07-14-2005 11:55 AM - edited 03-09-2019 11:50 AM
Hello all,
I'm not having any problems with the PIX 515E I implemented a couple of weeks ago, but I do have a few questions regarding best practices. I have found that there are several different ways something can be configured to achieve the same result. I'd like to know which is better.
PIX 515E, three interfaces:
Inside
Outside
DMZ
NAT is disabled between the inside and DMZ. Our company policy only allows select individuals (machines) to have Internet access to the outside world, so I created an ACL (PermittedNatUsers) that permits those selected IP addresses and used it with
nat (inside) 1 access-list PermittedNatUsers
Another ACL (InsideOutAccess) applied to the inside interface permits all WWW traffic, so all internal users can access our web server in the DMZ.
My other option would have been
nat (inside) 1 0 0
Then I could have the InsideOutAccess ACL permit WWW traffic to the DMZ for all, but only allow certain machines out to the Internet.
Which of these two would be the best practice?
Next question
Using the Cisco VPN client to establish an IPsec tunnel with the PIX. At the moment we are using vpngroups to define logons and they all share the same IP pool. I want to restrict network access based on the logon. It appears that with each vpngroup I can define a split tunnel. If I want a VPN client to have access to a single server, can I just do the following?
access-list RestrictedGroup permit ip host 192.168.8.8 192.168.7.0 255.255.255.0
vpngroup RestrictedUser split-tunnel RestrictedGroup
Is this the suggested method?
Final Question
What is the preferred method of changing access lists, or making any other change for that matter? Applying my Cisco router knowledge, if I understand ACLs correctly, I cannot delete a single line but have to delete the entire ACL and reapply it. I've noticed that when I do this, any command that references the ACL disappears too. In my first question, when I delete the PermittedNatUsers ACL and recreate it, I have to reapply the nat (inside) 1 access-list PermittedNatUsers.
I have the same issue with object-groups: I cannot delete and recreate an object-group if it's in use by an ACL. Most of my ACLs reference the same object-groups, so if I need to drop a single host from the object-group I have to drop all ACLs first, then drop the object-group and recreate it, then reapply all my ACLs. Of course all network access stops, database connections drop, etc., when I do this.
Thanks for helping a new guy..
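The two NAT designs from the first question, and the per-group VPN setup from the second, side by side as an added example (this is illustrative PIX 6.3 configuration written for this page, not the poster's own config). Interface addressing is assumed: inside 192.168.7.0/24, a DMZ web server at 192.168.9.10, the restricted group's server at 192.168.8.8 behind inside, and a VPN pool of 192.168.20.0/24; the host addresses in the object-group and ACLs are placeholders. Apply either Option A or Option B, not both, since they reuse the InsideOutAccess name from the post.

```cisco
! --- Assumed addressing: inside 192.168.7.0/24, DMZ web 192.168.9.10,
! --- restricted-group server 192.168.8.8 (via inside), VPN pool 192.168.20.0/24
! Identity translation so inside and DMZ talk without NAT (one way to do it)
static (inside,dmz) 192.168.7.0 192.168.7.0 netmask 255.255.255.0
!
! ===== Option A: the NAT statement is what keeps most hosts off the Internet =====
access-list PermittedNatUsers permit ip host 192.168.7.10 any
access-list PermittedNatUsers permit ip host 192.168.7.11 any
nat (inside) 1 access-list PermittedNatUsers
global (outside) 1 interface
! Interface ACL is open on port 80 for everyone. Hosts outside PermittedNatUsers
! are dropped only because they get no translation, not because any rule denies
! them: a later "nat (inside) 1 0 0" silently gives them Internet access.
access-list InsideOutAccess permit tcp 192.168.7.0 255.255.255.0 any eq www
access-group InsideOutAccess in interface inside
!
! ===== Option B: NAT is only addressing, the interface ACL is the policy =====
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
object-group network InternetUsers
  network-object host 192.168.7.10
  network-object host 192.168.7.11
  exit
! everyone to the DMZ web server, only InternetUsers to the Internet
access-list InsideOutAccess permit tcp 192.168.7.0 255.255.255.0 host 192.168.9.10 eq www
access-list InsideOutAccess permit tcp object-group InternetUsers any eq www
access-list InsideOutAccess permit tcp object-group InternetUsers any eq https
! explicit final deny so denied attempts show up in syslog and hit counts
access-list InsideOutAccess deny ip any any log
access-group InsideOutAccess in interface inside
!
! ===== Per-logon VPN access: own pool + split tunnel + PIX-side enforcement =====
ip local pool RestrictedPool 192.168.20.1-192.168.20.50
! Split-tunnel ACL: source = network behind the PIX, destination = client pool.
! The client only LEARNS from this which destinations to encrypt; it is not
! enforced by the PIX, so it cannot be the access control on its own.
access-list RestrictedSplit permit ip host 192.168.8.8 192.168.20.0 255.255.255.0
vpngroup RestrictedUser address-pool RestrictedPool
vpngroup RestrictedUser split-tunnel RestrictedSplit
vpngroup RestrictedUser password ********
! exempt server <-> pool traffic from translation
access-list nonat permit ip host 192.168.8.8 192.168.20.0 255.255.255.0
nat (inside) 0 access-list nonat
! Enforcement: decrypted IPsec traffic normally bypasses the outside ACL because
! of "sysopt connection permit-ipsec". Turn that off and permit, per pool, only
! what each group is allowed to reach. (IKE/ESP addressed to the PIX itself is
! control-plane traffic and is not subject to this through-traffic ACL.)
no sysopt connection permit-ipsec
access-list OutsideIn permit ip 192.168.20.0 255.255.255.0 host 192.168.8.8
access-group OutsideIn in interface outside
```

The point of Option B is that the access decision is visible in one place, the interface ACL, and survives any later NAT change; the NAT ACL in Option A gives the same result today but by omission. For the VPN, the thing to check before removing the sysopt is that every other vpngroup's pool also has matching OutsideIn entries, otherwise those users lose access the moment the command is entered; giving each group its own pool is what makes that per-group filtering possible on a PIX of this generation.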
07-20-2005 09:26 AM
Ans1:
Both methods give you similar results; the difference is that if you don't have any ACL and you apply some NAT/global later on, those IPs will be passed through. I believe that the ACL is checked before NAT. Hence if you have an ACL applied, the packets will be dropped right away before entering the PIX NAT engine.
Answer3:
In PIX, you can delete a single entry from the ACL. If you delete the ACL that is tied to a NAT, the NAT will also disappear.
So don't delete the ACL completely, but remove the line that you want to.
The same applies to object-groups.
thanks
Nadeem
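The incremental edits the answer describes, as an added example (illustrative PIX 6.x CLI written for this page, not from the original post). ACL and object-group names are the ones from the question; the host addresses are placeholders.

```cisco
! Remove ONE entry by repeating it with "no". The ACL, its access-group and the
! "nat (inside) 1 access-list PermittedNatUsers" that references it all survive.
! ("no access-list PermittedNatUsers" on its own would wipe the whole ACL and
!  take the nat statement with it, which is the trap in the question.)
no access-list PermittedNatUsers permit ip host 192.168.7.11 any
show access-list PermittedNatUsers
!
! New entries are always appended at the END of the ACL on this platform.
! If the ACL closes with an explicit deny, drop the deny, add the permit,
! then put the deny back so it is last again.
no access-list InsideOutAccess deny ip any any log
access-list InsideOutAccess permit tcp host 192.168.7.12 any eq www
access-list InsideOutAccess deny ip any any log
!
! Object-group membership is edited in place; every ACL that references the
! group picks up the change with no re-apply and no dropped connections.
object-group network InternetUsers
  no network-object host 192.168.7.11
  network-object host 192.168.7.12
  exit
!
! Verify: the expanded lines and their (hitcnt=...) show whether the change
! is matching traffic, then save.
show access-list InsideOutAccess
write memory
```

Worth checking after any object-group edit is that the removed host no longer appears in the expanded output of every ACL that uses the group; the hit counters on the new expanded lines are the quickest confirmation that the policy change is live without having to reload anything.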