Access Lists
Access lists on the PIX firewall are very similar to those used on Cisco routers
and can be used to limit the traffic allowed to transit the PIX based on several
criteria, including source address, destination address, source TCP/UDP ports,
and destination TCP/UDP ports. Access list configuration is a two-step process:
1. Create the ACL permit and deny statements using the access-list command.
2. Apply the access list to an interface using the access-group command.
www.syngress.com
Passing Traffic • Chapter 3 101
There are two different syntaxes for the access-list command. The first is used
for any protocol other than Internet Control Message Protocol (ICMP), and the
second is used for ICMP:
access-list <acl_name> [permit | deny] <protocol> <src_addr> <src_mask> [<operator> <port> [<port>]] <dest_addr> <dest_mask> [<operator> <port> [<port>]]
access-list <acl_name> [permit | deny] icmp <src_addr> <src_mask> <dest_addr> <dest_mask> [<icmp_type>]
The acl_name parameter identifies the access list and can be either a name or
a number. The permit and deny keywords are self-explanatory. The protocol parameter
specifies the IP protocol. You can either enter the numeric value or specify
a literal name. Possible literal names are listed in Table 3.1.
Table 3.1 Literal Protocol Names and Values
Literal Value Description
ah 51 Authentication Header for IPv6, RFC 1826
eigrp 88 Enhanced Interior Gateway Routing Protocol
esp 50 Encapsulated Security Payload for IPv6, RFC 1827
gre 47 General Routing Encapsulation
icmp 1 Internet Control Message Protocol, RFC 792
igmp 2 Internet Group Management Protocol, RFC 1112
igrp 9 Interior Gateway Routing Protocol
ip 0 Internet Protocol
ipinip 4 IP-in-IP encapsulation
nos 94 Network Operating System (Novell's NetWare)
ospf 89 Open Shortest Path First routing protocol, RFC 1247
pcp 108 Payload Compression Protocol
snp 109 Sitara Networks Protocol
tcp 6 Transmission Control Protocol, RFC 793
udp 17 User Datagram Protocol, RFC 768
The address of the network or host from which the packet originated is specified
using the src_addr parameter. The src_mask parameter specifies the netmask
bits to apply to src_addr. To specify all networks or hosts, use the any keyword,
which is equivalent to a source network and mask of 0.0.0.0 0.0.0.0. Use the host
keyword followed by an IP address to specify a single host. The dest_addr and
dest_mask parameters are equivalent to src_addr and src_mask, except that they
apply to destination addresses.
NOTE
The syntax for access lists on the PIX firewall is very similar to that of
Cisco routers. The key difference is that access lists on PIX firewalls use
standard subnet masks, whereas on routers they use inverted wildcard
masks. For example, when blocking a 24-bit subnet, you would use a
mask of 255.255.255.0 on a PIX firewall and a mask of 0.0.0.255 on a
Cisco router.
An operator comparison lets you specify a port or port range and is used
with the tcp or udp protocol keywords. To specify all ports, do not specify an
operator and port. Use eq to specify a single port. Use gt to specify all ports
greater than the specified port. Use neq to specify all ports except a given
number. Finally, use range to define a specific range of ports. The port can be
specified using either a number or a literal name. A list of literal port names is
presented in Table 3.2.
Table 3.2 Literal Port Names and Values
Name Port Protocol
bgp 179 tcp
biff 512 udp
bootpc 68 udp
bootps 67 udp
chargen 19 tcp
citrix-ica 1494 tcp
cmd 514 tcp
daytime 13 tcp
discard 9 tcp/udp
dnsix 195 udp
domain 53 tcp/udp
echo 7 tcp/udp
exec 512 tcp
finger 79 tcp
ftp 21 tcp
ftp-data 20 tcp
gopher 70 tcp
h323 1720 tcp
http 80 tcp
hostname 101 tcp
ident 113 tcp
irc 194 tcp
isakmp 500 udp
klogin 543 tcp
kshell 544 tcp
login 513 tcp
lpd 515 tcp
mobile-ip 434 udp
nameserver 42 udp
netbios-dgm 138 udp
netbios-ns 137 udp
nntp 119 tcp
ntp 123 udp
pim-auto-rp 496 tcp/udp
pop2 109 tcp
pop3 110 tcp
radius 1645, 1646 udp
rip 520 udp
smtp 25 tcp
snmp 161 udp
snmptrap 162 udp
sqlnet 1521 tcp
sunrpc 111 tcp/udp
syslog 514 udp
tacacs 49 tcp/udp
talk 517 tcp/udp
telnet 23 tcp
tftp 69 udp
time 37 udp
uucp 540 tcp
who 513 udp
whois 43 tcp
www 80 tcp
xdmcp 177 tcp
Note that the system-defined port mapping of http is the same as www and is
silently translated in the configuration. The icmp_type parameter allows you to
permit or deny access to ICMP message types. A list of ICMP message types can
be found in Table 3.3.
Table 3.3 ICMP Message Types
ICMP Type Literal
0 echo-reply
3 unreachable
4 source-quench
5 redirect
6 alternate-address
8 echo
9 router-advertisement
10 router-solicitation
11 time-exceeded
12 parameter-problem
13 timestamp-reply
14 timestamp-request
15 information-request
16 information-reply
17 mask-request
18 mask-reply
31 conversion-error
32 mobile-redirect
After configuring the access list, you must apply it to an interface using the
following command:
access-group <acl_name> in interface <if_name>
The name associated with an access list is specified as acl_name, whereas the
name of the interface on which the access list will monitor inbound traffic is
specified by if_name. An applied access list denies or permits traffic as it enters the
PIX on the specified interface.
NOTE
Access lists on the PIX firewall can only be applied to traffic entering
an interface, not to traffic that is leaving an interface. This is unlike Cisco
routers, on which access lists can be applied in either direction.
Access lists on the PIX firewall have an implicit deny all at the end. This
means that unless traffic has been specifically permitted within the access list, it
will be denied by the implied deny-all that follows the last entry in every access
list. This provides added security by ensuring that traffic not explicitly recognized
is denied. If there are errors in the configuration, the wrong traffic
may be permitted or denied. Since access lists are processed sequentially from top
to bottom, a PIX administrator can create very complex access lists simply by following
the flow of what should and should not be allowed. Only one access list
at a time can be applied to an interface.
Let's now look at Secure Corp., which has just purchased a new PIX firewall
for its network in New York, as shown in Figure 3.3. All the servers that the
company hosts at the site, as well as all the clients within the network, are located
on the inside interface of the PIX. The site uses a single network with the address
space of 192.168.0.0/22. The ISP has assigned the 10.1.1.0/24 public network to
use.
The company's requirements are that the clients only be able to access the
Internet with their Web browsers. Company servers may have complete access
to the Internet. The construction of an access list should start with a definition of what
is going to be allowed and then proceed to what is going to be denied. In this
example, the access list will have to allow clients in the 192.168.2.0/24 range to
access any Internet server on TCP port 80. Then, the access list will allow the
three listed servers full access to the Internet. The following commands
accomplish this result:
PIX1(config)# access-list inside_in permit tcp 192.168.2.0 255.255.255.0 any eq 80
PIX1(config)# access-list inside_in permit ip 192.168.1.1 255.255.255.255 any
PIX1(config)# access-list inside_in permit ip 192.168.1.2 255.255.255.255 any
PIX1(config)# access-list inside_in permit ip 192.168.1.3 255.255.255.255 any
PIX1(config)# access-group inside_in in interface inside
A good practice is to add an explicit deny all entry to the end of an access
list so you remember it is there when you do a show access-list command. You can
see how many packets have been dropped using the hitcnt counter:
[Figure 3.3 The Secure Corporation Access List Example: Email Server 192.168.1.1, Web Server 192.168.1.2, DNS Server 192.168.1.3 and Clients 192.168.2.0 - .254 behind the PIX inside interface 192.168.1.254; outside interface 10.1.1.254 facing the Internet]
PIX1(config)# access-list inside_in deny ip any any
PIX1(config)# exit
PIX1# show access-list
access-list inside_in; 4 elements
access-list inside_in permit tcp 192.168.2.0 255.255.255.0 any eq www (hitcnt=2)
access-list inside_in permit ip host 192.168.1.1 any (hitcnt=0)
access-list inside_in permit ip host 192.168.1.2 any (hitcnt=0)
access-list inside_in permit ip host 192.168.1.3 any (hitcnt=0)
access-list inside_in deny ip any any (hitcnt=40)
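The following Python model is added here and is not part of the book or of any Cisco software: it walks constructed sample flows through the inside_in list shown above the way the PIX evaluates it (top-down, first match wins and bumps that entry's hitcnt, implicit deny all for anything unmatched, http stored as www), and router_wildcard shows the mask difference described in the earlier NOTE. The sample flows and the 10.2.2.x Internet addresses are made up for the example.

```python
import ipaddress

# Literal port names used on this page; the PIX stores "http" as "www".
PORT_NAMES = {"www": 80, "http": 80, "smtp": 25, "pop3": 110, "domain": 53}

def parse_addr(tok):
    """any -> 0.0.0.0/0; host X -> X/32; X MASK -> standard (non-inverted) netmask."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    return ipaddress.ip_network((tok[0], tok[1]), strict=False), tok[2:]

def parse_ace(line):
    """Parse 'access-list NAME permit|deny PROTO SRC DST [eq PORT]' as written on this page."""
    tok = line.split()
    src, rest = parse_addr(tok[4:])
    dst, rest = parse_addr(rest)
    port = (PORT_NAMES.get(rest[1]) or int(rest[1])) if rest[:1] == ["eq"] else None
    return {"action": tok[2], "proto": tok[3], "src": src, "dst": dst, "port": port, "hitcnt": 0}

def router_wildcard(pix_mask):
    """Inverted mask a Cisco router ACL would use for the same PIX netmask (see the NOTE)."""
    return str(ipaddress.ip_network(("0.0.0.0", pix_mask)).hostmask)

def evaluate(acl, proto, src, dst, dport=None):
    """Top-down, first match wins and bumps its hitcnt; unmatched traffic hits the implicit deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acl:
        if ace["proto"] not in ("ip", proto) or src not in ace["src"] or dst not in ace["dst"]:
            continue
        if ace["port"] is not None and dport != ace["port"]:
            continue
        ace["hitcnt"] += 1
        return ace["action"]
    return "deny"  # the implied deny-all that follows the last entry of every PIX list

# The inside_in list from the page, as "show access-list" displays it (hitcnt starts at 0).
INSIDE_IN = [parse_ace(l) for l in [
    "access-list inside_in permit tcp 192.168.2.0 255.255.255.0 any eq www",
    "access-list inside_in permit ip host 192.168.1.1 any",
    "access-list inside_in permit ip host 192.168.1.2 any",
    "access-list inside_in permit ip host 192.168.1.3 any",
    "access-list inside_in deny ip any any"]]

# Constructed sample flows (proto, src, dst, dport), not captured traffic; 10.2.2.x stands in for the Internet.
SAMPLE = [("tcp", "192.168.2.10", "10.2.2.2", 80),   # client browsing -> permit
          ("tcp", "192.168.2.10", "10.2.2.2", 443),  # client HTTPS -> hits the explicit deny
          ("udp", "192.168.1.3", "10.2.2.53", 53),   # DNS server, matched by its "ip" entry -> permit
          ("tcp", "192.168.1.9", "10.2.2.2", 80)]    # unlisted inside host -> explicit deny

def run(acl, flows):
    """Verdict per flow; after one run, each entry's hitcnt reads like the show output above."""
    return [evaluate(acl, *f) for f in flows]
```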
Best security practices dictate that publicly accessible servers should not be
located on the inside network; instead, they should be located on a DMZ network.
The DMZ provides an added layer of security and controls the risks associated
with a publicly accessible server. If the server becomes compromised, it is
possible to contain the compromise to the DMZ and still protect inside clients.
However, if the network is set up as in the previous example and the server
becomes compromised, there is very little that can be done to stop that server
from compromising the entire internal network (you can shut the server down or
disconnect it). Keep this design practice in mind. Figure 3.4 shows a revised network
layout.
[Figure 3.4 Secure Corporation Revised Network Layout: Email Server 192.168.1.1, Web Server 192.168.1.2 and DNS Server 192.168.1.3 on the DMZ; Clients 192.168.2.0/24 on the inside; PIX interfaces DMZ 192.168.1.1, Inside 192.168.2.1, Outside 10.1.1.254 facing the Internet]
It is apparent that the network requirements have changed, because services
the clients used to access without going through the firewall now need to be
added to the access lists. Unlike the access list created previously, the servers
should not be allowed to access any IP address without restriction. A DMZ access
list should be created that limits the services that the servers are able to use. If
these servers become compromised, you want to limit their infection of your networks.
The commands to create and apply these access lists are:
PIX1(config)# access-list inside_in permit tcp 192.168.2.0 255.255.255.0 any eq www
PIX1(config)# access-list inside_in permit tcp 192.168.2.0 255.255.255.0 192.168.1.1 eq smtp
PIX1(config)# access-list inside_in permit tcp 192.168.2.0 255.255.255.0 192.168.1.1 eq pop3
PIX1(config)# access-list inside_in permit udp 192.168.2.0 255.255.255.0 192.168.1.3 eq domain
PIX1(config)# access-list inside_in permit tcp 192.168.2.0 255.255.255.0 192.168.1.3 eq domain
PIX1(config)# access-list inside_in deny ip any any
PIX1(config)# access-group inside_in in interface inside
PIX1(config)# access-list dmz_in permit tcp 192.168.1.1 255.255.255.255 any eq smtp
PIX1(config)# access-list dmz_in permit udp 192.168.1.3 255.255.255.255 any eq domain
PIX1(config)# access-list dmz_in permit tcp 192.168.1.3 255.255.255.255 any eq domain
PIX1(config)# access-list dmz_in deny ip any any
PIX1(config)# access-group dmz_in in interface dmz
It is important to note that we have not yet covered how to configure
inbound access. The preceding access list only allows these servers to initiate contact
with other servers, as a client would do. For example, the e-mail server can
send mail to another domain, but it cannot receive it. The DNS server can
resolve domain information from another domain, but it cannot respond to
queries from other domains. The "Allowing Inbound Traffic" section of this
chapter covers in detail how inbound access is enabled.
One very useful feature in configuring the PIX is the name command. This
command allows you to define a name alias for an IP address so that during
configuration, instead of referencing a host by its IP address, the host can be referenced
by a name. This feature is useful during complex configurations, because
a descriptive name eases configuration and troubleshooting. The syntax for the
command is:
name <ip_address> <name>
For example, the following command maps the name mail to the IP address
10.1.1.10:
PIX1(config)# name 10.1.1.10 mail
The name mail can now be used in access lists instead of an IP address. When
you delete a name entry, all references to it in an access list revert to the IP
addresses. Be sure the name entry is the last thing you remove during a
clean-up.