
Part of PIX 6.2 config'n. Can someone pl explain?

vikrantarora (Level 1)

I am new to PIX and am not able to understand the following 3 sections taken out of the PIX I have to administer. Please explain.

PART 1

object-group service webopac_services tcp
  description TCP Ports for WebOPAC library system
  port-object range 4440 4447
  port-object eq 2000
  port-object eq 4999
  port-object eq 4600
  port-object eq 1030
  port-object eq 8080
  port-object eq www

PART 2

object-group network innovative
  network-object innovative1 255.255.255.0
  network-object innovative3 255.255.255.0
  network-object innovative4 255.255.255.0
  network-object innovative5 255.255.255.0
  network-object innovative6 255.255.255.0
  network-object innovative2 255.255.255.0
  network-object 209.11.72.128 255.255.255.224

PART 3

access-list acl_in deny tcp any x10 255.255.255.0


3 Replies

gfullage (Cisco Employee)

1 and 2 are what's called object-groups, new in v6.2 code. These are used to group ports, networks or host address into one name, that can then be used in an access-list. For example, before 6.2, to reference all those TCP ports in Part 1 in an access-list you'd have to have something like:

> access-list 100 permit tcp host x.x.x.x host y.y.y.y range 4440 4447
> access-list 100 permit tcp host x.x.x.x host y.y.y.y eq 2000
> access-list 100 permit tcp host x.x.x.x host y.y.y.y eq 4999
> access-list 100 permit tcp host x.x.x.x host y.y.y.y eq 4600
> access-list 100 permit tcp host x.x.x.x host y.y.y.y eq 1030
> access-list 100 permit tcp host x.x.x.x host y.y.y.y eq 8080
> access-list 100 permit tcp host x.x.x.x host y.y.y.y eq www

If you wanted to open up those ports for a bunch of hosts or networks, your access-list could get very large very quickly. Now with object-groups, you can do the following (check your config cause you probably have something like this):

> access-list 100 permit tcp host x.x.x.x object-group innovative object-group webopac_services

The "innovative" object group specifies a group of networks, and the "webopac_services" specifies the ports that they can come in on. You can see that without object-groups, you would need around 64 lines in your access-list just to allow this same access. You can see http://www.cisco.com/warp/public/707/pix_obj_grp.html for more information on these.

3 is simply an access-list called acl_in that'll be applied to one of your interfaces with a corresponding "access-group" command further down in your configuration.

I am able to understand part 1 and 2 now, but in part 3 what does "x10" mean.

access-list acl_in deny tcp any x10 255.255.255.0

Please complete/correct the following statement:

Access list acl_in denies tcp traffic from any source destined to _________

You probably have the following higher up in your config:

names

name 10.0.0.0 x10

or something similar anyway. In the PIX configuration you can use names to represent hosts and networks, so wherever you see "x10" in your configuration you can substitute whatever actual network that represents in the "name" command.
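To make the two points in this thread concrete (object-groups standing in for many ACL lines, and `name` aliases such as x10 standing in for addresses), here is a small Python script added as a worked example; it is not Cisco code and not something posted in the thread. It parses a config in the PIX 6.x syntax shown above and expands each access-list entry into the pre-6.2 one-line-per-port-per-network form, substituting every alias with the address from its `name` line. The webopac_services and innovative groups and the acl_in line are copied from the thread; the `name` lines for innovative1..6, the 10.9.9.9 source host and the ACL number 100 are constructed, since the thread does not show them.

```python
"""Expand PIX 6.2 object-group and name references into plain ACL lines.

Added example for this thread, not Cisco's code. It assumes the PIX 6.x
syntax shown in the posts: `name <addr> <alias>`, `object-group service <g> tcp`
with `port-object eq|range`, `object-group network <g>` with `network-object`,
and `access-list <id> <action> <proto> <src> [port] <dst> [port]`.
"""
import ipaddress
import itertools

# Constructed sample config. The x10, webopac_services and innovative entries
# mirror the thread; the innovative1..6 addresses, the 10.9.9.9 host and the
# ACL number 100 are made up (the thread does not show them).
SAMPLE_CONFIG = """\
names
name 10.0.0.0 x10
name 10.1.1.0 innovative1
name 10.1.2.0 innovative2
name 10.1.3.0 innovative3
name 10.1.4.0 innovative4
name 10.1.5.0 innovative5
name 10.1.6.0 innovative6
object-group service webopac_services tcp
  description TCP Ports for WebOPAC library system
  port-object range 4440 4447
  port-object eq 2000
  port-object eq 4999
  port-object eq 4600
  port-object eq 1030
  port-object eq 8080
  port-object eq www
object-group network innovative
  network-object innovative1 255.255.255.0
  network-object innovative2 255.255.255.0
  network-object innovative3 255.255.255.0
  network-object innovative4 255.255.255.0
  network-object innovative5 255.255.255.0
  network-object innovative6 255.255.255.0
  network-object 209.11.72.128 255.255.255.224
access-list acl_in deny tcp any x10 255.255.255.0
access-list 100 permit tcp host 10.9.9.9 object-group innovative object-group webopac_services
"""


def parse_config(text):
    """Collect name aliases, object-groups and access-list lines from config text."""
    names, service_groups, network_groups, acls = {}, {}, {}, []
    current = None  # (kind, group name) of the object-group being filled
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0] == "description":
            continue
        if parts[0] == "name" and len(parts) == 3:
            names[parts[2]] = parts[1]          # alias -> address
        elif parts[0] == "object-group":
            current = (parts[1], parts[2])
            table = service_groups if parts[1] == "service" else network_groups
            table[parts[2]] = []
        elif parts[0] == "port-object" and current and current[0] == "service":
            service_groups[current[1]].append(parts[1:])   # e.g. ['eq', '2000']
        elif parts[0] == "network-object" and current and current[0] == "network":
            if parts[1] == "host":
                network_groups[current[1]].append((parts[2], "255.255.255.255"))
            else:
                network_groups[current[1]].append((parts[1], parts[2]))
        elif parts[0] == "access-list":
            current = None
            acls.append(parts)
    return names, service_groups, network_groups, acls


def resolve(token, names):
    """Map a `name` alias to its address; pass literal addresses through; reject unknowns."""
    if token in names:
        return names[token]
    try:
        ipaddress.IPv4Address(token)
    except ValueError:
        raise ValueError(f"unresolved name or bad address: {token!r}") from None
    return token


def _addr_spec(tokens, i, names, network_groups):
    """Consume one address spec at tokens[i]; return (alternatives, next index)."""
    tok = tokens[i]
    if tok == "any":
        return ["any"], i + 1
    if tok == "host":
        return [f"host {resolve(tokens[i + 1], names)}"], i + 2
    if tok == "object-group":
        group = network_groups[tokens[i + 1]]
        return [f"{resolve(a, names)} {m}" for a, m in group], i + 2
    return [f"{resolve(tok, names)} {tokens[i + 1]}"], i + 2


def _port_spec(tokens, i, service_groups):
    """Consume an optional port spec at tokens[i]; return (alternatives, next index)."""
    if i >= len(tokens):
        return [""], i
    tok = tokens[i]
    if tok == "object-group" and tokens[i + 1] in service_groups:
        return [" " + " ".join(p) for p in service_groups[tokens[i + 1]]], i + 2
    if tok == "eq":
        return [" " + " ".join(tokens[i:i + 2])], i + 2
    if tok == "range":
        return [" " + " ".join(tokens[i:i + 3])], i + 3
    return [""], i


def expand_acl(tokens, names, service_groups, network_groups):
    """Return the pre-6.2 equivalent lines for one access-list entry."""
    head = " ".join(tokens[:4])  # access-list <id> <action> <proto>
    srcs, i = _addr_spec(tokens, 4, names, network_groups)
    sports, i = _port_spec(tokens, i, service_groups)
    dsts, i = _addr_spec(tokens, i, names, network_groups)
    dports, i = _port_spec(tokens, i, service_groups)
    if i != len(tokens):
        raise ValueError(f"unparsed trailer in: {' '.join(tokens)}")
    return [f"{head} {s}{sp} {d}{dp}"
            for s, sp, d, dp in itertools.product(srcs, sports, dsts, dports)]


def expand_config(text):
    """Expand every access-list line in the config; aliases are resolved via `name`."""
    names, svc, net, acls = parse_config(text)
    out = []
    for acl in acls:
        out.extend(expand_acl(acl, names, svc, net))
    return out


if __name__ == "__main__":
    for line in expand_config(SAMPLE_CONFIG):
        print(line)
```

Running it prints the acl_in entry with x10 replaced by 10.0.0.0, followed by the 49 lines (7 networks x 7 port entries) that the single object-group line stands for. If an alias appears in an ACL without a matching `name` line, `resolve` raises instead of silently emitting the alias, which is the check you want when auditing what a rule actually matches.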
