PIX Access Control List and content filtering (1)

Source: Internet
Author: User
You can configure the PIX Firewall to selectively allow traffic through its interfaces in the following ways: based on the source or destination address; based on the service type; based on authentication, authorization, and accounting (AAA) requirements; based on content or the target URL.


An ACL is a list maintained by the router and the PIX Firewall to control traffic. Content filtering can prevent specific types of content (such as Java applets and ActiveX Controls) from entering your network. It can also be used to control and block access to restricted web sites by hosts inside the network.

I. Access Control List

You can use the access-list and access-group commands to implement the ACL.

The access-list command is used to create an ACL. The access-group command is used to bind an ACL to a specific interface of the router or the PIX Firewall. You can use the access-group command to bind only one ACL to an interface.

Unlike a Cisco IOS router, the PIX Firewall's access-group command binds an ACL only to the inbound direction of an interface. The PIX Firewall can still control outbound traffic (for example, from the inside interface to the outside interface), but you do so by binding the ACL to the inside interface with access-group acl_id in interface inside, so that it filters the traffic arriving at the inside interface from internal hosts.

The access-list and access-group commands replace the older outbound and conduit commands, and take precedence over them when both are configured.

When used to permit or deny traffic, the access-list command follows the same principles and rules as the conduit command. The following rules apply when designing and implementing an ACL:

● From a higher-security to a lower-security interface (for example, inside to outside):

-Use the ACL to restrict outbound traffic;

-The source address in the access-list command is the real (untranslated) address of the host or network.

● From a lower-security to a higher-security interface (for example, outside to inside):

-Use the ACL to restrict inbound traffic;

-The destination address in the access-list command is the translated global address.

The access-list command lets you specify whether an IP address is permitted or denied access to a port or protocol. Every ACL ends with an implicit deny: traffic that matches no entry is dropped, so any access you want to allow must be permitted explicitly.

PIX Firewall version 6.3 added support for ACL editing and comments. In this version you can give an ACL entry a line number and place it at any position in the ACL.

When a single host is the source or destination, the keyword host can be used in place of the network mask 255.255.255.255. For example, the following ACL entry permits FTP control-channel traffic (TCP port 21) from any source to host 192.168.1.1:

access-list SAMPLEACL permit tcp any host 192.168.1.1 eq ftp

The show access-list command lists the access-list statements in the configuration along with the hit count of each entry, that is, the number of packets that matched it during ACL lookups. In version 6.3 it also shows the comments added to an ACL and the line number of each entry.

The clear access-list command removes all access-list statements from the configuration. If the acl_id parameter is given, only the named ACL is removed. If the counters option is given, only the hit counters of the named ACL are reset.

Once an ACL is removed with clear access-list, all traffic that the affected access-list statements permitted is blocked by the PIX Firewall.

When you use the no access-list command, if the provided Parameters match the existing command, the command will be deleted from the configuration.

When you use the no access-list command and only specify the name of the relevant ACL, the entire ACL will be deleted. For example, no access-list out_in

If all access-list statements in an ACL group have been deleted, the no access-list command is equivalent to deleting the corresponding access-group command from the configuration.

Apart from the way the subnet mask is written, the access-list command has the same syntax on the PIX Firewall as in Cisco IOS software. Cisco IOS uses an inverted wildcard mask, so where an IOS access-list statement specifies 0.0.0.255, the equivalent PIX Firewall statement specifies the subnet mask 255.255.255.0.

The following lists the syntax of the access-list command:

access-list acl_ID [line line_num] deny | permit protocol source_addr source_mask [operator port [port]] destination_addr destination_mask [operator port [port]]

access-list acl_ID [line line_num] deny | permit icmp source_addr source_mask destination_addr destination_mask [icmp_type]

access-list acl_ID [line line_num] remark text

show access-list

clear access-list [acl_ID] [acl_ID counters]

For inbound connections, destination_addr is the translated (global) address; for outbound connections, source_addr is the untranslated (real) address.
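As an added illustration (this code is not from the original article or from Cisco), the following Python emulator parses access-list entries written in the syntax above and applies the matching rules described in this section: entries are checked in configuration order, the first match decides, every entry keeps a hit counter as show access-list displays, and anything unmatched falls to the implicit deny. It handles only the forms used on this page (permit/deny; ip, tcp, udp, icmp; any, host, address plus mask; eq and range on the destination port), rejects an IOS-style wildcard where PIX expects a subnet mask, and includes a wildcard-to-mask converter. The port-name table and the sample configuration are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed subset of the service names PIX accepts in place of port numbers.
PORT_NAMES = {"ftp": 21, "ssh": 22, "telnet": 23, "smtp": 25, "www": 80, "https": 443}


@dataclass
class Entry:
    text: str                         # the access-list line, kept for show output
    action: str                       # "permit" or "deny"
    proto: str                        # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[Tuple[int, int]]  # inclusive destination-port range; None = any port
    hits: int = 0                     # matched-packet counter, as in show access-list


def ios_wildcard_to_pix_mask(wildcard: str) -> str:
    """An IOS wildcard (0.0.0.255) is the bitwise complement of the PIX mask (255.255.255.0)."""
    return str(ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))))


def _port(token: str) -> int:
    return int(token) if token.isdigit() else PORT_NAMES[token]


def _parse_addr(tok: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse 'any' | 'host A' | 'A MASK' at tok[i]; return the network and the next index."""
    if tok[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.IPv4Network(tok[i + 1] + "/32"), i + 2
    mask = int(ipaddress.IPv4Address(tok[i + 1]))
    hostbits = ~mask & 0xFFFFFFFF
    if hostbits & (hostbits + 1):     # ones must be contiguous from the top: a PIX mask, not an IOS wildcard
        raise ValueError(f"{tok[i + 1]} is not a subnet mask (PIX does not use IOS wildcards)")
    return ipaddress.IPv4Network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def _parse_port(tok: List[str], i: int) -> Tuple[Optional[Tuple[int, int]], int]:
    """Parse an optional 'eq PORT' or 'range LOW HIGH' operator at tok[i]."""
    if i < len(tok) and tok[i] == "eq":
        p = _port(tok[i + 1])
        return (p, p), i + 2
    if i < len(tok) and tok[i] == "range":
        return (_port(tok[i + 1]), _port(tok[i + 2])), i + 3
    return None, i


def parse_acl(config: str, acl_id: str) -> List[Entry]:
    """Collect the entries of one ACL in configuration order; remark lines are skipped."""
    entries = []
    for line in config.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list" or tok[1] != acl_id or tok[2] == "remark":
            continue
        action, proto = tok[2], tok[3]
        src, i = _parse_addr(tok, 4)
        _, i = _parse_port(tok, i)       # a source-port operator is accepted but not enforced here
        dst, i = _parse_addr(tok, i)
        dport, _ = _parse_port(tok, i)
        entries.append(Entry(line.strip(), action, proto, src, dst, dport))
    return entries


def evaluate(entries: List[Entry], proto: str, src: str, dst: str, dport: Optional[int] = None) -> str:
    """Linear first-match lookup; a packet matching no entry hits the implicit deny."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for e in entries:
        if e.proto not in ("ip", proto) or s not in e.src or d not in e.dst:
            continue
        if e.dport is not None and (dport is None or not e.dport[0] <= dport <= e.dport[1]):
            continue
        e.hits += 1
        return e.action
    return "deny"                         # implicit deny at the end of every ACL


def show_access_list(entries: List[Entry]) -> List[Tuple[str, int]]:
    """Each entry with its hit count, as show access-list reports it."""
    return [(e.text, e.hits) for e in entries]


# Constructed sample configuration for this example, not taken from any device.
SAMPLE_CONFIG = """\
access-list SAMPLEACL remark FTP to the server from anywhere; no telnet out of the lab net
access-list SAMPLEACL permit tcp any host 192.168.1.1 eq ftp
access-list SAMPLEACL deny tcp 10.0.0.0 255.255.255.0 any eq telnet
access-list SAMPLEACL permit ip 10.0.0.0 255.255.255.0 any
"""

if __name__ == "__main__":
    acl = parse_acl(SAMPLE_CONFIG, "SAMPLEACL")
    print(evaluate(acl, "tcp", "203.0.113.5", "192.168.1.1", 21))    # permit: entry 1
    print(evaluate(acl, "tcp", "10.0.0.7", "192.168.1.1", 23))      # deny: entry 2 is reached before the broad permit
    print(evaluate(acl, "tcp", "10.0.0.7", "198.51.100.9", 80))     # permit: entry 3
    print(evaluate(acl, "udp", "203.0.113.5", "192.168.1.1", 53))   # deny: no entry matched, implicit deny
    for text, hits in show_access_list(acl):
        print(f"{hits:>4}  {text}")
    print(ios_wildcard_to_pix_mask("0.0.0.255"))                     # 255.255.255.0
```

The order of the sample entries is the point: the telnet deny sits before the broad permit, so swapping the last two lines would silently open telnet from the lab network, and the UDP query shows that a packet matching nothing is dropped without incrementing any counter.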

The access-group command is used to bind an ACL to an interface. ACL is used to control the inbound traffic of an interface (unlike the ACL on a router, there is no outbound ACL on the PIX ). You can use the access-group command to bind only one ACL to an interface.

The no access-group command can be used to unbind the access control list (ACL) bound to interface_name using the acl_ID parameter.

The show access-group command is used to list the ACLs currently bound to an interface.

The clear access-group command removes all access-group statements from the configuration, unbinding every ACL from its interface; the access-list entries themselves are not deleted.

The following lists the syntax of the access-group command:

access-group acl_ID in interface interface_name

no access-group acl_ID in interface interface_name

show access-group [acl_ID in interface interface_name]

clear access-group

● acl_ID -- name of the ACL

● in interface -- filter inbound packets on the given interface

● interface_name -- name of the network interface

The nat command enables NAT for a host or network. The nat access-list form implements policy NAT: only traffic that matches the entries of the referenced ACL is translated. Conversely, the nat 0 access-list command exempts traffic that matches the ACL from translation.

The following lists the syntax of the nat access-list command:

nat [(if_name)] nat_id access-list acl_name [outside]

● if_name -- name of the internal (higher-security) interface whose traffic the ACL selects.

● nat_id -- an integer from 0 to 65535. A nat_id of 0 exempts traffic matching the ACL from translation; a nat_id from 1 to 65535 enables policy NAT for that traffic.

● access-list -- associates the nat command with an access-list command.

● acl_name -- name of the access-list that selects the traffic.

● outside -- applies the nat command to the outside interface address (outside NAT).

The following example shows how the nat 0 access-list command lets the internal host 10.0.0.11 connect to the external host 10.2.1.3 without address translation:

pixfirewall(config)# access-list NONAT permit ip host 10.0.0.11 host 10.2.1.3

pixfirewall(config)# nat (inside) 0 access-list NONAT

Turbo ACL

A typical ACL is composed of multiple ACL entries. These entries are organized in order within the PIX Firewall to form a linked list. When the access control list is used to process data packets, the PIX Firewall searches for the linked list sequentially to find matched entries. The matched entries are used to decide whether to forward or discard the data packet. In linear search, the average search time is proportional to the ACL size.

Turbo ACL lets the PIX Firewall compile an ACL into a different internal structure so that the average lookup time no longer grows with the number of entries. You can enable the feature globally and then disable it for specific ACLs, or enable it only for specific ACLs. For short ACLs, Turbo ACL does not improve performance: a Turbo ACL lookup takes roughly the same time for an ACL of any length as a regular lookup in an ACL of 12 to 18 entries. Therefore, Turbo ACL is only enabled on, and only useful for, ACLs with 19 or more entries.

Turbo ACL requires a minimum of 2.1 MB of memory, plus about 1 MB for every 2,000 ACL entries. The memory actually needed depends not only on the number of entries but also on their complexity, so the feature is best suited to high-end PIX Firewalls such as the PIX Firewall 525 or 535. When an entry is added to or deleted from an ACL that has Turbo ACL enabled, the internal tables associated with that ACL are regenerated, which places a non-negligible load on the PIX Firewall's CPU.

The 501-type PIX Firewall does not support Turbo ACL.

Turbo ACL can be configured globally or individually per ACL. The access-list compiled command enables Turbo ACL for all ACLs with 19 or more entries: it causes the Turbo ACL process to scan all existing ACLs, mark each of them with the Turbo configuration flag, and compile those containing 19 or more entries.

The access-list acl_ID compiled command enables Turbo ACL for a single ACL. After enabling Turbo ACL globally, you can also disable it for a specific ACL with the no form of this command.

The no access-list compiled command causes the Turbo ACL process to scan all compiled ACLs on the PIX Firewall, mark each one as non-Turbo, and delete all existing Turbo ACL structures.

The show access-list command displays the Turbo ACL configuration. When Turbo ACL is configured, its output includes the memory used by each Turbo-compiled ACL and the memory shared by all ACLs; if no ACL has been Turbo-compiled, no Turbo statistics are shown.
