Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Access-list behavior when applied to "inside" interface 1

Status
Not open for further replies.
asafayan

asafayan

IS-IT--Management
Aug 2, 2001
14
US
If I apply the following access-list to the "inside" interface:

access-list frominside deny tcp any host x.x.x.x

Is the behavior the same as the router IOS code? IOW, is their a implied deny any any and basically no other traffic will be allowed from the "inside" interface subnet through the PIX, UNLESS it is specifically allowed with a permit statement?

TIA
 
Sort by date Sort by votes
Yizhar,

Do I have to re-apply the access-group statement everytime I make an entry in the access-list?
 
Upvote 0 Downvote
Hi,

I was on the Cisco beta-team for the PDM. It is far better now than it was in it's original incarnation.

BTW, I am at a new site and they are running a PIX 520 with 5.3(2) code. They are running ACLs, not conduits...do you know of any serious issues with just upgrading this device to 6.14 GD code? They have a boat-load of ACLs, SSH, Websense, a few alias commands...basically nothing that would seem to be a problem. I am just concerned that maybe some CLI syntax has changed and may not convert over accurately to the new 6.14 code.

Regards,

Amir
 
Upvote 0 Downvote
HI.

Why not upgrade to the latest 6.2x version?

With the few upgrades that I have done, it was a small and simple scenario and I reconfigured it even if it was not needed, so I don't know the answer.

In general, the ACL syntax is the same, but some other defaults have changed that might affect the proccess.

If you have a program or script to analyze syslog messages, then you should know that version 6.2 changes them.

Bye
Yizhar Hurwitz
 
Upvote 0 Downvote
I believe your question was:

"Yizhar,

Do I have to re-apply the access-group statement everytime I make an entry in the access-list? "

The answer to that is yes, your command
no access-list frominside
wipes the list and unapplies it from the interface it was applied to.
Bud
 
Upvote 0 Downvote
Thanks Packethead. I understand why you would have to re-apply the access-group statement if you killed the access-list with a "no access-list" statement...what I asked Yizhar was whether you had to re-apply the access-group statement if you added to an existing access-list.
 
Upvote 0 Downvote
Allow me to help beat this semi-dead horse. the anwer is more likely to be: It depends.

Let's say your access-list was nthing more than a dny statement:
access-list frominside deny ip any host xxx.xxx.xxx.xxx

Now you wanted to add HTTP access out. In this case you would NOT have to reapply the access-list. You just type in:
access-list frominside permit tcp any any eq www

Your access-list would now be the following two lines:
access-list frominside deny ip any host xxx.xxx.xxx.xxx
access-list frominside permit tcp any any eq www

If you wanted to add another permit statement, you still would NOT have to reapply the access-list.

Nopw let's say you wanted to deny another host. In this case you WILL have to reapply the access-list. This is because you need this deny statement above all the permits since ACLs match from first rule down.
 
Upvote 0 Downvote
Thanks for that clarification. ACLs and their behavior are serious mind-benders...I don't know about you, but I have to look at them very carefully to fully grasp the effect. Particularly when your PIX has 120 entries over 4 interfaces! I just inherited this network/firewall and am trying to get my arms around it. Many of them are ACLs applied to the INSIDE interface to filter "outbound" traffic.

 
Upvote 0 Downvote
HI Again.

Having long access-list is another reason to upgrade - the latest version has something called "turbo access-list" which is supposed to speed up acl proccessing.
I didn't try it in the field but it may improve your pix performance.

There are also new "grouping" options that can help you make a more readable and manageable configuration.


Bye
Yizhar Hurwitz
 
Upvote 0 Downvote
We do outbound ACLs on all our interfaces. My biggest firewall is a PIX 535 with 10 interfaces and approximately 170 lines in ACLs. I tried the turbo ACL , but it didn't seem to do much if anything. This was probably due to the fact that a 535 is pretty fast in it's own right. I'd like to try it on a 515 some day.

I've always felt having outbound ACLs is a good idea because it applies fw best practice "that which is not permitted is denied," and you'd be surprised what ports are going out your firewall!
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Sameer258
  • Locked
  • Question
Need Help to Find ip and mac address with email who one open my email
Replies
0
Views
273
Sameer258
Sameer258
Sparrow4
  • Locked
  • Question
Configure Avaya IPO R11 / VM Pro + Office365 or Exchange for voicemail to email
Replies
2
Views
294
Johnkite
Johnkite
DROFNUD
  • Locked
  • Helpful tip
Smartcenter Dashboard - Searching for "Any" keyword
Replies
0
Views
54
DROFNUD
DROFNUD
Shmid
  • Locked
  • Question
Restricting Sonicwall SSL-VPN users for WAN access
Replies
7
Views
355
Shmid
Shmid
gbayi_omo
  • Locked
  • Question
Cisco ASA 5505 not allowing access to highest security zone
Replies
0
Views
75
gbayi_omo
gbayi_omo

Part and Inventory Search

Sponsor

Back
Top