CISCO PIX: ACCESS CONTROL LISTS AND CONTENT FILTERING CONT...
Modifying ACL’s
Obviously we are not going to get the ACLs right first time, and they
are not going to remain unchanged for the lifetime of the firewall.
ACLs on the PIX are given consecutive line numbers, which lets us
change, add or remove Access Control Entries (ACEs) without having to
rewrite the entire ACL.
An ACL is made up of one or more ACEs.
If we issue the ‘sh access-list’ command the output will be along the
lines of:
Code:
London(config)# sh access-list
access-list ACLOUT line 2 permit tcp any host 80.80.80.80 eq www (hitcnt=0)
access-list ACLOUT line 3 permit udp any any (hitcnt=0)
access-list ACLOUT line 4 permit tcp any any eq ftp (hitcnt=0)
access-list ACLOUT line 5 permit tcp any any eq https (hitcnt=0)
**The hitcnt (hit count) shows how many times the PIX has matched that
specific ACE, which is the best indication of whether an ACE is actually
being used or not.**
The PIX adds the line numbers to the ACEs automatically; no
configuration is required from the administrator.
**The line numbers are only displayed when you issue the sh access-list
command; they do not appear when you view the running or startup
configuration.**
So say we add a new web server with the IP 80.80.80.81; we need to be
able to add the ACE without taking down the whole ACL.
Here is what we do:
Code:
London(config)# access-list ACLOUT line 3 permit tcp any host 80.80.80.81 eq www
This adds the ACE to the ACL at line 3 and pushes the other ACEs down
one (unlike a router, where this command would overwrite the existing
ACE).
Code:
London(config)# sh access-list
access-list ACLOUT line 2 permit tcp any host 80.80.80.80 eq www (hitcnt=0)
access-list ACLOUT line 3 permit tcp any host 80.80.80.81 eq www (hitcnt=0)
access-list ACLOUT line 4 permit udp any any (hitcnt=0)
access-list ACLOUT line 5 permit tcp any any eq ftp (hitcnt=0)
access-list ACLOUT line 6 permit tcp any any eq https (hitcnt=0)
Or, if we decide we don’t need a particular ACE any more, we use the
‘no’ form of the command to remove it from the ACL.
Code:
London(config)# no access-list ACLOUT line 3 permit tcp any host 80.80.80.81 eq www
Remarks
When a lot of ACEs are configured in an ACL, viewing and administering
them can become very hard indeed, especially when you are looking for a
certain ACE to alter. For this reason Cisco have given us the option to
add a remark to an ACE to explain to us, or to subsequent
administrators, what the ACE is for.
Code:
London(config)# access-list ACLOUT line 1 remark BILLING WEB SERVER ACE
London(config)# access-list ACLOUT line 3 remark ORDERING WEB SERVER ACE
Code:
London(config)# sh access-list
access-list ACLOUT line 1 remark BILLING WEB SERVER ACE
access-list ACLOUT line 2 permit tcp any host 80.80.80.80 eq www (hitcnt=0)
access-list ACLOUT line 3 remark ORDERING WEB SERVER ACE
access-list ACLOUT line 4 permit tcp any host 80.80.80.81 eq www (hitcnt=0)
access-list ACLOUT line 5 permit udp any any (hitcnt=0)
access-list ACLOUT line 6 permit tcp any any eq ftp (hitcnt=0)
access-list ACLOUT line 7 permit tcp any any eq https (hitcnt=0)
As you can see in the above output, the remark is inserted above the ACE
it describes and all the subsequent line numbers are incremented by one.
This is a good example of why anything like this should be written in
capitals, as it stands out straight away.
A remark can be up to 100 characters long.
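Because the hit counts and line numbers only exist in ‘sh access-list’ output, reviewing a large ACL means parsing that output. The following Python script is an added example, not part of the original tutorial: it parses the remark and ACE lines shown above (the sample output and its non-zero hit counts are constructed), attaches each remark to the ACE beneath it, and flags the two things an administrator looks for first, ACEs that have never been hit and permits from any to any.

```python
import re

# Constructed sample of `sh access-list` output, modelled on the tutorial's ACLOUT
# examples; the non-zero hit counts are made up for illustration.
SAMPLE_OUTPUT = """\
access-list ACLOUT line 1 remark BILLING WEB SERVER ACE
access-list ACLOUT line 2 permit tcp any host 80.80.80.80 eq www (hitcnt=1532)
access-list ACLOUT line 3 remark ORDERING WEB SERVER ACE
access-list ACLOUT line 4 permit tcp any host 80.80.80.81 eq www (hitcnt=0)
access-list ACLOUT line 5 permit udp any any (hitcnt=0)
access-list ACLOUT line 6 permit tcp any any eq ftp (hitcnt=87)
access-list ACLOUT line 7 permit tcp any any eq https (hitcnt=0)
"""
ACE_RE = re.compile(r"^access-list\s+(\S+)\s+line\s+(\d+)\s+(permit|deny)\s+(\S+)\s+"
                    r"(.*?)\s*\(hitcnt=(\d+)\)$", re.IGNORECASE)
REMARK_RE = re.compile(r"^access-list\s+(\S+)\s+line\s+(\d+)\s+remark\s+(.*)$",
                       re.IGNORECASE)

def _take_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D MASK'; return (addr, rest)."""
    n = 1 if tokens[0] == "any" else 2
    return " ".join(tokens[:n]), tokens[n:]

def parse_access_list(output):
    """Return the ACEs as dicts; a remark is attached to the ACE that follows it."""
    entries, remark = [], None
    for line in output.splitlines():
        m = REMARK_RE.match(line.strip())
        if m:
            remark = m.group(3)           # keep it for the next ACE
            continue
        m = ACE_RE.match(line.strip())
        if not m:
            continue                      # prompt, blank lines, anything else
        acl, num, action, proto, rest, hits = m.groups()
        src, tokens = _take_addr(rest.split())
        dst, tokens = _take_addr(tokens)
        port = tokens[1] if len(tokens) >= 2 and tokens[0] == "eq" else None
        entries.append({"acl": acl, "line": int(num), "action": action.lower(),
                        "proto": proto.lower(), "src": src, "dst": dst,
                        "port": port, "hits": int(hits), "remark": remark})
        remark = None
    return entries

def review(entries):
    """Flag ACEs worth a second look: never hit (hitcnt=0) or permit any to any."""
    unused = [e["line"] for e in entries if e["hits"] == 0]
    wide_open = [e["line"] for e in entries
                 if e["action"] == "permit" and e["src"] == e["dst"] == "any"]
    return {"unused": unused, "wide_open": wide_open}
```

A zero hit count on a freshly added ACE is expected, so compare counts over time before removing an entry; a permit from any to any is worth a remark at the very least.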
ICMP
ICMP can be configured in pretty much every way imaginable on the PIX.
By default pinging through the PIX to a PIX interface is not allowed
but pinging an interface from a host attached to that interface is
permitted. So for example a host on the internal network can ping the
INSIDE interface but not the OUTSIDE interface.
It is recommended to permit ICMP type 3 messages (destination
unreachable), as denying them disables MTU discovery, which can cause
IPSec and PPTP traffic to fail.
To allow ICMP we use the following command:
Code:
London(config)# icmp permit any echo-reply outside
London(config)# icmp permit any unreachable outside
The syntax for the ICMP commands is:
Code:
icmp {permit | deny} source_address source_mask {icmp_type} {interface_name}
So, for example:
Code:
icmp permit 80.80.80.81 255.255.255.255 echo outside
icmp deny any redirect outside
And so on.
You can find a list of all the different ICMP types here:
http://www.iana.org/assignments/icmp-parameters
To remove all ICMP configurations use the ‘clear icmp’ command:
Code:
London(config)# clear icmp
Original Tutorial
by nokia for TheTAZZone-TAZForum
Originally posted on October 6th, 2006 here
Do not use, republish, in whole or in part, without the consent of
the Author. TheTAZZone policy is that Authors retain the rights to the
work they submit and/or post...we do not sell, publish, transmit, or
have the right to give permission for such...TheTAZZone merely retains
the right to use, retain, and publish submitted work within its
Network.