Cisco Support Community
New Member

Pix 515 - Extreme Newbee!

Hopefully someone can help me. I am very new to Pix and am having a hard time understanding it. What I need to do is simply punch a hole in our firewall for a computer. I have very limited instructions that tell me I have to do a conf t to configure the terminal and I have to remove all entries then re-enter everything with the new information. How do I do this? And, is it just a certain block (such as the access-list) which I remove and re-enter? I need to add the lines:

access-list 200 permit tcp any host xx.xxx.xxx.228 eq 3389

access-list 200 permit tcp any host xx.xxx.xxx.228 eq www

then I know I need to add something like:

static (inside,outside) xx.xxx.xxx.228 xxx.xx.xx.23 dns netmask 255.255.255.255 0 0

Any help would be greatly appreciated. TIA!!

6 REPLIES

Re: Pix 515 - Extreme Newbee!

Hi

Simply select the line you want to remove, copy it, write no, then paste the line. A no statement at the beginning will remove 95% of issued commands.

Also do not forget to assign the ACL to interface

access-group 200 in interface outside

Regards

New Member

Re: Pix 515 - Extreme Newbee!

Thank you for your reply. I was told at one point in time you have to remove everything, then add it all back in again anytime you need to change something. Is that the case? And, if so, does everything mean EVERYTHING you see when you do a show config, or is it just the block such as the lines beginning with access-list (as an example)? Also, I'm not sure what you mean by assign the ACL to interface. See, I really am a newbie. Thanks again. Every little bit of information helps!

New Member

Re: Pix 515 - Extreme Newbee!

You need to remove the ACLs and paste them again. No need to remove all ACLs; it all depends on where you want to insert the ACL.

If you remove all ACLs for a particular interface, then you need to apply the ACL again to the interface.

New Member

Re: Pix 515 - Extreme Newbee!

Again, thank you for your response. Sorry to be so thick, but I don't want to crash our pix when I do this. Below is a copy of our configuration. In order for me to add the lines:

access-list 200 permit tcp any host xx.xxx.xxx.228 eq 3389

access-list 200 permit tcp any host xx.xxx.xxx.228 eq www

Do I need to remove all entries that begin with 'access-list' or only the ones that begin with 'access-list 200'? Then, of course, reapply them with the new entries added. Then when I add:

static (inside,outside) xx.xxx.xxx.228 xxx.xx.xx.23 dns netmask 255.255.255.255 0 0

do I remove all 'static (inside,outside)' entries and reapply them (with the new entry added)?

Configuration:

names
access-list 101 permit ip xxx.xx.xx.0 255.255.255.0 xxx.xx.xx.0 255.255.255.0
access-list 101 permit ip xxx.xx.xx.0 255.255.255.0 xxx.xx.xx.0 255.255.255.0
access-list NONAT permit ip xxx.xx.xx.0 255.255.255.0 xxx.xx.xx.0 255.255.255.0
access-list NONAT permit ip xxx.xx.xx.0 255.255.255.0 xxx.xx.xx.0 255.255.255.0
access-list NONAT permit ip xxx.xx.xx.0 255.255.255.0 xxx.xx.xx.0 255.255.255.0
access-list NONAT permit ip xxx.xx.xx.0 255.255.255.0 xxx.xx.xx.0 255.255.255.0
access-list NONAT permit ip xxx.xx.xx.0 255.255.255.0 xxx.xx.xx.0 255.255.255.0
access-list NONAT permit ip xxx.xx.xx.0 255.255.255.0 xxx.xx.xx.0 255.255.255.0
access-list 102 permit ip xxx.xx.xx.0 255.255.255.0 xxx.xx.xx.0 255.255.255.0
access-list 102 permit ip xxx.xx.xx.0 255.255.255.0 xxx.xx.xx.0 255.255.255.0
access-list 200 permit ip xxx.xx.xx.0 255.255.255.0 any
access-list 200 permit tcp xxx.xxx.x.0 255.255.255.0 host xx.xxx.xxx.xxx
access-list 200 permit tcp xxx.xxx.x.0 255.255.255.0 host xx.xxx.xxx.234
access-list 200 permit tcp xx.xx.xxx.0 255.255.240.0 any eq ssh
access-list 200 permit tcp xxx.xxx.xxx.0 255.255.255.128 any eq ssh
access-list 200 permit tcp host xx.xx.xx.66 host xx.xxx.xxx.234
access-list 200 permit tcp any host xx.xxx.xxx.234 eq www
access-list 200 permit tcp any host xx.xxx.xxx.236 eq www
access-list 200 permit icmp any any
access-list 200 permit tcp xxx.xxx.x.0 255.255.255.0 host xx.xxx.xxx.235
access-list 200 permit tcp xx.xx.xx.0 255.255.240.0 any eq ssh
access-list 200 permit tcp host xx.xx.xx.66 host xx.xxx.xxx.235 eq 5900
access-list 200 permit tcp xxx.xxx.xxx.0 255.255.255.128 host xx.xxx.xxx.235
access-list 200 permit tcp xxx.xxx.xxx.0 255.255.255.128 host xx.xxx.xxx.234
access-list 200 permit tcp host xx.xx.xx.84 host xx.xxx.xxx.235
access-list 200 permit tcp any host xx.xxx.xxx.228 eq 3389
access-list 200 permit tcp any host xx.xxx.xxx.228 eq www
pager lines 20
static (inside,outside) xx.xxx.xxx.234 xxx.xx.xx.22 dns netmask 255.255.255.255 0 0
static (inside,outside) xx.xxx.xxx.236 xxx.xx.xx.31 dns netmask 255.255.255.255 0 0
static (inside,outside) xx.xxx.xxx.233 xxx.xx.xx.21 dns netmask 255.255.255.255 0 0
static (inside,outside) xx.xxx.xxx.235 xxx.xx.xx.20 dns netmask 255.255.255.255 0 0
static (inside,outside) xx.xxx.xxx.228 xxx.xx.xx.23 dns netmask 255.255.255.255 0 0

New Member

Re: Pix 515 - Extreme Newbee!

<< Do I need to remove all entries that begin with 'access-list' or only the ones that begin with 'access-list 200'? >>

No, you don't need to remove anything. PIX ACLs can be edited on the fly. The new ACL lines will appear at the end of the ACL. Like an extended IOS ACL, there is a way to optionally insert your two lines somewhere above within ACL 200 (not at the bottom). Let us know if you're interested in how to do this.

Good luck!
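The in-place editing the reply above describes, as an added example that is not from any poster in this thread: appending to ACL 200, inserting at a chosen position, removing a single entry with no, and verifying before saving. It assumes PIX software 6.3 or later (for the line keyword and the show access-list hit counters); the addresses reuse the thread's masked placeholders and are not real.

```cisco
! Added example: editing ACL 200 on a PIX 515 without clearing it.
! Assumption: PIX 6.3+ CLI. Placeholder addresses as in the thread.
pixfirewall# configure terminal

! 1. Appending. A new statement is added to the END of ACL 200;
!    nothing already in the list has to be removed first, and the
!    existing "access-group 200 in interface outside" binding stays.
pixfirewall(config)# access-list 200 permit tcp any host xx.xxx.xxx.228 eq www
pixfirewall(config)# access-list 200 permit tcp any host xx.xxx.xxx.228 eq 3389

! 2. Inserting at a position instead. "line N" places the entry before
!    whatever currently sits at line N, which matters when an earlier
!    entry would otherwise match (and shadow) the new one.
pixfirewall(config)# access-list 200 line 5 permit tcp any host xx.xxx.xxx.228 eq www

! 3. Removing exactly one entry: repeat the full statement after "no".
!    Caution: "no access-list 200" with nothing after the name removes
!    the whole list, which is the outage the original poster feared.
pixfirewall(config)# no access-list 200 permit tcp any host xx.xxx.xxx.228 eq 3389

! 4. The one-to-one translation for the new host, also a single line.
pixfirewall(config)# static (inside,outside) xx.xxx.xxx.228 xxx.xx.xx.23 dns netmask 255.255.255.255 0 0

! 5. Verify order, hit counts, interface binding and the static, then
!    save. The order shown is the order in which packets are evaluated.
pixfirewall(config)# show access-list 200
pixfirewall(config)# show access-group
pixfirewall(config)# show static
pixfirewall(config)# write memory

! Defensive note: permitting 3389 (RDP) from "any" exposes the host to
! every Internet source; replacing "any" with the admin network, e.g.
! "host <admin-ip>" (placeholder), limits exposure to what is needed.
```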

New Member

Re: Pix 515 - Extreme Newbee!

Thanks to all of you for your response. Really, it was such an easy task but considering I've never touched our pix before I wanted to make sure I knew exactly what to do. Thanks again!
