
Enquiry about some PIX commands


zacca

Technical User
Dec 25, 2003
333
HK
Hi there,

I'm new to the Cisco PIX firewall. Recently an engineer from the vendor came to set up a PIX515e. I read the config file and there are many commands I don't understand; could you please help explain them?

Q: I don't understand what these are for.
object-group service IKE_PROTOCOL udp
port-object eq isakmp
port-object eq 1701

Q: I don't understand why I need an access-list for the internal LAN segment.
access-list inside_access_in permit tcp 10.1.1.0 255.0.0.0 any eq domain
access-list inside_access_in permit tcp 10.1.1.0 255.0.0.0 any eq www
access-list inside_access_in permit tcp 10.1.1.0 255.0.0.0 any eq https
access-list inside_access_in permit tcp 10.1.1.0 255.0.0.0 any eq ftp
access-list inside_access_in permit tcp 10.1.1.0 255.0.0.0 any eq ftp-data
access-list inside_access_in permit tcp 10.1.1.0 255.0.0.0 any eq pop3
access-list inside_access_in permit tcp 10.1.1.0 255.0.0.0 any eq smtp
access-list inside_access_in permit tcp 10.1.1.0 255.0.0.0 any eq telnet

Q: I don't understand what this is for.
icmp permit any inside

Q: I don't understand the 2nd nat (inside) command; what is it for?
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 0 10.1.1.0 255.0.0.0 0 0

Q: I don't understand what these are for.
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside

Q: Does that mean only the listed IP addresses can run PDM?
http 10.1.1.100 255.255.255.255 inside
http 10.1.1.91 255.255.255.255 inside
http 10.1.1.771 255.255.255.255 inside

Thanks in advance for your super help!
 
Q: I don't understand what these are for.
object-group service IKE_PROTOCOL udp
port-object eq isakmp
port-object eq 1701

====

It's ok, neither do I....

====
Q: I don't understand why I need an access-list for the internal LAN segment.
access-list inside_access_in permit tcp 10.1.1.0 255.0.0.0 any eq domain
access-list inside_access_in permit tcp 10.1.1.0 255.0.0.0 any eq www
access-list inside_access_in permit tcp 10.1.1.0 255.0.0.0 any eq https
access-list inside_access_in permit tcp 10.1.1.0 255.0.0.0 any eq ftp
access-list inside_access_in permit tcp 10.1.1.0 255.0.0.0 any eq ftp-data
access-list inside_access_in permit tcp 10.1.1.0 255.0.0.0 any eq pop3
access-list inside_access_in permit tcp 10.1.1.0 255.0.0.0 any eq smtp
access-list inside_access_in permit tcp 10.1.1.0 255.0.0.0 any eq telnet

===

This is permitting selected traffic on the 10.1.1.0 network outside access. We have a scenario where similar ports are enabled for our student subnets, but our server subnets simply have any any.

===
Q: I don't understand what this is for.
icmp permit any inside

===

Guessing it's to allow pings to the PIX; I'd look that one up if I were you.

===
Q: I don't understand the 2nd nat (inside) command; what is it for?
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 0 10.1.1.0 255.0.0.0 0 0

===

Translates this traffic onto the outside interface. If the traffic is not translated it cannot pass through. For a collection of hosts (our student subnets) we have

nat (inside) 0 192.168.0.50 255.255.255.0

but for a specific server, we translate it to a specific IP address on the outside.

static (inside,outside) outsideIP internalIP

====
Q: I don't understand what these are for.
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
====

If you know routers, it's the ip access-group command. In simple terms this assigns an access-list to an interface on a device.

====
Q: Does that mean only the listed IP addresses can run PDM?
http 10.1.1.100 255.255.255.255 inside
http 10.1.1.91 255.255.255.255 inside
http 10.1.1.771 255.255.255.255 inside
====

Correct, this also explains the TELNET command.

====

Hope this is of use.

Ta

Fat



===

Fatman Superstar (Andrew James)

CCNA,
(CCNA Cisco Academy Instructor Trained)
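An added example, not part of this thread or of any Cisco tool: a small Python audit of the address/mask pairs in the three line forms quoted above (access-list source, nat, and http). It flags pairs where host bits are set under the mask, such as 10.1.1.0 255.0.0.0, which the PIX treats as the whole 10.0.0.0/8 rather than one /24, and addresses that do not parse at all. The sample lines are constructed, modelled on the quoted config.

```python
import ipaddress

# Constructed sample lines modelled on the forms quoted in this thread
# (not the poster's actual config).
SAMPLE_CONFIG = """\
access-list inside_access_in permit tcp 10.1.1.0 255.0.0.0 any eq www
access-list inside_access_in permit tcp 10.1.1.0 255.255.255.0 any eq smtp
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 0 10.1.1.0 255.0.0.0 0 0
http 10.1.1.100 255.255.255.255 inside
http 10.1.1.771 255.255.255.255 inside
"""

def address_pairs(line):
    """Yield (addr, mask) pairs from the PIX line forms seen in the thread."""
    tok = line.split() or [""]
    if tok[0] == "access-list" and len(tok) >= 6 and tok[2] in ("permit", "deny"):
        # access-list NAME permit|deny PROTO SRC SRCMASK DST ...
        if tok[4] not in ("any", "host"):
            yield tok[4], tok[5]
    elif tok[0] == "nat" and len(tok) >= 5 and tok[3] != "access-list":
        yield tok[3], tok[4]  # nat (IFACE) ID ADDR MASK ...; the ACL form has no mask
    elif tok[0] == "http" and len(tok) >= 4:
        yield tok[1], tok[2]  # http ADDR MASK IFACE (PDM management access)

def effective_network(addr, mask):
    """Network the PIX really matches, or None if addr/mask is not valid."""
    try:
        return ipaddress.IPv4Network((addr, mask), strict=False)
    except ValueError:
        return None

def audit(config):
    """Return [(line, finding)] for address/mask pairs that deserve a look."""
    findings = []
    for line in config.splitlines():
        for addr, mask in address_pairs(line):
            net = effective_network(addr, mask)
            if net is None:
                findings.append((line, f"invalid address or mask: {addr} {mask}"))
            elif ipaddress.IPv4Address(addr) != net.network_address:
                # Host bits are set under the mask: the rule covers more than it reads.
                findings.append((line, f"{addr} {mask} actually matches {net}"))
    return findings

def rule_covers(addr, mask, host):
    """True if HOST falls inside the network that ADDR/MASK really selects."""
    net = effective_network(addr, mask)
    return net is not None and ipaddress.IPv4Address(host) in net
```

Running audit(SAMPLE_CONFIG) reports both 255.0.0.0 lines as matching 10.0.0.0/8 and the 10.1.1.771 line as unparseable; rule_covers("10.1.1.0", "255.0.0.0", "10.200.3.4") shows a host far outside 10.1.1.0/24 still passing the access-list.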
 