Access Rules

For a fuller understanding of these rules, let's continue with our exercise and permit Web and mail traffic to our example hosts. To permit access to the internal mail server, select Add from the Rules drop-down menu. The Add Rule window looks similar to Figure 9.57.

www.syngress.com

Figure 9.57 Add Access Rule

514 Chapter 9 • PIX Device Manager

From the Add Rule window, there are four general areas you need to configure. First, you need to determine whether to permit or deny access with the rule. For this example, select permit from the Select an action pull-down menu. Next, you need to specify source and destination information. Source and destination information can be in the form of IP addresses, names, or object groups. For this exercise, let's allow anyone to access our mail server. In the Source Host/Network section of the Add Rule window, click the IP address radio button. From the Interface pull-down menu, select outside and keep the IP address and Mask fields populated, as shown in Figure 9.57. Doing so specifies all possible networks arriving on the firewall's external interface.

Next, specify the mail server in the Destination Host/Network section of the Add Rule window. Click the IP address radio button and select inside from the Interface pull-down list. Click the Browse button and select the mail object from the popup window.

Now that we have determined the source and destination to permit access, let's configure the specific protocols and services to allow. Since this is a mail server, we should allow TCP port 25 (SMTP). Let's also permit TCP port 993 (Secure IMAP) so that our users can securely access their mail from external locations.

Previously, we would require two separate access rules to permit these two services. However, new functionality in the PIX firewall permits the creation of service group objects. This ability streamlines rule maintenance and facilitates more efficient rule processing. So, before adding protocols and services to our rule, let's configure a mail service group.

Click the Manage Service Groups button to access the Manage Service Groups window, as shown in Figure 9.58. Alternatively, you can access the Manage Service Groups window by selecting Manage Groups from the Tools menu of the main PDM screen.

From this window, you can create groups of TCP, UDP, and TCP-UDP services to be applied on access rules. Add a new TCP service group by clicking the TCP radio button and then the Add button. The Add Service window appears and is similar to the window shown in Figure 9.59.

From this window, specify a Service Group Name and add specific services to the group:

1. Type MailServices in the Service Group Name field; optionally, enter a description in the Description field. The PIX includes many common predefined services for use in service groups. From this list, scroll down, select smtp, and click the Add button.


Figure 9.58 The Manage Service Groups Window

Figure 9.59 The Add Service Window


2. We need to add a custom service for secure IMAP because it is not predefined as a service. To do so, click the Range/Port # radio button and type 993 in the first field. Ranges of ports can also be created, but secure IMAP only requires TCP port 993.

3. Click the Add button to add the new service to the Services Group window on the left.

4. Click OK to add the group and return to the Manage Service Groups window.

5. From the Manage Service Groups window, click Apply to PIX and return to the Add Rule window.

Now that we have created a Service Group, let's add it to the mail server rule. In the Protocol and Service section of the Add Rule window, click the TCP radio button. Since the source port will be random, leave the Source Port section as is, with Service = Any. In the Destination Port section, click the Service Group radio button and select MailServices from the pull-down list.

NOTE

You might be required to refresh the PDM configuration before configuring a newly added Service Group in a rule.

Click OK to return to the Access Rules screen.

For practice, add a second access rule for the internal Web server. This time, instead of specifying an individual IP address from the Destination Host/Network section on the Add Rule window, click the Group radio button and select WebServers from the pull-down list. This choice designates any object included in the WebServers group we added in previous exercises and simplifies rule maintenance. In the Protocol and Service section of the Add Rule window, click the Service radio button and type http in the field. Alternatively, you can click the … button and select http from the services popup list. When finished, click OK to add the rule and return to the Access Rules window. The Access Rules tab window should now appear; it is similar to Figure 9.60.
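The mail rule and the Web rule built above, written out as the PIX command-line configuration that PDM pushes to the firewall when the rules are applied. This is an added example, not text from the chapter: the object-group names MailServices and WebServers are the chapter's, while the access-list name outside_access_in and the 10.1.1.x server addresses are assumed placeholders; lines beginning with ! are explanatory comments.

```text
! Added example (not from the chapter): the PDM steps above as PIX 6.x CLI.
! Assumed placeholders: mail server 10.1.1.10, Web server 10.1.1.20,
! access-list name outside_access_in.

! Steps 1-5: the MailServices group holding smtp and the custom port 993
object-group service MailServices tcp
  description Mail services permitted to the internal mail server
  port-object eq smtp
  port-object eq 993

! Network object group referenced by the Web rule (created in an earlier exercise)
object-group network WebServers
  network-object host 10.1.1.20

! Rule 1: any source arriving on outside, mail server as destination,
! destination ports taken from the service group. No source port is given,
! which is the CLI form of "Source Port: Service = Any".
access-list outside_access_in permit tcp any host 10.1.1.10 object-group MailServices

! Rule 2: any source to every member of the WebServers group on TCP 80
! (the CLI keyword is www; PDM displays the same service as http)
access-list outside_access_in permit tcp any object-group WebServers eq www

! Bind the list inbound on the outside interface; inbound traffic that matches
! neither rule is dropped by the implicit deny at the end of the list
access-group outside_access_in in interface outside
```

The same grouping that simplifies rule maintenance in PDM is visible here: adding a third mail protocol later means one more port-object line rather than another access-list entry.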

After applying the new rules to the PIX firewall, mail and Web services should be permitted to your new servers through the firewall. Next, let's quickly look at the remaining rules screens, AAA Rules and Filter Rules.