New Member

PIX 506 (6.3) configuration query

So just some background: I inherited a PIX 506 with 6.3. I will admit my background is more towards switching/routing. But while I know it is a dinosaur, I need to maintain it for partner interoperability. I just want to confirm that what I am thinking is correct and, if not, how I can correct it.

My thought is that since the access-list command doesn't list "eq" at the end, all ports and protocols are allowed?

The other thing I am not used to is that the access-list has no id/number included in the command, so I assume that access-group specifies this functionality.

All responses are appreciated.

Here is a snippet of the current config:
object-group network Ext_Net
  network-object 192.168.0.0 255.255.255.255

object-group network Int_Net
  network-object 10.0.0.0 255.255.240.0

object-group network DNS
  network-object 192.168.0.254 255.255.255.255
  network-object 192.168.0.253 255.255.255.255

object-group network Servers
  network-object 192.168.0.25 255.255.255.255
  network-object 192.168.0.62 255.255.255.255
  network-object 192.168.0.87 255.255.255.255
object-group network Int_Net_ref
  network-object 192.168.0.0 255.255.255.255
object-group service Ports tcp
  port-object range 3995 3995
  port-object range telnet telnet
  port-object range 8010 8010
  port-object range 8080 8080
  port-object eq pop3
  port-object eq imap4
  port-object eq smtp
  port-object eq 433
  port-object eq www
  port-object eq https
  port-object eq ssh
  port-object range https https
  port-object eq 9100
  port-object eq lpd
  port-object eq 584
  port-object eq 585
  port-object range 500 700

access-list inside_access_in permit tcp object-group Int_Net object-group Ext_Net
access-list inside_access_in permit udp object-group Int_Net object-group DNS
access-list inside_access_in permit tcp object-group Int_Net object-group Servers
access-list outside_access_in permit tcp object-group Ext_Net object-group Int_Net_ref
access-list outside_access_in permit tcp object-group Servers object-group Int_Net_ref
access-list outside_access_in permit tcp object-group DNS object-group Int_Net_ref

pdm location 192.168.0.254 255.255.255.255 outside
pdm location 192.168.0.253 255.255.255.255 outside
pdm location

pdm group Ext_Net 255.255.255.255 outside
pdm group Int_Net 255.255.255.255 inside

nat (inside) 2 Int_Net 255.255.240.0 0 0

access-group outside_access_in in interface outside
access-group inside_access_in in interface inside

route outside 0.0.0.0 0.0.0.0 192.168.0.1 1

2 REPLIES
New Member

PIX 506 (6.3) configuration query

Yes, if the ACL does not have an 'eq' command, all ports for that protocol will be allowed.  Not the best thing to do. 

The access-group command applies the ACL to the interface in either the in or out direction. These two commands in your config apply the ACLs to the ingress direction on the PIX:

access-group outside_access_in in interface outside

access-group inside_access_in in interface inside

So traffic coming ingress to the outside interface will have the outside_access_in applied to it.
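Added example (not from the thread or from Cisco): a small Python model of how a PIX 6.3 ACE with object-group endpoints is matched. It uses the thread's own object-groups, an ACL "open" in the thread's port-less form, and a hypothetical hardened ACL "tight" that appends the thread's Ports service group (or an explicit eq); first-match evaluation with an implicit deny at the end is assumed.

```python
import ipaddress
# Constructed sample: the thread's object-groups and ACE shapes. ACL "open" copies the
# port-less form; "tight" is a hypothetical hardened form with a trailing service group or eq.
CONFIG = """
object-group network Int_Net
  network-object 10.0.0.0 255.255.240.0
object-group network DNS
  network-object 192.168.0.254 255.255.255.255
object-group network Servers
  network-object 192.168.0.25 255.255.255.255
object-group service Ports tcp
  port-object eq smtp
access-list open permit tcp object-group Int_Net object-group Servers
access-list open permit udp object-group Int_Net object-group DNS
access-list tight permit tcp object-group Int_Net object-group Servers object-group Ports
access-list tight permit udp object-group Int_Net object-group DNS eq 53
"""
NAMES = {"telnet": 23, "ssh": 22, "smtp": 25, "www": 80, "https": 443}  # PIX port names (subset)
def port(tok):
    return int(tok) if tok.isdigit() else NAMES[tok]
def parse(text):
    """Return ({group: [networks or (lo, hi) port ranges]}, {acl: [ACE token lists]})."""
    groups, acls, cur = {}, {}, None
    for tok in (l.split() for l in text.splitlines() if l.strip()):
        if tok[0] == "object-group":
            cur = groups.setdefault(tok[2], [])
        elif tok[0] == "network-object":   # "addr mask"; mask 255.255.255.255 is a single host
            cur.append(ipaddress.ip_network(f"{tok[1]}/{tok[2]}"))
        elif tok[0] == "port-object":      # "eq p" or "range lo hi" -> inclusive (lo, hi)
            cur.append((port(tok[2]), port(tok[-1])))
        elif tok[0] == "access-list":
            acls.setdefault(tok[1], []).append(tok[2:])
    return groups, acls
GROUPS, ACLS = parse(CONFIG)
def permitted(acl, proto, src, dst, dport):
    """First match wins; running off the end is the implicit deny (tcp/udp, object-group endpoints only)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, _, sg, _, dg, *rest in ACLS[acl]:
        if p != proto or not any(src in n for n in GROUPS[sg]) or not any(dst in n for n in GROUPS[dg]):
            continue
        if not rest:                       # no port operator: every port of the protocol matches
            ranges = [(0, 65535)]
        elif rest[0] == "object-group":    # trailing service group
            ranges = GROUPS[rest[1]]
        else:                              # eq p / range lo hi
            ranges = [(port(rest[1]), port(rest[-1]))]
        if any(lo <= dport <= hi for lo, hi in ranges):
            return action == "permit"
    return False
```

Running permitted("open", "tcp", "10.0.1.5", "192.168.0.25", 23) returns True while the same packet against "tight" returns False, which is the difference the reply above describes.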

New Member

PIX 506 (6.3) configuration query

Thanks for the confirmation, and yes, I am going to go through the config line by line and verify what is obsolete.

First order of business is to get a bearing on what is in use.

Are the pdm location commands safe to remove?
