Firewall

Unanswered Question
Mar 15th, 2007

Hi All,

I am very new to firewalls. I have a Cisco PIX 515E; I want to know about the configuration of the 515E, and also want to know what happens with the commands fixup protocol, failover ip address outside, failover ip address state, and how to use access lists in the firewall.

Jon Marshall Thu, 03/15/2007 - 05:30

Hi

Big subject :-)

1) fixup protocol. Generally the PIX looks at layer 3 (IP addresses) and layer 4 (port numbers). However, for some applications it can look at the layer 7 information, i.e. it understands certain commands, etc., used by the application. The applications it can do this for are defined by the fixup protocol lines.

2) failover - this is used when you have two firewalls in a pair. One is generally active and the other is in failover mode and will assume the active role if the primary firewall fails. Note that with v7.0 of the PIX software you can run both in active mode if you want, on a per-context basis.

3) access-lists are used to control the traffic allowed through the firewall, either from inside to outside, or outside to inside, or outside to DMZ, etc.

By default, traffic is allowed to flow from a higher security interface to a lower security interface without an access-list, e.g. inside to outside.

Attached is a link to the pix firewall configuration docs.

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_installation_and_configuration_guides_list.html

HTH

Jon

nileshKahale Thu, 03/15/2007 - 06:15

Thanks for quick reply.

However, I want to know the meaning of the following commands:

fixup protocol dns maximum-length 512

fixup protocol ftp 21

access-list acl_in permit udp host 10.25.25.16 host 203.45.18.1 eq domain

failover ip address state x.x.x.x

acomiskey Thu, 03/15/2007 - 06:21

access-list acl_in permit udp host 10.25.25.16 host 203.45.18.1 eq domain

This is allowing udp 53 (dns) traffic from 10.25.25.16 to 203.45.18.1, as long as acl_in is applied to an interface with something like "access-group acl_in in interface outside".
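To show how the four lines nileshKahale asked about fit together, here is an added configuration fragment in PIX 6.3 syntax. It is not from any post in this thread or from Cisco's documentation; the interface names, security levels and every address other than 10.25.25.16 and 203.45.18.1 are assumed. Lines beginning with a colon are comments, which the PIX ignores. Because 10.25.25.16 is a private (inside) address, the example binds acl_in to the interface those packets enter, inside; where the list belongs on a real box depends on which interface the traffic arrives on.

```cisco
: Added example, not the thread's or Cisco's own config. Interface names,
: security levels and all addresses except 10.25.25.16 / 203.45.18.1 are
: assumed for illustration.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 state security20
ip address outside 203.45.18.2 255.255.255.0
ip address inside 10.25.25.1 255.255.255.0
ip address state 192.168.254.1 255.255.255.0
:
: Layer-7 inspection. fixup tells the PIX to parse these protocols rather
: than only match ports: the ftp fixup watches the control channel on TCP 21
: and opens the data connection negotiated inside it; the dns fixup drops
: DNS packets longer than 512 bytes.
fixup protocol ftp 21
fixup protocol dns maximum-length 512
:
: An access-list does nothing until access-group binds it to an interface.
: Bound "in" on inside it filters traffic entering from the inside LAN.
: Caveat: once a list is bound here, the default higher-to-lower permit no
: longer applies on this interface. Everything the list does not permit,
: including all other outbound traffic, hits the implicit deny at the end.
access-list acl_in permit udp host 10.25.25.16 host 203.45.18.1 eq domain
access-group acl_in in interface inside
:
: Failover. "failover ip address <if_name> <ip>" gives the standby unit its
: own address on each interface, so "failover ip address state ..." is the
: standby's address on the interface named "state". "failover link state"
: makes that interface carry connection-state replication (stateful
: failover) so the standby can take over open sessions.
failover
failover ip address outside 203.45.18.3
failover ip address inside 10.25.25.2
failover ip address state 192.168.254.2
failover link state
```

Check the result with `show access-list acl_in` (hit counts rise only when the list is actually bound and matching), `show fixup` for the inspected protocols, and `show failover` to confirm the standby unit has picked up the addresses above.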
