established connections on PIX

Unanswered Question
Mar 8th, 2002

Dear readers,


I would like to know how one can configure a PIX so that it only allows established connections for, for example, http.


I know, and have already configured, access-lists on a Cisco IOS router using the established parameter, for example:


access-list 110 permit tcp any host v.w.x.y gt 1023 established


How can I create such an access-list on a PIX, or is this impossible?


Thanks in advance.


Aad Boelhouwers

michael_tong Sat, 03/09/2002 - 04:40

Since the PIX supports stateful inspection, you don't need to configure such an access-list. For example: you have one PIX with two interfaces -- inside (security level=100) and outside (security level=0). If an initial IP packet is sent to the inside interface from your internal network, the PIX will check the destination. Here, we assume that its destination is somewhere on the Internet. Then, according to the routing table, the PIX will send it out of its outside interface and record the packet information such as IP addresses (source and destination), port numbers (source and destination), sequence numbers... Then, a stateful table will be generated. When the reply packet comes back from the Internet, the PIX will check its stateful table. If the reply packet information matches, the PIX will let this reply packet out of the inside interface.


The PIX will not restrict the packet flow from a high security level interface to a low security level interface unless there is an access-list applied on that high security level interface.


I think what you need to concern yourself with is to well define the security level of each interface. (By default, inside is 100 and outside is 0.) Then, you have to think about what services should be allowed access from the low security level interface to the high security level interface. Just use an access-list to allow it and apply it on the low security level interface. The stateful information will also be added to the stateful table whenever the packet comes.


Of course this is a BASIC configuration. If you want to know more advanced features, such as fixup protocol, mailguard,... you have to find them in the technical documentation.
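The difference Michael describes, between the IOS `established` keyword in Aad's access-list and the PIX stateful table, is easy to see in a small model. The following is an added example written for this page, not Cisco code and not a model of any real PIX internals: the `established` check looks only at TCP flags (ACK or RST) and the destination port range, while the stateful table records the addresses and ports of a flow initiated from the higher-security interface and admits only the matching reply leg. Interface names, security levels (100 inside, 0 outside, as stated above), the IP addresses and the three sample segments are all constructed for the demonstration.

```python
"""Toy model contrasting an IOS-style 'established' ACL check with a
PIX-style stateful connection table.  Added example, not Cisco code;
interface names, addresses and sample traffic below are constructed."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple

INSIDE, OUTSIDE = "inside", "outside"          # interface names (assumed)
SECURITY_LEVEL = {INSIDE: 100, OUTSIDE: 0}      # defaults quoted in the thread


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: FrozenSet[str]      # e.g. {"SYN"}, {"ACK"}, {"SYN", "ACK"}
    ingress: str               # interface the segment arrives on


def established_acl_permits(pkt: Packet, protected_host: str) -> bool:
    """Model of: access-list 110 permit tcp any host X gt 1023 established
    The 'established' keyword matches any segment with ACK or RST set;
    it has no memory of whether a connection was ever opened."""
    return (pkt.dst_ip == protected_host
            and pkt.dst_port > 1023
            and bool(pkt.flags & {"ACK", "RST"}))


FlowKey = Tuple[str, int, str, int]   # (src_ip, src_port, dst_ip, dst_port)


class StatefulTable:
    """Minimal model of the behaviour described in the answer above: a flow
    initiated from a higher-security interface is recorded, and traffic from
    the lower-security side is admitted only if it is the reply leg of a
    recorded flow.  (Sequence-number tracking is omitted for brevity.)"""

    def __init__(self) -> None:
        self.flows: Dict[FlowKey, str] = {}   # forward tuple -> initiating interface

    def permits(self, pkt: Packet, egress: str) -> bool:
        forward: FlowKey = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        reverse: FlowKey = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if SECURITY_LEVEL[pkt.ingress] > SECURITY_LEVEL[egress]:
            # high -> low is allowed by default (no ACL on inside); record state
            self.flows[forward] = pkt.ingress
            return True
        # low -> high: only the reply to a recorded outbound flow gets through
        return reverse in self.flows


def simulate() -> Dict[str, Tuple[bool, bool]]:
    """Run three constructed segments through both checks.
    Returns name -> (established_acl_result, stateful_result)."""
    client, web_server, stranger = "10.0.0.5", "198.51.100.10", "203.0.113.7"
    table = StatefulTable()

    # 1. Inside client opens an HTTP connection; the table records the flow.
    syn = Packet(client, 40000, web_server, 80, frozenset({"SYN"}), INSIDE)
    table.permits(syn, OUTSIDE)

    # 2. Genuine reply from the web server: both checks permit it.
    reply = Packet(web_server, 80, client, 40000, frozenset({"SYN", "ACK"}), OUTSIDE)

    # 3. Unsolicited ACK-flagged segment from an unrelated host aimed at the same
    #    client port: the flag-only ACL permits it, the stateful table drops it.
    stray_ack = Packet(stranger, 80, client, 40000, frozenset({"ACK"}), OUTSIDE)

    # 4. Unsolicited SYN toward the client: both checks drop it.
    stray_syn = Packet(stranger, 12345, client, 40000, frozenset({"SYN"}), OUTSIDE)

    return {
        "reply": (established_acl_permits(reply, client), table.permits(reply, INSIDE)),
        "unsolicited_ack": (established_acl_permits(stray_ack, client),
                            table.permits(stray_ack, INSIDE)),
        "unsolicited_syn": (established_acl_permits(stray_syn, client),
                            table.permits(stray_syn, INSIDE)),
    }


if __name__ == "__main__":
    for name, (acl_ok, state_ok) in simulate().items():
        print(f"{name:16s} established-ACL={'permit' if acl_ok else 'deny':6s} "
              f"stateful={'permit' if state_ok else 'deny'}")
```

The third case is the point of Michael's answer: a flag-only `established` rule cannot tell a real reply from any other segment that happens to carry ACK, whereas the PIX admits return traffic only when it matches a connection that the inside actually opened. That is why there is no `established` keyword to configure on the PIX; the stateful table does that job for every permitted flow.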

aboelhouwers Mon, 03/11/2002 - 02:29

Thanks a lot Michael, this answer is what I was looking for.


Aad Boelhouwers
