06-06-2012 11:43 AM - edited 03-11-2019 04:16 PM
So just some background, I inherited a PIX 506 with 6.3. I will admit my background is more towards switching/routing. But while I know it is a dinosaur, I need to maintain it for partner interoperability. I just want to confirm that what I am thinking is correct and, if not, how I can correct it.
My thought is that since the access-list command doesn't list "eq" at the end, all ports and protocols are allowed?
The other thing I am not used to is that the access-list has no id/number included in the command, so I assume that access-group specifies this functionality.
All responses are appreciated.
Here is a snippet of the current config:
object-group network Ext_Net
network-object 192.168.0.0 255.255.255.255
object-group network Int_Net
network-object 10.0.0.0 255.255.240.0
object-group network DNS
network-object 192.168.0.254 255.255.255.255
network-object 192.168.0.253 255.255.255.255
object-group network Servers
network-object 192.168.0.25 255.255.255.255
network-object 192.168.0.62 255.255.255.255
network-object 192.168.0.87 255.255.255.255
object-group network Int_Net_ref
network-object 192.168.0.0 255.255.255.255
object-group service Ports tcp
port-object range 3995 3995
port-object range telnet telnet
port-object range 8010 8010
port-object range 8080 8080
port-object eq pop3
port-object eq imap4
port-object eq smtp
port-object eq 433
port-object eq www
port-object eq https
port-object eq ssh
port-object range https https
port-object eq 9100
port-object eq lpd
port-object eq 584
port-object eq 585
port-object range 500 700
access-list inside_access_in permit tcp object-group Int_Net object-group Ext_Net
access-list inside_access_in permit udp object-group Int_Net object-group DNS
access-list inside_access_in permit tcp object-group Int_Net object-group Servers
access-list outside_access_in permit tcp object-group Ext_Net object-group Int_Net_ref
access-list outside_access_in permit tcp object-group Servers object-group Int_Net_ref
access-list outside_access_in permit tcp object-group DNS object-group Int_Net_ref
pdm location 192.168.0.254 255.255.255.255 outside
pdm location 192.168.0.253 255.255.255.255 outside
pdm location
pdm group Ext_Net 255.255.255.255 outside
pdm group Int_Net 255.255.255.255 inside
nat (inside) 2 Int_Net 255.255.240.0 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
06-06-2012 01:22 PM
Yes, if the ACL does not have an 'eq' command, all ports for that protocol will be allowed. Not the best thing to do.
The access-group command applies the ACL to the interface in either the in or out direction. These two commands in your config apply the ACLs to the ingress direction on the PIX:
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
So traffic coming ingress to the outside interface will have the outside_access_in applied to it.
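To make the point in this answer concrete, here is an added example (not from the thread or from Cisco) that parses a constructed PIX-style excerpt and evaluates flows against it. It assumes the PIX 6.3 form of a destination port qualifier, a trailing `object-group Ports` on the ACE, and a hypothetical ACL named `tightened_in` that uses it; the flow evaluator is a simplified model of first-match-wins with the implicit deny at the end.

```python
import ipaddress

# Constructed excerpt modelled on the thread's config; tightened_in is hypothetical.
CONFIG = """\
object-group network Int_Net
 network-object 10.0.0.0 255.255.240.0
object-group network Ext_Net
 network-object 192.168.0.0 255.255.255.255
object-group service Ports tcp
 port-object eq www
 port-object range 500 700
access-list inside_access_in permit tcp object-group Int_Net object-group Ext_Net
access-list inside_access_in permit udp object-group Int_Net object-group Ext_Net
access-list tightened_in permit tcp object-group Int_Net object-group Ext_Net object-group Ports
"""

PORT_NAMES = {"www": 80, "https": 443, "ssh": 22, "smtp": 25, "telnet": 23}

def port(tok):
    return PORT_NAMES.get(tok) or int(tok)

def parse(cfg):
    """Return {acl_name: [(action, proto, src_nets, dst_nets, ports_or_None), ...]}."""
    nets, svcs, acls, cur = {}, {}, {}, None
    for line in cfg.splitlines():
        t = line.split()
        if not t:
            continue
        if t[:2] == ["object-group", "network"]:
            cur = nets.setdefault(t[2], [])
        elif t[:2] == ["object-group", "service"]:
            cur = svcs.setdefault(t[2], [])
        elif t[0] == "network-object":  # netmask form, e.g. 10.0.0.0 255.255.240.0
            cur.append(ipaddress.ip_network(f"{t[1]}/{t[2]}"))
        elif t[0] == "port-object":     # eq p -> (p, p); range a b -> (a, b)
            cur.append((port(t[2]), port(t[-1])))
        elif t[0] == "access-list":
            groups = [t[i + 1] for i, tok in enumerate(t) if tok == "object-group"]
            ports = svcs[groups[2]] if len(groups) == 3 else None  # None = any port
            acls.setdefault(t[1], []).append((t[2], t[3], nets[groups[0]], nets[groups[1]], ports))
    return acls

def evaluate(acls, name, proto, src, dst, dport):
    """First matching ACE wins; an ACE with no port qualifier matches every port."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, srcs, dsts, ports in acls[name]:
        if p != proto or not any(s in n for n in srcs) or not any(d in n for n in dsts):
            continue
        if ports is None or any(lo <= dport <= hi for lo, hi in ports):
            return action
    return "deny"  # implicit deny at the end of every ACL
```

Running `evaluate(parse(CONFIG), "inside_access_in", "tcp", "10.0.1.5", "192.168.0.0", 6667)` returns "permit" because the ACE carries no port qualifier, while the same flow against `tightened_in` is denied.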
06-06-2012 01:56 PM
Thanks for the confirmation, and yes, I am going to go through the config line by line and verify what is obsolete.
First order of business is to get a bearing on what is in use.
Are the pdm location commands safe to remove?