PIX 501 - change fixup, name and access-list entries
As stated in my first post, I am attempting to reconfigure an inherited PIX 501 firewall and working backwards, in other words, changing the previous configuration and eliminating unneeded elements.
What are these entries for?
Some protocols appear familiar, others less so.
Can I leave them as is?
fixup protocol dns maximum-length 1024
fixup protocol ftp 21
fixup protocol h323 h225 1720
no fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
Most of these pertain to the previous organization and are of no value to me. Can I eliminate these references? If so, how?
no name - for individual entries?
I DO notice that they seem to be used as a sort of an alias in the access-list section, replacing the complete IP address.
name x.x.x.17 XX
name x.x.x.18 Pix-Out
name x.x.x.19 GWMail-Out
name 10.10.1.1 Pix-In
name 10.10.1.11 GWMail-In
name 10.10.1.12 NPSPRO
name x.x.x.21 pcaw
name x.x.x.22 Free2
ACCESS LIST - with my questions and commentary
access-list acl-out permit icmp any any
OK - permit outbound icmp traffic - makes sense
access-list acl-out permit tcp any host GWMail-Out eq smtp
access-list acl-out permit tcp any host GWMail-Out eq www
access-list acl-out permit udp any host GWMail-Out eq ntp
access-list acl-out permit tcp any host GWMail-Out eq 7205
THE above entries allow outbound traffic to indicated host - but I want to either eliminate or modify them. For the time being, I only need either all outbound or www outbound - I'll figure out the rest myself later.
access-list nonat permit ip 10.10.x.x 255.255.255.0 10.20.1.0
THIS has to do with NAT - I will need to reconfigure with my info.
access-list acl-in permit tcp host GWMail-In any eq smtp
access-list acl-in deny tcp any any eq smtp
access-list acl-in permit ip any any
LAST entry worries me... isn't it allowing all inbound?
MOST IMPORTANT - I want to make sure I do not lock myself out by blocking telnet access from the LAN.
Thank you in advance - response to my first post was excellent.
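As an added illustration, not part of the original post or of the PIX software, the following Python model shows how a PIX access list is evaluated: `name` entries are plain aliases substituted for addresses, each list is walked top-down, the first matching entry decides, and anything that matches nothing is dropped by the implicit deny. The sample configuration is constructed from the lines quoted above; the octets redacted as x.x.x are replaced by documentation addresses (192.0.2.x), and the source and destination addresses in the checks are also made up.

```python
import ipaddress

# Port keywords accepted after "eq" in the quoted lines; anything else is a numeric port.
PORT_NAMES = {"smtp": 25, "www": 80, "http": 80, "ntp": 123, "telnet": 23, "ftp": 21}

# Constructed sample: the poster's name/access-list lines, with the redacted
# x.x.x. prefix replaced by the documentation range 192.0.2.0/24.
SAMPLE_CONFIG = """
name 192.0.2.19 GWMail-Out
name 10.10.1.1 Pix-In
name 10.10.1.11 GWMail-In
access-list acl-out permit icmp any any
access-list acl-out permit tcp any host GWMail-Out eq smtp
access-list acl-out permit tcp any host GWMail-Out eq www
access-list acl-out permit udp any host GWMail-Out eq ntp
access-list acl-out permit tcp any host GWMail-Out eq 7205
access-list acl-in permit tcp host GWMail-In any eq smtp
access-list acl-in deny tcp any any eq smtp
access-list acl-in permit ip any any
"""


def parse_addr(tokens, names):
    """Consume one address spec: 'any', 'host X', or 'addr mask'. None means match anything."""
    if tokens[0] == "any":
        return None, tokens[1:]
    if tokens[0] == "host":
        ip = names.get(tokens[1], tokens[1])          # resolve a name alias if present
        return ipaddress.ip_network(ip), tokens[2:]
    ip = names.get(tokens[0], tokens[0])
    return ipaddress.ip_network(f"{ip}/{tokens[1]}", strict=False), tokens[2:]


def parse_ace(tokens, names):
    """Parse 'permit|deny <proto> <src> <dst> [eq <port>]' into a rule dict."""
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    src, rest = parse_addr(rest, names)
    dst, rest = parse_addr(rest, names)
    port = None
    if rest[:1] == ["eq"]:
        port = PORT_NAMES.get(rest[1]) or int(rest[1])
    return {"action": action, "proto": proto, "src": src, "dst": dst, "port": port}


def parse_config(text):
    """Return (name aliases, {acl_id: [rules in configured order]})."""
    names, acls = {}, {}
    for raw in text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        if parts[0] == "name":
            names[parts[2]] = parts[1]                  # "name <ip> <alias>"
        elif parts[0] == "access-list":
            acls.setdefault(parts[1], []).append(parse_ace(parts[2:], names))
    return names, acls


def evaluate(acl, proto, src, dst, port=None):
    """First-match evaluation with an implicit deny at the end.

    Returns (action, index of the matching entry), or ('deny', None) when
    nothing matched, so the caller can see which line decided the packet.
    """
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, ace in enumerate(acl):
        if ace["proto"] != "ip" and ace["proto"] != proto:
            continue                                    # 'ip' matches every protocol
        if ace["src"] is not None and src_ip not in ace["src"]:
            continue
        if ace["dst"] is not None and dst_ip not in ace["dst"]:
            continue
        if ace["port"] is not None and ace["port"] != port:
            continue
        return ace["action"], i
    return "deny", None


if __name__ == "__main__":
    names, acls = parse_config(SAMPLE_CONFIG)
    # SMTP from the mail host, SMTP from another host, and non-SMTP from another host.
    for pkt in [("tcp", "10.10.1.11", "198.51.100.5", 25),
                ("tcp", "10.10.1.12", "198.51.100.5", 25),
                ("tcp", "10.10.1.12", "198.51.100.5", 80)]:
        print(pkt, "->", evaluate(acls["acl-in"], *pkt))
```

Running the model over the quoted `acl-in` confirms the concern raised in the post: SMTP from GWMail-In matches line 1 and is permitted, SMTP from any other host matches line 2 and is denied, and every other packet falls through to `permit ip any any`. Removing that last line would leave only the two SMTP entries followed by the implicit deny, which is why the telnet path from the LAN should be checked against the list before any such change is saved.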
Re: PIX 501 - change fixup, name and access-list entries
fixup is used for layer 4 inspection of traffic. (for example - if you want to block smtp message larger than 1 Meg, you would use this method).
My recommendation would be to leave the fixups in place unless you are having an issue with that specific protocol. (If you don't use a protocol, then you can remove its fixup.) I would remove fixup smtp unless there is some good reason for it. We had issues with it.
To remove any fixup, just prefix the entire line with 'no'. For example: