PIX Access Lists Best Practices?
16 years 7 months ago #25748
by hanzo
Are there any best practices for setting up access-lists? Below are my access-lists from the config I use on a home adsl connection.
[code:1]pix# sh access-list
access-list cached ACL log flows: total 0, denied -1 (deny-flow-max 256)
alert-interval 300
access-list outside_access_in; 8 elements
access-list outside_access_in line 1 remark Allows ping replies messages from 'outside' interface to 'inside' interface
access-list outside_access_in line 2 permit icmp any any echo-reply log 6 interval 300 (hitcnt=7)
access-list outside_access_in line 3 remark Allows ping 'unreachable' messages from 'outside' interface to 'inside' interface
access-list outside_access_in line 4 permit icmp any any unreachable log 6 interval 300 (hitcnt=0)
access-list outside_access_in line 5 remark Allows ping time-exceeded messages from 'outside' interface to 'inside' interface
access-list outside_access_in line 6 permit icmp any any time-exceeded log 6 interval 300 (hitcnt=0)
access-list outside_access_in line 7 remark Bit Torrent
access-list outside_access_in line 8 permit tcp any interface outside eq 21234 (hitcnt=0)
access-list outside_access_in line 9 remark Bit Torrent
access-list outside_access_in line 10 permit udp any interface outside eq 21234 (hitcnt=0)
access-list outside_access_in line 11 remark Allow ssh
access-list outside_access_in line 12 permit tcp host aaa.bbb.ccc.ddd interface outside eq ssh log 6 interval 300 (hitcnt=2)
access-list outside_access_in line 13 remark Drop any remaining packets
access-list outside_access_in line 14 deny ip any any log 6 interval 300 (hitcnt=7) [/code:1]
How do you approach setting up your access-lists?
16 years 7 months ago #25782
by Chris
Chris Partsenidis.
Founder & Editor-in-Chief
www.Firewall.cx
Replied by Chris on topic Re: PIX Access Lists Best Practices?
hanzo,
I usually place remarks as you have to help make things easy to read after a while when you need to revisit the ACL section of the configuration.
For me, the most critical ACLs go at the top, while the less critical are left for the end. When adding new ACLs, I never append them to the existing configuration as they would go right at the bottom, so I usually add them using the appropriate 'line' parameter to ensure ACLs referring to similar services are always kept together.
Hope that helps.
Cheers,
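Added example (not from either post above): a small Python script that parses `show access-list` output in the format hanzo pasted and applies the review points raised in this thread. It checks that the list ends in an explicit, logged `deny ip any any`, flags entries shadowed by an earlier any/any catch-all, lists permits that have never matched (hitcnt=0) or are not logged, and computes the `line N` number at which a new entry belongs so that it stays with its remark group, as Chris describes, rather than landing at the bottom. The sample ACL is hanzo's output embedded inline; the extra BitTorrent port 21235 and the host 192.0.2.10 used in the usage call are constructed placeholders, and the `access-list NAME line N ...` insertion syntax is assumed from the 'line' parameter mentioned in the reply.

```python
import re

# Constructed sample: the `sh access-list` output posted in this thread,
# embedded inline so the audit runs offline (summary lines are skipped).
SHOW_ACCESS_LIST = """\
access-list outside_access_in; 8 elements
access-list outside_access_in line 1 remark Allows ping replies messages from 'outside' interface to 'inside' interface
access-list outside_access_in line 2 permit icmp any any echo-reply log 6 interval 300 (hitcnt=7)
access-list outside_access_in line 3 remark Allows ping 'unreachable' messages from 'outside' interface to 'inside' interface
access-list outside_access_in line 4 permit icmp any any unreachable log 6 interval 300 (hitcnt=0)
access-list outside_access_in line 5 remark Allows ping time-exceeded messages from 'outside' interface to 'inside' interface
access-list outside_access_in line 6 permit icmp any any time-exceeded log 6 interval 300 (hitcnt=0)
access-list outside_access_in line 7 remark Bit Torrent
access-list outside_access_in line 8 permit tcp any interface outside eq 21234 (hitcnt=0)
access-list outside_access_in line 9 remark Bit Torrent
access-list outside_access_in line 10 permit udp any interface outside eq 21234 (hitcnt=0)
access-list outside_access_in line 11 remark Allow ssh
access-list outside_access_in line 12 permit tcp host aaa.bbb.ccc.ddd interface outside eq ssh log 6 interval 300 (hitcnt=2)
access-list outside_access_in line 13 remark Drop any remaining packets
access-list outside_access_in line 14 deny ip any any log 6 interval 300 (hitcnt=7)
"""

# One regex covers remarks and ACEs; hitcnt is absent on remark lines.
ACE_RE = re.compile(
    r"^access-list (?P<name>\S+) line (?P<line>\d+) "
    r"(?P<action>permit|deny|remark) (?P<rest>.*?)"
    r"(?: \(hitcnt=(?P<hits>\d+)\))?$"
)


def parse_access_list(text):
    """Parse `show access-list` output into ordered dicts, one per numbered line."""
    entries = []
    for raw in text.splitlines():
        m = ACE_RE.match(raw.strip())
        if not m:
            continue  # element-count / alert-interval / cached-flows lines
        e = m.groupdict()
        e["line"] = int(e["line"])
        e["hits"] = int(e["hits"]) if e["hits"] is not None else None
        e["tokens"] = e["rest"].split()
        entries.append(e)
    return entries


def audit(entries):
    """Return review findings about the ACL's order and content."""
    findings = []
    aces = [e for e in entries if e["action"] != "remark"]
    if not aces:
        return ["no access-control entries found"]

    # 1. The list should end in an explicit, logged deny-all so drops are visible.
    last = aces[-1]
    if not (last["action"] == "deny" and last["tokens"][:3] == ["ip", "any", "any"]):
        findings.append("final entry is not an explicit 'deny ip any any'")
    elif "log" not in last["tokens"]:
        findings.append(f"line {last['line']}: final deny-all is not logged")

    # 2. Anything after an ip any/any catch-all can never match (shadowed).
    for i, e in enumerate(aces):
        if e["tokens"][:3] == ["ip", "any", "any"]:
            for shadowed in aces[i + 1:]:
                findings.append(f"line {shadowed['line']}: unreachable, shadowed by line {e['line']}")
            break

    # 3. Permits that never matched, or that are not logged, deserve a second look.
    for e in aces:
        if e["action"] != "permit":
            continue
        if e["hits"] == 0:
            findings.append(f"line {e['line']}: permit has never matched (hitcnt=0)")
        if "log" not in e["tokens"]:
            findings.append(f"line {e['line']}: permit is not logged")
    return findings


def insert_line_for_group(entries, remark_label):
    """Line number at which a new ACE belongs so it stays with its remark group."""
    current, last_in_group = None, None
    for e in entries:
        if e["action"] == "remark":
            current = e["rest"]
        elif current == remark_label:
            last_in_group = e["line"]
    if last_in_group is None:
        raise ValueError(f"no group with remark {remark_label!r}")
    return last_in_group + 1  # insert directly below the group's last entry


def insert_command(entries, remark_label, ace_text):
    """Build the PIX command that inserts ace_text right after its remark group."""
    name = entries[0]["name"]
    return f"access-list {name} line {insert_line_for_group(entries, remark_label)} {ace_text}"


if __name__ == "__main__":
    parsed = parse_access_list(SHOW_ACCESS_LIST)
    for finding in audit(parsed):
        print(finding)
    # Hypothetical extra rule, placed with the existing 'Bit Torrent' entries (port is constructed).
    print(insert_command(parsed, "Bit Torrent", "permit tcp any interface outside eq 21235 log 6 interval 300"))
```

Run against the posted ACL, the audit raises nothing about the final deny (it is explicit and logged) but lists lines 4, 6, 8 and 10 as permits with hitcnt=0, and lines 8 and 10 as unlogged; the BitTorrent insert lands at line 11, pushing the ssh group and the deny-all down rather than appending below them.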