PIX Access Control List and content filtering (3)

3. Use ACL

In the following network, use the ACL named acl_out On The inside interface to control inbound traffic. This ACL rejects HTTP connections from the internal network, and allows all other IP addresses to pass through. Using this ACL on the inside interface allows internal users to establish external connections. To allow outbound connections, the internal network address (10.0.0.0) is dynamically converted from 192.168.0.20 to 192.168.0.254.

The following lists the ACL configurations for implementing the network topology.
Pixfirewall (config) # write terminal
...
Nameif ethernet0 outside sec0
Nameif ethernet1 insside sec100
Access-list acl_out deny tcp any eq www
Access-list acl_out permit ip any
Access-group acl_outin interface inside
Nat (inside) 1 10.0.0.0 255.255.255.0
Global (outside) 1 192.168.0.20-192.168.0.254 netmask 255.255.255.0

For the network shown in, use the ACL named acl_in_dmz on the outside interface to control inbound traffic. This ACL only allows Web connections from the Internet web server through port 80, and denies access from all other IP addresses to DMZ or internal networks. When you access a web server on DMZ from an external network, You Need To statically convert the external address (192.168.0.11) to the address of the DMZweb server (172.16.0.2 ).

The following lists the ACL configurations for implementing the network topology.
Pixfirewall (config) # write terminal
...
Nameif ethernet0 outsidesec0
Nameif ethernet1 inside sec100
Nameif ethernet2 dmz sec50
Ip address outside 192.168.0.2 255.255.255.0
Ip address dmz 172.16.0.1 255.255.255.0
Static (dmz, outside) 192.168.0.11 172.16.0.2
Access-list acl_in_dmz permit tcp any host 192.168.0.11 eq www
Access-list acl_in_dmz deny ip any
Access-group acl_in_dmz in interface outside

For the network shown in, use the ACL named acl_partner on the Partnernet network interface to control inbound traffic. This ACL only allows the host in the 172.18.0.0/28 network to access the Web server in the DMZ through the web connection of the statically converted address, and rejects all other traffic from the Partnernet network. Use the ACL named acl_dmz_in on the DMZ interface to control inbound traffic. This ACL only allows mail access from the internal mail server of the host 172.16.0.4 to the inside interface, and rejects all other traffic from the DMZ network.

The following lists the ACL configurations that meet the preceding requirements:
Pixfirewall (config) # write terminal
...
Nameif ethernet0 outside sec0
Nameif ethernet1 inside sec100
Nameif ethernet2 dmz sec50
Nameif ethernet3 partnernet sec40
Static (dmz, partnernet) 172.18.0.17 172.16.0.2
Static (inside, dmz) 172.16.0.11 10.0.0.4
Access-list acl_partner permit tcp 172.18.0.0 255.255.255.0 host 172.18.0.17 eq www
Access-group acl_partner in interface partnernet
Access-list acl_dmz_in permit tcp host 172.16.0.4 host 172.16.0.11 eq smtp
Access-group acl_dmz_in interface dmz

In the VPN solution shown in, the PIX Firewall has two dedicated interfaces connected directly to the Cisco Virtual Private Network (VPN) concentrator. The dmz interface is connected to the public interface of the VPN concentrator, while the dmz2 interface is connected to the private interface of the VPN concentrator. The VPN concentrator can be configured to assign an address to the VPN Client from the address pool 10.2.21.33-62. A static route is defined for the outbound traffic to the VPN Client on the PIX Firewall. To allow communication between the VPN Client and the host in the internal network of the PIX Firewall, You need to configure a static switch on the PIX Firewall.

Configure the following two ACLs on the PIX Firewall to control inbound traffic from the Internet to the internal network of the PIX Firewall and outbound traffic from the VPN Client to the internal network of the PIX Firewall:
● An ACL named IPSEC allows HTTPS traffic from the Internet to the public interface on the VPN concentrator, and only IPSEC traffic to the VPN concentrator is allowed.
● The ACL named WEB allows HTTP traffic from the VPN Client (10.0.21.33-62) to the internal Web Server (10.0.0.10.

The following lists the ACL configurations required to implement this VPN environment.
Pixfirewall (config) # write terminal
...
Static (dmz, outside) 192.168.0.12 172.16.0.5 netmask 255.255.255.255 0
Static (inside, dmz) 10.0.21.10 10.0.0.10 netmask 255.255.255.255
Route dmz2 10.0.21.32 255.255.255.255.172.18.0.5 1
Access-list IPSEC permit tcp any host 192.168.0.12 eq 443
Access-list IPSEC permit esp any host 192.168.0.12
Access-list IPSEC permit udp any host 192.168.0.12 eq isakmp
Access-group IPSEC in interface outside
Access-list WEB permit tcp 10.0.21.32 without authorization 255.255.255.10.0.21.10 without authorization 255.255 eq www
Access-group WEB in interface dmz2

Icmp command

You can allow or disable the PING operation on the PIX Firewall. If PING is disabled, the PIX Firewall cannot be found in the network. You can use the icmp command to implement this function.

By default, you cannot ping An interface on the PIX Firewall through the PIX Firewall. For example, if the internal host cannot ping the outside interface on the PIX Firewall, it can ping the inside interface on the PIX Firewall.

When using the icmp command, configure the icmp command statement to allow or reject ICMP traffic terminated on the PIX Firewall. If the first matched entry contains permit, the ICMP packet will continue to be processed. If the first matched entry contains deny or no matched entry, the PIX Firewall rejects the ICMP packet and generates the % PIX-3-313001 System Log message. If no icmp command is configured, the default value is permit.

Cisco recommends that you allow the ICMP unreachable information type (Type3 ). Once the ICMP unreachable information is rejected, the maximum transmission unit (MTU) of the ICMP path cannot be automatically discovered, and the IP Security (IPsec) and Point-to-Point Tunneling (PPTP) traffic will be interrupted.

The clear icmp command is used to delete icmp command statements from the configuration.

The syntax of the icmp command is as follows:
Icmp permit | deny arc_addr src_mask [icmp-type] if_name
Clear icmp
Show icmp
● Permit/deny -- indicates that an interface on the PIX Firewall can be pinged or denied.
● Src_addr: indicates the IP address of the interface on the PIX Firewall that is allowed or prohibited from being pinged. Use host src_add to specify a single host
● Src_mask -- (optional) network mask. This parameter is required if a network is specified.
● Icmp-type -- ICMP Message type
● If_name -- the name of the interface that allows ping

The following example disables ICMP echo-replies messages on the outside interface and allows ICMP unreachable messages.
Pixfirewall (config) # icmp deny any echo-reply outside
Pixfirewall (config) # icmp permit any unreachable outside