PIX access list

Hi,

I am new to firewall and have some questions on access list.

1) I want to block ICMP but allow WWW and DNS to pass through the PIX. Can I implement the access list in the following order?

access-list in_acl deny icmp any any
access-list in_acl permit tcp any host 211.211.211.211 eq www
access-list in_acl permit tcp any host 212.212.212.212 eq dns
access-list in_acl permit ip any host 213.213.213.213

2) Line 3 of the above example indicates the protocol is TCP for the DNS service. Should I change it to UDP? When should I use TCP and when UDP?

3) If the host 213.213.213.213 is a proxy server, should I use protocol tcp instead of ip, and why?

Any help?

Thanks in advance,
ngpk
ngpk Asked:
lrmoore Commented:
a) yes
b) yes
c) yes
0
 
lrmoore Commented:
Your ACL is backwards for restricting outbound traffic.

Given that .213 is a proxy, that should be the only IP allowed out to www.
Given that .212 is a DNS server, that should be the only IP allowed to forward DNS.
Given that .211 is an SMTP mail server
You don't need the deny at the top because of the implied deny all at the bottom of every ACL. Only allow what you want.
DNS uses UDP almost exclusively. Only if you have a local DNS server that does zone transfers with another external server would you need TCP.
Here's the acl I would use:
access-list outbound_acl permit tcp host 213.213.213.213 any eq www
access-list outbound_acl permit tcp host 213.213.213.213 any eq https
access-list outbound_acl permit tcp host 213.213.213.213 any eq ftp
access-list outbound_acl permit udp host 212.212.212.212 any eq domain
access-list outbound_acl permit tcp host 211.211.211.211 any eq smtp
access-group outbound_acl in interface inside

ALL other traffic is blocked. No ICMP, no nuthin', and users are forced to use the proxy for http/https/ftp, and no other inbound ACLs are necessary.
What about email? Do you have an email server? It should be the only one allowed SMTP out.

If I misunderstood and you want to allow inbound traffic to your DNS server (why?) and your www server then your original syntax is correct:
 access-list inbound_acl permit tcp any host 213.213.213.213 eq www
 access-list inbound_acl permit udp any host 212.212.212.212 eq domain
<etc>
I would not use "ip" to any internal host from outside - ever.
Applied to the outside interface:
  access-group inbound_acl in interface outside
0
 
ngpk Author Commented:
Hi lrmoore,

Actually, the access lists are to be bound to the outside and inside interfaces.

There are a web server, a DNS server and a proxy server behind the PIX. I just want to allow WWW and DNS traffic from outside to the destined servers, and all other users behind the PIX use the proxy server to access the Internet.

So, I would like to revise the config as follows:

access-list out_intf_acl permit tcp any host 211.211.211.211 eq www
access-list out_intf_acl permit udp any host 212.212.212.212 eq domain
access-group out_intf_acl in interface outside

access-list in_intf_acl permit ip host 213.213.213.213 any
access-group in_intf_acl in interface inside

With regard to the SMTP server, I will add more entries like this and bind them to both the outside and inside interfaces:
access-list out_intf_acl permit tcp any host 212.212.212.215 eq smtp
access-list out_intf_acl permit udp host 212.212.212.212 any eq smtp

Any advice?

Thanks
ngpk
0
ngpk Author Commented:
Hi lrmoore,

The config should be this:

access-list out_intf_acl permit tcp any host 211.211.211.211 eq www
access-list out_intf_acl permit udp any host 211.211.211.212 eq domain
access-list out_intf_acl permit tcp any host 211.211.211.215 eq smtp
access-group out_intf_acl in interface outside

access-list in_intf_acl permit ip host 211.211.211.213 any
access-list in_intf_acl permit tcp host 211.211.211.215 any eq smtp
access-group in_intf_acl in interface inside

Thanks,
ngpk
0
 
lrmoore Commented:
Looks like that will work!
0
 
ngpk Author Commented:
Hello Lrmoore,

First of all, thanks for your help.

Here I got confused about the case when the SMTP server is located in the DMZ. The scenario is: the SMTP server is located in the DMZ with internal IP 10.1.1.1/24 and global IP 211.211.211.215, and the computers behind the inside interface belong to network 10.1.2.0. Here are three different settings:
1) access-list out_intf_acl permit tcp any host 211.211.211.215 eq smtp
access-group out_intf_acl in interface outside
:
:
nat for smtp server
:

2) access-list out_intf_acl permit tcp any host 211.211.211.215 eq smtp
access-group out_intf_acl in interface outside

access-list dmz_intf_acl permit tcp host 10.1.1.1 any eq smtp
access-group dmz_intf_acl in interface dmz
:
:
nat for smtp server
:

3) access-list out_intf_acl permit tcp any host 211.211.211.215 eq smtp
access-group out_intf_acl in interface outside

access-list dmz_intf_acl permit tcp host 10.1.1.1 any eq smtp
access-group dmz_intf_acl in interface dmz

access-list in_intf_acl permit tcp any host 10.1.1.1 eq smtp
access-group in_intf_acl in interface inside
:
:
nat for smtp server
:

I want to make sure whether the statement is true or not: By default all higher security level access to lower is permitted.

If the statement is true, then #1) is ok, right?

If the statement is false, then #2) or #3) should be used, right?

Can you advise which one is right?

Thanks a lot
ngpk

0
 
lrmoore Commented:
>By default all higher security level access to lower is permitted
This is TRUE
#1) is all you need unless you want to purposely restrict outgoing traffic . .

0
 
ngpk Author Commented:
Thanks lrmoore. When I apply #1), does it allow all of the following:
a) any Internet computer can send mail to the SMTP server when a NAT is properly defined for the server.
b) any computer behind the inside interface can send mail to the SMTP server.
c) the SMTP server can deliver mail to other Internet SMTP servers.

Thanks,
ngpk
0
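Putting lrmoore's two rules side by side (an access-list is read top to bottom, the first match decides, and everything else hits the implicit deny; with no access-group bound to the ingress interface, a higher security level may initiate to a lower one and never the reverse), here is an added Python model that is not part of the thread and not Cisco code. It evaluates the thread's own ACLs (the first question's list with the udp/domain correction, and the later out_intf_acl) and the DMZ scenario #1 against flows a), b) and c). The DMZ security level of 50, the inside host 10.1.2.20 and the 198.51.100.x Internet peers are assumptions; only any/host addresses, the port names used on this page, and the first packet of a connection are modelled (replies ride the PIX connection table, and NAT is taken as already configured, so the outside ACL is matched against the global address as PIX 6.x does).

```python
"""PIX 6.x filtering model: an ACL is walked top to bottom and the first match decides,
nothing matching hits the implicit deny; with no access-group bound to the ingress
interface the default policy applies: higher security level may reach lower, not back."""
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ftp": 21, "domain": 53, "smtp": 25}

@dataclass
class Packet:
    proto: str                 # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None

@dataclass
class Entry:
    action: str                # "permit" or "deny"
    proto: str                 # "ip", "tcp", "udp" or "icmp"
    src: Optional[str]         # None = any
    dst: Optional[str]         # None = any
    dport: Optional[int]       # None = no "eq PORT" on the line

def _addr(tokens):
    """Consume 'any' or 'host A.B.C.D'; network/mask forms are not modelled."""
    if tokens[0] == "any":
        return None, tokens[1:]
    if tokens[0] == "host":
        return tokens[1], tokens[2:]
    raise ValueError(f"unsupported address form: {tokens[0]!r}")

def parse_acl(config: str) -> dict:
    """Parse 'access-list NAME permit|deny PROTO SRC DST [eq PORT]' lines, keeping order."""
    acls: dict = {}
    for line in config.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] != "access-list":
            continue
        name, action, proto = tok[1], tok[2], tok[3]
        src, rest = _addr(tok[4:])
        dst, rest = _addr(rest)
        dport = (PORT_NAMES.get(rest[1]) or int(rest[1])) if rest[:1] == ["eq"] else None
        acls.setdefault(name, []).append(Entry(action, proto, src, dst, dport))
    return acls

def evaluate(entries, pkt: Packet) -> str:
    """First match wins; a list that matches nothing denies (implicit deny ip any any)."""
    for e in entries:
        if (e.proto in ("ip", pkt.proto) and e.src in (None, pkt.src)
                and e.dst in (None, pkt.dst) and e.dport in (None, pkt.dport)):
            return e.action
    return "deny"

@dataclass
class Interface:
    security: int               # outside=0, inside=100, DMZ somewhere between
    acl: Optional[list] = None  # bound with 'access-group NAME in interface NAME'

def allows(ingress: Interface, egress: Interface, pkt: Packet) -> bool:
    """Decide the first packet of a new connection; replies ride the PIX state table."""
    if ingress.acl is not None:
        return evaluate(ingress.acl, pkt) == "permit"
    return ingress.security > egress.security   # default policy when no ACL is bound

# The question's ACL with lrmoore's correction applied (udp/domain instead of tcp/dns).
ORIGINAL_CFG = """
access-list in_acl deny icmp any any
access-list in_acl permit tcp any host 211.211.211.211 eq www
access-list in_acl permit udp any host 212.212.212.212 eq domain
access-list in_acl permit ip any host 213.213.213.213
"""

def ordering_demo() -> dict:
    """Order matters: move the deny to the bottom and 'permit ip' now passes ICMP."""
    acl = parse_acl(ORIGINAL_CFG)["in_acl"]
    ping_proxy = Packet("icmp", "198.51.100.7", "213.213.213.213")
    return {
        "ping_proxy_deny_first": evaluate(acl, ping_proxy),
        "ping_proxy_deny_last": evaluate(acl[1:] + acl[:1], ping_proxy),
        "udp_dns": evaluate(acl, Packet("udp", "198.51.100.7", "212.212.212.212", 53)),
        "tcp_dns": evaluate(acl, Packet("tcp", "198.51.100.7", "212.212.212.212", 53)),
    }

# Scenario #1 from the thread: ACL on outside only; DMZ mail server 10.1.1.1 behind a
# static to 211.211.211.215. DMZ level 50 and the 198.51.100.x peers are constructed.
OUTSIDE_CFG = """
access-list out_intf_acl permit tcp any host 211.211.211.211 eq www
access-list out_intf_acl permit udp any host 211.211.211.212 eq domain
access-list out_intf_acl permit tcp any host 211.211.211.215 eq smtp
"""

def scenario_one() -> dict:
    outside = Interface(0, parse_acl(OUTSIDE_CFG)["out_intf_acl"])
    dmz, inside = Interface(50), Interface(100)
    # PIX 6.x checks the outside ACL against the global (pre-NAT) address.
    return {
        "a_internet_to_smtp": allows(outside, dmz, Packet("tcp", "198.51.100.7", "211.211.211.215", 25)),
        "b_inside_to_smtp": allows(inside, dmz, Packet("tcp", "10.1.2.20", "10.1.1.1", 25)),
        "c_smtp_to_internet": allows(dmz, outside, Packet("tcp", "10.1.1.1", "198.51.100.9", 25)),
        "internet_to_inside": allows(outside, inside, Packet("tcp", "198.51.100.7", "10.1.2.20", 445)),
    }
```

Calling ordering_demo() shows the ICMP ping to the proxy denied with the deny on top but permitted once the deny is moved below `permit ip any host 213.213.213.213`, and shows why `eq domain` must be udp: a TCP/53 query falls through to the implicit deny. scenario_one() confirms a), b) and c) for setting #1, and that an unsolicited connection from the Internet to an inside host is dropped because nothing in out_intf_acl permits it.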