Solved

PIX access list

Posted on 2006-07-13
480 Views
Last Modified: 2010-04-08
Hi,

I am new to firewalls and have some questions on access lists.

1) I want to block ICMP but allow WWW and DNS to pass through the PIX. Can I implement the access list in the following order?

access-list in_acl deny icmp any any
access-list in_acl permit tcp any host 211.211.211.211 eq www
access-list in_acl permit tcp any host 212.212.212.212 eq domain
access-list in_acl permit ip any host 213.213.213.213

2) Line 3 of the above example uses protocol tcp for the DNS service. Should I change it to udp? When should I use tcp and when udp?

3) If the host 213.213.213.213 is a proxy server, should I use protocol tcp instead of ip, and why?

Any help?

Thanks in advance
ngpk
Question by:ngpk
9 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 17098962
Your acl is backwards to restrict outbound traffic.

Given that .213 is a proxy, that should be the only IP allowed out to www
Given that .212 is a DNS server, that should be the only IP allowed to forward dns
Given that .211 is an SMTP mail server
You don't need the deny at the top because of the implied deny all at the bottom of every acl. Only allow what you want.
DNS uses UDP almost exclusively. Only if you have a local DNS server that does zone transfers with another external server would you need TCP.
Here's the acl I would use:
access-list outbound_acl permit tcp host 213.213.213.213 any eq www
access-list outbound_acl permit tcp host 213.213.213.213 any eq https
access-list outbound_acl permit tcp host 213.213.213.213 any eq ftp
access-list outbound_acl permit udp host 212.212.212.212 any eq domain (dns)
access-list outbound_acl permit tcp host 211.211.211.211 any eq smtp
access-group outbound_acl in interface inside

ALL other traffic is blocked. No ICMP, no nuthin' and users are forced to use the proxy for http/https/ftp, and no other inbound acls are necessary.
What about email? Do you have an email server? It should be the only one allowed smtp out.

If I misunderstood and you want to allow inbound traffic to your DNS server (why?) and your www server then your original syntax is correct:
 access-list inbound_acl permit tcp any host 213.213.213.213 eq www
 access-list inbound_acl permit udp any host 212.212.212.212 eq domain
<etc>
I would not use "ip" to any internal host from outside - ever.
applied to the outside interface
  access-group inbound_acl in interface outside
 

Author Comment

by:ngpk
ID: 17106674
Hi lrmoore,

Actually the access-list is to be bound to outside and inside interfaces.

There are a web server, a DNS server and a proxy server behind the PIX. I just want to allow www and dns traffic from outside to the destined servers, and all other users behind the PIX make use of the proxy server to access the Internet.

So, I would like to revise the config as follows:

access-list out_intf_acl permit tcp any host 211.211.211.211 eq www
access-list out_intf_acl permit udp any host 212.212.212.212 eq domain
access-group out_intf_acl in interface outside

access-list in_intf_acl permit ip host 213.213.213.213 any
access-group in_intf_acl in interface inside

With regard to the smtp server, I will add more entries like this and bind them to both outside and inside interfaces:
access-list out_intf_acl permit tcp any host 212.212.212.215 eq smtp
access-list out_intf_acl permit udp host 212.212.212.212 any eq smtp

Any advice?

Thanks
ngpk
 

Author Comment

by:ngpk
ID: 17106694
Hi lrmoore,

The config should be this:

access-list out_intf_acl permit tcp any host 211.211.211.211 eq www
access-list out_intf_acl permit udp any host 211.211.211.212 eq domain
access-list out_intf_acl permit tcp any host 211.211.211.215 eq smtp
access-group out_intf_acl in interface outside

access-list in_intf_acl permit ip host 211.211.211.213 any
access-list in_intf_acl permit tcp host 211.211.211.215 any eq smtp
access-group in_intf_acl in interface inside

Thanks,
ngpk
 
LVL 79

Expert Comment

by:lrmoore
ID: 17107017
Looks like that will work!
 

Author Comment

by:ngpk
ID: 17144265
Hello Lrmoore,

First of all, thanks for your help.

Here I got confused about the case when the smtp server is located in the DMZ. The scenario is: the smtp server is located in the DMZ with internal IP 10.1.1.1/24 and global IP 211.211.211.215, and the computers behind the inside interface belong to network 10.1.2.0. Here are three different settings below:
1) access-list out_intf_acl permit tcp any host 211.211.211.215 eq smtp
access-group out_intf_acl in interface outside
:
:
nat for smtp server
:

2) access-list out_intf_acl permit tcp any host 211.211.211.215 eq smtp
access-group out_intf_acl in interface outside

access-list dmz_intf_acl permit tcp host 10.1.1.1 eq smtp any
access-group dmz_intf_acl in interface dmz
:
:
nat for smtp server
:

3) access-list out_intf_acl permit tcp any host 211.211.211.215 eq smtp
access-group out_intf_acl in interface outside

access-list dmz_intf_acl permit tcp host 10.1.1.1 eq smtp any
access-group dmz_intf_acl in interface dmz

access-list in_intf_acl permit tcp any host 10.1.1.1 eq smtp
access-group in_intf_acl in interface inside
:
:
nat for smtp server
:

I want to make sure whether the statement is true or not: By default all higher security level access to lower is permitted.

If the statement is true, then #1) is ok, right?

If the statement is false, then #2) or #3) should be used, right?

Can you advise which one is right?

Thanks a lot
ngpk

 
LVL 79

Expert Comment

by:lrmoore
ID: 17145206
>By default all higher security level access to lower is permitted
This is TRUE
#1) is all you need unless you want to purposely restrict outgoing traffic . .

 

Author Comment

by:ngpk
ID: 17147517
Thanks lrmoore. When I apply #1), does it allow all of the following:
a) any Internet computer can send mail to the smtp server when a nat is properly defined for the server.
b) any computer behind the inside interface can send mail to the smtp server
c) the smtp server can deliver mail to other Internet smtp servers.

Thanks,
ngpk
 
LVL 79

Accepted Solution

by:
lrmoore earned 375 total points
ID: 17148479
a)yes
b)yes
c)yes
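The two rules this whole thread turns on are lrmoore's point in the first reply (an ACL is evaluated top-down with an implicit deny at the end, so the leading `deny icmp` adds nothing) and the answer to the last question (with no ACL bound to an interface, the PIX passes traffic only from a higher security level to a lower one, which is why setting #1 alone gives a), b) and c)). The Python model below is an added, constructed example for this page; it is not code from the thread and not Cisco code. Interface names, the security levels 0/50/100, the external addresses 203.0.113.5 and 198.51.100.25 and the inside host 10.1.2.10 are assumptions, and NAT is deliberately left out (the static translation for the DMZ mail server that the thread mentions is taken as given), so the outside ACL is checked against the server's global IP as on the real box.

```python
"""Toy model of the PIX behaviour discussed in this thread (constructed example, not
Cisco code). An ACL bound with 'access-group NAME in interface IF' is evaluated
top-down, first match wins, and anything unmatched hits the implicit deny; an interface
with no inbound ACL passes traffic only from a higher security level to a lower one."""
from collections import namedtuple

# PIX port literals used in this thread (assumption: only these are needed here)
PORT_NAMES = {"www": 80, "https": 443, "ftp": 21, "smtp": 25, "domain": 53}
Packet = namedtuple("Packet", "proto src dst dport sport", defaults=(0, 0))

def parse_ace(line):
    """Parse 'access-list NAME permit|deny PROTO SRC [eq P] DST [eq P]'; only the
    'any' and 'host A.B.C.D' address forms used in the thread are handled."""
    tok = line.split()
    name, action, proto = tok[1], tok[2], tok[3]
    i, parts = 4, []                                 # parts -> [src, sport, dst, dport]
    for _ in range(2):
        if tok[i] == "any":
            parts.append(None); i += 1
        else:                                        # 'host A.B.C.D'
            parts.append(tok[i + 1]); i += 2
        if i < len(tok) and tok[i] == "eq":          # optional port literal
            parts.append(PORT_NAMES[tok[i + 1]]); i += 2
        else:
            parts.append(None)
    return name, (action, proto, *parts)

def ace_matches(ace, pkt):
    _, proto, src, sport, dst, dport = ace
    return ((proto == "ip" or proto == pkt.proto) and src in (None, pkt.src)
            and dst in (None, pkt.dst) and sport in (None, pkt.sport) and dport in (None, pkt.dport))

def evaluate_acl(aces, pkt):
    """Top-down, first match wins; no match falls through to the implicit deny."""
    for ace in aces:
        if ace_matches(ace, pkt):
            return ace[0] == "permit"
    return False

class Pix:
    def __init__(self, levels):
        self.levels = levels  # interface -> security level (assumed: outside 0, dmz 50, inside 100)
        self.acls, self.bound = {}, {}  # acl name -> ACEs in order; ingress interface -> acl name

    def configure(self, config):
        for line in config.splitlines():
            tok = line.split()
            if tok and tok[0] == "access-list":
                name, ace = parse_ace(line)
                self.acls.setdefault(name, []).append(ace)
            elif tok and tok[0] == "access-group":   # access-group NAME in interface IF
                self.bound[tok[4]] = tok[1]

    def allows(self, pkt, ingress, egress):
        """A bound inbound ACL decides alone; otherwise only higher -> lower passes."""
        acl = self.bound.get(ingress)
        if acl is not None:
            return evaluate_acl(self.acls[acl], pkt)
        return self.levels[ingress] > self.levels[egress]

# Setting #1 from the thread: one ACL on outside, nothing bound on dmz or inside.
SCENARIO_1 = """access-list out_intf_acl permit tcp any host 211.211.211.215 eq smtp
access-group out_intf_acl in interface outside"""

def check_scenario_1():
    pix = Pix({"outside": 0, "dmz": 50, "inside": 100})
    pix.configure(SCENARIO_1)
    internet, remote_mx = "203.0.113.5", "198.51.100.25"   # constructed external hosts
    return {
        # a) Internet -> mail server on its global IP: permitted by out_intf_acl
        "a_inbound_smtp": pix.allows(Packet("tcp", internet, "211.211.211.215", 25), "outside", "dmz"),
        # b) inside (100) -> dmz (50) and c) dmz (50) -> outside (0): no ACL bound, higher to lower passes
        "b_inside_to_smtp": pix.allows(Packet("tcp", "10.1.2.10", "10.1.1.1", 25), "inside", "dmz"),
        "c_smtp_outbound": pix.allows(Packet("tcp", "10.1.1.1", remote_mx, 25), "dmz", "outside"),
        # www to the web server is not in out_intf_acl, so it falls through to the implicit deny
        "other_inbound_www": pix.allows(Packet("tcp", internet, "211.211.211.211", 80), "outside", "inside"),
    }

# The original question's ACL with and without its leading 'deny icmp': ICMP is
# dropped either way because of the implicit deny at the end of the list.
ORIGINAL_ACL = """access-list in_acl deny icmp any any
access-list in_acl permit tcp any host 211.211.211.211 eq www
access-list in_acl permit tcp any host 212.212.212.212 eq domain
access-list in_acl permit ip any host 213.213.213.213
access-group in_acl in interface outside"""

def explicit_deny_is_redundant():
    ping = Packet("icmp", "203.0.113.5", "211.211.211.211")
    web = Packet("tcp", "203.0.113.5", "211.211.211.211", 80)
    without = "\n".join(ln for ln in ORIGINAL_ACL.splitlines() if " deny " not in ln)
    results = {}
    for label, cfg in (("with_deny", ORIGINAL_ACL), ("without_deny", without)):
        pix = Pix({"outside": 0, "inside": 100})
        pix.configure(cfg)
        results[label] = (pix.allows(ping, "outside", "inside"), pix.allows(web, "outside", "inside"))
    return results
```

`check_scenario_1()` returns True for a), b) and c) and False for the web probe, and `explicit_deny_is_redundant()` gives `(False, True)` for both variants of the original list. The same `parse_ace` also accepts the source-port form from setting #2 (`host 10.1.1.1 eq smtp any`), so the other two settings can be dropped into `configure` to confirm that binding an ACL to dmz or inside removes the higher-to-lower default for that interface and makes the explicit permits necessary.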
