07-06-2004 01:02 AM - edited 02-20-2020 11:29 PM
Hello,
My question is whether there is any way to set a time-based access-list on the PIX.
Thanks
07-06-2004 04:07 PM
Time based ACLs will be a new feature in version 7.0 which will be released later this year.
thanks
peter
07-06-2004 06:19 PM
Hi Peter,
How about an option to disable/enable an ACL instead of removing it? Thanks.
07-07-2004 07:27 AM
I assume I am missing the point here, as this functionality has been supported as long as ACLs have been around on the PIX using the "access-group" command. You can create as many access-lists as you want on the PIX; you then use the access-group command to apply or remove the access-lists from specific interfaces. Please let us know if this is not what you are asking.
Scott
07-08-2004 01:32 PM
As I said in my post, the question is how to disable and then enable without removing the rule. Checkpoint Firewall has this option and it is handy when you have rules that are being used for the short term. It is less intrusive than removing it and adding it back every time you need it.
07-08-2004 03:30 PM
Within PDM, you can disable a currently enabled rule by changing it from a PERMIT to a DENY. This is very easy to do and allows you to toggle between the 2 states as often as you would like without having to re-enter the particular rule.
How does this sound to you?
thanks
peter
07-08-2004 04:01 PM
Thanks Peter. Exactly what I am after. Just one thing though: is this option available via command line?
07-08-2004 07:37 PM
Yes.
Here's an example from a Pix I use:
access-list inside_access_in line 7 permit tcp any host pop-server eq pop3 (hitcnt=0)
access-list inside_access_in line 8 permit tcp any host pop-server2 eq pop3 (hitcnt=0)
Notice that each entry has a unique line number.
You can easily overwrite just 1 line at a time by modifying just that line.
If I want to change the second entry via the command line, I can use the following syntax:
access-list inside_access_in line 8 deny tcp any host pop-server2 eq pop3
This effectively turns this rule off or on depending on your perspective.
Being that the lines are numbered, you can always just remove that particular line and move it to line 18 to 58, whatever your needs are. This permits you to move entries around one at a time without having to reapply the entire ACL.
Hope this helps.
thanks
peter
07-08-2004 07:53 PM
Using your example with a small change to it as shown below, will I be able to disable (or deny) just the 'www' service and not the 'https' service, since they have the same line number?
access-list inside_access_in line 7 permit tcp any host web-server eq www (hitcnt=0)
access-list inside_access_in line 7 permit tcp any host web-server eq https (hitcnt=0)
07-08-2004 08:07 PM
They will have to be different line entries.
access-list inside_access_in line 7 permit tcp any host web-server eq www
access-list inside_access_in line 8 permit tcp any host web-server eq https
This is the way it should appear on your PIX (or with different line numbers).
So, Yes, you can disable one line at a time by overwriting the PERMIT with a DENY.
Hope this helps,
peter
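Peter's two answers above rest on the same mechanism: entries carry line numbers, a single line can be overwritten from permit to deny and back, and removing a line shifts the later ones up. The following is an added example, not code from the thread or from Cisco: a small Python model of a PIX-style access-list with first-match evaluation, an implicit deny at the end, per-line hit counters, and line insert/remove/toggle operations. The access-list name and the pop3 rules are taken from the thread; the broader "range 1 1024" rule on line 3 is constructed here to show the practitioner caveat that toggling a line to deny is not the same as removing it: with first-match evaluation the explicit deny now shadows any later, broader permit that would otherwise have carried the traffic. The insert-at-line semantics of `add` are the model's assumption, not a statement about what a particular PIX release does.

```python
"""Toy model of PIX-style access-list line editing (added example, not Cisco code).

Behaviour modelled, as described in the thread above:
  * entries are numbered 1..N in order;
  * evaluation is first-match, with an implicit deny when nothing matches;
  * one line's action can be overwritten (the permit/deny toggle);
  * removing a line renumbers every later entry.
The rule set built in build_example() is constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Tuple

PORT_NAMES = {"pop3": 110, "www": 80, "https": 443}  # service names used in the thread


@dataclass
class Ace:
    action: str             # "permit" or "deny"
    proto: str              # "tcp", "udp" or "ip"
    src: str                # "any" or a host name
    dst: str                # "any" or a host name
    ports: Tuple[int, int]  # inclusive destination port range
    hitcnt: int = 0         # counter shown as (hitcnt=N) in 'show access-list'

    def matches(self, proto: str, src: str, dst: str, port: int) -> bool:
        return (self.proto in ("ip", proto)
                and self.src in ("any", src)
                and self.dst in ("any", dst)
                and self.ports[0] <= port <= self.ports[1])

    def render(self, name: str, line: int) -> str:
        """Render the entry the way the thread's 'show access-list' output looks."""
        def host(h: str) -> str:
            return "any" if h == "any" else f"host {h}"
        lo, hi = self.ports
        if lo == hi:
            svc = f"eq {next((k for k, v in PORT_NAMES.items() if v == lo), lo)}"
        else:
            svc = f"range {lo} {hi}"
        return (f"access-list {name} line {line} {self.action} {self.proto} "
                f"{host(self.src)} {host(self.dst)} {svc} (hitcnt={self.hitcnt})")


class AccessList:
    def __init__(self, name: str):
        self.name = name
        self.entries: List[Ace] = []

    def add(self, ace: Ace, line: int = None) -> None:
        """'access-list NAME [line N] ...': in this model a line number inserts
        before the current line N; without one the entry is appended."""
        if line is None:
            self.entries.append(ace)
        else:
            self.entries.insert(line - 1, ace)

    def remove(self, line: int) -> None:
        """'no access-list NAME line N ...': later entries move up one line."""
        del self.entries[line - 1]

    def set_action(self, line: int, action: str) -> None:
        """Overwrite only the action of one line (the toggle from the thread)."""
        self.entries[line - 1].action = action

    def evaluate(self, proto: str, src: str, dst: str, port: int):
        """First match wins and bumps that line's hit count; (deny, None) is the implicit deny."""
        for n, ace in enumerate(self.entries, 1):
            if ace.matches(proto, src, dst, port):
                ace.hitcnt += 1
                return ace.action, n
        return "deny", None

    def show(self) -> List[str]:
        return [ace.render(self.name, n) for n, ace in enumerate(self.entries, 1)]


def build_example() -> AccessList:
    acl = AccessList("inside_access_in")
    acl.add(Ace("permit", "tcp", "any", "pop-server", (110, 110)))    # from the thread
    acl.add(Ace("permit", "tcp", "any", "pop-server2", (110, 110)))   # from the thread
    # Constructed broader rule further down: shows why a deny on line 2 is not
    # equivalent to removing line 2.
    acl.add(Ace("permit", "tcp", "any", "pop-server2", (1, 1024)))
    return acl


def show_after_toggle() -> List[str]:
    """One pop3 hit on line 2, then line 2 is flipped to deny in place."""
    acl = build_example()
    acl.evaluate("tcp", "10.0.0.5", "pop-server2", 110)
    acl.set_action(2, "deny")
    return acl.show()


def toggle_vs_remove():
    """Compare flipping line 2 to deny with removing line 2, for pop3 to pop-server2."""
    toggled = build_example()
    toggled.set_action(2, "deny")
    removed = build_example()
    removed.remove(2)           # the broad rule now becomes line 2
    return (toggled.evaluate("tcp", "10.0.0.5", "pop-server2", 110),
            removed.evaluate("tcp", "10.0.0.5", "pop-server2", 110))


if __name__ == "__main__":
    for entry in show_after_toggle():
        print(entry)
    print(toggle_vs_remove())
```

Running it prints the three rendered lines with line 2 shown as `deny ... eq pop3 (hitcnt=1)`, followed by `(('deny', 2), ('permit', 2))`: the toggled list blocks pop3 at line 2, while the list with line 2 removed still permits it, now matched by the broad rule that moved up to line 2. When disabling a rule by flipping it to deny, check whether any later line would have permitted the same traffic, and watch the hit counter on the toggled line to see what is now being dropped.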