Access Rules
For a fuller account of these rules, let's continue with our exercise and permit Web and mail traffic to our example hosts. To permit access to the internal mail server, select Add from the Rules drop-down menu. The Add Rule window looks similar to Figure 9.57.
www.syngress.com
Figure 9.57 Add Access Rule
514 Chapter 9 • PIX Device Manager
From the Add Rule window, there are four general areas you must configure. First, you must determine whether to permit or deny access with the rule. For this example, select permit from the Select an action pull-down menu. Next, you must specify source and destination information. Source and destination information can be in the form of IP addresses, names, or object groups. For this exercise, let's allow anyone to access our mail server. In the Source Host/Network section of the Add Rule window, click the IP address radio button. From the Interface pull-down menu, select outside and keep the IP address and Mask fields populated, as shown in Figure 9.57. Doing so specifies all possible networks arriving on the firewall's external interface.

Next, specify the mail server in the Destination Host/Network area of the Add Rule window. Click the IP address radio button and select inside from the Interface pull-down list. Click the Browse button and select the mail object from the popup window.

Now that we have determined the source and destination to permit access, let's configure the specific protocols and services to allow. Since this is a mail server, we should allow TCP port 25 (SMTP). Let's also permit TCP port 993 (Secure IMAP) so that our users can securely access their mail from remote locations. Previously, we would require two separate access rules to permit these two services. However, new functionality in the PIX firewall permits the creation of service group objects. This capability streamlines rule maintenance and facilitates more efficient rule processing. So, before adding protocols and services to our rule, let's configure a mail service group.

Click the Manage Service Groups button to access the Manage Service Groups window, as shown in Figure 9.58. Alternatively, you can access the Manage Service Groups window by selecting Manage Groups from the Tools menu of the main PDM screen.

From this window, you can create groups of TCP, UDP, and TCP-UDP services to be applied in access rules. Add a new TCP service group by clicking the TCP radio button and then the Add button. The Add Service window appears and is similar to the window shown in Figure 9.59.

From this window, specify a Service Group Name and add specific services to the group:

1. Type MailServices in the Service Group Name field; optionally, enter a description in the Description field. The PIX includes many common predefined services for use in service groups. From this list, scroll down, select smtp, and click the Add button.
Figure 9.58 The Manage Account Groups Window
Figure 9.59 The Add Account Window
2. We need to add a custom service for secure IMAP because it is not predefined as a service. To do so, click the Range/Port # radio button and type 993 in the first field. Ranges of ports can also be created, but secure IMAP only requires TCP port 993.
3. Click the Add button to add the new service to the Services Group window on the left.
4. Click OK to add the group and return to the Manage Service Groups window.
5. From the Manage Service Groups window, click Apply to PIX and return to the Add Rule window.

Now that we have established a Service Group, let's add it to the mail server rule. In the Protocol and Service area of the Add Rule window, click the TCP radio button. Since the source port will be random, leave the Source Port section as is, with Service = Any. In the Destination Port section, click the Service Group radio button and select MailServices from the pull-down list.

NOTE
You might be required to refresh the PDM configuration before configuring a newly added Service Group in a rule.

Click OK to return to the Access Rules screen.

For practice, add a second access rule for the internal Web server. This time, instead of specifying an individual IP address from the Destination Host/Network area on the Add Rule window, click the Group radio button and select WebServers from the pull-down list. This choice designates any object included in the WebServers group we added in previous exercises and simplifies rule maintenance. In the Protocol and Service area of the Add Rule window, click the Service radio button and type http in the field. Alternatively, you can click the … button and select http from the services popup list. When finished, click OK to add the rule and return to the Access Rules window. The Access Rules tab window should now appear; it is similar to Figure 9.60.
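For readers who want to verify what PDM actually wrote to the firewall, here is the CLI form of the two rules built above. This is an added example, not text from the book: it reflects the PIX 6.2-style object-group and access-list syntax that PDM generates for rules of this kind. The object names MailServices and WebServers, the interface names, and the ports come from the exercise; the access-list name outside_access_in, the host addresses, and the single member of the WebServers group are placeholders assumed for illustration. The lines beginning with ! are annotations for the reader, not part of the configuration.

```text
! Service group built in the Manage Service Groups steps: SMTP plus Secure IMAP.
! smtp is a predefined keyword; 993 has none, so it is entered numerically.
object-group service MailServices tcp
  description Mail services permitted from the outside
  port-object eq smtp
  port-object eq 993

! Network group assumed to exist from an earlier exercise
! (placeholder member address; substitute the real web server).
object-group network WebServers
  network-object host 192.168.1.20

! Rule 1: any outside source to the mail server (placeholder address),
! limited to the ports in the service group.
access-list outside_access_in permit tcp any host 192.168.1.10 object-group MailServices

! Rule 2: any outside source to every member of WebServers on TCP 80.
access-list outside_access_in permit tcp any object-group WebServers eq www

! Bind the list inbound on the outside interface (placeholder list name).
access-group outside_access_in in interface outside
```

Two points worth checking after applying rules from PDM. First, on PIX 6.x the destination in an inbound access list is the address as seen on the outside interface, so for a server behind a static translation the rule must name the translated address, whatever the inside object shows. Second, show access-list on the PIX expands each object-group entry into its individual lines and reports a hit count per line, which is a quick way to confirm that only SMTP, port 993 and HTTP are open to the new servers and that nothing broader was permitted by mistake.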
After applying the new rules to the PIX firewall, mail and Web services should be permitted to your new servers through the firewall. Next, let's quickly look at the remaining rules screens, AAA Rules and Filter Rules.