PIX ACL Discussion

Discussion in 'Cisco' started by falken7, Jan 24, 2005.

  1. falken7

    falken7 Guest

    Hello,

    I have a question regarding PIX ACL designs. I want to build my access
    lists as tight as possible allowing exactly what I permit. I
    understand the PIX can manage many protocols (IP, GRE, ESP, etc). My
    question concerns the deny statements at the end of the ACL. Should I
    place deny statements for each protocol as listed in this example:

    access-list acl_outside remark Permit ONLY WWW and SMTP traffic
    access-list acl_outside permit tcp any host 10.0.0.1 eq www
    access-list acl_outside permit tcp any host 10.0.0.2 eq smtp
    access-list acl_outside deny <protocol> any any (repeat for all PIX
    support protocols?)

    I know the IOS ACLs have an implicit deny statement. I wasn't sure
    what the proper method would be for the PIX concerning deny statements.
    Any thoughts?

    Thanks
    Falken
     
    falken7, Jan 24, 2005
    #1

  2. Falken - The PIX ACLs also have an implicit deny at the end, so the two
    permits are enough. However, if you want to watch hitcounts on denials
    for some reason, then put the explicit deny in. Replace <protocol>
    with "ip" and that's all you need - see below.

    access-list acl_outside remark Permit ONLY WWW and SMTP traffic
    access-list acl_outside permit tcp any host 10.0.0.1 eq www
    access-list acl_outside permit tcp any host 10.0.0.2 eq smtp
    access-list acl_outside deny ip any any
     
    The Green Manalishi, Jan 24, 2005
    #2

  3. :I have a question regarding PIX ACL designs.

    :I know the IOS ACLs have an implicit deny statement.

    PIX has implicit deny as well, on all access-lists.

    There are only two permit-by-default behaviours that I can
    think of for the PIX:

    1) If you do not have an access-group applied to an interface,
    but you do have suitable nat/global or static statements, then
    traffic will be permitted to all lower-security interfaces. If,
    though, you have even a one-line ACL (even just a 'remark')
    applied via an access-group then the behaviour changes to denying
    everything that is not permitted.

    2) By default, all ICMP addressed to the PIX itself is permitted.
    You should use appropriate 'icmp' commands to restrict the ICMP
    permitted to the PIX itself. Note that access-lists and ACLs have
    no effect on traffic -to- the PIX itself.
     
    Walter Roberson, Jan 25, 2005
    #3
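The following is an added worked example, not code from the thread or from Cisco: a small first-match ACL evaluator that models the two behaviours replies #2 and #3 describe. An applied access-list ends in an implicit deny whose matches are not counted anywhere, an explicit "deny ip any any" catches exactly the same traffic but exposes a hit counter, an access-list consisting of nothing but a remark still flips the interface to deny-by-default, and an interface with no access-group bound (modelled here as passing None) lets traffic toward lower-security interfaces through. The supported syntax is a deliberate subset (only "any" and "host" endpoints, a handful of port keywords), and the sample flows are constructed, not captured.

```python
"""First-match ACL evaluator modelling the PIX semantics discussed in the thread.
Assumptions (example code, not Cisco's): only 'any'/'host' endpoints, a small
port-keyword table, and acl=None standing in for 'no access-group applied'."""
from dataclasses import dataclass, field
from typing import List, Optional

# Subset of the PIX port keywords; enough for the thread's example.
PORT_NAMES = {"www": 80, "http": 80, "smtp": 25, "https": 443}


@dataclass(frozen=True)
class Packet:
    proto: str                 # tcp, udp, icmp, gre, esp, ...
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass
class Ace:
    action: str                # "permit" or "deny"
    proto: str                 # "ip" matches every IP protocol
    src: str                   # "any" or a host address
    dst: str
    dport: Optional[int]       # None = any destination port
    hits: int = 0              # what 'show access-list' would display

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.src != "any" and self.src != pkt.src:
            return False
        if self.dst != "any" and self.dst != pkt.dst:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


@dataclass
class Acl:
    name: str
    aces: List[Ace] = field(default_factory=list)
    remarks: int = 0
    implicit_denies: int = 0   # the PIX keeps no such counter; tracked here to make the point


def _endpoint(tokens: List[str], i: int):
    """Consume 'any' or 'host A.B.C.D'; return (address, next token index)."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], i + 2
    raise ValueError(f"unsupported address form: {tokens[i]}")


def parse_acl(lines: List[str]) -> Acl:
    """Parse 'access-list NAME ...' lines for a single ACL; remarks are counted, not matched."""
    acl: Optional[Acl] = None
    for raw in lines:
        t = raw.split()
        if not t or t[0] != "access-list":
            continue
        if acl is None:
            acl = Acl(t[1])
        elif acl.name != t[1]:
            raise ValueError("one ACL per parse call")
        if t[2] == "remark":
            acl.remarks += 1
            continue
        action, proto = t[2], t[3]
        src, i = _endpoint(t, 4)
        dst, i = _endpoint(t, i)
        dport = None
        if i < len(t) and t[i] == "eq":
            p = t[i + 1]
            dport = int(p) if p.isdigit() else PORT_NAMES.get(p)
            if dport is None:
                raise ValueError(f"unknown port keyword: {p}")
        acl.aces.append(Ace(action, proto, src, dst, dport))
    if acl is None:
        raise ValueError("no access-list lines found")
    return acl


def evaluate(acl: Optional[Acl], pkt: Packet) -> str:
    """First match wins. No ACL bound (None) -> permit toward lower-security
    interfaces (assuming nat/global or static exist); ACL bound -> implicit deny."""
    if acl is None:
        return "permit"
    for ace in acl.aces:
        if ace.matches(pkt):
            ace.hits += 1
            return ace.action
    acl.implicit_denies += 1
    return "deny"


# The thread's ACL, with and without the explicit deny, plus a remark-only ACL.
ACL_WITH_EXPLICIT_DENY = [
    "access-list acl_outside remark Permit ONLY WWW and SMTP traffic",
    "access-list acl_outside permit tcp any host 10.0.0.1 eq www",
    "access-list acl_outside permit tcp any host 10.0.0.2 eq smtp",
    "access-list acl_outside deny ip any any",
]
ACL_IMPLICIT_ONLY = ACL_WITH_EXPLICIT_DENY[:-1]
ACL_REMARK_ONLY = ACL_WITH_EXPLICIT_DENY[:1]

SAMPLE_TRAFFIC = [  # constructed flows arriving on the outside interface
    Packet("tcp", "203.0.113.5", "10.0.0.1", 80),
    Packet("tcp", "203.0.113.5", "10.0.0.2", 25),
    Packet("tcp", "203.0.113.5", "10.0.0.1", 22),
    Packet("gre", "203.0.113.5", "10.0.0.1"),
    Packet("esp", "203.0.113.5", "10.0.0.2"),
]


def simulate(acl_lines: Optional[List[str]]) -> dict:
    """Run the sample traffic through an ACL (or none) and report decisions and counters."""
    acl = None if acl_lines is None else parse_acl(acl_lines)
    decisions = [evaluate(acl, p) for p in SAMPLE_TRAFFIC]
    deny_hits = 0 if acl is None else sum(a.hits for a in acl.aces if a.action == "deny")
    return {
        "decisions": decisions,
        "explicit_deny_hits": deny_hits,
        "implicit_denies": 0 if acl is None else acl.implicit_denies,
    }


if __name__ == "__main__":
    for label, lines in [("explicit deny", ACL_WITH_EXPLICIT_DENY),
                         ("implicit only", ACL_IMPLICIT_ONLY),
                         ("remark only", ACL_REMARK_ONLY),
                         ("no access-group", None)]:
        print(f"{label:16} {simulate(lines)}")
```

Running it shows the same five verdicts for the explicit-deny and implicit-only ACLs; the only difference is where the three rejected flows are counted, which is the whole reason reply #2 gives for adding "deny ip any any". The remark-only ACL denies everything, matching reply #3's warning that even a one-line access-list bound with access-group turns the interface into deny-by-default.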
  4. falken7

    falken7 Guest

    Thanks guys - this explanation helps. I assumed the PIX had an
    implicit deny but wanted to make sure.
     
    falken7, Jan 25, 2005
    #4
