chetw18504
asked on
pix 515e access-list editing
I need to add smtp and pptp to an existing pix setup on a 515e. Since the person who set it up put an implicit deny at the end that means I have to delete old access-list and create a new one. My question is is there anything in the config flie below that might create a problem editing. Also I'm I right that I have to delete old access-list recreate new one. PIX version 6.3. If I could the correct syntax I would appreciate it. All ips have been changed.
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
enable password kwT2Qyt5W3.IC3f6 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname od-pix
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list out_int permit tcp any host 10.10.10.135 eq www
access-list out_int deny ip any any
access-list in_int deny tcp any any eq 135
access-list in_int deny tcp any any eq 4444
access-list in_int deny udp any any eq tftp
access-list in_int permit ip 192.168.1.0 255.255.255.0 any
pager lines 24
logging on
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside 172.16.1.254 255.255.255.0
ip address inside 192.168.1.254 255.255.255.0
no ip address intf2
ip audit name check attack action alarm reset
ip audit interface outside check
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 172.16.1.10 netmask 255.255.255.255
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
static (inside,outside) tcp .145 www 192.168.1.145 www netmask 255.255
.255.255 0 0
access-group out_int in interface outside
access-group in_int in interface inside
route outside 0.0.0.0 0.0.0.0 10.10.10.1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:442f27e0d1a
: end
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
enable password kwT2Qyt5W3.IC3f6 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname od-pix
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list out_int permit tcp any host 10.10.10.135 eq www
access-list out_int deny ip any any
access-list in_int deny tcp any any eq 135
access-list in_int deny tcp any any eq 4444
access-list in_int deny udp any any eq tftp
access-list in_int permit ip 192.168.1.0 255.255.255.0 any
pager lines 24
logging on
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside 172.16.1.254 255.255.255.0
ip address inside 192.168.1.254 255.255.255.0
no ip address intf2
ip audit name check attack action alarm reset
ip audit interface outside check
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 172.16.1.10 netmask 255.255.255.255
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
static (inside,outside) tcp .145 www 192.168.1.145 www netmask 255.255
.255.255 0 0
access-group out_int in interface outside
access-group in_int in interface inside
route outside 0.0.0.0 0.0.0.0 10.10.10.1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:442f27e0d1a
: end
Just as a suggestion: I really like using the web interface on the PIX. I know it doesn't set well with the die-hard Cisco crowd but if you have 100 other areas of responsibility it really helps make things easier. That is were I do my access list editing.
It would be "implicit" if they *didn't* add that line. Adding it makes it EXPLICIT instead.
ASKER
What is the syntax to delete one line? Also could somenone check the syntax below? The pix is in a production setting new job have never worked with pix. I need the easiest safest way to enable two ports below. I appreciate all help. Thank you.
syntax to delete one line? can't find it.
access-list out_int permit tcp any host 172.16.1.2 eq smtp
access-list out_int permit tcp any host 172.16.1.2 eq 1723 (pptp)
access-list out_int permit tcp any host 172.16.1.2 eq 47 (gre)
static (inside,outside) tcp 172.16.1.2 smtp 192.168.1.1 1723 netmask 255.255
.255.255 0 0
static (inside,outside) tcp 172.16.1.2 1723 192.168.1.145 1723 netmask 255.255
.255.255 0 0
static (inside,outside) tcp 172.16.1.2 47 192.168.1.145 47 netmask 255.255
.255.255 0 0
write memory
reload ( restart firewall this save to startup config?)
syntax to delete one line? can't find it.
access-list out_int permit tcp any host 172.16.1.2 eq smtp
access-list out_int permit tcp any host 172.16.1.2 eq 1723 (pptp)
access-list out_int permit tcp any host 172.16.1.2 eq 47 (gre)
static (inside,outside) tcp 172.16.1.2 smtp 192.168.1.1 1723 netmask 255.255
.255.255 0 0
static (inside,outside) tcp 172.16.1.2 1723 192.168.1.145 1723 netmask 255.255
.255.255 0 0
static (inside,outside) tcp 172.16.1.2 47 192.168.1.145 47 netmask 255.255
.255.255 0 0
write memory
reload ( restart firewall this save to startup config?)
to delete a line, just add the word "no" (without quotes) to the beginning and type the rest of the line, for example:
no access-list out_int deny ip any any
This will delete the line: access-list out_int deny ip any any
Then, add your entries that you need.
Mark
no access-list out_int deny ip any any
This will delete the line: access-list out_int deny ip any any
Then, add your entries that you need.
Mark
ASKER
Is my syntax for other commands correct? And do I have to restart the firewall at some time?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ps. in newer sw versions you assign line numbers to each rule, so you can insert a line more easily
also, I wouldn't allow outbound smtp for all pcs, since that just allows all of the email worms to do their thing. just let the mail server out on port 25.