PIX Access Control List and content filtering (1)

PIX Access Control List and content filtering (1) configure the PIX Firewall to selectively allow certain traffic through its interface. These configuration methods are: based on the source address or destination address; based on the service type; based on authentication, authorization, and billing (AAA) requirements; based on content or target URL. Www.2cto.com ACL is a list of traffic control maintained by routers and PIX firewalls. Content filtering can prevent specific types of content (such as Java applets and ActiveX Controls) from entering your network. It can also be used to control and block access to restricted web sites by hosts inside the network. 1. the access control list uses the access-list and access-group commands to implement the ACL. The access-list command is used to create an ACL. The access-group command is used to bind an ACL to a specific interface of the router or the PIX Firewall. You can use the access-group command to bind only one ACL to an interface. Unlike a Cisco IOS router, the access-group command on the PIX Firewall can only bind the ACL to the inbound traffic of any interface. However, the PIX Firewall can still control outbound traffic (for example, from the inside interface to the outside interface ), however, you must use the access-group acl_id in interface inside command to bind the ACL to the inside interface to control the traffic from the internal host to the inside interface. The access-list and access-group commands can replace outbound or conductor commands, and the access-list and access-group commands have a higher priority. When used to allow or deny traffic, the access-list Command follows the same principles and rules as the conducting command. The following are the rules used to design and implement the ACL: ● from high to low security: www.2cto.com-use the ACL to Restrict outbound traffic; -The source address in the ACL command is the actual address of the host or network. ● Low to high security:-use ACL to limit inbound traffic;-the destination address in the ACL command is the converted global address. The access-list command allows you to specify whether to allow or deny an IP address to access a port or protocol. By default, all accesses in the access list are rejected. Therefore, it must be explicitly stated when access is allowed. Added support for ACL editing and commenting in the PIX Firewall 6.3. In this version, you can specify the row number for a specific ACL entry and place it in any location in the ACL. When the host IP address is used as the source or destination address, you can use the keyword host to replace the network mask 255.255.255.255. For example, the following ACL allows FTP traffic to host 192.168.1.1: the access-list SAMPLEACL permit tcp any host 192.168.1.1 eq ftp show access-list command can list the access-list Command statements in the configuration, you can also list matching hit statistics for each element in the access-list command search process. In version 6.3, you can also display all comments added to the ACL and the row numbers of each entry. The clear access-list Command deletes all access-list statements from the configuration. If the acl_id parameter in the clear access-list command is specified, only the ACL corresponding to the parameter is deleted. If the counters option is specified, the matching hit statistics of the specified ACL will be cleared. When you use the clear access-list Command, all traffic related to the affected access-list command statement will be blocked through the PIX Firewall. When you use the no access-list command, if the provided Parameters match the existing command, the command will be deleted from the configuration. When you use the no access-list command and only specify the name of the relevant ACL, the entire ACL will be deleted. For example, no access-list out_in. If all access-list statements in an ACL group have been deleted, the no access-list command is equivalent to deleting the corresponding access-group command from the configuration. In addition to the order in which subnet masks are processed, the access-list command has the same syntax in the PIX Firewall as in Cisco IOS software. For example, if the subnet mask specified by the access-list command in Cisco IOS is 0.0.255, the access-list command in the PIX firewall will specify the subnet mask as 255.255.255.0. The following lists the syntax of the access-list command: access-list acl_ID [line line_num] deny | permit protocol source_addr source_mask [operator port [port] destination_addr destination_mask operator [port [port] access-list acl_ID [line line_num] deny | permit icmp source_addr source_mask destination_addr destination_mask [icmp_type] access-list acl_ID [line line_num] remark textshow access-list clear access-list [acl_ID] [Cl_ID counters] For inbound connections, destination_addr refers to the address after NAT translation; for outbound connections, source_addr refers to the address without NAT translation. The access-group command is used to bind an ACL to an interface. ACL is used to control the inbound traffic of an interface (unlike the ACL on a router, there is no outbound ACL on the PIX ). You can use the access-group command to bind only one ACL to an interface. The no access-group command can be used to unbind the access control list (ACL) bound to interface_name using the acl_ID parameter. The show access-group command is used to list the ACLs currently bound to an interface. The clear access-group Command deletes all entries in the ACL indicated by the acl_ID parameter. If the acl_ID parameter is not specified, all access-list statements in the configuration will be deleted. The following lists the syntax of the access-group command: access-group acl_ID in interface interface_nameno access-group acl_ID in interface interface_nameshow access-group acl_ID in interface interface_nameclear access-group ● acl_ID -- name associated with the given ACL ● in interface -- in interface filter inbound packets on a given interface ● interface_name -- Name of the network interface nat command can enable NAT address translation for the host or network. Nat access-list implements policy nat Based on the NAT command. You can only perform NAT translation on the traffic that matches the entries in the access control list ACL. You can also use the nat 0 access-list command to not convert the traffic that matches the ACL entries. The following lists the syntax of the nat access-list command: nat [(if_name)] nat_id access-list acl_name [outside] ● if_name -- Internal Network Interface Name. If this interface is bound with an ACL, The if_name parameter is the name of the interface with a higher security level ● nat_id -- an integer between 0 and 65535. If the value of nat_id is 0, the traffic that matches the ACL is not converted to NAT. If the nat_id value is between 1 and 65535, enable the policy NAT ● access-list -- this parameter associates the nat 0 command with the access-list Command ● acl_name -- used to identify the name of the access-list command statement ● outside -- used to specify apply the nat command to the outside interface address. The following example shows that the nat 0 access-list command can enable the internal host 10.0.0.11 to connect to the external host 10.2.1.3 without converting the NAT address. Pixfirewall (config) # access-list NONAT permit ip host 10.0.0.11 host 10.2.1.3pixfirewall (config) # nat (inside) 0 access-list NONAT Turbo ACL a typical ACL is composed of multiple ACL entries, which are organized in order within the PIX Firewall to form a linked list. When the access control list is used to process data packets, the PIX Firewall searches for the linked list sequentially to find matched entries. The matched entries are used to decide whether to forward or discard the data packet. In linear search, the average search time is proportional to the ACL size. The Turbo ACL allows the PIX Firewall to re-edit the ACL table to increase the average search time when the ACL contains a large number of entries. You can enable this feature for all ACLs first, and then disable this feature for a specific ACL. You can also enable this feature for a specific ACL. For shorter ACLs, the Turbo ACL feature does not improve performance. The time required by a Turbo ACL to query an ACL of any length is roughly the same as the time required to perform a regular query in an ACL consisting of 12 to 18 entries. Therefore, the Turbo ACL feature is both enabled and used only on 19 or more ACLs. The Turbo ACL requires at least 2000 MB of memory and about 1 MB of memory is required for each ACL entries. The actually required promotion is related not only to the number of entries in the ACL, but also to the complexity of the entries. Therefore, it is suitable for high-end PIX firewalls, such as the PIX Firewall 525 or 535. When an entry is added or deleted in the ACL that enables the Trubo ACL feature, the internal data table associated with the ACL is regenerated, this burden on the CPU Of the PIX Firewall cannot be ignored. The 501-type PIX Firewall does not support Turbo ACL. The Turbo ACL feature can be configured in a unified manner, or configured individually for each ACL. You can use the access-list compiled command to enable the Turbo ACL feature for all 19 or more ACLs. This command will enable the Turbo ACL process to scan all existing ACLs. During the scan, the Turbo configuration flag is added to each ACL and the ACL containing more than 19 entries is edited. You can use the access-list acl_ID compiled command to enable the turbo ACL feature for a separate ACL. You can also disable this feature by using the no form of the command after uniformly configuring the Turbo ACL. By default, the no access-list compiled command scans all edited ACLs In the Turbo ACL processing process of the PIX Firewall and marks each ACL as non-Turbo, all existing Turbo ACL structures are also deleted. Run the show access-list command to view the Turbo ACL Configuration. When the Turbo ACL is configured, this command outputs the memory usage of each URL edited by the Turbo and the memory usage shared by all the ACLs, if no ACL is edited by Turbo, Turbo statistics are not output.