02-25-2003 12:38 PM - edited 02-20-2020 10:35 PM
I am new to PIX and am not able to understand the following 3 sections taken out of the PIX I have to administer. Please explain.
PART 1
object-group service webopac_services tcp
description TCP Ports for WebOPAC library system
port-object range 4440 4447
port-object eq 2000
port-object eq 4999
port-object eq 4600
port-object eq 1030
port-object eq 8080
port-object eq www
PART 2
object-group network innovative
network-object innovative1 255.255.255.0
network-object innovative3 255.255.255.0
network-object innovative4 255.255.255.0
network-object innovative5 255.255.255.0
network-object innovative6 255.255.255.0
network-object innovative2 255.255.255.0
network-object 209.11.72.128 255.255.255.224
PART 3
access-list acl_in deny tcp any x10 255.255.255.0
02-25-2003 02:54 PM
1 and 2 are what's called object-groups, new in v6.2 code. These are used to group ports, networks or host addresses into one name that can then be used in an access-list. For example, before 6.2, to reference all those TCP ports in Part 1 in an access-list you'd have to have something like:
> access-list 100 permit tcp host x.x.x.x host y.y.y.y range 4440 4447
> access-list 100 permit tcp host x.x.x.x host y.y.y.y eq 2000
> access-list 100 permit tcp host x.x.x.x host y.y.y.y eq 4999
> access-list 100 permit tcp host x.x.x.x host y.y.y.y eq 4600
> access-list 100 permit tcp host x.x.x.x host y.y.y.y eq 1030
> access-list 100 permit tcp host x.x.x.x host y.y.y.y eq 8080
> access-list 100 permit tcp host x.x.x.x host y.y.y.y eq www
If you wanted to open up those ports for a bunch of hosts or networks, your access-list could get very large very quickly. Now with object-groups, you can do the following (check your config because you probably have something like this):
> access-list 100 permit tcp host x.x.x.x object-group innovative object-group webopac_services
The "innovative" object group specifies a group of networks, and the "webopac_services" specifies the ports that they can come in on. You can see that without object-groups, you would need around 64 lines in your access-list just to allow this same access. You can see http://www.cisco.com/warp/public/707/pix_obj_grp.html for more information on these.
3 is simply an access-list called acl_in that'll be applied to one of your interfaces with a corresponding "access-group" command further down in your configuration.
02-25-2003 03:39 PM
I am able to understand part 1 and 2 now, but in part 3 what does "x10" mean?
access-list acl_in deny tcp any x10 255.255.255.0
Please complete/correct the following statement:
Access list acl_in denies tcp traffic from any source destined to _________
02-25-2003 07:27 PM
You probably have the following higher up in your config:
names
name 10.0.0.0 x10
or something similar anyway. In the PIX configuration you can use names to represent hosts and networks, so wherever you see "x10" in your configuration you can substitute whatever actual network that represents in the "name" command.
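To see what these constructs actually resolve to, here is an added example (not from the thread and not Cisco code) that parses `name`, `object-group` and `access-list` lines and multiplies the groups back out into the flat pre-6.2 form the earlier answer describes, substituting aliases such as x10 the way the accepted answer explains. The sample configuration and every address in it are constructed for illustration.

```python
# Constructed sample in the thread's syntax (not an actual device configuration).
SAMPLE_CONFIG = """\
names
name 10.0.0.0 x10
name 172.16.1.0 innovative1
object-group service webopac_services tcp
 description TCP Ports for WebOPAC library system
 port-object range 4440 4447
 port-object eq 8080
 port-object eq www
object-group network innovative
 network-object innovative1 255.255.255.0
 network-object 209.11.72.128 255.255.255.224
access-list acl_in deny tcp any x10 255.255.255.0
access-list 100 permit tcp host 192.0.2.10 object-group innovative object-group webopac_services
"""

def parse_config(text):
    """Return (names, groups): alias -> address, and group name -> list of member strings."""
    names, groups, current = {}, {}, None
    for line in text.splitlines():
        tok = line.split()
        kind = tok[0] if tok else None            # blank lines yield None
        if kind == "name":                        # "name <address> <alias>"
            names[tok[2]] = tok[1]
        elif kind == "object-group":              # "object-group <type> <name> [tcp|udp]"
            current = groups.setdefault(tok[2], [])
        elif kind in ("network-object", "port-object"):
            # resolve aliases inside members as we go; description lines are ignored
            current.append(" ".join(names.get(t, t) for t in tok[1:]))
    return names, groups

def _expand(tokens, groups):
    """Replace the first 'object-group NAME' pair with each member, recursing until none remain."""
    if "object-group" not in tokens:
        return [" ".join(tokens)]
    i = tokens.index("object-group")
    head, tail = tokens[:i], tokens[i + 2:]
    lines = []
    for member in groups[tokens[i + 1]]:
        lines.extend(_expand(head + member.split() + tail, groups))
    return lines

def expand_acl(text):
    """Flatten every access-list line: aliases substituted, object-groups multiplied out."""
    names, groups = parse_config(text)
    return [entry
            for line in text.splitlines() if line.startswith("access-list")
            for entry in _expand([names.get(t, t) for t in line.split()], groups)]
```

Running `expand_acl(SAMPLE_CONFIG)` yields one line for the acl_in deny (with 10.0.0.0 in place of x10) and six for the permit (two networks times three port entries), which is the full set of flows the short object-group line admits when you audit the rule base.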