PIX Access list restrictions

Posted on 2004-11-15
Last Modified: 2013-11-16
I am a Cisco/PIX newbie and have recently acquired a PIX 506e firewall. I have set up the basics (interfaces, DHCP, NAT, etc.) and now need to fine-tune further. I need to set up access lists to deny all inside users, with the exception of internet access and outside DNS lookup.

Also only one inside host (192.160.0.2) to have unrestricted access.

This is what I've got so far.

access-list outbound permit tcp host any any eq 80
access-list outbound permit udp any any eq 53
access-list outbound permit ip 192.160.0.2 any
access-list outbound deny ip any any
access-group outbound in interface inside

This is off the top of my head and I haven't tried this config yet. Can anyone verify?
Question by: hotdiggetydawg
7 Comments
 
LVL 36

Expert Comment

by: grblades
ID: 12583401
Hi hotdiggetydawg,
> access-list outbound permit tcp host any any eq 80
Plus HTTPS:
access-list outbound permit tcp host any any eq 443

> access-list outbound permit udp any any eq 53
> access-list outbound permit ip 192.160.0.2 any
Correct syntax is:
access-list outbound permit ip host 192.160.0.2 any

> access-list outbound deny ip any any
> access-group outbound in interface inside

What about ftp and email?
 
LVL 36

Accepted Solution

by: grblades (earned 500 total points)
ID: 12583408
Missed a couple of typos.

access-list outbound permit tcp any any eq 80
access-list outbound permit tcp any any eq 443
access-list outbound permit udp any any eq 53
access-list outbound permit ip host 192.160.0.2 any
access-list outbound deny ip any any
access-group outbound in interface inside
 
LVL 79

Expert Comment

by: lrmoore
ID: 12583546
What is your end goal? What it is that you are specifically trying to block?
Do you have a policy of "permit by exception" that you are trying to implement? What is your policy? What are the exceptions?
If no policy, then back to the first question: what is it you are trying to block outbound? Everything is permitted outbound by default with no access-lists applied. Once you do apply an ACL, then you have to be careful what you wish for, because you may find it difficult to troubleshoot. As grblades mentions above, what about email outbound, FTP, POP3, Instant Messenger, etc.? Are you restricting access to those protocols?
There are better ways to monitor/restrict users' internet habits. First and foremost is a written policy.

Author Comment

by: hotdiggetydawg
ID: 12583729
Sorry, I should have explained in more detail.

This is a home project with the goal of understanding the PIX. I plan to configure FTP and email at a later date. All I'm really interested in at the moment is the logical syntax and construct of access-lists.

My main objective at the moment is to start with a completely restricted PIX, then grant access rights as I go along.

I also read a Cisco doc stating that it is now best practice to override the default behaviour by blocking all traffic from inside to outside and only allowing required traffic to exit. Did I misread?
 
LVL 36

Expert Comment

by: grblades
ID: 12583760
Permitting only specific outbound traffic is more secure and the way that I prefer to do it. Enabling everything outbound leaves you more open to trojan programs. For example, the new virus released last week tricks people into downloading the code off the website on a high port number. A lot of virus scanners don't detect the email, but the access-lists I have defined would have stopped the virus from being able to download.
 
LVL 79

Assisted Solution

by: lrmoore (earned 500 total points)
ID: 12583799
Thanks! The picture is clear now...
No, I don't think you misread anything. There is a lot of talk within the industry about a policy of "permit by exception", which I alluded to above. Cisco's default behavior of "permit all" has come under fire recently. That is permit all OUTbound; INbound has always been by exception only.

Just keep the syntax in mind:
   access-list <name> tcp|udp|ip <source> <mask> <destination> <mask> <operator> <port>
and the construct of top-down processing. Each packet is evaluated top-down until a match is found, so the order is very important. There is an implied "deny all" at the end of any ACL, so you do not have to explicitly write it out.

The keyword "host" can be used in front of a specific IP instead of the IP address and mask 255.255.255.255, i.e.
   access-list outbound permit ip host 192.160.0.2 any
is the same as:
   access-list outbound permit ip 192.160.0.2 255.255.255.255 any

Remember to always re-apply the ACL to the interface after making any changes:
   access-group outbound in interface inside

Not so on a router, but on a PIX, an access-list can only be applied "in" on any interface.
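An added example (not from this thread or from Cisco) that applies the top-down, first-match rules lrmoore describes to the corrected list from the accepted answer: it parses PIX-style access-list lines (any, host, or address plus subnet mask, with an optional eq port), walks them in order, and falls through to the implied deny when nothing matches. The 203.0.113.x destination addresses used below are constructed documentation-range hosts, not anything from the question.

```python
import ipaddress

def _addr(tokens):
    """Consume one PIX address spec: 'any', 'host A.B.C.D' or 'A.B.C.D M.M.M.M'."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    # PIX access-lists take a real subnet mask, not an IOS-style wildcard mask
    return ipaddress.ip_network(f"{t}/{tokens.pop(0)}", strict=False)

def parse_acl(text):
    """Parse access-list lines in the order written into
    (action, proto, src_net, dst_net, dst_port) tuples; other lines are ignored."""
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[:1] != ["access-list"]:
            continue
        _, _name, action, proto, *rest = tok
        src, dst = _addr(rest), _addr(rest)
        port = int(rest[1]) if rest[:1] == ["eq"] else None
        aces.append((action, proto, src, dst, port))
    return aces

def evaluate(aces, proto, src, dst, dport=None):
    """Top-down, first-match evaluation of one packet.
    Returns (action, 1-based line number) or ('deny', None) for the implied deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, (action, aproto, anet_src, anet_dst, aport) in enumerate(aces, 1):
        if aproto != "ip" and aproto != proto:   # 'ip' matches any protocol
            continue
        if s not in anet_src or d not in anet_dst:
            continue
        if aport is not None and aport != dport:
            continue
        return action, n
    return "deny", None   # implied "deny all" at the end of every ACL

# The corrected list from the accepted answer in this thread.
ACL = parse_acl("""
access-list outbound permit tcp any any eq 80
access-list outbound permit tcp any any eq 443
access-list outbound permit udp any any eq 53
access-list outbound permit ip host 192.160.0.2 any
access-list outbound deny ip any any
""")
```

Reordering the lines (for instance moving the deny above the host entry) changes the result for 192.160.0.2, which is the ordering point made above.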
 

Author Comment

by: hotdiggetydawg
ID: 12584210
Nice one, thanks for the clarification all.