01-30-2006 01:40 PM - edited 03-09-2019 01:47 PM
Can the PIX 520 function in the capacity of a simple ACL router? I.e., a default-deny policy with granular permit IP extended access lists.
There is some suggestion in the "Cisco Secure PIX Firewalls", Chapman/Fox that traffic can flow between multiple interfaces of the same security level but it is not a CCO-supported configuration.
I have multiple VLANs that I would like to set up very granular ACLs for, and I do not want to assume one network has a higher security level than another.
interface ethernet0 100full
interface ethernet0 vlan1 physical
interface ethernet0 vlan10 logical
interface ethernet0 vlan20 logical
interface ethernet0 vlan21 logical
interface ethernet1 auto shutdown
nameif ethernet0 trunk security0
nameif ethernet1 inside security100
nameif vlan20 test0 security50
nameif vlan21 test1 security50
nameif vlan10 dmz security50
access-list 100 permit ip host 192.168.8.2 host 192.168.2.50 log
ip address test0 192.168.8.1 255.255.255.0
ip address test1 192.168.7.1 255.255.255.0
ip address dmz 192.168.2.201 255.255.255.0
access-group 100 in interface test0
---------
If I ping from a host in Vlan2 at 192.168.8.2 to 192.168.2.50 (on dmz/vlan10), I get the following syslog:
106011: Deny inbound (No xlate) icmp src test0:192.168.8.2 dst dmz:192.168.2.50 (type 8, code 0)
This suggests that an xlate/conduit/static/global command is needed, but NAT should not be a requirement.
~BAS
01-30-2006 02:17 PM
I just read about "Nat 0 Access-List" or NAT Exemption and added:
access-list no-nat permit ip 192.168.8.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (test0) 0 access-list no-nat
---
I have the same results.
~lava
01-30-2006 02:20 PM
You could configure it as an ACL filter, but you need to configure NAT exemption to make it work, and you also need to allow communication between same security levels.
01-30-2006 03:39 PM
Yes, I saw that, except it's for 7.x only *and* the latest Pix OS that will run on a 520 w/ 16mb of flash is 6.3(5) (iirc).
Just to reiterate: what I'm looking to do is enforce a "block all except ACL" policy. In the configuration at hand, there is no concept of a "DMZ", "WAN", "Inside", etc.
I *can* apply "nat (vlan#) 0 acl" with a different respective ACL to each interface using access-group, no problem, but I need the equivalent syntax for 6.x (unless there's some magic to getting 7.x on a Pix 520).
The release notes for 7.0(4) say 16mb flash min requirement, but they don't mention the 520 at all (unless that's an attempt to marginalize it).
Version 7.0(4):
http://www.cisco.com/en/US/products/sw/secursw/ps2120/prod_release_note09186a0080546bbd.html#wp31990
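As an added example that is not from any poster in this thread: a PIX 6.3 layout for the two interfaces in the original config (test0 and dmz). Because 6.x has no same-security forwarding, the interfaces are assumed to get distinct security levels; NAT exemption then removes the "No xlate" deny without rewriting addresses, and an inbound access-group on every interface gives the default-deny policy, since each applied ACL ends in an implicit deny. The access-list names are assumptions.

```cisco
! Added example, not the thread's own config. Distinct levels are required on
! 6.x for the PIX to forward between these VLANs at all; the ACLs below, not
! the levels, decide what is allowed.
nameif vlan20 test0 security50
nameif vlan10 dmz security30
ip address test0 192.168.8.1 255.255.255.0
ip address dmz 192.168.2.201 255.255.255.0
!
! NAT exemption on the higher-security interface: hosts keep their real
! addresses, and (unlike plain identity NAT) connections may be initiated
! from either side, so no static is needed for dmz-to-test0 flows.
access-list no-nat-test0 permit ip 192.168.8.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (test0) 0 access-list no-nat-test0
!
! Inbound ACL on test0: only the listed flow toward the dmz is permitted;
! everything else entering test0 hits the implicit deny and is logged.
access-list acl-test0 permit ip host 192.168.8.2 host 192.168.2.50 log
access-group acl-test0 in interface test0
!
! Inbound ACL on dmz: the echo-reply is needed because 6.x does not track
! ICMP statefully unless ICMP inspection is enabled; the TCP line is the
! only service the dmz host may open toward test0.
access-list acl-dmz permit icmp host 192.168.2.50 host 192.168.8.2 echo-reply
access-list acl-dmz permit tcp host 192.168.2.50 host 192.168.8.2 eq 22 log
access-group acl-dmz in interface dmz
```

The same pattern extends to test1 by giving it its own level, its own nat 0 access-list toward each lower interface, and its own inbound access-group.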