PIX 501 - change fixup, name and access-list entries

DAVMAC111
Level 1

As stated in my first post, I am attempting to reconfigure an inherited PIX 501 firewall and working backwards, in other words, changing the previous configuration and eliminating unneeded elements.

FIXUP PROTOCOL

What are these entries for?

Some protocols appear familiar, others less so.

Can I leave them as is?

fixup protocol dns maximum-length 1024
fixup protocol ftp 21
fixup protocol h323 h225 1720
no fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69

NAMES

Most of these pertain to the previous organization and are of no value to me. Can I eliminate these references? If so, how?

clear names?

no name - for individual entries?

I DO notice that they seem to be used as a sort of alias in the access-list section, replacing the complete IP address.

name x.x.x.17 XX
name x.x.x.18 Pix-Out
name x.x.x.19 GWMail-Out
name 10.10.1.1 Pix-In
name 10.10.1.11 GWMail-In
name 10.10.1.12 NPSPRO
name x.x.x.21 pcaw
name x.x.x.22 Free2

ACCESS LIST - with my questions and commentary

access-list acl-out permit icmp any any

OK - permit outbound icmp traffic - makes sense

access-list acl-out permit tcp any host GWMail-Out eq smtp
access-list acl-out permit tcp any host GWMail-Out eq www
access-list acl-out permit udp any host GWMail-Out eq ntp
access-list acl-out permit tcp any host GWMail-Out eq 7205

THE above entries allow outbound traffic to indicated host - but I want to either eliminate or modify them. For the time being, I only need either all outbound or www outbound - I'll figure out the rest myself later.

access-list nonat permit ip 10.10.x.x 255.255.255.0 10.20.1.0 255.255.255.0

THIS has to do with NAT - I will need to reconfigure with my info.

access-list acl-in permit tcp host GWMail-In any eq smtp
access-list acl-in deny tcp any any eq smtp
access-list acl-in permit ip any any

LAST entry worries me... isn't it allowing all inbound?

MOST IMPORTANT - I want to make sure I do not lock myself out by blocking telnet access from the LAN.

Thank you in advance - response to my first post was excellent.

David


5 Replies

acomiskey
Level 10

You cannot say which direction your acl is without looking at the corresponding access-group statement.

Most likely acl-in is outbound traffic, or into inside interface (access-group acl-in in interface inside). This acl is allowing only your mail server to send outbound smtp traffic.

acl-out is most likely inbound traffic, or into outside interface (access-group acl-out in interface outside). This is allowing traffic from outside to your mail server.

access-list acl-out permit icmp any any

"OK - permit outbound icmp traffic - makes sense"

No, this is allowing icmp inbound from outside to inside.

This one is most likely defining nat exemption for a vpn.

access-list nonat permit ip 10.10.x.x 255.255.255.0 10.20.1.0

To remove names

Usage: [no] name
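The point of the reply above is that an access-list by itself says nothing about direction; the access-group binding decides whether "acl-in" filters what the LAN sends out or what the Internet sends in, and the name entries are only aliases that get substituted into the ACEs. The following Python script is an added example, not code from the original post or from Cisco: it parses a constructed PIX 6.x fragment built from the lines in the question, resolves the name aliases, works out which interface each ACL is bound to, flags "permit ip any any" and "permit icmp any any" according to where they are applied, and checks that the telnet line still covers the admin host on the inside. The two access-group lines, the telnet line, the admin host 10.10.1.50 and the documentation address 203.0.113.19 (standing in for the x.x.x.19 in the post) are all assumptions of this example.

```python
import ipaddress

# Constructed sample: the PIX 6.x fragment from the question, plus the two
# access-group bindings the reply guessed at ("most likely") and a telnet
# line, all ASSUMED here so the tool has something to resolve direction from.
# 203.0.113.19 stands in for the masked x.x.x.19 address in the post.
SAMPLE_CONFIG = """
name 10.10.1.1 Pix-In
name 10.10.1.11 GWMail-In
name 10.10.1.12 NPSPRO
name 203.0.113.19 GWMail-Out
access-list acl-out permit icmp any any
access-list acl-out permit tcp any host GWMail-Out eq smtp
access-list acl-out permit tcp any host GWMail-Out eq www
access-list acl-out permit udp any host GWMail-Out eq ntp
access-list acl-out permit tcp any host GWMail-Out eq 7205
access-list nonat permit ip 10.10.1.0 255.255.255.0 10.20.1.0 255.255.255.0
access-list acl-in permit tcp host GWMail-In any eq smtp
access-list acl-in deny tcp any any eq smtp
access-list acl-in permit ip any any
access-group acl-out in interface outside
access-group acl-in in interface inside
telnet 10.10.1.0 255.255.255.0 inside
"""


def parse_config(text):
    """Collect name aliases, ACL entries, access-group bindings and telnet lines."""
    names, acls, groups, telnet = {}, {}, {}, []
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("!"):
            continue
        if parts[0] == "name" and len(parts) >= 3:
            names[parts[2]] = parts[1]                  # alias -> IP
        elif parts[0] == "access-list" and len(parts) >= 3:
            acls.setdefault(parts[1], []).append(parts[2:])
        elif parts[0] == "access-group" and len(parts) >= 5:
            groups[parts[1]] = (parts[4], parts[2])     # acl -> (interface, "in")
        elif parts[0] == "telnet" and len(parts) == 4:
            telnet.append((parts[1], parts[2], parts[3]))
    return names, acls, groups, telnet


def expand_ace(tokens, names):
    """Substitute name aliases back into an ACE, exactly as the PIX displays it."""
    return [names.get(t, t) for t in tokens]


def audit(text, admin_host="10.10.1.50"):
    """Return per-ACL bindings, expanded entries, findings and a telnet-lockout check."""
    names, acls, groups, telnet = parse_config(text)
    report = {"acls": {}, "findings": [], "telnet_ok": False}
    for acl_name, aces in acls.items():
        bound = groups.get(acl_name)                    # None: ACL not applied anywhere
        expanded = [" ".join(expand_ace(a, names)) for a in aces]
        report["acls"][acl_name] = {"bound_to": bound, "entries": expanded}
        if bound is None:
            continue
        iface = bound[0]
        for ace in expanded:
            t = ace.split()
            if t[0] != "permit" or t[2:4] != ["any", "any"]:
                continue
            if t[1] == "ip":
                if iface == "outside":
                    report["findings"].append((acl_name, "CRITICAL",
                        "permit ip any any applied on outside: all Internet traffic allowed in"))
                else:
                    report["findings"].append((acl_name, "INFO",
                        f"permit ip any any applied on {iface}: all traffic from that side allowed out"))
            elif t[1] == "icmp" and iface == "outside":
                report["findings"].append((acl_name, "WARN",
                    "ICMP from any Internet host accepted"))
    admin = ipaddress.ip_address(admin_host)
    for net, mask, iface in telnet:
        if iface == "inside" and admin in ipaddress.ip_network(f"{net}/{mask}", strict=False):
            report["telnet_ok"] = True                  # admin host can still telnet in
    return report


if __name__ == "__main__":
    result = audit(SAMPLE_CONFIG)
    for acl, info in result["acls"].items():
        print(f"{acl}: bound to {info['bound_to']}")
        for entry in info["entries"]:
            print("   ", entry)
    for acl, sev, msg in result["findings"]:
        print(f"[{sev}] {acl}: {msg}")
    print("telnet from admin host still allowed:", result["telnet_ok"])
```

With the assumed bindings, the worrying "permit ip any any" in acl-in comes out as an INFO finding (LAN allowed out), not a CRITICAL one; swapping the acl-in binding to the outside interface turns the same line into the "all inbound" hole the question feared, which is the whole point about direction. The nonat list is reported as bound to nothing because it is referenced by nat 0, not by an access-group.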

It looks like I have this all backwards then...

I'm going to have to find documentation on the access-list entries.

As I said in my first post, this is the first time I'm working with a Cisco device and with the CLI on top of it, so I'm not really surprised.

At any rate, thanks for steering me back onto the right track.

mukeshdang
Level 1

fixup is used for layer 4 inspection of traffic. (for example - if you want to block smtp message larger than 1 Meg, you would use this method).

My recommendation would be to leave the fixups in place unless you are having an issue with that specific protocol. (If you don't use a protocol, then you can remove its fixup.) I would remove fixup smtp unless there is some good reason for it. We had issues with it.

To remove any fixup, just prefix the entire line with 'no'. For example:

no fixup protocol smtp 25
