Checking Access
The PIX firewall provides several mechanisms for controlling access through it. In
this section, we cover several of these mechanisms and discuss some ways to monitor
and verify their functionality. The default behavior of the PIX firewall is to permit
sessions originated from a higher security-level interface to a lower
security-level interface, as long as a translation is configured. Traffic that originates
from a lower security-level interface to a higher security-level interface has to be
specifically permitted using conduits or access lists (and, of course, translations).
www.syngress.com
584 Chapter 10 • Troubleshooting and Performance Monitoring
The conduit command is a special form of access list. It is used to permit
traffic from a lower security-level interface to a higher security-level interface.
Figure 10.20 shows several common access scenarios with various hosts needing
access to each other. The Web client (security level 0) will be accessing the Web
server (security level 50); the default behavior of the PIX firewall is to forbid
such traffic. The workstation (security level 100) needs to access Internet
resources using the outside network. The figure also provides the configuration
necessary to enable the access needed by the various hosts and servers, which are
denoted A, B, and C for ease of discussion. The assumption is that all translation
parameters have been configured and are working correctly, which enables us to
focus on specific access issues. The addresses shown are used for discussion, but in
your mind, assume that they have been translated.
The Web server needs to be prevented from originating sessions to networks
located off the DMZ network but must be able to respond to service requests
from the Web client located on the outside network. To accomplish this goal, we
created an access list to deny 192.168.1.2 from accessing anything and applied it
to the DMZ interface. Then we created a conduit to permit 192.168.4.2 to
access Web services (TCP port 80) on 192.168.1.2. Alternatively, we could have
used an access list to accomplish the same thing, as shown in Figure 10.20. The
option to use access lists instead of conduits is available only on PIX firewall software
versions 5.1 and later. It is important to note that Cisco recommends that
you avoid mixing access lists and conduits. Additionally, access lists take precedence
over conduits. In the PIX environment, access lists have one and only one
direction: in. The access-group command applies the access list to traffic coming
into the designated interface.

Figure 10.20 Access Scenario

[Figure: topology of the scenario. Recoverable from the figure:]
Outside (security level 0): Web client 192.168.4.2, behind RTR1 (192.168.4.1/24);
  RTR1 192.168.3.2 and PIX1 outside interface 192.168.3.1 share 192.168.3.0/30.
DMZ (security level 50): Web server 192.168.1.2 on 192.168.1.0/24; PIX1 DMZ
  interface 192.168.1.1/24. Does not need to originate outbound traffic, but
  does need to respond to clients.
Inside (security level 100): Workstation 192.168.2.2 on 192.168.2.0/24; PIX1
  inside interface 192.168.2.1/24. Needs to access the Internet.

! A. Prevent the Web server from originating traffic, but enable
!    responses to clients (deny outbound access for the server)
access-list 99 deny ip host 192.168.1.2 any
access-list 99 permit ip any any
access-group 99 in interface dmz
! B. Enable the Web client to establish a session to the Web server
conduit permit tcp host 192.168.1.2 eq www host 192.168.4.2
! OR
access-list 100 permit tcp host 192.168.4.2 host 192.168.1.2 eq www
access-group 100 in interface outside
! C. Enable the workstation to access resources on the Internet
!    (no special configuration necessary to enable high-to-low access)
The inside workstation (denoted by C) needs to be able to access resources
on the Internet. The inside interface has a security level of 100, the highest possible
security level. Recall that hosts on higher security-level interfaces can access
hosts on lower security-level interfaces without any special configuration to
permit responses to return. This is exactly the case with this workstation, so we
need no special configuration.
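As an added example (not code from the book or from Cisco), the following Python script models the decision the PIX makes for each of the three flows in Figure 10.20. It parses the access-list, access-group and conduit lines of the figure and applies the rules stated above: default permit from a higher to a lower security level, a conduit or an access list required from lower to higher, and a bound access list evaluated first-match with an implicit deny at the end, taking precedence over conduits on that interface. Only ip/tcp/udp entries with a single eq port are modelled, translation is assumed to be in place, and the addresses are the figure's own; the B_ssh flow is a constructed negative case.

```python
import ipaddress

# Interface security levels from Figure 10.20.
SEC_LEVEL = {"outside": 0, "dmz": 50, "inside": 100}
PORT_NAMES = {"www": 80, "http": 80, "ssh": 22, "smtp": 25, "domain": 53}


def _addr(tokens):
    """Consume one address spec: 'any' | 'host A' | 'A MASK'. Returns (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def _port(tokens):
    """Consume an optional 'eq PORT' (only 'eq' is modelled). Returns (port or None, rest)."""
    if tokens and tokens[0] == "eq":
        return PORT_NAMES.get(tokens[1]) or int(tokens[1]), tokens[2:]
    return None, tokens


def parse_config(text):
    """Parse access-list, access-group and conduit lines into a policy dict.
    Every entry is normalised to (action, proto, src_net, dst_net, dst_port)."""
    pol = {"acl": {}, "group": {}, "conduit": []}
    for line in text.strip().splitlines():
        t = line.split()
        if t[0] == "access-list":              # access-list ID action proto SRC [eq P] DST [eq P]
            src, rest = _addr(t[4:])
            _, rest = _port(rest)               # a source port does not affect the decision here
            dst, rest = _addr(rest)
            dport, _ = _port(rest)
            pol["acl"].setdefault(t[1], []).append((t[2], t[3], src, dst, dport))
        elif t[0] == "access-group":           # access-group ID in interface IF
            pol["group"][t[4]] = t[1]
        elif t[0] == "conduit":                # conduit action proto GLOBAL [eq P] FOREIGN [eq P]
            glob, rest = _addr(t[3:])           # the protected (global) address comes first ...
            gport, rest = _port(rest)
            foreign, rest = _addr(rest)         # ... and the foreign address second
            pol["conduit"].append((t[1], t[2], foreign, glob, gport))
    return pol


def _matches(entry, proto, src, dst, dport):
    _, eproto, esrc, edst, eport = entry
    return (eproto in ("ip", proto) and src in esrc and dst in edst
            and (eport is None or eport == dport))


def decide(pol, ingress, egress, proto, src, dst, dport):
    """Verdict for a session originated on `ingress` and bound for `egress`.
    Returns (action, reason). Translation is assumed to be configured."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    acl_id = pol["group"].get(ingress)
    if acl_id:                                  # a bound access list governs the interface:
        for e in pol["acl"][acl_id]:            # first match wins, implicit deny at the end,
            if _matches(e, proto, src, dst, dport):   # and conduits are not consulted
                return e[0], f"access-list {acl_id}"
        return "deny", f"access-list {acl_id} (implicit deny)"
    if SEC_LEVEL[ingress] > SEC_LEVEL[egress]:  # higher -> lower: permitted by default
        return "permit", "default (higher to lower security level)"
    for e in pol["conduit"]:                    # lower -> higher: a conduit must permit it
        if _matches(e, proto, src, dst, dport):
            return e[0], "conduit"
    return "deny", "no conduit or access list permits this flow"


# The Figure 10.20 policy with the access-list form of B.
FIGURE_10_20 = """
access-list 99 deny ip host 192.168.1.2 any
access-list 99 permit ip any any
access-group 99 in interface dmz
access-list 100 permit tcp host 192.168.4.2 host 192.168.1.2 eq www
access-group 100 in interface outside
"""

# The same policy with the conduit form of B (no access list bound on outside).
CONDUIT_FORM = """
access-list 99 deny ip host 192.168.1.2 any
access-list 99 permit ip any any
access-group 99 in interface dmz
conduit permit tcp host 192.168.1.2 eq www host 192.168.4.2
"""


def scenario(config=FIGURE_10_20):
    """Flows A, B and C from the figure, plus a constructed flow the policy must reject."""
    pol = parse_config(config)
    return {
        "A": decide(pol, "dmz", "outside", "tcp", "192.168.1.2", "192.168.4.2", 80)[0],
        "B": decide(pol, "outside", "dmz", "tcp", "192.168.4.2", "192.168.1.2", 80)[0],
        "C": decide(pol, "inside", "outside", "tcp", "192.168.2.2", "192.168.4.2", 80)[0],
        "B_ssh": decide(pol, "outside", "dmz", "tcp", "192.168.4.2", "192.168.1.2", 22)[0],
    }


if __name__ == "__main__":
    for name, cfg in (("access-list form", FIGURE_10_20), ("conduit form", CONDUIT_FORM)):
        print(name, scenario(cfg))
```

Both forms of the policy give the same verdicts for A, B and C. Note that the dmz interface carries a bound access list, so even the DMZ's "higher to lower" traffic is decided by that list; that is why list 99 needs its trailing permit ip any any.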
Problems with lack of access become apparent when machines are unreachable.
Since access control mechanisms such as access lists and conduits have a
tightly coupled relationship with translation, you should validate the
translation configuration first. Once that is confirmed, begin your access troubleshooting.
Access problems can include typos, overly restrictive or loose access lists
or conduits, the wrong networks being denied or permitted access, or access lists
applied to the wrong interface. Here we demonstrate several commands that you
can use to verify access.
Recall that a conduit is a hole in your firewall security that permits hosts on
a lower security level access to resources on a higher security level. The main
command for verifying conduit configuration is show conduit. For example:

PIX1# show conduit
conduit permit tcp host 192.168.1.2 eq www host 192.168.4.2 (hitcnt=3)

This conduit permits 192.168.4.2 to access the Web server at 192.168.1.2.
Note the argument order: a conduit names the protected (global) address and its port
first and the foreign address second, the reverse of the source-then-destination
order used by an access list. A conduit written with the two swapped matches
nothing you intended, and its hit count stays at zero.
This is the only PIX command for checking conduits. With the option provided
in version 5.1 to use access lists instead, conduits are gradually being phased out
in favor of the more standard access lists. When that happens, you can remove all
conduit parameters from your PIX firewall configuration using the clear conduit
command. This is a slightly schizophrenic command, depending on where it is
used. If used at the privileged command prompt as clear conduit counters, it
"zeroizes" the hit counter. If clear conduit is used in configuration mode, it
removes all conduit statements from the PIX firewall configuration.
Access lists, another access control mechanism, offer more troubleshooting
tools than conduits do. The show access-list command can be used to confirm
which access lists are configured on the PIX firewall and what they are permitting
and denying:

PIX1# show access-list
access-list 99; 2 elements
access-list 99 deny ip host 192.168.1.2 any (hitcnt=1)
access-list 99 permit ip any any (hitcnt=0)
access-list 100 permit tcp host 192.168.4.2 host 192.168.1.2 eq www (hitcnt=5)

This command was executed on the firewall in Figure 10.20. Recall that an
access list only affects traffic coming into an interface. Once you have confirmed
that the access list is configured as it should be, the next troubleshooting step is to
verify that it has been applied to the correct interface. Cisco provides the show
access-group command for this purpose. For example:

PIX1# show access-group
access-group 99 in interface dmz
access-group 100 in interface outside

The in keyword is mandatory and serves as a reminder that the access list is
applied only to traffic coming into the interface. Cisco provides a debug command
for troubleshooting access list events as they occur. Be aware that when you
use this command, it debugs all access lists. There is no option to do real-time
monitoring of a particular access list. This can generate copious amounts of data,
especially if you execute it on a high-traffic PIX firewall. As with any debug command,
use it sparingly and only if you know what you are looking for. The debug
access-list command can provide feedback on your access list and whether it is permitting
or denying the traffic that it should. The command syntax is as follows:

debug access-list {all | standard | turbo}
Another access control mechanism is outbound/apply, but Cisco recommends
that it not be used. Cisco recommends that you use the access list feature of the
PIX firewall instead. The outbound/apply commands were the precursor to the
access list feature and are still available and supported by the PIX firewall software.
However, these commands suffer from a very awkward syntax, are fairly
limited, and can be frustrating to troubleshoot. The outbound command was
designed to control access of inside users to outside resources. Having said all
that, a working familiarity with the command is useful for when you encounter
situations in which it is still used. The syntax for the outbound command is as
follows:

outbound list_ID permit | deny ip_address [netmask [port[-port]] [protocol]]
outbound list_ID except ip_address [netmask [port[-port]] [protocol]]

The list_ID parameter specifies a unique identifier for the outbound list. You can
configure either a permit rule, a deny rule, or an except rule (which creates an
exception to a previous outbound command). Unlike access lists, outbound lists
are not processed from top to bottom. Each line is parsed regardless of whether
there is a match or not. Cisco recommends that all outbound lists start with a
deny all (deny 0 0 0), followed by specific statements permitting access. The net
effect is cumulative. How the PIX firewall uses the outbound list depends on the
syntax of the apply command:
apply [(if_name)] list_ID outgoing_src | outgoing_dst

When the outgoing_src parameter is used, the source IP address, destination
port, and protocol are filtered. When the outgoing_dst parameter is used, the destination
IP address, port, and protocol are filtered. It is vital you understand that
the outbound list does not determine whether the IP address it uses is either a
source or a destination; the apply command does that. This can be a major
troubleshooting headache because an outbound list could be configured correctly
but might not work because the apply command is configured incorrectly. When
troubleshooting outbound, ensure that you check the apply configuration as well.
When multiple rules match the same packet, the rule with the best match is
used. The best match is based on the netmask and port range. The stricter
the IP address and the smaller the port range, the better a match it is. If there is a
tie, a permit option takes precedence over a deny option.
Here is an example of outbound/apply:

PIX1(config)# outbound 99 deny 0 0 0
PIX1(config)# outbound 99 permit 0.0.0.0 0.0.0.0 1-1024 tcp
PIX1(config)# outbound 99 except 192.168.2.0 255.255.255.0
PIX1(config)# apply (inside) 99 outgoing_src

In this example, the first statement denies all traffic, the second line permits
any host access to TCP ports 1-1024 on any host, and the third line denies the
192.168.2.0/24 network access to any TCP ports permitted by the second
line. We are using the outgoing_src keyword, meaning that the IP addresses referenced
are source addresses.
Cisco only provides a few commands for checking outbound/apply parameters.
First, do not forget to do a clear xlate after configuring outbound/apply;
outbound rules are consulted when a translation slot is built, so existing slots
keep running under the old policy until they are cleared. Use
show outbound to display the outbound lists that are configured. The show apply
command identifies the interfaces and direction to which the outbound lists have
been applied. No debug commands are associated with outbound/apply. Given that
access lists have now superseded outbound/apply, you would be better served in
terms of both configuration and support to use them instead. Not only do access
lists conform to the standard Cisco syntax, they also offer better and easier-to-understand
filtering.
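As an added example (not code from the book or from Cisco), the following Python script implements the best-match rule described above for an outbound list, together with the source/destination switch made by the apply command. It runs the text's list without its except line (except is not modelled) and two constructed variants: a host-specific deny that outranks the broad permit, and a deny applied with outgoing_dst so that its address is read as a destination. Flow addresses are the figure's. Permitting a connection that matches no entry at all is an assumption of this model, and it is exactly why the text recommends opening every list with deny 0 0 0.

```python
import ipaddress

ANY_PROTO = ("0", "ip")   # protocol 0 in the outbound syntax means any protocol


def parse_outbound(text):
    """Parse 'outbound ID permit|deny ADDR [MASK [PORT[-PORT]] [PROTO]]' and
    'apply (IF) ID outgoing_src|outgoing_dst' lines.
    Entries are (action, network, (low_port, high_port), proto); 'except' is not modelled."""
    lists, applies = {}, {}
    for line in text.strip().splitlines():
        t = line.split()
        if t[0] == "outbound" and t[2] in ("permit", "deny"):
            addr = "0.0.0.0" if t[3] == "0" else t[3]       # '0' shorthand means any address
            mask = t[4] if len(t) > 4 else "255.255.255.255"  # no mask given: a single host
            if mask == "0":
                mask = "0.0.0.0"
            ports = t[5] if len(t) > 5 else "0"
            proto = t[6] if len(t) > 6 else "0"
            lo, _, hi = ports.partition("-")
            lo, hi = int(lo), int(hi or lo)
            if lo == 0:                                       # port 0 means every port
                lo, hi = 1, 65535
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            lists.setdefault(t[1], []).append((t[2], net, (lo, hi), proto))
        elif t[0] == "apply":
            applies[t[1].strip("()")] = (t[2], t[3])          # interface -> (list ID, direction)
    return lists, applies


def evaluate(lists, applies, iface, src, dst, dport, proto):
    """Decide a connection leaving through `iface` under the best-match rule:
    every entry is examined, the longest netmask wins, a narrower port range
    breaks a netmask tie, and permit beats deny on a full tie.
    Returns (verdict, winning_entry)."""
    if iface not in applies:
        return "permit", None       # no outbound list on this interface: nothing is filtered
    list_id, direction = applies[iface]
    # The apply command, not the list, decides which address the entries refer to.
    ip = ipaddress.ip_address(src if direction == "outgoing_src" else dst)
    best, best_key = None, None
    for entry in lists[list_id]:
        action, net, (lo, hi), eproto = entry
        if ip not in net or not (lo <= dport <= hi) or eproto not in ANY_PROTO + (proto,):
            continue
        key = (net.prefixlen, -(hi - lo), action == "permit")
        if best_key is None or key > best_key:
            best, best_key = entry, key
    if best is None:
        return "permit", None       # assumed default when nothing matches (hence deny 0 0 0 first)
    return best[0], best


# The text's list, without its except line, applied by source address.
TEXT_EXAMPLE = """
outbound 99 deny 0 0 0
outbound 99 permit 0.0.0.0 0.0.0.0 1-1024 tcp
apply (inside) 99 outgoing_src
"""

# Constructed variant: a host-specific deny for TCP/22 that outranks the broad permit.
HOST_DENY = TEXT_EXAMPLE + "outbound 99 deny 192.168.2.2 255.255.255.255 22 tcp\n"

# Constructed variant: the apply command makes the listed address a destination.
BY_DESTINATION = """
outbound 10 deny 192.168.4.2 255.255.255.255 0 0
apply (inside) 10 outgoing_dst
"""


def demo():
    """Verdicts for a handful of connections from the inside workstation 192.168.2.2."""
    out = {}
    lists, applies = parse_outbound(TEXT_EXAMPLE)
    out["tcp80"] = evaluate(lists, applies, "inside", "192.168.2.2", "192.168.4.2", 80, "tcp")[0]
    out["tcp8080"] = evaluate(lists, applies, "inside", "192.168.2.2", "192.168.4.2", 8080, "tcp")[0]
    out["udp53"] = evaluate(lists, applies, "inside", "192.168.2.2", "192.168.4.2", 53, "udp")[0]
    lists, applies = parse_outbound(HOST_DENY)
    out["host_ssh"] = evaluate(lists, applies, "inside", "192.168.2.2", "192.168.4.2", 22, "tcp")[0]
    out["other_ssh"] = evaluate(lists, applies, "inside", "192.168.2.3", "192.168.4.2", 22, "tcp")[0]
    lists, applies = parse_outbound(BY_DESTINATION)
    out["to_4_2"] = evaluate(lists, applies, "inside", "192.168.2.2", "192.168.4.2", 80, "tcp")[0]
    out["to_4_9"] = evaluate(lists, applies, "inside", "192.168.2.2", "192.168.4.9", 80, "tcp")[0]
    return out


if __name__ == "__main__":
    print(demo())
```

The ordering of entries in a list never changes a verdict here, which is the practical difference from an access list: swapping the deny 0 0 0 and the permit line gives the same results, while moving the apply from outgoing_src to outgoing_dst changes which connections the same entries hit.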
One feature does not seem to be access related, but since it curtails the operations
of certain protocols, one can argue that access to certain features of the
"protected" protocols has been negated. As discussed in Chapter 4, the PIX
firewall software provides application inspection features through the fixup command.
There is a standard set of protocols for which the fixup capability is enabled
automatically, such as HTTP, SMTP, FTP, and so on. This configuration sometimes disables
certain commands or features in the target protocols to prevent malicious
misuse. To determine for which protocols fixup is enabled, run the show fixup
command. For example:

PIX1# show fixup
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000