Checking Access

The PIX firewall provides several mechanisms for controlling access through it. In this section, we cover several of these mechanisms and discuss some ways to monitor and verify their functionality. The default behavior of the PIX firewall is to permit access to sessions originated from a higher security-level interface to a lower security-level interface, as long as a translation is configured. Traffic that originates from a low security-level interface to a high security-level interface has to be specifically permitted using conduits or access lists (and of course, translations).

www.syngress.com

584 Chapter 10 • Troubleshooting and Performance Monitoring

The conduit command is a special form of an access list. It is used to permit traffic from a lower security-level interface to a higher security-level interface. Figure 10.20 shows several common access scenarios with various hosts needing access to each other. The Web client (security level 0) will be accessing the Web server (security level 50); the default behavior of the PIX firewall is to forbid such traffic. The workstation (security level 100) needs to access Internet resources using the outside network. The figure also provides the configuration necessary to enable the access needed by the various hosts and servers, which are denoted A, B, and C for ease of discussion. The assumption is that all translation parameters have been configured and are working correctly, which enables us to focus on specific access issues. The addresses shown are used for discussion, but in your mind, assume that they have been translated.

The Web server needs to be prevented from originating sessions to networks located off the DMZ network but must be able to respond to service requests from the Web client located on the outside network. To accomplish this goal, we created an access list to deny 192.168.1.2 from accessing anything and applied it to the DMZ interface. Then we created a conduit to permit 192.168.4.2 to access Web services (TCP port 80) on 192.168.1.2. Alternatively, we could have used an access list to accomplish the same thing, as shown in Figure 10.20. The option to use access lists instead of conduits is available only on PIX firewall software versions 5.1 and later. It is important to note that Cisco recommends that you avoid mixing access lists and conduits. Additionally, access lists take precedence over conduits. In the PIX environment, access lists have one and only one direction: in. The access-group command applies the access list to traffic coming into the designated interface.

Figure 10.20 Access Scenario

[Diagram: PIX1 with three interfaces and the hosts attached to each]
Outside - 0: link 192.168.3.0/30 between PIX1 and RTR1 (192.168.3.2/24 and 192.168.3.1/24); Web Client 192.168.4.2 behind RTR1 (192.168.4.1/24), needs access to 192.168.1.2 (B)
DMZ - 50: 192.168.1.0/24, PIX1 192.168.1.1/24; Web Server 192.168.1.2, does not need to originate outbound traffic, but does need to respond to clients (A)
Inside - 100: 192.168.2.0/24, PIX1 192.168.2.1/24; Workstation 192.168.2.2, needs to access the Internet (C)

Configuration shown in the figure:
! A. Prevent Web server from originating traffic, but enable
!    responses to clients. (deny outbound access for server)
access-list 99 deny ip host 192.168.1.2 any
access-group 99 in interface dmz
access-list 100 permit ip any any
! B. Enable Web Client to establish session to Web Server
conduit permit tcp host 192.168.4.2 host 192.168.1.2 eq www
OR
access-list 100 permit tcp host 192.168.4.2 host 192.168.1.2 eq www
access-group 100 in interface outside
! C. Enable workstation to access resources on Internet.
!    (no special configuration necessary to enable high to low access.)

The inside workstation (denoted by C) needs to be able to access resources on the Internet. The inside interface has a security level of 100, the highest possible security level. Recall that hosts on higher security-level interfaces can access hosts on lower security-level interfaces without any special configuration to permit responses to return. This is exactly the case with this workstation, so we need no special configuration.

Problems with lack of access become apparent when machines are unreachable. Since access control mechanisms such as access lists and conduits have a closely coupled relationship with translation, you should validate the translation configuration first. Once that is confirmed, begin your access troubleshooting. Access problems can include typos, overly restrictive or loose access lists or conduits, the wrong networks being denied or permitted access, or access lists applied to the wrong interface. Here we demonstrate several commands that you can use to verify access.

Recall that a conduit is a hole in your firewall security that permits hosts on a lower security level access to resources on a higher security level. The main command for verifying conduit configuration is show conduit. For example:

PIX1# show conduit
conduit permit tcp host 192.168.4.2 host 192.168.1.2 eq www (hitcnt=3)

This conduit permits 192.168.4.2 to access the Web server at 192.168.1.2. This is the only PIX command for checking conduits. With the option provided in version 5.1 to use access lists instead, conduits are gradually being phased out in favor of the more standard access lists. When that happens, you can remove all conduit parameters from your PIX firewall configuration using the clear conduit command. This is a slightly schizophrenic command, depending on where it is used. If used at the privileged command prompt as clear conduit counters, it "zeroizes" the hit counter. If clear conduit is used in configuration mode, it removes all conduit statements from the PIX firewall configuration.


Access lists, another access control mechanism, offer more troubleshooting tools than conduits do. The show access-list command can be used to confirm which access lists are configured on the PIX firewall and what they are permitting and denying:

PIX1# show access-list
access-list 99; 2 elements
access-list 99 deny ip host 192.168.1.2 any (hitcnt=1)
access-list 99 permit ip any any (hitcnt=0)
access-list 100 permit tcp host 192.168.4.2 host 192.168.1.2 eq www (hitcnt=5)

This command was executed on the firewall in Figure 10.20. Recall that an access list only affects traffic coming into an interface. Once you have confirmed that the access list is configured as it should be, the next troubleshooting step is to verify that it has been applied to the correct interface. Cisco provides the show access-group command for this purpose. For example:

PIX1# show access-group
access-group 99 in interface dmz
access-group 100 in interface outside
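The two checks just described (is the list configured as intended, and is it bound to the right interface) can be automated against saved command output. The following Python script is an added example, not code from the book or from Cisco: it parses text modelled on the show access-list and show access-group transcripts above (the sample is constructed here; a third list, 101, is invented to show a list that was never applied) and reports lists with no access-group binding, bindings to lists that do not exist, and entries whose hit counter is still zero.

```python
import re

# Constructed sample output, modelled on the show access-list and show access-group
# transcripts in this section (not captured from a real PIX). List 101 is invented
# here to show an access list that was configured but never bound with access-group.
SHOW_ACCESS_LIST = """\
access-list 99; 2 elements
access-list 99 deny ip host 192.168.1.2 any (hitcnt=1)
access-list 99 permit ip any any (hitcnt=0)
access-list 100; 1 elements
access-list 100 permit tcp host 192.168.4.2 host 192.168.1.2 eq www (hitcnt=5)
access-list 101; 1 elements
access-list 101 permit tcp any host 192.168.1.2 eq www (hitcnt=0)
"""

SHOW_ACCESS_GROUP = """\
access-group 99 in interface dmz
access-group 100 in interface outside
"""

# One access control entry: "access-list <name> <permit|deny> <match> (hitcnt=<n>)"
ACE_RE = re.compile(r"^access-list (\S+) (permit|deny) (.+?) \(hitcnt=(\d+)\)$")
# Binding line from show access-group; only the "in" direction exists on the PIX
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")


def parse_access_lists(text):
    """Return {acl_name: [entry, ...]} where entry = {action, match, hitcnt}."""
    acls = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = ACE_RE.match(line)
        if m:
            name, action, match, hits = m.groups()
            acls.setdefault(name, []).append(
                {"action": action, "match": match, "hitcnt": int(hits)})
        elif line.startswith("access-list ") and ";" in line:
            # Header line such as "access-list 99; 2 elements" names the list
            acls.setdefault(line.split()[1].rstrip(";"), [])
    return acls


def parse_access_groups(text):
    """Return {acl_name: interface} from show access-group output."""
    bindings = {}
    for raw in text.splitlines():
        m = GROUP_RE.match(raw.strip())
        if m:
            bindings[m.group(1)] = m.group(2)
    return bindings


def audit(acls, bindings):
    """Flag the misconfigurations the text lists: lists that exist but were never
    applied, bindings to lists that do not exist, and entries that never matched."""
    findings = []
    for name, entries in acls.items():
        if name not in bindings:
            findings.append(f"access-list {name} is configured but not applied with access-group")
        for e in entries:
            if e["hitcnt"] == 0:
                findings.append(
                    f"access-list {name} {e['action']} {e['match']} has hitcnt=0 (never matched)")
    for name, iface in bindings.items():
        if name not in acls:
            findings.append(f"access-group binds undefined access-list {name} to interface {iface}")
    return findings


if __name__ == "__main__":
    acls = parse_access_lists(SHOW_ACCESS_LIST)
    for finding in audit(acls, parse_access_groups(SHOW_ACCESS_GROUP)):
        print(finding)
```

A zero hit count is only a hint: an entry may legitimately never match, but an entry you expect to be hit that shows hitcnt=0 usually points at a typo in the addresses, the wrong interface in access-group, or a translation that is not in place.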

The in keyword is mandatory and serves as a reminder that the access list is applied only to traffic coming into the interface. Cisco provides a debug command for troubleshooting access list events as they occur. Be aware that when you use this command, it debugs all access lists. There is no option to do real-time monitoring of a particular access list. This can generate copious amounts of data, especially if you execute it on a high-traffic PIX firewall. As with any debug command, use it sparingly and only if you know what you are looking for. The debug access-list command can provide feedback on your access list and whether it is permitting or denying the traffic that it should. The command syntax is as follows:

debug access-list {all | standard | turbo}

Another access control mechanism is outbound/apply, but Cisco recommends that it not be used. Cisco recommends that you use the access list feature of the PIX firewall instead. The outbound/apply commands were the precursor to the access list feature and are still available and supported by the PIX firewall software. However, these commands suffer from a very awkward syntax, are fairly limited, and can be frustrating to troubleshoot. The outbound command was designed to control access of inside users to outside resources. Having said all that, a working familiarity with the command is useful for when you encounter situations in which it is still used. The syntax for the outbound command is as follows:

outbound {permit | deny | except} [] [ [-]] [tcp | udp | icmp]

The ID parameter specifies a unique identifier for the outbound list. You can either configure a permit rule, a deny rule, or an except rule (which creates an exception to a previous outbound command). Unlike access lists, outbound lists are not processed from top to bottom. Each line is parsed regardless of whether there is a match or not. Cisco recommends that all outbound lists start with a deny all (deny 0 0 0), followed by specific statements permitting access. The net effect is cumulative. How the PIX firewall uses the outbound list depends on the syntax of the apply command:

apply [] {outgoing_src | outgoing_dest}

When the outgoing_src parameter is used, the source IP address, destination port, and protocol are filtered. When the outgoing_dst parameter is used, the destination IP address, port, and protocol are filtered. It is vital you understand that the outbound list does not determine whether the IP address it uses is either a source or a destination; the apply command does that. This can be a major troubleshooting headache because an outbound list could be configured correctly but might not work because the apply command is configured incorrectly. When troubleshooting outbound, ensure that you check the apply configuration as well.

When multiple rules match the same packet, the rule with the best match is used. The best-match rule is based on the netmask and port range. The stricter the IP address and the smaller the port range, the better a match it is. If there is a tie, a permit option takes precedence over a deny option.

Here is an example of outbound/apply:

PIX1(config)# outbound 99 deny 0 0 0
PIX1(config)# outbound 99 permit 0.0.0.0 0.0.0.0 1-1024 tcp
PIX1(config)# outbound 99 except 192.168.2.0 255.255.255.0
PIX1(config)# apply (inside) 99 outgoing_src

In this example, the first line denies all traffic, the second line permits any host access to TCP ports 1-1024 on any host, and the third line denies the 192.168.2.0/24 network from access to any TCP ports permitted by the second line. We are using the outgoing_src keyword, meaning that the IP addresses referenced are source addresses.
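Because outbound lists are evaluated by best match rather than top to bottom, and because the apply mode decides which address the list is compared against, it helps to work through the evaluation by hand. The following Python script is an added example, not code from the book or from Cisco: it parses a constructed copy of the outbound/apply example above and models the semantics the text describes (every rule examined, longest netmask and narrowest port range win, ties go to permit). Treating an except entry as cancelling a permit for any address it covers is a simplifying assumption made here to match the text's description of the third line; the exact PIX behaviour of except is not covered on this page.

```python
import ipaddress

# Constructed copy of the outbound/apply example from the text, as it would appear in
# a running configuration (not captured from a real PIX).
OUTBOUND_CONFIG = """\
outbound 99 deny 0 0 0
outbound 99 permit 0.0.0.0 0.0.0.0 1-1024 tcp
outbound 99 except 192.168.2.0 255.255.255.0
apply (inside) 99 outgoing_src
"""


def _parse_ports(spec):
    """'0' means every port, '1-1024' a range, '80' a single port."""
    if spec == "0":
        return (0, 65535)
    if "-" in spec:
        lo, hi = spec.split("-")
        return (int(lo), int(hi))
    return (int(spec), int(spec))


def parse_outbound(text):
    """Return (lists, applies): lists = {id: [rule, ...]}, applies = {iface: (id, mode)}."""
    lists, applies = {}, {}
    for raw in text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        if parts[0] == "outbound":
            list_id, action = parts[1], parts[2]
            ip = parts[3] if len(parts) > 3 else "0"
            mask = parts[4] if len(parts) > 4 else "0"
            ports = parts[5] if len(parts) > 5 else "0"
            proto = parts[6] if len(parts) > 6 else "ip"   # omitted protocol = any
            ip = "0.0.0.0" if ip == "0" else ip
            mask = "0.0.0.0" if mask == "0" else mask
            net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
            lists.setdefault(list_id, []).append(
                {"action": action, "net": net, "ports": _parse_ports(ports), "proto": proto})
        elif parts[0] == "apply":
            applies[parts[1].strip("()")] = (parts[2], parts[3])
    return lists, applies


def _matches(rule, addr, port, proto):
    lo, hi = rule["ports"]
    return (ipaddress.ip_address(addr) in rule["net"]
            and lo <= port <= hi
            and rule["proto"] in ("ip", proto))


def evaluate(lists, applies, iface, src, dst, port, proto):
    """Return 'permit' or 'deny' for a packet leaving through iface.

    The apply mode selects whether the list's addresses are compared against the
    source (outgoing_src) or the destination. All permit/deny rules are examined;
    the best match wins (longer prefix, then narrower port range, then permit on a
    tie). Assumption: an except entry cancels a permit for the addresses it covers.
    """
    if iface not in applies:
        return "permit"            # no outbound list applied to this interface
    list_id, mode = applies[iface]
    addr = src if mode == "outgoing_src" else dst
    candidates = [r for r in lists.get(list_id, [])
                  if r["action"] in ("permit", "deny") and _matches(r, addr, port, proto)]
    if not candidates:
        return "permit"            # assumption: nothing in the list applies
    best = max(candidates, key=lambda r: (r["net"].prefixlen,
                                          -(r["ports"][1] - r["ports"][0]),
                                          r["action"] == "permit"))
    if best["action"] == "permit":
        for r in lists[list_id]:
            if r["action"] == "except" and _matches(r, addr, port, proto):
                return "deny"
    return best["action"]


if __name__ == "__main__":
    lists, applies = parse_outbound(OUTBOUND_CONFIG)
    print(evaluate(lists, applies, "inside", "192.168.5.5", "10.0.0.1", 80, "tcp"))    # permit
    print(evaluate(lists, applies, "inside", "192.168.2.2", "10.0.0.1", 80, "tcp"))    # deny
    print(evaluate(lists, applies, "inside", "192.168.5.5", "10.0.0.1", 8080, "tcp"))  # deny
    # Same list, but applied with outgoing_dest: the except now never matches
    wrong_apply = {"inside": ("99", "outgoing_dest")}
    print(evaluate(lists, wrong_apply, "inside", "192.168.2.2", "10.0.0.1", 80, "tcp"))  # permit
```

The last call reproduces the troubleshooting headache the text describes: the outbound list is unchanged and correct, but with the apply command in the wrong mode the 192.168.2.0/24 exception is compared against the destination address and silently stops applying.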


Cisco only provides a few commands for checking outbound/apply parameters. First, do not forget to do a clear xlate after configuring outbound/apply. Use show outbound to display the outbound lists that are configured. The show apply command identifies the interfaces and directions to which the outbound lists have been applied. No debug commands are associated with outbound/apply. Given that access lists have now superseded outbound/apply, you would be better served in terms of both configuration and support to use them instead. Not only do access lists conform to the standard Cisco syntax, they also offer better and easier-to-understand filtering.

One feature does not seem to be access related, but since it curtails the operations of certain protocols, one can argue that access to certain features of the "protected" protocol has been negated. As discussed in Chapter 4, the PIX firewall software provides application inspection features through the fixup command. There is a standard set of protocols for which the fixup capability is enabled automatically, such as HTTP, SMTP, FTP, and so on. This configuration sometimes disables certain commands or features in the target protocols to prevent malicious misuse. To determine for which protocols fixup is enabled, run the show fixup command. For example:

PIX1# show fixup
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000