Best Practices Questions

dennylester
Level 1

Hello all,

I’m not having any problems with the Pix 515E I implemented a couple of weeks ago, but I do have a few questions regarding best practices. I have found that there are several different ways something can be configured to achieve the same result, and I’d like to know which is better.

Pix 515E with three interfaces: Inside, Outside, DMZ

NAT is disabled between the Inside and DMZ. Our company policy only allows select individuals (machines) to have Internet access to the outside world, so I created an ACL (PermittedNatUsers) that permits those selected IP addresses and used it with

nat (inside) 1 access-list PermittedNatUsers

Another ACL (InsideOutAccess) applied to the inside interface permits all WWW traffic, so all internal users can access our webserver in the DMZ.

My other option would have been

nat (inside) 1 0 0

Then I could have the InsideOutAccess ACL permit WWW traffic to the DMZ for all, but then only allow the certain machines out to the Internet.

Which of these two would be the best practice?

Next question

Using the Cisco VPN client to establish an IPSec tunnel with the Pix. At the moment we are using VPNGroups to define logons and they all share the same IP pool. I want to restrict network access based on logon. It appears that with each VPNGroup I can define a split-tunnel. If I want a VPN client to have access to a single server, can I just do the following:

access-list RestrictedGroup permit ip host 192.168.8.8 192.168.7.0 255.255.255.0

vpngroup RestrictedUser split-tunnel RestrictedGroup

Is this the suggested method?

Final Question

What is the preferred method of changing access lists, or any other change for that matter? Applying my Cisco router knowledge, if I understand ACLs correctly, I cannot delete a single line but have to delete the entire ACL and reapply it. I’ve noticed that when I do this, any command that references the ACL disappears too. In my first question, when I delete the PermittedNatUsers ACL and recreate it, I have to reapply the nat (inside) 1 access-list PermittedNatUsers command.

I have the same issue with object-groups: I cannot delete and recreate an object-group if it’s in use by an ACL. Most of my ACLs reference the same object-groups, so if I need to drop a single host from an object-group I have to drop all ACLs first, then drop the object-group and recreate it, then reapply all my ACLs. Of course, all network access stops, database connections drop, etc., when I do this.

Thanks for helping a new guy.

1 Reply

nkhawaja
Cisco Employee

Answer 1:

Both methods give you similar results. The difference is that if you don't have any ACL and you apply some NAT/global later on, those IPs will be passed through. I believe that the ACL is checked first, before NAT. Hence, if you have an ACL applied, the packets will be dropped right away, before entering the PIX NAT engine.

Answer 3:

In PIX, you can delete a single entry from the ACL. If you delete the ACL that is tied to a NAT, the NAT will also disappear.

So don't delete the ACL completely; just remove the line that you want to.

The same applies to object-groups

Thanks,

Nadeem
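The following is an added example, not configuration from either poster: PIX 6.x-style commands that put the two NAT options from the question side by side, show the split-tunnel lines for the VPN group, and show the in-place ACL and object-group edits the reply recommends. All addresses (192.168.8.0/24 inside, 192.168.9.0/24 DMZ, 192.168.7.0/24 VPN pool, the host addresses) and the object-group and pool names are assumptions chosen for illustration. One caveat on the second question: a vpngroup split-tunnel list only tells the VPN client which destinations to send into the tunnel, and it is applied by the client; it is not an access control enforced by the PIX, so restricting what a group can reach still needs an ACL on the firewall.

```text
! ----- Option A (as deployed): translate only the hosts in PermittedNatUsers -----
! Assumed hosts that are allowed out to the Internet
access-list PermittedNatUsers permit ip host 192.168.8.10 any
access-list PermittedNatUsers permit ip host 192.168.8.11 any
nat (inside) 1 access-list PermittedNatUsers
global (outside) 1 interface
! Inside <-> DMZ without translation (identity static; assumed DMZ design)
static (inside,dmz) 192.168.8.0 192.168.8.0 netmask 255.255.255.0 0 0
! Interface ACL: everyone may reach the DMZ web server (assumed 192.168.9.80)
access-list InsideOutAccess permit tcp 192.168.8.0 255.255.255.0 host 192.168.9.80 eq www
access-group InsideOutAccess in interface inside

! ----- Option B: translate everything, restrict Internet access with the ACL -----
nat (inside) 1 0 0
global (outside) 1 interface
static (inside,dmz) 192.168.8.0 192.168.8.0 netmask 255.255.255.0 0 0
! Assumed object-group holding the permitted Internet users
object-group network InternetUsers
  network-object host 192.168.8.10
  network-object host 192.168.8.11
access-list InsideOutAccess permit tcp 192.168.8.0 255.255.255.0 host 192.168.9.80 eq www
access-list InsideOutAccess permit ip object-group InternetUsers any
access-list InsideOutAccess deny ip any any
access-group InsideOutAccess in interface inside

! ----- Question 2: VPN group with its own pool and split-tunnel list -----
! Split-tunnel ACL source = protected network, destination = VPN client pool
ip local pool RestrictedPool 192.168.7.1-192.168.7.50
access-list RestrictedGroup permit ip host 192.168.8.8 192.168.7.0 255.255.255.0
vpngroup RestrictedUser address-pool RestrictedPool
vpngroup RestrictedUser split-tunnel RestrictedGroup

! ----- Question 3: edit in place instead of deleting and recreating -----
! Remove a single ACE; the nat statement that references the ACL stays
no access-list PermittedNatUsers permit ip host 192.168.8.11 any
! Remove a single member from an object-group that ACLs still reference
object-group network InternetUsers
  no network-object host 192.168.8.11
! Verify the result
show access-list
show object-group
```

With either option the identity static keeps inside-to-DMZ traffic untranslated, and the interface ACL is what decides which hosts may reach the DMZ web server versus the Internet; the difference is whether non-permitted hosts are stopped because no translation exists for them (Option A) or because the ACL denies them (Option B). The single-ACE `no access-list` form and the `no network-object` form inside the object-group avoid the outage described in the question.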