PIX 501 - change fixup, name and access-list entries

Answered Question
May 16th, 2007

As stated in my first post, I am attempting to reconfigure an inherited PIX 501 firewall and working backwards, in other words, changing the previous configuration and eliminating unneeded elements.


FIXUP PROTOCOL


What are these entries for?


Some protocols appear familiar, others less so.


Can I leave them as is?


fixup protocol dns maximum-length 1024
fixup protocol ftp 21
fixup protocol h323 h225 1720
no fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69



NAMES


Most of these pertain to the previous organization and are of no value to me. Can I eliminate these references? If so, how?


clear names?

no name - for individual entries?


I DO notice that they seem to be used as a sort of an alias in the access-list section, replacing the complete IP address.


name x.x.x.17 XX
name x.x.x.18 Pix-Out
name x.x.x.19 GWMail-Out
name 10.10.1.1 Pix-In
name 10.10.1.11 GWMail-In
name 10.10.1.12 NPSPRO
name x.x.x.21 pcaw
name x.x.x.22 Free2



ACCESS LIST - with my questions and commentary


access-list acl-out permit icmp any any


OK - permit outbound icmp traffic - makes sense


access-list acl-out permit tcp any host GWMail-Out eq smtp
access-list acl-out permit tcp any host GWMail-Out eq www
access-list acl-out permit udp any host GWMail-Out eq ntp
access-list acl-out permit tcp any host GWMail-Out eq 7205


THE above entries allow outbound traffic to indicated host - but I want to either eliminate or modify them. For the time being, I only need either all outbound or www outbound - I'll figure out the rest myself later.



access-list nonat permit ip 10.10.x.x 255.255.255.0 10.20.1.0 255.255.255.0


THIS has to do with NAT - I will need to reconfigure with my info.



access-list acl-in permit tcp host GWMail-In any eq smtp
access-list acl-in deny tcp any any eq smtp
access-list acl-in permit ip any any


LAST entry worries me... isn't it allowing all inbound?


MOST IMPORTANT - I want to make sure I do not lock myself out by blocking telnet access from the LAN.


Thank you in advance - response to my first post was excellent.


David


acomiskey Wed, 05/16/2007 - 09:56
User Badges:
  • Green, 3000 points or more

You cannot say which direction your acl is without looking at the corresponding access-group statement.


Most likely acl-in is outbound traffic, or into inside interface (access-group acl-in in interface inside). This acl is allowing only your mail server to send outbound smtp traffic.


acl-out is most likely inbound traffic, or into outside interface (access-group acl-out in interface outside). This is allowing traffic from outside to your mail server.


access-list acl-out permit icmp any any


"OK - permit outbound icmp traffic - makes sense"


No, this is allowing icmp inbound from outside to inside.
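An added example (not from this thread or from Cisco) that ties the two points together: a small Python reviewer that reads the name, access-list and access-group lines, expands the name aliases David asked about, and reports for each ACL which interface and direction it is bound to, since that binding is what decides whether "any any" means inbound or outbound. The sample config is constructed from the lines quoted in the thread; the two access-group lines are an assumption, because the thread never shows them.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: name/access-list lines quoted in the thread plus two
# ASSUMED access-group bindings (the thread does not show the real ones).
SAMPLE_CONFIG = """
name 10.10.1.11 GWMail-In
name x.x.x.19 GWMail-Out
access-list acl-out permit icmp any any
access-list acl-out permit tcp any host GWMail-Out eq smtp
access-list acl-in permit tcp host GWMail-In any eq smtp
access-list acl-in deny tcp any any eq smtp
access-list acl-in permit ip any any
access-group acl-out in interface outside
access-group acl-in in interface inside
"""

def parse_config(text: str):
    """Collect name aliases, ACL entries in order, and access-group bindings."""
    names: Dict[str, str] = {}                 # alias -> IP
    acls: Dict[str, List[str]] = {}            # acl name -> list of ACEs
    bindings: Dict[str, Tuple[str, str]] = {}  # acl name -> (direction, interface)
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "name" and len(parts) >= 3:
            names[parts[2]] = parts[1]
        elif parts[0] == "access-list" and len(parts) >= 3:
            acls.setdefault(parts[1], []).append(" ".join(parts[2:]))
        elif parts[0] == "access-group" and len(parts) >= 5:
            bindings[parts[1]] = (parts[2], parts[4])
    return names, acls, bindings

def resolve_names(ace: str, names: Dict[str, str]) -> str:
    """Replace 'host <alias>' with 'host <ip>' so the ACE reads like the real rule."""
    return re.sub(r"\bhost (\S+)", lambda m: "host " + names.get(m.group(1), m.group(1)), ace)

def review(text: str) -> List[str]:
    """Report each ACL's binding and flag broad permits in the light of that binding."""
    names, acls, bindings = parse_config(text)
    findings: List[str] = []
    for acl, entries in acls.items():
        if acl not in bindings:
            findings.append(f"{acl}: not applied by any access-group (no effect)")
            continue
        direction, iface = bindings[acl]
        findings.append(f"{acl}: applied {direction} on interface {iface}")
        for ace in (resolve_names(e, names) for e in entries):
            if ace.startswith("permit ip any any"):
                scope = "from the Internet" if iface == "outside" else "from the LAN outbound"
                findings.append(f"  WARNING {acl}: '{ace}' permits everything {scope}")
            elif ace.startswith("permit icmp any any") and iface == "outside":
                findings.append(f"  NOTE {acl}: '{ace}' permits ICMP inbound from outside")
    return findings
```

Run `review(SAMPLE_CONFIG)` to see that the "permit ip any any" in acl-in is an outbound permit under the assumed bindings, while acl-out's ICMP entry is inbound.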

acomiskey Wed, 05/16/2007 - 09:57
User Badges:
  • Green, 3000 points or more

This one is most likely defining NAT exemption for a VPN.


access-list nonat permit ip 10.10.x.x 255.255.255.0 10.20.1.0


Correct Answer
acomiskey Wed, 05/16/2007 - 10:04
User Badges:
  • Green, 3000 points or more

To remove names


Usage: [no] name


DAVMAC111 Wed, 05/16/2007 - 10:49
It looks like I have this all backwards then...


I'm going to have to find documentation on the access-list entries.


As I said in my first post, this is the first time I'm working with a Cisco device and with the CLI on top of it, so I'm not really surprised.


At any rate, thanks for steering me back onto the right track.

mukeshdang Wed, 05/16/2007 - 12:02
fixup is used for layer 4 inspection of traffic. (for example - if you want to block smtp message larger than 1 Meg, you would use this method).


My recommendation would be to leave the fixups in place unless you are having an issue with that specific protocol. (If you don't use a protocol, then you can remove its fixup.) I would remove fixup smtp unless there is some good reason for it. We had issues with it.


To remove any fixup, just prefix the entire line with 'no'. For example:

no fixup protocol smtp 25
