
Cisco PIX 506e Access 2


schroednic (IS-IT--Management), Nov 18, 2008
Hi All;

I would like to edit the config on my PIX 506e to open up a FTP port, but need to know the exact steps/procedures.


1.) I can remote in via the LAN with Hyperterm.

2.) Can probably use a system to console in if necessary.


Here’s part of the config for the ACL I would like to update:


access-list outside_in permit tcp any host <public IP> eq www

access-list outside_in permit tcp any host <public IP> eq https



Would this be the correct access list entry for ftp to this system?


access-list outside_in permit tcp any host <public IP> eq ftp



I just need to know:

1.) Once I remote in, can I somehow place this acl line right below the https one?

2.) Can I use a TFTP program and move a text file config onto the PIX?

What would be the exact commands? I'm used to GUIs on firewalls like SonicWall and WatchGuard.
Thanks in advance, Steve
 
1.) Yes
2.) Yes

That is the correct command...

pix>en
pix#conf t
pix(config)#access-list outside_in permit tcp any host <public IP> eq ftp


Burt
 
Hey thanks Burt;


How would I cancel/delete that ftp entry once I'm done with that service off my server? Is it just this:

no access-list outside_in permit tcp any host <public IP> eq ftp


Also I've tried to view stats on the interfaces to watch traffic, via some show commands, but are there any log commands to show IP traffic over a certain time frame?

Thanks again in advance, Steve
 
That's right. I am not too hip on a lot with the PIX, mostly routers, but do you have PDM installed?

Burt
 
The interesting logging you want to see is the "Deny"s that occur if you got the rule wrong.
Then you can test, view the log and adjust the rule until it works.

Ideally, point your PIX at a syslog server, or you can filter your logging to see "Deny"s using this general idea:

logging enable
logging list datanet-list level warnings
logging list datanet-list message 106015-106023
logging list datanet-list message 104001-104005
logging buffer-size 16384
logging buffered datanet-list
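An added example that is not part of this thread: once the PIX is sending those "Deny" messages to a syslog server, this Python script (my own code, assuming the 106023 and 106015 message layouts shown in the constructed sample lines and `logging timestamp` enabled) counts deny events per source address within a chosen time window, optionally for one destination port such as 21 for the new FTP rule, which is the "traffic over a certain time frame" view Steve asked about earlier.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines in the shape a PIX sends to syslog with "logging timestamp"
# on (assumed layout for 106023/106015; compare against your own syslog output).
# Addresses are RFC 5737 documentation ranges, not real hosts.
SAMPLE_LOG = """\
Nov 18 2008 14:02:17: %PIX-4-106023: Deny tcp src outside:203.0.113.9/51234 dst inside:192.0.2.10/21 by access-group "outside_in"
Nov 18 2008 14:02:18: %PIX-4-106023: Deny tcp src outside:203.0.113.9/51235 dst inside:192.0.2.10/21 by access-group "outside_in"
Nov 18 2008 14:02:40: %PIX-6-302013: Built inbound TCP connection 1234 for outside:198.51.100.7/40001 (198.51.100.7/40001) to inside:192.0.2.10/443 (192.0.2.10/443)
Nov 18 2008 14:03:05: %PIX-6-106015: Deny TCP (no connection) from 203.0.113.9/51236 to 192.0.2.10/21 flags SYN ACK on interface outside
Nov 18 2008 16:30:00: %PIX-4-106023: Deny tcp src outside:198.51.100.7/40002 dst inside:192.0.2.10/21 by access-group "outside_in"
"""

TS_FMT = "%b %d %Y %H:%M:%S"
# "<timestamp>: %PIX-<severity>-<message id>: <body>"
HEADER_RE = re.compile(r"^(\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): %PIX-\d-(\d{6}): (.*)$")
# 106023: ACL deny, e.g. 'Deny tcp src outside:A/p dst inside:B/q by access-group "name"'
ACL_DENY_RE = re.compile(r"Deny \w+ src \w+:([\d.]+)/\d+ dst \w+:([\d.]+)/(\d+) by access-group")
# 106015: 'Deny TCP (no connection) from A/p to B/q flags ... on interface X'
NOCONN_DENY_RE = re.compile(r"Deny TCP \(no connection\) from ([\d.]+)/\d+ to ([\d.]+)/(\d+)")

def parse_deny(line):
    """Return (timestamp, msg_id, src_ip, dst_ip, dst_port) for a deny line, else None."""
    m = HEADER_RE.match(line)
    if not m:
        return None                      # not a timestamped PIX message
    ts = datetime.strptime(m.group(1), TS_FMT)
    msg_id, body = m.group(2), m.group(3)
    hit = ACL_DENY_RE.search(body) or NOCONN_DENY_RE.search(body)
    if hit is None:
        return None                      # e.g. 302013 "Built ... connection": allowed traffic
    return ts, msg_id, hit.group(1), hit.group(2), int(hit.group(3))

def denies_by_source(log_text, start, end, dst_port=None):
    """Count deny events per source IP between start and end (same timestamp format
    as the log), optionally restricted to one destination port (e.g. 21 for FTP)."""
    t0, t1 = datetime.strptime(start, TS_FMT), datetime.strptime(end, TS_FMT)
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_deny(line)
        if rec is None:
            continue
        ts, _, src, _, port = rec
        if t0 <= ts <= t1 and (dst_port is None or port == dst_port):
            counts[src] += 1
    return counts
```

Point it at the file your syslog server writes, and a source that keeps showing up with many denies against port 21 in a short window is the "rogue IP sniffing ports" worth blocking upstream.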
 
Well, if it's on a Windows box, I always look at C:\WINDOWS\System32\Logfiles, and I log hourly. Usually, a good firewall like the PIX/ASA or an IOS firewall (with Advanced Security or Advanced Enterprise like I have) will do a good deep packet inspection and kill the ftp hacker wannabe script kiddies from the University of Beijing. It usually sees a UDP bomb as the hackers try the ole dictionary attack on the username/password.
Sometimes I even open up Wireshark and log the sessions that way as well. Either of these methods works much better in my opinion, but Vince has a good idea.

Burt
 
Thanks for the replies on the PIX logs.

Yeah, Windows offers up minimal logs in the sys32 directory, maybe an IP address (if not spoofed) with GETs, PUTs, POSTs.

I'll try the syslog system. Man, I got spoiled with WatchGuard in that with the GUI I could see all dynamic traffic along with searching daily/weekly logs for rogue IP addresses sniffing ports and then blocking those suckers out.
 