  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 590

PIX 515 config

Can someone please explain what ip any any (hitcnt=4320) means?
I'm sure ip means ip and any any means anywhere. Firewalls I have configured in the past have had a port range and I don't understand the (hitcnt=4320)

sh access-list 120
access-list 120; 4 elements
access-list 120 line 1 permit icmp any any (hitcnt=61)
access-list 120 line 2 permit ip any any (hitcnt=4320)
access-list 120 line 3 permit tcp any any (hitcnt=0)
access-list 120 line 4 permit udp any any (hitcnt=0)

 515#

Thanks,
Donnie
0
1 Solution
 
nodiscoCommented:
hitcnt is a hitcount.  It shows how many times the specific access-list has been referenced. i.e. if your access-list 120 were applied in on your outside interface, it would show that ip traffic from "any" address had got in via this access-list 4320 times.
0
 
Donnie4572Author Commented:
Suppose I wanted to open port 1433 from dmz to inside.

do I do this?
access-list 120 line 5 permit tcp dmz inside 1433

What if I wanted to use port range? Do I do this?
access-list 120 line 5 permit tcp dmz inside 1433-1435


515# sh access-group
access-group 110 in interface outside
access-group 120 in interface dmz

 515#

0
 
lrmooreCommented:
Access-lists depend on the order of listing...

In your case:
access-list 120 line 1 permit icmp any any (hitcnt=61)  <== all icmp messages from any source to any destination
access-list 120 line 2 permit ip any any (hitcnt=4320)   <== any/all IP connections from any source to any destination
access-list 120 line 3 permit tcp any any (hitcnt=0)  <== no hits because both tcp and udp are covered by IP in line 2
access-list 120 line 4 permit udp any any (hitcnt=0) <== ditto

Another thing to point out is that with this access-list applied to the dmz interface, it has absolutely no functional value.
If you remove the "access-group 120 in interface dmz" command, you will not change anything in the way the firewall functions. Permitting "ip any any" outbound is default behavior with implicit access-list, as long as traffic is going from the higher security interface to a lower security interface (dmz to outside, inside to dmz or outside).

In order for traffic to go from a lower security interface, you *must* include an access-list

There is also an implied "deny any any" at the end of any access-list whether it is expressly written or not. Consider the following:

>Suppose I wanted to open port 1433 from dmz to inside.
Now, according to the rules of the game, we *must* use an access-list

 access-list 120 permit tcp <dmz subnet> <mask> <inside subnet> <mask> range 1433 1435

If being applied to the outside interface, this would be all we need. However, if we apply it as is to the dmz interface, no dmz host would be able to browse the web, surf the internet, serve web pages, get email, etc.. all because of the implied deny all

Additionally, to communicate from dmz to inside, you *must* have a static xlate...
  static (inside,dmz) <inside subnet> <inside subnet> netmask <mask>
Given, for example:
 inside LAN subnet = 192.168.222.0 /24
 dmz LAN subnet = 172.16.16.0 /24

Now, we can finish the access-list thusly:
 static (inside,dmz) 192.168.222.0 192.168.222.0 netmask 255.255.255.0
 access-list 120 permit tcp 172.16.16.0 255.255.255.0 192.168.222.0 255.255.255.0 range 1433 1435
 access-list 120 deny ip 172.16.16.0 255.255.255.0 192.168.222.0 255.255.255.0
 access-list 120 permit ip 172.16.16.0 255.255.255.0 any

! done !



 
0
 
Donnie4572Author Commented:
Thanks for replies.
Very good information lrmoore!

I have worked with Symantec Enterprise Firewall for years and thought this pix would be a piece of cake, boy was I wrong.

I guess I'm losing it here: "access-group 120 in interface dmz" does this mean that access-list 120 controls traffic to the dmz? Or From the dmz?

What can you recommend? Should I remove all lines from access-list 120 and insert:
something like this?
static (inside,dmz) 192.168.222.0 192.168.222.0 netmask 255.255.255.0
access-list 120 permit tcp 172.16.16.0 255.255.255.0 192.168.222.0 255.255.255.0 range 1433 1435
 access-list 120 deny ip 172.16.16.0 255.255.255.0 192.168.222.0 255.255.255.0
 access-list 120 permit ip 172.16.16.0 255.255.255.0 any
Then if I did that...If I'm reading this right; this access-list will not allow any host on the dmz to access any host anywhere except 192.168.222.0 255.255.255.0 range 1433 1435
Is this correct?

If this is correct: suppose I wanted to telnet from dmz host 172.16.16.5 to inside host 192.168.222.5 then I change the above access-list to this....

access-list 120 permit tcp 172.16.16.0 255.255.255.0 192.168.222.0 255.255.255.0 range 1433 1435
access-list 120 permit tcp 172.16.16.5 255.255.255.255 192.168.222.5 255.255.255.255 23
 access-list 120 deny ip 172.16.16.0 255.255.255.0 192.168.222.0 255.255.255.0
 access-list 120 permit ip 172.16.16.0 255.255.255.0 any

Is this correct?


Thanks for your help.

Donnie



0
 
lrmooreCommented:
>"access-group 120 in interface dmz" does this mean that access-list 120 controls traffic to the dmz? Or From the dmz?
FROM the dmz

>...If I'm reading this right; this access-list will not allow any host on the dmz to access any host anywhere except 192.168.222.0 255.255.255.0 range 1433 1435
>Is this correct?
Not quite. It will ONLY allow SQL traffic from the DMZ to the inside LAN. NO other traffic - between the dmz and the inside - yet all dmz hosts can still get outside to browse and serve up their pages, etc..

>suppose I wanted to telnet from dmz host 172.16.16.5 to inside host 192.168.222.5 then I change the above access-list to this....
Yes, close, but no cigar. You need an operand before the port

access-list 120 permit tcp 172.16.16.5 255.255.255.255 192.168.222.5 255.255.255.255 eq 23
                                                                                     ^^
                                                                                     destination port equals 23

I think you're getting the hang of this acl thing...

0
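An added example, not code from the thread or from Cisco, that works through two points lrmoore makes above: why lines 3 and 4 of the original access-list 120 show hitcnt=0 (line 2's `permit ip any any` already matches every packet they could, so they are never reached, and the implicit deny sits after the last line), and what Donnie's corrected dmz list does for a given flow once `eq 23` is in place. It parses both `show access-list` output and plain config lines, evaluates first-match with the implicit deny, reports shadowed lines, and models the PIX default that an interface with no access-group bound only passes traffic from a higher security level to a lower one. The two access-lists are copied from the thread; the security levels (outside 0, dmz 50, inside 100; the thread never states the dmz level) and the flows under `__main__` are assumptions.

```python
"""PIX first-match access-list evaluation, implicit deny, and shadowed-ACE detection.
Added example for this thread (not from the posts or from Cisco); the two lists below
are copied from the thread, the security levels and the flows in __main__ are assumed."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"www": 80, "https": 443, "ssh": 22, "ftp": 21, "smtp": 25,
              "pop3": 110, "domain": 53, "telnet": 23}   # service names used in the thread
LEVELS = {"outside": 0, "dmz": 50, "inside": 100}       # assumed; the dmz level is not stated

SHOW_ACL_120 = """
access-list 120 line 1 permit icmp any any (hitcnt=61)
access-list 120 line 2 permit ip any any (hitcnt=4320)
access-list 120 line 3 permit tcp any any (hitcnt=0)
access-list 120 line 4 permit udp any any (hitcnt=0)
"""
PROPOSED_ACL_120 = """
access-list 120 permit tcp 172.16.16.0 255.255.255.0 192.168.222.0 255.255.255.0 range 1433 1435
access-list 120 permit tcp 172.16.16.5 255.255.255.255 192.168.222.5 255.255.255.255 eq 23
access-list 120 deny ip 172.16.16.0 255.255.255.0 192.168.222.0 255.255.255.0
access-list 120 permit ip 172.16.16.0 255.255.255.0 any
"""

@dataclass
class Ace:
    action: str                 # permit / deny
    proto: str                  # ip, tcp, udp or icmp
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    ports: Optional[range]      # destination ports for tcp/udp; None = any
    hitcnt: int = 0             # from "show access-list"; 0 for plain config lines

def _port(tok):
    return PORT_NAMES.get(tok) or int(tok)

def _addr(t, i):
    """Consume 'any', 'host A' or 'A MASK' at t[i]; return (network, next index)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2

def parse_ace(line):
    """Parse a config line or a 'show access-list' line (ICMP message types are ignored)."""
    m = re.search(r"\(hitcnt=(\d+)\)", line)
    t = re.sub(r"\(hitcnt=\d+\)|\bline \d+\b", "", line).split()
    src, i = _addr(t, 4)
    dst, i = _addr(t, i)
    ports = None
    if i < len(t) and t[i] == "eq":
        ports = range(_port(t[i + 1]), _port(t[i + 1]) + 1)
    elif i < len(t) and t[i] == "range":
        ports = range(_port(t[i + 1]), _port(t[i + 2]) + 1)
    return Ace(t[2], t[3], src, dst, ports, int(m.group(1)) if m else 0)

def parse_acl(text):
    return [parse_ace(l) for l in text.splitlines() if l.strip()]

def first_match(aces, proto, src_ip, dst_ip, dport=None):
    """(line number, ACE) of the first match, or (None, None) for the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for n, a in enumerate(aces, 1):
        if a.proto not in ("ip", proto) or s not in a.src or d not in a.dst:
            continue
        if a.ports is not None and (dport is None or dport not in a.ports):
            continue
        return n, a
    return None, None

def permitted(aces, proto, src_ip, dst_ip, dport=None):
    _, a = first_match(aces, proto, src_ip, dst_ip, dport)
    return a is not None and a.action == "permit"

def covers(wide, narrow):
    """True when every packet matching `narrow` already matches `wide`."""
    if wide.proto not in ("ip", narrow.proto):
        return False
    if wide.ports is not None and (narrow.ports is None or
            narrow.ports.start < wide.ports.start or narrow.ports.stop > wide.ports.stop):
        return False
    return narrow.src.subnet_of(wide.src) and narrow.dst.subnet_of(wide.dst)

def shadowed(aces):
    """Line numbers that can never be hit because a single earlier line covers them."""
    return [n for n, a in enumerate(aces, 1) if any(covers(w, a) for w in aces[:n - 1])]

def passes(acl_by_if, ingress, egress, proto, src_ip, dst_ip, dport=None):
    """A bound access-group decides; with none bound only higher -> lower security passes."""
    if ingress in acl_by_if:
        return permitted(acl_by_if[ingress], proto, src_ip, dst_ip, dport)
    return LEVELS[ingress] > LEVELS[egress]

if __name__ == "__main__":
    print("never-hit lines in show output:", shadowed(parse_acl(SHOW_ACL_120)))
    bound = {"dmz": parse_acl(PROPOSED_ACL_120)}
    for flow in [("inside", "tcp", "172.16.16.5", "192.168.222.5", 23),
                 ("inside", "tcp", "172.16.16.9", "192.168.222.5", 23),
                 ("inside", "tcp", "172.16.16.9", "192.168.222.5", 1434),
                 ("outside", "tcp", "172.16.16.9", "203.0.113.10", 80)]:
        print("dmz ->", flow, passes(bound, "dmz", *flow))
    print("inside -> dmz, nothing bound:", passes({}, "inside", "dmz", "tcp", "192.168.222.5", "172.16.16.5", 445))
```

The shadow check is per line (one earlier line covering the whole later line), which is exactly the hitcnt=0 case here; a later line covered only by the union of several earlier lines is not reported. ICMP message types are ignored, so an ACE such as `permit icmp any any echo-reply` parses as plain icmp.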
 
Donnie4572Author Commented:
Ah. You are the man!
Thanks for quick response.

I have inspected a little and it seems that from the dmz any host can access anything on the inside. I have only been here 2 weeks and while I'm reluctant to make drastic changes wouldn't you say this is defeating the purpose of a dmz?

all dmz hosts can still get outside to browse and serve up their pages, etc..
I'm sure this is what I want. right?

As for (from outside to access a host on the dmz) this needs access-list right?

sh static
static (inside,outside) 61.151.204.219 10.1.9.101 netmask 255.255.255.255 100 50
static (dmz,outside) 61.151.204.214 192.168.18.3 netmask 255.255.255.255 0 0
static (dmz,outside) 61.151.204.216 192.168.18.4 netmask 255.255.255.255 0 0
static (inside,dmz) 10.1.9.0 10.1.9.0 netmask 255.255.255.0 0 0
static (dmz,outside) 61.151.204.217 192.168.18.7 netmask 255.255.255.255 0 0
static (dmz,outside) 61.151.204.218 192.168.18.8 netmask 255.255.255.255 0 0
static (inside,outside) 61.151.204.220 10.1.1.170 netmask 255.255.255.255 0 0
static (inside,outside) 61.151.204.213 10.1.9.136 netmask 255.255.255.255 0 0
static (inside,outside) 61.151.204.215 10.1.9.3 netmask 255.255.255.255 0 0
static (dmz,outside) 61.151.204.212 192.168.18.11 netmask 255.255.255.255 0 0
static (inside,dmz) 10.1.10.0 10.1.10.0 netmask 255.255.255.0 0 0

access-group 110 in interface outside

access-list 110 permit icmp any any
access-list 110 permit tcp any host 61.151.204.212 eq smtp
access-list 110 permit tcp any host 61.151.204.212 eq www
access-list 110 permit tcp any host 61.151.204.212 eq pop3
access-list 110 permit tcp any host 61.151.204.214 eq ftp
access-list 110 permit tcp any host 61.151.204.214 eq www
access-list 110 permit tcp any host 61.151.204.214 eq 3389
access-list 110 permit tcp any host 61.151.204.215 eq www
access-list 110 permit tcp any host 61.151.204.219 eq citrix-ica
access-list 110 permit tcp any host 61.151.204.219 eq 1604
access-list 110 permit tcp any host 61.151.204.216 eq ftp
access-list 110 permit tcp any host 61.151.204.216 eq www
access-list 110 permit tcp any host 61.151.204.213 eq ssh
access-list 110 permit tcp any host 61.151.204.213 eq www
access-list 110 permit tcp any host 61.151.204.217 eq ftp
access-list 110 permit tcp any host 61.151.204.217 eq www
access-list 110 permit tcp any host 61.151.204.217 eq 3389
access-list 110 permit udp any host 61.151.204.218 eq domain
access-list 110 permit tcp any host 61.151.204.218 eq domain
access-list 110 permit tcp any host 61.151.204.220 eq www
access-list 110 permit tcp any host 61.151.204.220 eq https
access-list 110 permit tcp any host 61.151.204.214 eq https
access-list 110 permit tcp any host 61.151.204.220 eq 8080
access-list 110 permit tcp any host 61.151.204.214 eq ssh
access-list 110 permit tcp any host 61.151.204.214 eq 1433
access-list 110 permit tcp any host 61.151.204.215 eq domain
access-list 110 permit tcp any host 61.151.204.215 eq smtp
access-list 110 permit tcp any host 61.151.204.215 eq pop3

61.151 this is outside
192.168 this is dmz
10.1.10 and 10.1.9 are inside 10.1.10 has security of 90 and 10.1.9 has security of 100

This all looks right to me except  access-list 110 permit icmp any any  

would you change this?

Thanks for your help.
Donnie
0
 
lrmooreCommented:
>wouldn't you say this is defeating the purpose of a dmz?
Pretty much, yes.

>all dmz hosts can still get outside to browse and serve up their pages, etc..
I'm sure this is what I want. right?
Absolutely...

>As for (from outside to access a host on the dmz) this needs access-list right?
Yes, both static and access-list permissions are required.

>static (inside,outside) 61.151.204.219 10.1.9.101 netmask 255.255.255.255 100 50
>static (dmz,outside) 61.151.204.214 192.168.18.3 netmask 255.255.255.255 0 0
I'm concerned that you have both internal hosts and dmz hosts "exposed" to the Internet. Sort of -again- defeats the purpose of having the dmz in the first place...

>This all looks right to me except  access-list 110 permit icmp any any  
>would you change this?
Yes, I would restrict icmp to
  no access-list 110 permit icmp any any
  access-list 110 permit icmp any any echo-reply
  access-list 110 permit icmp any any unreachable
  access-list 110 permit icmp any any time-exceeded


0
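To make lrmoore's concern about inside hosts being exposed concrete, here is an added audit script (not from the thread, and not Cisco's) that takes the statics and access-list 110 Donnie posted, follows each permitted public address back through its static, and lists every real host reachable from the outside grouped by the interface it sits behind, plus any wildcard permits such as `icmp any any` that hit every static at once. Only the ACE shapes that appear in that list (`<proto> any host X eq PORT` and `<proto> any any`) are parsed; anything else is returned as unparsed rather than dropped. The config text is the page's own; the `(no static)` label is a hypothetical marker for a permit whose address has no translation behind it.

```python
"""Which real hosts a PIX exposes to the outside, and on which services.
Added example for this thread (not from the posts or from Cisco). The config text is
the 'sh static' and access-list 110 output posted above; everything else is assumed."""
import re
from collections import defaultdict

CONFIG = """
static (inside,outside) 61.151.204.219 10.1.9.101 netmask 255.255.255.255 100 50
static (dmz,outside) 61.151.204.214 192.168.18.3 netmask 255.255.255.255 0 0
static (dmz,outside) 61.151.204.216 192.168.18.4 netmask 255.255.255.255 0 0
static (dmz,outside) 61.151.204.217 192.168.18.7 netmask 255.255.255.255 0 0
static (dmz,outside) 61.151.204.218 192.168.18.8 netmask 255.255.255.255 0 0
static (inside,outside) 61.151.204.220 10.1.1.170 netmask 255.255.255.255 0 0
static (inside,outside) 61.151.204.213 10.1.9.136 netmask 255.255.255.255 0 0
static (inside,outside) 61.151.204.215 10.1.9.3 netmask 255.255.255.255 0 0
static (dmz,outside) 61.151.204.212 192.168.18.11 netmask 255.255.255.255 0 0
access-group 110 in interface outside
access-list 110 permit icmp any any
access-list 110 permit tcp any host 61.151.204.212 eq smtp
access-list 110 permit tcp any host 61.151.204.212 eq www
access-list 110 permit tcp any host 61.151.204.212 eq pop3
access-list 110 permit tcp any host 61.151.204.214 eq ftp
access-list 110 permit tcp any host 61.151.204.214 eq www
access-list 110 permit tcp any host 61.151.204.214 eq 3389
access-list 110 permit tcp any host 61.151.204.215 eq www
access-list 110 permit tcp any host 61.151.204.219 eq citrix-ica
access-list 110 permit tcp any host 61.151.204.219 eq 1604
access-list 110 permit tcp any host 61.151.204.216 eq ftp
access-list 110 permit tcp any host 61.151.204.216 eq www
access-list 110 permit tcp any host 61.151.204.213 eq ssh
access-list 110 permit tcp any host 61.151.204.213 eq www
access-list 110 permit tcp any host 61.151.204.217 eq ftp
access-list 110 permit tcp any host 61.151.204.217 eq www
access-list 110 permit tcp any host 61.151.204.217 eq 3389
access-list 110 permit udp any host 61.151.204.218 eq domain
access-list 110 permit tcp any host 61.151.204.218 eq domain
access-list 110 permit tcp any host 61.151.204.220 eq www
access-list 110 permit tcp any host 61.151.204.220 eq https
access-list 110 permit tcp any host 61.151.204.214 eq https
access-list 110 permit tcp any host 61.151.204.220 eq 8080
access-list 110 permit tcp any host 61.151.204.214 eq ssh
access-list 110 permit tcp any host 61.151.204.214 eq 1433
access-list 110 permit tcp any host 61.151.204.215 eq domain
access-list 110 permit tcp any host 61.151.204.215 eq smtp
access-list 110 permit tcp any host 61.151.204.215 eq pop3
"""

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)")
GROUP_RE = re.compile(r"^access-group (\d+) in interface (\w+)$")
# Only the ACE shapes used in access-list 110: "<proto> any host X [eq P]" and "<proto> any any".
ACE_RE = re.compile(r"^access-list (\d+) (permit|deny) (\w+) any (?:host (\S+)|any)(?: eq (\S+))?$")

def parse_config(text):
    """Return statics keyed by (low_if, global_ip), ACEs by list id, bindings, unparsed lines."""
    statics, aces, bindings, unparsed = {}, defaultdict(list), {}, []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        m = STATIC_RE.match(line)
        if m:
            high, low, glob, local, _mask = m.groups()
            statics[(low, glob)] = (high, local)
            continue
        m = GROUP_RE.match(line)
        if m:
            bindings[m.group(2)] = m.group(1)
            continue
        m = ACE_RE.match(line)
        if m:
            acl, action, proto, dst, port = m.groups()
            aces[acl].append((action, proto, dst, port))
            continue
        unparsed.append(line)          # never drop a line silently in an audit
    return statics, aces, bindings, unparsed

def exposure(text, low_if="outside"):
    """interface -> real host -> services permitted from low_if, plus wildcard ACEs
    (which apply to every static) and lines the parser did not understand."""
    statics, aces, bindings, unparsed = parse_config(text)
    exposed = defaultdict(lambda: defaultdict(list))
    wildcard = []
    for action, proto, dst, port in aces.get(bindings.get(low_if), []):
        if action != "permit":
            continue
        if dst is None:
            wildcard.append(f"{proto} any any" + (f" eq {port}" if port else ""))
            continue
        # "(no static)" is a hypothetical marker for a permit with no translation behind it
        high, local = statics.get((low_if, dst), ("(no static)", dst))
        exposed[high][local].append(f"{proto}/{port}")
    return exposed, wildcard, unparsed

if __name__ == "__main__":
    exposed, wildcard, unparsed = exposure(CONFIG)
    for iface in sorted(exposed):
        for host, services in exposed[iface].items():
            print(f"{iface:8} {host:15} {', '.join(services)}")
    print("wildcard permits (hit every static):", wildcard)
    print("unparsed:", unparsed)
```

Running it groups four inside hosts (10.1.9.101, 10.1.1.170, 10.1.9.136 and 10.1.9.3) under `inside` next to the five dmz hosts, which is the split lrmoore is pointing at, and the one wildcard result is the `icmp any any` line he recommends narrowing to echo-reply, unreachable and time-exceeded.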
 
Donnie4572Author Commented:
I have two subnets 10.1.9 and 10.1.10
I setup the 10.1.10 network yesterday.

from a host in the dmz I can ping any host on the 10.1.9 but I cannot ping anything on the 10.1.10

from a cisco 2600 10.1.10 interface I can ping any dmz host.

So I need to create access list?

static (new,dmz) 10.1.10.0 10.1.10.0 netmask 255.255.255.0
 access-list 130 permit icmp 172.16.16.0 255.255.255.0 192.168.222.0 255.255.255.0
 access-list 130 deny ip 172.16.16.0 255.255.255.0 192.168.222.0 255.255.255.0
 access-list 130 permit ip 172.16.16.0 255.255.255.0 any
access-group 130 in interface new

is this correct? will this allow ping from dmz to 10.1.10.0?
is the syntax right?.."access-group 130 in interface new"

Thanks,
Donnie
0
 
lrmooreCommented:
OK, I'm confused. Did you setup a VLAN interface, called it "new" ?

You already have a static for 10.1.10.0 from the inside to the dmz..
static (inside,dmz) 10.1.10.0 10.1.10.0 netmask 255.255.255.0 0 0

Whatever acl you have applied to the dmz interface would have to include access to 10.1.10.0...
i.e.

  access-list 120 permit ip 192.168.18.0 255.255.255.0 10.1.10.0 255.255.255.0

assuming that acl 120 is bound to the dmz interface
  access-group 120 in interface dmz

If you truly do have an interface "new".....
  no static (inside,dmz) 10.1.10.0 10.1.10.0 netmask 255.255.255.0 0 0
  static (new,dmz) 10.1.10.0 10.1.10.0 netmask 255.255.255.0

No need to apply acl to "new" because from new --> dmz = higher --> lower = no acl required
                                           dmz --> new = lower --> higher = acl required, applied to "lower" dmz interface in

Only apply acl to "new" for traffic between inside-->new
I hope you don't need that. Too many interfaces with traffic going too many directions gets complicated quickly for the uninitiated...





0
 
Donnie4572Author Commented:
Sorry, The new subnet I added is 10.1.11.0
I added the following; and you are right again it works and no acl needed. I think I see a little better now.


static (new,dmz) 10.1.10.0 10.1.11.0 netmask 255.255.255.0

Thanks a lot I really appreciate all your help.
0
 
Donnie4572Author Commented:
lrmoore,

If you have a chance, would you take a look at this question?

Thanks,
Donnie


http://www.experts-exchange.com/Security/Firewalls/Q_21405910.html
0
