
Access List

Status
Not open for further replies.

staboogie

MIS
Apr 29, 2003
129
US
I'm converting my conduits to access lists on a pix 506e and wanted to make sure everything looked correct. Please let me know if anyone sees anything out of order.
conduit permit icmp any any
conduit permit tcp host exchange eq smtp any
conduit permit tcp host exchange eq pop3 any
conduit permit tcp host exchange eq domain any
conduit permit tcp host exchange eq www any
conduit permit tcp host exchange eq https any
conduit permit tcp host mx1 eq smtp any
conduit permit tcp host mx1 eq domain any
conduit permit tcp host mx2 eq smtp any
conduit permit tcp host mx2 eq domain any
conduit permit tcp host 12.14.112.99 eq 1723 any
conduit permit gre any any
conduit permit tcp host 12.14.112.x eq 1723 any
conduit permit tcp host 12.14.112.x eq https any
conduit permit tcp host 12.14.112.x host 164.109.44.x
conduit permit tcp host 12.14.112.x host 12.14.112.x
conduit permit tcp host 12.14.112.x eq 1433 host 164.109.44.x

I'm changing it to
access-list 103 permit icmp any any
access-list 103 permit gre any any
access-list 103 permit tcp any host exchange eq smtp
access-list 103 permit tcp any host exchange eq pop3
access-list 103 permit tcp any host exchange eq domain
access-list 103 permit tcp any host exchange eq www
access-list 103 permit tcp any host exchange eq https
access-list 103 permit tcp any host mx1 eq smtp
access-list 103 permit tcp any host mx1 eq domain
access-list 103 permit tcp any host mx2 eq smtp
access-list 103 permit tcp any host mx2 eq domain
access-list 103 permit tcp any host 12.14.112.x eq 1723
access-list 103 permit tcp any host 12.14.112.x eq 1723
access-list 103 permit tcp any host 12.14.112.x eq https
access-list 103 permit tcp host 164.109.44.x host 12.14.112.x
access-list 103 permit tcp host 164.109.44.24 host 12.14.112.x eq 1433
access-list 103 permit tcp host 12.14.112.109 host 12.14.112.x
access-group 103 in interface outside

Thanks for any help. All the IPs are right, I just want to make sure the syntax for the access lists is good.
 
HI.

The command syntax seems fine, but I would redefine the network policy and check if you really need all those ports open.

For example:
> access-list 103 permit tcp any host exchange eq domain
Is your internal Exchange server acting as a DNS server for *EXTERNAL CLIENTS*?


Yizhar Hurwitz
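A small conversion and review aid, added here as an example (not code from this thread, from the PIX, or from Cisco): it rewrites each conduit as an inbound access-list line, swapping the endpoint order, which is the step that is easy to get wrong, and lists which services each inside host exposes to any outside address, which is the check Yizhar asks for. The sample conduit lines are constructed from the ones quoted above, the ACL id 103 is the one used in the post, and a line that cannot be parsed (such as two statements run together) is rejected rather than guessed at.

```python
"""Convert PIX 'conduit' lines to 'access-list' lines and list what they expose.
A conduit names the inside (global) endpoint first and the outside one second; an
ACL applied 'in' on the outside interface is written source first, so they swap."""
OPERATORS = {"eq", "neq", "gt", "lt", "range"}
# Constructed sample input: three of the conduit lines quoted in this thread.
SAMPLE_CONDUITS = [
    "conduit permit tcp host exchange eq smtp any",
    "conduit permit tcp host exchange eq domain any",
    "conduit permit tcp host 12.14.112.x eq 1433 host 164.109.44.x",
]

def _endpoint(tokens):
    """Consume 'any', 'host X' or 'X MASK', then an optional port clause."""
    if tokens and tokens[0] == "any":
        addr, rest = "any", tokens[1:]
    elif len(tokens) > 1:
        addr, rest = " ".join(tokens[:2]), tokens[2:]
    else:
        raise ValueError(f"incomplete endpoint: {tokens}")
    if rest and rest[0] in OPERATORS:
        n = 3 if rest[0] == "range" else 2      # 'range lo hi' carries two ports
        return addr, " ".join(rest[:n]), rest[n:]
    return addr, "", rest

def parse_conduit(line):
    """Return (action, proto, inside, inside_port, outside, outside_port)."""
    t = line.split()
    if len(t) < 4 or t[0] != "conduit" or t[1] not in ("permit", "deny"):
        raise ValueError(f"not a conduit statement: {line!r}")
    inside, in_port, rest = _endpoint(t[3:])
    outside, out_port, rest = _endpoint(rest)
    if rest:                                    # e.g. two statements run together
        raise ValueError(f"trailing tokens {rest} in {line!r}")
    return t[1], t[2], inside, in_port, outside, out_port

def conduit_to_acl(line, acl_id=103):
    """Rewrite one conduit as an inbound access-list line (source written first)."""
    action, proto, inside, in_port, outside, out_port = parse_conduit(line)
    parts = ["access-list", str(acl_id), action, proto, outside]
    parts += ([out_port] if out_port else []) + [inside] + ([in_port] if in_port else [])
    return " ".join(parts)

def exposed_services(conduits):
    """Per inside host, the services reachable from any outside address: review each."""
    exposed = {}
    for line in conduits:
        _, proto, inside, in_port, outside, _ = parse_conduit(line)
        if outside == "any":
            exposed.setdefault(inside, set()).add(f"{proto}/{in_port or 'all'}")
    return {host: sorted(ports) for host, ports in exposed.items()}
```

Run `exposed_services` over the full conduit list before applying the ACL: every entry it prints for an inside host is a service the whole Internet can reach, and each one should have a known reason to exist.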
 
Is it better to first clear the conduits or to put the access list in first?
 
HI.

> Is it better to first clear the conduits or to put the access list in first?
It does not matter.
The end result is what matters.
As far as I know, once you apply an ACL to an interface, it in effect overrides the conduit statements, but you should make all the changes at once so the order does not really matter.

Bye


Yizhar Hurwitz
 
I have the access-list in; there are two: one access-list for our VPN is bound to the outside, and the other (rules) has the access-group command on it. Yet I cannot use the PDM because it says that it does not support multiple users of a given access list. Is something wrong?
 
What command should I use to bind it to the outside?
 