Re: Converted from conduits (finally) few questions

0rsnaric · ‎02-05-2004

I have a pix 515 running 6.2.1. In preparation to upgrade to 6.3.3 I finally converted to acls from conduits. Using the output interpreter I went ahead and tftp'd the new config up and tested it, seems to work fine. However, I'm unlcear of some things.

First, what is this section -

object-group network og_ip_nat_dmz

network-object host 10.0.0.11

network-object host 10.0.0.13

network-object host 10.0.0.14

network-object host 10.0.0.12

network-object 10.0.0.100 255.255.255.252

network-object 10.0.0.104 255.255.255.248

network-object 10.0.0.112 255.255.255.240

network-object 10.0.0.128 255.255.255.240

network-object 10.0.0.144 255.255.255.252

network-object 10.0.0.148 255.255.255.254

network-object host 10.0.0.150

There are three interfaces on the pix, and one is the dmz, with address 10.0.0.1 255.255.255.0. Have no idea why this object group was created, or what it is. However, it does work as far as the associated acls go. Which is my next question, what are these -

* access-list dmz_acl permit ah any object-group og_ip_nat_dmz

* access-list dmz_acl deny ip any object-group og_ip_nat_dmz

None of the original conduits were related to ah, and I'm not sure of the need for the deny. Isn't there an implied deny all at the end of the access-list?

Hmmm, well, there was an ah any any conduit, so maybe that explains it. But what about the whole object-group? Why are there network objects? And I don't have a 10.0.0.150 host, that is the last address in the global pool for the dmz nat statement.

Finally, why are there dynamic pdm location statements showing up in my running config? Way back when I thought the pdm statement was related to which clients had permission to use pix device manager. Now it appears there is no need for a statement pointing to trusted clients.

Thanks for any insight into these questions.

Rick

scoclayton · ‎02-06-2004

Rick,

I'll give these a go but I'm pretty sure I am going to miss on answering one or two so let me know what does not get answered.

1) Object-groups:

A - These are simply a way of simplifying a config a little. Rather than specifying the same group of addresses in each ACL you create, we created a way for you to group several hosts, protocols, or services into one name. That way, when you create the ACL's on your PIX, you just enter one line to activate the permissions for the entire subset of hosts specified in the object-group. That explanation probably stunk so let me shoot you a link as well - http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/mr.htm#1038172

2. What are these:

* access-list dmz_acl permit ah any object-group og_ip_nat_dmz

* access-list dmz_acl deny ip any object-group og_ip_nat_dmz

A - These are the new ACL's that were created. Notice we are refrencing the aforementioned object-group. Essentially what the PIX is going is inserting each of the "network-objects" listed in the object-group called "og_ip_nat_dmz" into the ACL. The nice thing is that this only requires you to type one ACL as opposed to 11 or 12 (however many network-objects you have listed in the object-group). For instance, the first ACL refers to this:

access-list dmz_acl permit ah any host 10.0.0.11

access-list dmz_acl permit ah any host 10.0.0.13

access-list dmz_acl permit ah any host 10.0.0.14

.....

access-list dmz_acl permit ah any 10.0.0.148 255.255.255.254

access-list dmz_acl permit ah any host 10.0.0.150

3. Deny ACL?

A - The deny is implied but some people like to add one in there so they know it exists. Output Interpretor opts to give you more than you may need.

4. PDM Locations?

A - These entries in the config have nothing to do with who can HTTP to the PIX. PDM is an object-oriented management platform. It creates these location entries automatically for internal use only. They can be ignored in your config. If you remove them, they will come back next time you launch PDM.

Hope this helps.

Scott

0rsnaric · ‎02-06-2004

Thanks Scott! That's a pretty good explanation.

Rick