As stated in my first post, I am attempting to reconfigure an inherited PIX 501 firewall and working backwards, in other words, changing the previous configuration and eliminating unneeded elements.
What are these entries for?
Some protocols appear familiar, others less so.
Can I leave them as is?
fixup protocol dns maximum-length 1024
fixup protocol ftp 21
fixup protocol h323 h225 1720
no fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
Most of these pertain to the previous organization and are of no value to me. Can I eliminate these references? If so, how?
no name - for individual entries?
I DO notice that they seem to be used as a sort of an alias in the access-list section, replacing the complete IP address.
name x.x.x.17 XX
name x.x.x.18 Pix-Out
name x.x.x.19 GWMail-Out
name 10.10.1.1 Pix-In
name 10.10.1.11 GWMail-In
name 10.10.1.12 NPSPRO
name x.x.x.21 pcaw
name x.x.x.22 Free2
ACCESS LIST - with my questions and commentary
access-list acl-out permit icmp any any
OK - permit outbound icmp traffic - makes sense
access-list acl-out permit tcp any host GWMail-Out eq smtp
access-list acl-out permit tcp any host GWMail-Out eq www
access-list acl-out permit udp any host GWMail-Out eq ntp
access-list acl-out permit tcp any host GWMail-Out eq 7205
THE above entries allow outbound traffic to indicated host - but I want to either eliminate or modify them. For the time being, I only need either all outbound or www outbound - I'll figure out the rest myself later.
access-list nonat permit ip 10.10.x.x 255.255.255.0 10.20.1.0
THIS has to do with NAT - I will need to reconfigure with my info.
access-list acl-in permit tcp host GWMail-In any eq smtp
access-list acl-in deny tcp any any eq smtp
access-list acl-in permit ip any any
LAST entry worries me... isn't it allowing all inbound?
MOST IMPORTANT - I want to make sure I do not lock myself out by blocking telnet access from the LAN.
Thank you in advance - response to my first post was excellent.
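The following is an added example, not part of the original post and not taken from Cisco documentation, showing the shape the cleanup described above would take on a PIX 6.x, reusing the fixup lines, name aliases and list IDs quoted in the post. It assumes the inside LAN is 10.10.1.0/24 and that acl-in is bound to the inside interface with access-group; both are assumptions, since the post does not show the access-group lines or the real addresses. Two points matter for the lock-out worry: the access-group lists govern traffic passing through the PIX, while telnet to the PIX itself is controlled by the separate telnet command, and building the replacement list under a new ID before swapping the binding means there is never a moment with no list in place.

```cisco
! Added example, not the poster's configuration. Assumes PIX 6.x syntax,
! inside LAN 10.10.1.0/24 and acl-in bound to the inside interface.

! 1. Secure management access first, before touching any access-list.
!    Telnet to the PIX's own inside address is governed by this command,
!    not by the interface access-lists.
telnet 10.10.1.0 255.255.255.0 inside
telnet timeout 15

! 2. Turn off the protocol inspections (fixups) the new network does not
!    use. Each 'no fixup protocol' line disables exactly one inspection.
no fixup protocol h323 h225 1720
no fixup protocol rsh 514
no fixup protocol rtsp 554
no fixup protocol sip 5060
no fixup protocol sip udp 5060
no fixup protocol skinny 2000
no fixup protocol sqlnet 1521
no fixup protocol tftp 69
! dns, ftp, http and smtp fixups are left in place: they inspect
! ordinary client traffic and do not open anything by themselves.

! 3. Remove a name alias that nothing else references.
!    For an alias that is still used, remove the access-list lines that
!    refer to it first, so no line is left pointing at an undefined name.
no name 10.10.1.12 NPSPRO
no access-list acl-out permit tcp any host GWMail-Out eq 7205
no access-list acl-out permit udp any host GWMail-Out eq ntp
no access-list acl-out permit tcp any host GWMail-Out eq www
no access-list acl-out permit tcp any host GWMail-Out eq smtp

! 4. Replace the LAN-side list with a minimal one. Build it under a new
!    ID, then move the interface binding; the old list keeps working
!    until the access-group line changes, so the LAN is never cut off.
access-list lan-out permit tcp 10.10.1.0 255.255.255.0 any eq www
access-list lan-out permit tcp 10.10.1.0 255.255.255.0 any eq 443
access-list lan-out permit udp 10.10.1.0 255.255.255.0 any eq domain
access-group lan-out in interface inside
! Only now retire the old list, including the 'permit ip any any' line.
no access-list acl-in permit ip any any
no access-list acl-in deny tcp any any eq smtp
no access-list acl-in permit tcp host GWMail-In any eq smtp

! 5. Verify which list is bound where, then save.
show access-group
show access-list
show names
write memory
```

Before the access-group swap, check the output of show access-group to confirm which interface acl-in is actually bound to; if it is bound to the outside interface rather than inside, the 'permit ip any any' line is far more serious, because it then admits all inbound traffic rather than all LAN-originated traffic, and the replacement list should be written for that direction instead.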