Cisco Support Community

New Member

Restrictions with Access Control

Hi,

I wonder if the following features are supported by PIX:

1- Filtering incoming or outgoing traffic based on the Source port and not only the dest port (e.g. filter incoming traffic having source ports outside the range 1-65535).

2- In some firewalls like ISA, you can control sent and received traffic for a certain host (e.g. you can allow certain udp traffic coming to a certain host to pass the FW while blocking traffic from being sent back from this host on that particular port). In PIX, however, I think if you opened, let's say, udp 53 for your DNS server, then this DNS server will be answering all queries to the requesting hosts and you won't be able to control traffic going back on udp 53 (Send/Receive concept).

3- Can PIX control traffic based on L7 commands, (e.g. Allow FTP Get but block FTP put)? I think this is a feature that NetScreen can do, is it available in PIX?

Appreciate your feedback.

3 REPLIES
Gold

Re: Restrictions with Access Control

1. access-list 100 deny tcp host 192.168.1.100 eq 25 host 192.168.2.100

with the acl above, pix will drop packets originating from 192.168.1.100 with source port 25 that are destined for 192.168.2.100

2. acl can be applied on both interfaces.

e.g. access-list inbound permit udp any host 192.168.1.100 eq 53

access-list outbound permit udp host 192.168.1.100 eq 53 host 192.168.2.100

access-group inbound in interface outside

access-group outbound in interface inside

with the sample above, any host can make a dns request to 192.168.1.100. however, pix will only permit dns response destined for 192.168.2.100, and drop the rest.

3. i believe v7 does have this capability.

New Member

Re: Restrictions with Access Control

Thanks jackko for your response... but regarding the 2nd point: I read in the PIX Ver7 Config Guide (page 207) that with UDP and TCP protocols you don't need an access list to allow returning traffic, because the PIX will allow returning traffic for established connections. In the example above, the dns server will respond to any dns queries from "any". My question here is: will the PIX, before responding, check the access-list rules applied to the inside interface to see to whom it's allowed to respond, or will it allow returning traffic without checking the access-list, as this is the default behaviour? Please advise!

Gold

Re: Restrictions with Access Control

yes, pix is intelligent enough to identify and permit the return traffic. further, the return traffic will be permitted regardless whether there is an acl applied.

e.g.

access-list inbound permit udp any host 192.168.1.100 eq 53

access-list outbound permit udp host 192.168.1.100 eq 53 host 192.168.2.100

access-group inbound in interface outside

access-group outbound in interface inside

any host sending a dns request to 192.168.1.100 will get a response, according to the inbound acl. pix will identify and permit the return traffic without going through the outbound acl.

outbound acl is only effective for traffic originated from 192.168.1.100.
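The following is an added worked example, not part of the original thread and not Cisco code. It is a small Python model of the two behaviours the replies above describe: an interface ACL (access-group ... in) is consulted only for packets that start a new flow, while packets belonging to an already established connection are permitted without consulting the ACL on the return interface. It uses the ACLs and addresses from the thread; the client addresses, client ports and the trailing `permit tcp any any` in the source-port example are constructed for the demonstration. NAT/xlate handling and TCP state tracking are deliberately left out.

```python
"""Toy model of PIX interface ACLs plus a stateful connection table.

Added example for this thread; not Cisco code. Models only what the replies
describe: new flows are checked against the ACL bound to the ingress
interface, return traffic of an established connection bypasses the ACL on
the other interface. Client hosts/ports below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str      # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Ace:
    """One access-list entry. None means 'any' for that field."""
    action: str               # "permit" or "deny"
    proto: str
    src: Optional[str]
    sport: Optional[int]      # source port ('eq' right after the source host)
    dst: Optional[str]
    dport: Optional[int]      # destination port ('eq' after the destination host)

    def matches(self, p: Packet) -> bool:
        return (self.proto == p.proto
                and self.src in (None, p.src)
                and self.sport in (None, p.sport)
                and self.dst in (None, p.dst)
                and self.dport in (None, p.dport))


class Pix:
    def __init__(self) -> None:
        self.acls: dict[str, list[Ace]] = {}   # interface -> ACL applied "in"
        self.conns: set[tuple] = set()         # established flows as 5-tuples

    def access_group(self, iface: str, acl: list[Ace]) -> None:
        self.acls[iface] = acl

    def _lookup(self, iface: str, p: Packet) -> str:
        for ace in self.acls.get(iface, []):
            if ace.matches(p):
                return ace.action
        return "deny"                           # implicit deny at the end of every ACL

    def receive(self, iface: str, p: Packet) -> str:
        """Return the verdict for a packet arriving on iface."""
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        if reverse in self.conns:
            return "permit (established)"       # return traffic: ACL not consulted
        verdict = self._lookup(iface, p)
        if verdict == "permit":
            self.conns.add((p.proto, p.src, p.sport, p.dst, p.dport))
        return verdict


def build_pix_from_thread() -> Pix:
    pix = Pix()
    # access-list inbound permit udp any host 192.168.1.100 eq 53
    pix.access_group("outside", [Ace("permit", "udp", None, None, "192.168.1.100", 53)])
    # access-list outbound permit udp host 192.168.1.100 eq 53 host 192.168.2.100
    pix.access_group("inside", [Ace("permit", "udp", "192.168.1.100", 53, "192.168.2.100", None)])
    return pix


def dns_demo() -> dict:
    """Points 2 and the follow-up question: who the DNS server may answer."""
    pix = build_pix_from_thread()
    out = {}
    # constructed outside client 203.0.113.7 sends a query: matches the inbound ACL
    out["query"] = pix.receive("outside", Packet("udp", "203.0.113.7", 40001, "192.168.1.100", 53))
    # the reply is return traffic, so the outbound ACL is never consulted
    out["reply"] = pix.receive("inside", Packet("udp", "192.168.1.100", 53, "203.0.113.7", 40001))
    # a NEW flow sourced from udp/53 to an arbitrary host does hit the outbound ACL
    out["new_flow_other"] = pix.receive("inside", Packet("udp", "192.168.1.100", 53, "203.0.113.9", 53))
    # ...and the same new flow to 192.168.2.100 is what the outbound ACL permits
    out["new_flow_allowed"] = pix.receive("inside", Packet("udp", "192.168.1.100", 53, "192.168.2.100", 53))
    return out


def source_port_demo() -> tuple:
    """Point 1: an ACE can key on the source port, not only the destination port."""
    pix = Pix()
    # access-list 100 deny tcp host 192.168.1.100 eq 25 host 192.168.2.100
    # followed by a constructed 'permit tcp any any' so the deny is observable
    pix.access_group("inside", [
        Ace("deny", "tcp", "192.168.1.100", 25, "192.168.2.100", None),
        Ace("permit", "tcp", None, None, None, None),
    ])
    from_port_25 = pix.receive("inside", Packet("tcp", "192.168.1.100", 25, "192.168.2.100", 5000))
    to_port_25 = pix.receive("inside", Packet("tcp", "192.168.1.100", 4000, "192.168.2.100", 25))
    return from_port_25, to_port_25


if __name__ == "__main__":
    print(dns_demo())
    print(source_port_demo())
```

The practical consequence matches the last reply: the ACL on the inside interface cannot be used to limit which clients the DNS server answers, because those answers ride the connection table and never reach that ACL. If the goal is to control who gets a response, restrict the permitted sources in the ACL on the outside interface (replace `any` with the hosts or networks that may query), and treat the inside ACL as governing only connections the server itself initiates, such as the source-port example.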
