Skip to main content

PIX and Router Security Questions

More
17 years 6 months ago #21607 by semper
The PIX (Pre 7.0 series code anyways) only supports access-lists on inbound traffic to an interface. However, if you want to filter what internal hosts can access on the outside then all you do is place an access-list on the inside interface and that serves the same purpose of using ingress/egress filtering.

For example: If I only wanted my internal hosts to be able to access websites on the Internet I would use the following access-lists.

access-list inside-outbound permit udp any any eq 53
access-list inside-outbound permit tcp any any eq www
access-list inside-outbound permit tcp any any eq https
access-group inside-outbound in interface inside

That access-list would allow DNS inquiries to external DNS servers (you wouldn't need to allow internal clients external dns access if you have a internal dns server though), allow http (port 80), https (port 443) traffic to the internet, and deny everything else from the internal network outbound.

Now if you had a DMZ interface, VPN tunnel(s) or had a large network and you needed certain hosts to have more/less access to external resources then that access-list would obviously get more complicated.
More
17 years 6 months ago #21862 by ccnx
:D

Thanks you guys for all the reply. The actual checking sequence as i found out from the cisco website is that
www.cisco.com/en/US/tech/tk648/tk361/tec...186a0080133ddd.shtml

Also, ACL on PIX is uni-directional.
More
17 years 6 months ago #21877 by Smurf
[code:1]Also, ACL on PIX is uni-directional.[/code:1]

Thought it was, its similar to a router and can assign a single access-list in and also a single access-list out, at the same time.

Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
More
17 years 5 months ago #21899 by semper

[code:1]Also, ACL on PIX is uni-directional.[/code:1]

Thought it was, its similar to a router and can assign a single access-list in and also a single access-list out, at the same time.


Atleast on the pre 7.0 code you can not specify an outbound access-list on an interface, only inbound. However, you can filter outbound traffic by placing ingress access-lists on your inside interface.

For Example: If you want to only allow your internal network to only have http access you could do:

access-list inside_out permit tcp any any eq 80
access-group inside_out in interface inside


You can't specify something like "access-group inside_out out" like you can on a router. The PIX won't let you. Basically each interface can only have a single access-list attached to it and can only filter ingress.

If you want to play around with it I'll setup a test network at my house and give you remote telent access to a console port on a pix. :D
More
17 years 5 months ago #21914 by Smurf
On version 7 of the code, you can apply an access-list to an interface for both in & out. I always thought that you could also do this in version 6 of the Pix Code. I will do some digging on that.

Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
Time to create page: 0.128 seconds