sorts of threat intelligence is available on the web. Intelligence you can learn from, and use to anticipate and prepare for future attacks.

Join & Write a Comment

Suggested Solutions

Even if you have implemented a Mobile Device Management solution company wide, it is a good idea to make sure you are taking into account all of the major risks to your electronic protected health information (ePHI).
PRTG Network Monitor lets you monitor your bandwidth usage, so you know who is using up your bandwidth, and what they're using it for.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

14 Experts available now in Live!

Get 1:1 Help Now