Access List

Unanswered Question
Apr 22nd, 2007

How access lists differ between the PIX OS and the IOS? And why we need to apply access list both on router and pix ?

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 3 (1 ratings)
Loading.
zulqurnain Sun, 04/22/2007 - 21:20

hello,

If you are referring to the configuration commands between a PIX and a router, there are quite a few differences and similarities Netmasks are entered differently, the help in the PIX is not as good as in IOS. you need to do a WR MEM to save the config, WR NET :filename to save to a tftp server. The list goes on... ENABLE and config t are the same between both.

First, the differences between a PIX and an IOS-based firewall. From a functionality perspective, you can do most of the same things on an IOS firewall that you can on the PIX. Now, with that in mind, it doesn't mean there's no point to a PIX!

A PIX is designed to be a firewall and only a firewall. An IOS router is primarily a router, and MAY be a firewall too. With that in mind, think of your job vs. the job your boss has as well as the jobs anybody you supervise has. From a technical standpoint, YOU could do the jobs of all of those people, however, they have duties that are not typically your own. So would you like to do all of their jobs? At once? Probably not. While your router wouldn't complain about the additional tasks, it may start becoming less efficient.

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_qanda_item09186a008010a40e.shtml

A PIX is a firewall -- a good firewall. There are many security features that it does which an IOS firewall doesn't, The best answer is that you should design your network with devices that do their jobs most efficiently, not just with "whatever will do."

Whereas access lists in the PIX operate and are configured much the same as they are in routers using the IOS, using the commands access-list and access-group. One of the differences is that in the PIX, access lists can only be applied as inbound to an interface. The no command precedes any statement or list you want to remove.

Turbo ACLs improve the search time required for large access lists. It's only applied to ACLs of 19 entries or more. The command to enable is access-list compiled.

Object grouping is a fairly new feature supported by the PIX. It allows for simplified design, administration and troubleshooting of access lists. You want to be familiar with them for this exam. An ACL can apply to the following types of objects: client, server, subnet, service and ICMP. You can apply object groups to the following: network, protocol, service and ICMP. The primary command object-group is used to create object group types. For example:

object-group network CLIENTS

network-object host 10.0.1.11

network-object host 10.0.2.11

network-object 10.0.0.0 255.255.255.0

This will create a network object group names "CLIENTS," containing two hosts and a network. It can then be used in an access list as a single statement: access-list 101 permit tcp any object-group CLIENTS.

HTH

Actions

This Discussion