topic PIX 501 - change fixup, name and access-list entries in Network Security

PIX 501 - change fixup, name and access-list entries

DAVMAC111 — Mon, 11 Mar 2019 10:15:22 GMT

As stated in my first post, I am attempting to reconfigure an inherited PIX 501 firewall and working backwards, in other words, changing the previous configuration and eliminating un-needed elements.

FIXUP PROTOCOL

What are these entries for?

Some protocols appear familiar, others less so.

Can I leave them as is?

fixup protocol dns maximum-length 1024

fixup protocol ftp 21

fixup protocol h323 h225 1720

no fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

NAMES

Most of these pertain to the previous organization and are of no value to me. Can I eliminate these references? If so, how?

clear names?

no name - for individual entries?

I DO notice that they seem to be used as a sort of an alias in the access-list section, replacing the complete IP address.

name x.x.x.17 XX

name x.x.x.18 Pix-Out

name x.x.x.19 GWMail-Out

name 10.10.1.1 Pix-In

name 10.10.1.11 GWMail-In

name 10.10.1.12 NPSPRO

name x.x.x.21 pcaw

name x.x.x.22 Free2

ACCESS LIST - with my questions and commentary

access-list acl-out permit icmp any any

OK - permit outbound icmp traffic - makes sense

access-list acl-out permit tcp any host GWMail-Out eq smtp

access-list acl-out permit tcp any host GWMail-Out eq www

access-list acl-out permit udp any host GWMail-Out eq ntp

access-list acl-out permit tcp any host GWMail-Out eq 7205

THE above entries allow outbound traffic to indicated host - but I want to either eliminate or modify them. For the time being, I only need either all outbound or www outbound - I'll figure out the rest myself later.

access-list nonat permit ip 10.10.x.x 255.255.255.0 10.20.1.0

255.255.255.0

THIS has to do with NAT - I will need to reconfigure with my info.

access-list acl-in permit tcp host GWMail-In any eq smtp

access-list acl-in deny tcp any any eq smtp

access-list acl-in permit ip any any

LAST entry worries me... isn't it allowing all inbound?

MOST IMPORTANT - I want to make sure I do not lock myself out by blocking telnet access from the LAN.

Thank you in advance - response to my first post was excellent.

David

Re: PIX 501 - change fixup, name and access-list entries

acomiskey — Wed, 16 May 2007 16:56:21 GMT

You cannot say which direction your acl is without looking at the corresponding access-group statement.

Most likely acl-in is outbound traffic, or into inside interface (access-group acl-in in interface inside). This acl is allowing only your mail server to send outbound smtp traffic.

acl-out is most likely inbound traffic, or into outside interface (access-group acl-out in interface outside). This is allowing traffic from outside to your mail server.

access-list acl-out permit icmp any any

"OK - permit outbound icmp traffic - makes sense"

No, this is allowing icmp inbound from outside to inside.

Re: PIX 501 - change fixup, name and access-list entries

acomiskey — Wed, 16 May 2007 16:57:57 GMT

This one is most likely defining nat exemption for a vpn.

access-list nonat permit ip 10.10.x.x 255.255.255.0 10.20.1.0

Re: PIX 501 - change fixup, name and access-list entries

acomiskey — Wed, 16 May 2007 17:04:20 GMT

To remove names

Usage: [no] name

Re: PIX 501 - change fixup, name and access-list entries

DAVMAC111 — Wed, 16 May 2007 17:49:17 GMT

It looks like I have this all backwards then...

I'm going to have to find documentation on the access-list entries.

As I said in my first post, this is the first time I'm working with a Cisco device and with the CLI on top of it, so I'm not really surprised.

At any rate, thanks for steering me back onto the right track.

Re: PIX 501 - change fixup, name and access-list entries

mukeshdang — Wed, 16 May 2007 19:02:28 GMT

fixup is used for layer 4 inspection of traffic. (for example - if you want to block smtp message larger than 1 Meg, you would use this method).

My recommendation would be to leave the fixups in place unless you are having an issue with that specific protocol. (If you don't use a protocol than you can remove its fixup). I would remove fixup smtp unless there is some good reason for it. We had issues with it.

To remove any fixup, just prefix the entire line with 'no'. For example:

no fixup protocol smtp 25