Modifying Access Lists

aafkhami
Level 1

Hello,

I usually use a text file to modify my access lists. I copy the current list to a text file, put a "no" in front of all the lines and then add my new access list to the file. Then all I need is to copy and paste the whole file to the "config t" prompt.

A couple of times I have noticed that after changing my access lists, the corresponding access-group statement disappears and I have to add it again. I know that in routers it's recommended to negate the access-group command from the interface before applying a new ACL and then re-apply it to the interface. I was wondering if it's also the same in PIX.

My other question is, although my access-group to inside interface is not showing up in the configuration, inside machines can access the other segments on the firewall. I thought if you don't have an acl applied to an interface, there will be no traffic going through that interface. Maybe I am confused and missing a point ...

Any help is appreciated.

Thanks,

Ali

3 Replies

wolfrikk
Level 3

In the PIX, a higher level interface (Inside is 100, Outside is 0) can access resources out of a lower level interface, but hosts on the lower level side cannot access resources in the higher level interface without an ACL allowing the access.

What I do when creating a new access-list is create an ACL with a different number and paste the new access-list into the config t prompt, then change the access-group statement. That way the old access-list is still there in case you need to switch back to it. When you determine you no longer need the access-list you can remove it.

shannong
Level 4

As long as NAT is configured properly, the Pix will allow traffic from a high security interface to access a lower security interface unless it is denied explicitly. Therefore, no ACL on your higher security interface implicitly says "allow all" to lower security interfaces.

Concerning the use of your "script" for ACL modification, when you remove the last line of an ACL, the pix automatically removes the corresponding access-group command. I use the same basic approach except instead of "no" in front of every line, I start with "cle access-list aclname". This erases the entire ACL. Make sure you specify an ACL name to erase or you'll erase all ACLs. At the end of my "script" I have a line that adds my access-group command back. I find this easier than constantly adding a "no" in front of every line I need to get rid of. Erasing, pasting the new ACL and applying takes only a second so the interruption of traffic is very minor.

Of course, the PDM does have one great use. It allows you to edit, add, or delete lines in your ACLs so that you don't need to use the methods as discussed above. Have you looked at this method instead?

Removing the access-group command from a router is a good idea so that you don't lock yourself out in the middle of pasting in a new ACL. The pix does not suffer from this behavior as access-lists on the firewall don't affect traffic destined to the management interface of the pix itself. Security to the pix itself is accomplished with the "icmp", "telnet", "ssh", and "http" commands.
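As an added illustration that is not part of the thread or any poster's own script: a small Python check for a paste script of the kind described above, run before pasting at the "config t" prompt. It flags a clear access-list line with no ACL name and an ACL that is rebuilt without a later access-group line. The ACL name inside_out, the interface, the addresses and the function names are constructed for the example, and accepting abbreviations of "clear" is an assumption.

```python
# Constructed sample paste scripts; ACL name, interface and addresses are made up.
GOOD = """\
cle access-list inside_out
access-list inside_out permit tcp 10.1.1.0 255.255.255.0 any eq 80
access-list inside_out deny ip any any
access-group inside_out in interface inside
"""
BARE_CLEAR = """\
cle access-list
access-list inside_out permit tcp 10.1.1.0 255.255.255.0 any eq 80
access-group inside_out in interface inside
"""
NO_REAPPLY = """\
no access-list inside_out permit ip any any
access-list inside_out permit tcp 10.1.1.0 255.255.255.0 any eq 80
"""

def is_clear(word):
    # Assumption: abbreviations of "clear" such as the thread's "cle" are accepted.
    return len(word) >= 3 and "clear".startswith(word.lower())

def lint_paste_script(text):
    """Return warnings for an ACL paste script meant for the config t prompt."""
    warnings, state, wiped_all = [], {}, False
    for n, line in enumerate(text.splitlines(), 1):
        tok = line.split()
        if len(tok) < 2:
            continue
        if is_clear(tok[0]) and tok[1] == "access-list":
            if len(tok) == 2:
                warnings.append(f"line {n}: no ACL name given, this erases all ACLs")
                state, wiped_all = {}, True
            else:
                state[tok[2]] = "wiped"
        elif tok[0] == "no" and tok[1] == "access-list" and len(tok) > 2:
            # Conservative: removing the last entry also drops the access-group.
            state[tok[2]] = "wiped"
        elif tok[0] == "access-list":
            if state.get(tok[1], "wiped" if wiped_all else None) == "wiped":
                state[tok[1]] = "pending"   # rebuilt, binding not yet restored
        elif tok[0] == "access-group":
            state[tok[1]] = "grouped"
    for name, st in state.items():
        if st == "pending":
            warnings.append(f"ACL {name}: rebuilt but no access-group re-applies it")
    return warnings

if __name__ == "__main__":
    for label, script in [("good", GOOD), ("bare", BARE_CLEAR), ("no", NO_REAPPLY)]:
        print(label, lint_paste_script(script))
```

The check for "no"-style scripts is deliberately conservative: without the running configuration it cannot tell whether the last entry of the ACL is being removed, so any negated ACL without a closing access-group line is reported.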

Thanks a lot to both of you for your help. I will refer to your recommendations in the future.

One question regarding PDM. I have set up PDM but have not used it to modify access lists as I thought it would eventually translate the changes to what I do manually, I mean the impact on connections and traffic will be the same. When you recommend using PDM for modifying ACLs, do you refer to the GUI interface and ease of use, or do you refer to accuracy, efficiency and minimal chance of mistakes like forgetting to re-enter the access-group command?