How ACL's in PIX are processed (best fit?)

l.mourits
Level 5

There seems to be a lot of misunderstanding in how the PIX firewall processes the ACLs. I always thought I understood it, because I had always been told that the PIX processed the whole ACL and selected the best fit. But, since today I do not understand. Why? Well, I have the following problem.

I have bound an inside_in access-list to the inside interface (why? because I don't follow the default policy that all outside traffic is considered safe, thinking of trojans et cetera). This said, here is the description of my problem.

Our customers will have only access to the web via a proxy-server, with some exceptions made for some engineers. The access-list bound to the inside interface looked like this:

access-list inside_in permit tcp host <ip-address_engineer1> any eq http
access-list inside_in permit tcp host <ip-address_engineer2> any eq http
access-list inside_in permit tcp host <ip-address_proxyserver> any eq http
access-list inside_in deny tcp any any eq http
access-list inside_in permit ip any any

This access-list worked fine, but then I tried to build it up a bit, by providing some users ftp access and denying all other traffic. So, I extended the list to the following:

access-list inside_in permit tcp host <ip-address_engineer1> any eq http
access-list inside_in permit tcp host <ip-address_engineer2> any eq http
access-list inside_in permit tcp host <ip-address_proxyserver> any eq http
access-list inside_in deny tcp any any eq http
access-list inside_in permit tcp host <ip-address_engineer1> any eq ftp
access-list inside_in permit tcp host <ip-address_engineer1> any eq ftp-data
access-list inside_in permit tcp host <ip-address_engineer2> any eq ftp
access-list inside_in permit tcp host <ip-address_engineer2> any eq ftp-data
access-list inside_in deny ip any any

I expected that this kind of ACL would give ftp and http access to the outside, and by putting in the deny ip any any it would deny all other traffic, but much to my surprise, it did not. In fact it did just deny all ip traffic, even http :-(

Now I'm wondering if there's anyone who can explain how this example list would be processed in the PIX. I think the PIX does the following while it processes the access-list:

- first look into all ip based statements
- if there is just one ip statement which defines the packet, and it is a deny, drop it
- if there is just one ip statement which defines the packet, and it is a permit, process further on
- if there are several ip statements for the packet, select the best fit (whereby permits are best, because it is from inside to outside and this traffic is normally implicitly permitted)
- if there are no statements for this packet, permit the packet (implicit permit)

I just want to know if I'm thinking right and if there's any good document on Cisco which describes the whole process of best fit for PIX ACLs. I haven't been able to find it in the last four weeks (and since I'm just one of those nerds who wants to know it all, I posted this thread).

Thanx in advance and best regards,

Leo Mourits

Senior network specialist, PinkRoccade (Netherlands)

15 Replies

Hi Leo,

I'm not quite sure what you're running into. I just set up an outbound filter for a PIX 501 running 6.2(2) in a lab environment and was able to accomplish everything you're looking for (as per your posts) without any trouble.

The PIX was setup with the following access-list:

access-list inside_in permit ip host 10.0.0.2 any
access-list inside_in permit tcp host 10.0.0.3 any eq www
access-list inside_in permit tcp any any eq ftp
access-list inside_in permit tcp any any eq ftp-data
access-list inside_in deny ip any any

Everything worked exactly as expected. 10.0.0.2 could send all types of traffic. 10.0.0.3 was able to surf everywhere and use FTP. All other hosts could only surf via the proxy server (10.0.0.2) and use FTP.

I didn't set up any DNS though; I did the tests using IP addresses only.

You didn't happen to notice any odd errors in your PIX's logging buffer that might account for the issues you're seeing? What version of code are you using?

*EDIT*

I posted this before I read Cody Rowland's post..

Passive FTP definitely sounds like the problem to me. Quite a lot of FTP servers prefer to use a port >1024 to send FTP data, as it allows them to lower their privileges to prevent possible exploitation in the server.

If this were the case, you would be able to connect to the remote host, but any data communication (listing files, sending/receiving files) would be blocked.

Either way, the logs generated from the access-list should point you in the right direction for what's going on.

Regards,

-Joshua
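As an added example that belongs to neither post, here is a small Python evaluator that walks Leo's second inside_in list top-down, first match wins, with the implicit deny a PIX applies at the end of an access-list bound with access-group; it also parses the host, mask and port-name forms used in Joshua's list. The engineer, proxy and destination addresses are constructed placeholders for the <ip-address_...> hosts in the original post, not values from the thread.

```python
import ipaddress

# Constructed placeholder addresses for the post's <ip-address_...> hosts (assumption).
ENGINEER1, ENGINEER2, PROXY = "10.1.1.10", "10.1.1.11", "10.1.1.20"

# The second inside_in list from the original post, in its original order.
INSIDE_IN = [
    f"access-list inside_in permit tcp host {ENGINEER1} any eq http",
    f"access-list inside_in permit tcp host {ENGINEER2} any eq http",
    f"access-list inside_in permit tcp host {PROXY} any eq http",
    "access-list inside_in deny tcp any any eq http",
    f"access-list inside_in permit tcp host {ENGINEER1} any eq ftp",
    f"access-list inside_in permit tcp host {ENGINEER1} any eq ftp-data",
    f"access-list inside_in permit tcp host {ENGINEER2} any eq ftp",
    f"access-list inside_in permit tcp host {ENGINEER2} any eq ftp-data",
    "access-list inside_in deny ip any any",
]

PORT_NAMES = {"http": 80, "www": 80, "ftp": 21, "ftp-data": 20, "domain": 53}

def parse_addr(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D MASK' (PIX takes a real mask)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2

def parse_ace(line):
    """access-list NAME ACTION PROTO SRC DST [eq PORT] -> one access control entry."""
    t = line.split()
    ace = {"action": t[2], "proto": t[3], "dport": None}
    ace["src"], i = parse_addr(t, 4)
    ace["dst"], i = parse_addr(t, i)
    if i < len(t) and t[i] == "eq":
        ace["dport"] = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
    return ace

def evaluate(acl_lines, proto, src, dst, dport):
    """Walk the list top-down; the first matching entry decides, else implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, ace in enumerate(map(parse_ace, acl_lines), 1):
        if (ace["proto"] in ("ip", proto) and s in ace["src"] and d in ace["dst"]
                and ace["dport"] in (None, dport)):
            return ace["action"], n  # n is the position of the deciding entry
    return "deny", None  # fell off the end of a bound access-list

if __name__ == "__main__":
    for pkt in [("tcp", ENGINEER1, "198.51.100.5", 80), ("udp", ENGINEER1, "198.51.100.53", 53)]:
        print(pkt, "->", evaluate(INSIDE_IN, *pkt))
```

Run as is, it shows an engineer's HTTP connection to an IP address matching line 1 while the UDP/53 lookup that precedes browsing by name falls through to the final deny ip any any, and a passive-FTP data connection to a high port from the same host is denied by that same line. Checking the PIX log for which entry denied a packet, as Joshua suggests, is the quickest way to confirm which of these is happening.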
