Need to know how to add access-lists in PIX 560

[GoldNKid]

I'm banging my head against the wall. I'm working for a client who had this firewall configured by another vendor, no longer in business, and I know nothing about PIXs but am firewall literate. I've read the info on

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v51/config/config.htm#xtocid2081538

and

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v51/config/commands.htm#xtocid2254111

but I cannot seem to enter the commands needed to open up ports 21 and 5800. There seems like there should be a config module within the telnet session but entering the strings listed in the above web pages take me back to the help list.

I'm relatively certain that the access is provided by way of access-lists and not conduits:
access-list acl_out permit icmp any any
access-list acl_out permit tcp any any
access-list acl_out permit udp any any
access-list acl_in permit tcp any host 66.109.226.35 eq www
access-list acl_in permit tcp any host 66.109.226.35 eq pop3
access-list acl_in permit tcp any host 66.109.226.35 eq smtp
conduit permit tcp host 66.109.226.35 eq 1723 any
conduit permit gre host 66.109.226.35 any
fixup protocol ftp 21

I just need to add the additional access-lists to allow ftp and 5800 for VNC. Can someone help me PLEASE!!!

Thanks for your time

 

[ChrisAC]

access-list acl_in permit tcp any host 66.109.226.35 eq www
access-list acl_in permit tcp any host 66.109.226.35 eq pop3
access-list acl_in permit tcp any host 66.109.226.35 eq smtp
access-list acl_in permit tcp any host 66.109.226.35 eq ftp
access-list acl_in permit tcp any host 66.109.226.35 eq 5800

access-group acl_in in outside

This would allow ftp and tcp port 5800 to that host from anywhere on the internet. The access list is then applied inbound on the outside interface.

Is that what you wanted?

Chris.
************************
Chris Andrew, CCNA
chrisac@gmx.co.uk
************************

 

[yizhar]

HI.

Are there any "access-group" commands in your config?
If so, post them?
If not, only "conduit" will take place, with the default of the ASA that allows outbound access, but blocks inbound access by default (unless specific conduit overrides).

It is recommended not to mix access-list and conduit commands. It can work but more dificult to manage.

If you use conduit, it can look like this:
conduit permit tcp host 66.109.226.35 eq ftp any
conduit permit tcp host 66.109.226.35 eq 5800 any

You should note that the order of addresses is reversed in conduit comparing to access-list commands.

You can use pixcript as a syntax assitant and for getting sample configurations:

http://teachers.sivan.co.il/yizhar#pixcript

Bye


Yizhar Hurwitz

http://come.to/yizhar

http://teachers.sivan.co.il/yizhar

 

[GoldNKid]

Thanks for the feedback. I see what you guys are saying but what I have is the syntax and can't figure out how to enter it.

All I have done so far is Telnet into the PIX, enter it's password, and enabled it. I need to know what I need to enter at that prompt to enable me to add these lines of syntax to the ACL. Entering:

access-list acl_in permit tcp any host 66.109.226.35 eq ftp
access-list acl_in permit tcp any host 66.109.226.35 eq 5800
access-group acl_in in outside

at the enable prompt just brings me back to a help menu and a prompt.

Eric

 

[ChrisAC]

It's just like a router. You need to be in global config mode to enter configuration commands. It does explain this in the links you provided.

firewall>en
firewall#conf t
firewall(config)#access-list acl_in permit ... etc...
firewall(config)#access-list acl_in permit ... etc...
firewall(config)#access-group acl_in in outside
firewall(config)#<ctrl+z>
firewall#wr mem

Chris.
************************
Chris Andrew, CCNA
chrisac@gmx.co.uk
************************

 

[jlavin]

conduits are old school.

You should stay away from them in my opinion.

Basically you create an access list with any name and then apply it to the interface you wish to have it on.