Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

pix 515e access-list editing

Posted on 2004-10-05
7
Medium Priority
?
1,505 Views
Last Modified: 2012-08-13
I need to add smtp and pptp to an existing pix setup on a 515e. Since the person who set it up put an implicit deny at the end that means I have to delete old access-list and create a new one. My question is is there anything in the config flie below that might create a problem editing. Also I'm I right that I have to delete old access-list recreate new one. PIX version 6.3. If I could the correct syntax I would appreciate it. All ips have been changed.


PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
enable password kwT2Qyt5W3.IC3f6 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname od-pix
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list out_int permit tcp any host 10.10.10.135 eq www
access-list out_int deny ip any any
access-list in_int deny tcp any any eq 135
access-list in_int deny tcp any any eq 4444
access-list in_int deny udp any any eq tftp
access-list in_int permit ip 192.168.1.0 255.255.255.0 any
pager lines 24
logging on
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside 172.16.1.254 255.255.255.0
ip address inside 192.168.1.254 255.255.255.0
no ip address intf2
ip audit name check attack action alarm reset
ip audit interface outside check
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 172.16.1.10 netmask 255.255.255.255
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
static (inside,outside) tcp .145 www 192.168.1.145 www netmask 255.255
.255.255 0 0
access-group out_int in interface outside
access-group in_int in interface inside
route outside 0.0.0.0 0.0.0.0 10.10.10.1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:442f27e0d1ac58ebc6a184aa05819643
: end
0
Comment
Question by:chetw18504
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
7 Comments
 
LVL 16

Expert Comment

by:JammyPak
ID: 12230173
you don't have to delete the whole access-list, just delete the line "no access-list out_int deny ip any any", then add the two lines you want, then add the deny line back in.

ps. in newer sw versions you assign line numbers to each rule, so you can insert a line more easily

also, I wouldn't allow outbound smtp for all pcs, since that just allows all of the email worms to do their thing. just let the mail server out on port 25.


0
 
LVL 3

Expert Comment

by:johnpitt
ID: 12231016
Just as a suggestion: I really like using the web interface on the PIX. I know it doesn't set well with the die-hard Cisco crowd but if you have 100 other areas of responsibility it really helps make things easier. That is were I do my access list editing.
0
 
LVL 11

Expert Comment

by:PennGwyn
ID: 12231881
It would be "implicit" if they *didn't* add that line.  Adding it makes it EXPLICIT instead.

0
What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

 

Author Comment

by:chetw18504
ID: 12232563
What is the syntax to delete one line? Also could somenone check the syntax below? The pix is in a production setting new job have never worked with pix. I need the easiest safest way to enable two ports below. I appreciate all help. Thank you.

syntax to delete one line? can't find it.
access-list out_int permit tcp any host 172.16.1.2 eq smtp
access-list out_int permit tcp any host 172.16.1.2 eq 1723 (pptp)
access-list out_int permit tcp any host 172.16.1.2 eq 47  (gre)
static (inside,outside) tcp 172.16.1.2 smtp 192.168.1.1 1723 netmask 255.255
.255.255 0 0
static (inside,outside) tcp 172.16.1.2 1723 192.168.1.145 1723 netmask 255.255
.255.255 0 0
static (inside,outside) tcp 172.16.1.2 47 192.168.1.145 47 netmask 255.255
.255.255 0 0
write memory
reload ( restart firewall this save to startup config?)
0
 
LVL 13

Expert Comment

by:mark-wa
ID: 12232786
to delete a line, just add the word "no" (without quotes) to the beginning and type the rest of the line, for example:

no access-list out_int deny ip any any

This will delete the line:   access-list out_int deny ip any any

Then, add your entries that you need.

Mark
0
 

Author Comment

by:chetw18504
ID: 12237849
Is my syntax for other commands correct? And do I have to restart the firewall at some time?
0
 
LVL 16

Accepted Solution

by:
JammyPak earned 1000 total points
ID: 12238492
no you don't have to restart, just do 'write mem' to save your changes

the other commands look fine to me...with one problem - GRE isn't TCP port 47, it's protocol 47

try this instead:
access-list out_int permit gre any host 172.16.1.2

also, as PennGwynn mentioned, it's probably best to just remove the 'deny' rule, and by default everything not specifically permitted will be denied...this makes things easier for you. I gave you the syntax for removing the deny line in my first post, using 'no'

HTH
0

Featured Post

Understanding Web Applications

Without even knowing it, most of us are using web applications on a daily basis. Gmail and Yahoo email, Twitter, Facebook, and eBay are used by most of us daily—and they are web applications. We often confuse these web applications tools for websites.  So, what is the difference?

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

There’s a movement in Information Technology (IT), and while it’s hard to define, it is gaining momentum. Some call it “stream-lined IT;” others call it “thin-model IT.”
You deserve ‘straight talk’ from your cloud provider about your risk, your costs, security, uptime and the processes that are in place to protect your mission-critical applications.
Internet Business Fax to Email Made Easy - With  eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, f…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…

610 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question