Solved

PIX access list

Posted on 2006-07-13
Last Modified: 2010-04-08
Hi,

I am new to firewalls and have some questions on access lists.

1) I want to block ICMP but allow WWW and DNS to pass through the PIX. Can I implement the access list in the following order?

access-list in_acl deny icmp any any
access-list in_acl permit tcp any host 211.211.211.211 eq www
access-list in_acl permit tcp any host 212.212.212.212 eq domain
access-list in_acl permit ip any host 213.213.213.213

2) Line 3 of the above example indicates the protocol is TCP for the DNS service. Should I change it to UDP? When shall I use TCP and when UDP?

3) If the host 213.213.213.213 is a proxy server, should I use protocol tcp instead of ip, and why?

Any help?

Thanks in advance
ngpk
Question by:ngpk
LVL 79

Expert Comment

by:lrmoore
ID: 17098962
Your acl is backwards for restricting outbound traffic.

Given that .213 is a proxy, that should be the only IP allowed out to www
Given that .212 is a DNS server, that should be the only IP allowed to forward dns
Given that .211 is an SMTP mail server
You don't need the deny at the top because of the implied deny all at the bottom of every acl. Only allow what you want.
DNS uses UDP almost exclusively. Only if you have a local DNS server that does zone transfers with another external server would you need TCP.
Here's the acl I would use:
access-list outbound_acl permit tcp host 213.213.213.213 any eq www
access-list outbound_acl permit tcp host 213.213.213.213 any eq https
access-list outbound_acl permit tcp host 213.213.213.213 any eq ftp
access-list outbound_acl permit udp host 212.212.212.212 any eq domain (dns)
access-list outbound_acl permit tcp host 211.211.211.211 any eq smtp
access-group outbound_acl in interface inside

ALL other traffic is blocked. No ICMP, no nuthin' and users are forced to use the proxy for http/https/ftp, and no other inbound acls are necessary.
What about email? Do you have an email server? It should be the only one allowed smtp out.

If I misunderstood and you want to allow inbound traffic to your DNS server (why?) and your www server then your original syntax is correct:
 access-list inbound_acl permit tcp any host 213.213.213.213 eq www
 access-list inbound_acl permit udp any host 212.212.212.212 eq domain
<etc>
I would not use "ip" to any internal host from outside - ever.
Applied to the outside interface:
  access-group inbound_acl in interface outside

Author Comment

by:ngpk
ID: 17106674
Hi lrmoore,

Actually the access-list is to be bound to the outside and inside interfaces.

There is a web server, a DNS server and a proxy server behind the PIX. I just want to allow WWW and DNS traffic to the destined servers from outside, and all other users behind the PIX make use of the proxy server to access the Internet.

So, I would like to revise the config as follows:

access-list out_intf_acl permit tcp any host 211.211.211.211 eq www
access-list out_intf_acl permit udp any host 212.212.212.212 eq domain
access-group out_intf_acl in interface outside

access-list in_intf_acl permit ip host 213.213.213.213 any
access-group in_intf_acl in interface inside

With regard to the SMTP server, I will add more entries like this and bind them to both the outside and inside interfaces:
access-list out_intf_acl permit tcp any host 212.212.212.215 eq smtp
access-list out_intf_acl permit udp host 212.212.212.212 any eq smtp

Any advice?

Thanks
ngpk

Author Comment

by:ngpk
ID: 17106694
Hi lrmoore,

The config should be this:

access-list out_intf_acl permit tcp any host 211.211.211.211 eq www
access-list out_intf_acl permit udp any host 211.211.211.212 eq domain
access-list out_intf_acl permit tcp any host 211.211.211.215 eq smtp
access-group out_intf_acl in interface outside

access-list in_intf_acl permit ip host 211.211.211.213 any
access-list in_intf_acl permit tcp host 211.211.211.215 any eq smtp
access-group in_intf_acl in interface inside

Thanks,
ngpk
LVL 79

Expert Comment

by:lrmoore
ID: 17107017
Looks like that will work!

Author Comment

by:ngpk
ID: 17144265
Hello Lrmoore,

First of all, thanks for your help.

Here I got confused about when the SMTP server is located in the DMZ. The scenario is: the SMTP server is located in the DMZ with internal IP 10.1.1.1/24 and global IP 211.211.211.215, and the computers behind the inside interface belong to network 10.1.2.0. Here are three different settings:
1) access-list out_intf_acl permit tcp any host 211.211.211.215 eq smtp
access-group out_intf_acl in interface outside
:
:
nat for smtp server
:

2) access-list out_intf_acl permit tcp any host 211.211.211.215 eq smtp
access-group out_intf_acl in interface outside

access-list dmz_intf_acl permit tcp host 10.1.1.1 eq smtp any
access-group dmz_intf_acl in interface dmz
:
:
nat for smtp server
:

3) access-list out_intf_acl permit tcp any host 211.211.211.215 eq smtp
access-group out_intf_acl in interface outside

access-list dmz_intf_acl permit tcp host 10.1.1.1 eq smtp any
access-group dmz_intf_acl in interface dmz

access-list in_intf_acl permit tcp any host 10.1.1.1 eq smtp
access-group in_intf_acl in interface inside
:
:
nat for smtp server
:

I want to make sure whether the following statement is true or not: by default, all access from a higher security level to a lower one is permitted.

If the statement is true, then #1) is OK, right?

If the statement is false, then #2) or #3) should be used, right?

Can you advise which one is right?

Thanks a lot
ngpk

LVL 79

Expert Comment

by:lrmoore
ID: 17145206
>By default all higher security level access to lower is permitted
This is TRUE
#1) is all you need unless you want to purposely restrict outgoing traffic . .

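To make lrmoore's two points concrete (first-match evaluation with the implicit deny at the bottom, and the higher-to-lower default when no list is bound), here is a small Python model added for this thread; it is not PIX code and not from either participant. It assumes first-match semantics, a trailing implicit deny, and constructed security levels of inside=100, dmz=50, outside=0, and it reads the ACL lines quoted above (with `domain` for port 53).

```python
# Added example (not from the thread): first-match model of a PIX access list and of
# the no-ACL default. Port numbers and security levels below are assumptions.
PORTS = {"www": 80, "https": 443, "ftp": 21, "domain": 53, "smtp": 25}
LEVELS = {"inside": 100, "dmz": 50, "outside": 0}  # constructed security levels

def _addr(t, i):
    """Consume 'any' or 'host X' plus an optional 'eq PORT'; return (addr, port, next index)."""
    addr, i = (None, i + 1) if t[i] == "any" else (t[i + 1], i + 2)
    port = None
    if i < len(t) and t[i] == "eq":
        port, i = PORTS[t[i + 1]], i + 2
    return addr, port, i

def parse_ace(line):
    """Parse 'access-list NAME permit|deny PROTO SRC [eq P] DST [eq P]' into a tuple."""
    t = line.split()
    src, sport, i = _addr(t, 4)
    dst, dport, _ = _addr(t, i)
    return t[2], t[3], src, sport, dst, dport

def ace_matches(ace, pkt):
    """pkt is a dict with proto, src, dst and optional sport/dport; None in the ACE means any."""
    _, proto, src, sport, dst, dport = ace
    return (proto in ("ip", pkt["proto"]) and src in (None, pkt["src"]) and dst in (None, pkt["dst"])
            and sport in (None, pkt.get("sport")) and dport in (None, pkt.get("dport")))

def evaluate_acl(aces, pkt):
    """First match wins; falling off the end hits the implicit deny at the bottom."""
    for ace in aces:
        if ace_matches(ace, pkt):
            return ace[0] == "permit"
    return False

def interface_allows(aces, pkt, ingress, egress):
    """No ACL bound: only higher-to-lower security level passes. ACL bound: the ACL decides."""
    if aces is None:
        return LEVELS[ingress] > LEVELS[egress]
    return evaluate_acl(aces, pkt)

# The poster's original list and lrmoore's outbound list, copied from the thread above.
ORIGINAL = [parse_ace(l) for l in (
    "access-list in_acl deny icmp any any",
    "access-list in_acl permit tcp any host 211.211.211.211 eq www",
    "access-list in_acl permit tcp any host 212.212.212.212 eq domain",
    "access-list in_acl permit ip any host 213.213.213.213")]
OUTBOUND = [parse_ace(l) for l in (
    "access-list outbound_acl permit tcp host 213.213.213.213 any eq www",
    "access-list outbound_acl permit udp host 212.212.212.212 any eq domain")]
```

Running a UDP query against ORIGINAL shows why the `tcp ... eq domain` line never lets real DNS through, and dropping the explicit `deny icmp` line changes nothing because the implicit deny already catches it.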

Author Comment

by:ngpk
ID: 17147517
Thanks lrmoore. When I apply #1), does it allow all of the following:
a) any Internet computer can send mail to the SMTP server when a NAT is properly defined for the server.
b) any computer behind the inside interface can send mail to the SMTP server.
c) the SMTP server can deliver mail to other Internet SMTP servers.

Thanks,
ngpk
LVL 79

Accepted Solution

by:
lrmoore earned 125 total points
ID: 17148479
a) yes
b) yes
c) yes