118 Chapter 7: Configuring Access
action to restrict access when using an outbound access list. Due to this fact, for outbound access lists, you must deny first and permit after.
For example, if you wanted to restrict users on the inside interface from accessing a website at address 172.16.68.20 on the outside interface, you would use the commands shown in Example 7-2.
Example 7-3 Restricting Inside Users’ Access to an External Web Server on Port 80
pixfirewall(config)# access-list acl_in deny tcp any host 172.16.68.20 eq www pixfirewall(config)# access-list acl_in permit ip any any pixfirewall(config)# access-group acl_in in interface inside
This access list configuration lets any user start WWW connections, with the exception of 172.16.68.20.
NOTE Starting with Cisco PIX Firewall OS version 5.3, access lists are the preferred method of managing network access. The conduit command was used in earlier versions. Access lists provide improved flexibility. However, the conduit command is still supported to maintain backward compatibility with configurations written for previous PIX Firewall versions.
TurboACL
TurboACL is a feature introduced with Cisco PIX Firewall version 6.2 that improves the average search time for access control lists (ACLs) containing a large number of entries. The search time for long ACLs is improved because this feature causes the PIX to compile tables for ACLs.
The TurboACL feature can be enabled globally on the entire PIX Firewall and then disabled for specific ACLs. It can also be enabled for only specific ACLs. Search performance improvement is seen in ACLs that have more than 19 ACEs. For ACLs that contain few ACEs, TurboACL does not improve performance. The TurboACL feature is applied only to ACLs with 19 or more entries. The implementation of TurboACL in PIX Firewall version 6.2 supports access lists with up to 16,000 access list entries.
The minimum memory required for TurboACL is 2.1 MB. Approximately 1 MB of memory is required for every 2000 ACL elements. High-end PIX Firewall models, such as the PIX 525 and PIX 535, are the most appropriate for memory-demanding TurboACL.
NOTE Because some models of Cisco PIX Firewall, such as the PIX 501, have limited memory, implementing the TurboACL feature might cause problems, such as not being able to load Cisco PIX Device Manager.
Object Grouping 119
Configuring Individual TurboACL
The individual TurboACL command can be used to enable Turbo configuration for individual ACLs when TurboACL is not globally enabled. The syntax of this command is as follows:
[no] access-list acl_name compiled
This command is used to individually enable or disable TurboACL on a specific ACL. The acl_name parameter in the command must specify an existing ACL. This command causes the TurboACL process to mark the ACL specified by acl_name as Turbo-configured and Turbo-compiles the ACL if the ACL has 19 or more ACEs and has not yet been Turbocompiled.
If you enter the no form of this command, the TurboACL process deletes the TurboACL structures associated with the ACL and marks the ACL as non-Turbo.
Globally Configuring TurboACL
The syntax for enabling TurboACL for the entire PIX is as follows:
[no] access-list compiled
This configures TurboACL on all ACLs having 19 or more entries. This command causes the TurboACL process to scan all existing ACLs. During the scan, it marks and Turbocompiles any ACL that has 19 or more ACEs and has not yet been Turbo-compiled.
The command no access-list compiled, which is the default, causes the TurboACL process to scan all compiled ACLs and mark every one as non-Turbo. It also deletes all existing TurboACL structures.
Object Grouping
Another feature that is incorporated into the PIX 6.2 software is object grouping. This lets you group objects such as hosts (servers and clients), services, and networks and apply security policies and rules to the group. Object grouping lets you apply access rules to logical groups of objects. When you apply a Cisco PIX Firewall command to an object group, the command affects all network objects defined in the group. This can reduce a very large number of access rules to a manageable number. This in turn reduces the time spent configuring and troubleshooting access rules in large or complex networks.
The syntax for creating object groups is
[no] object-group object-type grp-id
Use the first parameter, object-type, to identify the type of object group you want to configure. There are four options:
•network
•protocol
120Chapter 7: Configuring Access
•service
•icmp-type
Replace grp-id with a descriptive name for the group.
network object-type
The network object group is used to group hosts and subnets. Server and client hosts can be grouped by functions. For example, mail servers, web servers, or a group of client hosts that have special privileges on the network can be grouped accordingly.
Example 7-3 shows a web_servers object group.
Example 7-4 Configuring an Object Group
pixfirewall(config)# object-group network web_servers pixfirewall(config-network)# description Public web servers pixfirewall(config-network)# network-object host 192.168.1.12 pixfirewall(config-network)# network-object host 192.168.1.14 pixfirewall(config-network)# exit
pixfirewall(config)# access-list 102 permit tcp any object-group web_servers eq www pixfirewall(config)# access-group 102 in interface outside
Notice that when you enter the object-group command, the system enters the appropriate subcommand mode for the type of object you are configuring. In this case, you see the config-network subcommand prompt. network-object host adds the host to the network object group. The description is optional, but it is helpful to have it in there.
NOTE It is also possible to use a name instead of an IP address when defining the network host. For example:
(config)# object-group network mis_ftp_servers (config-network)#network-object host mis.ftp.server01 (config-network)#network-object host mis.ftp.server02 (config-network)#network-object mis.ftp.server01
(config-network)#exit
To display the configured object group, use the show object-group command, as shown in Example 7-4.
Example 7-5 Displaying Configured Object Groups
pix(config)# show object-group object-group network web_servers
description: Public web servers network-object host 192.168.1.12 network-object host 192.168.1.14
Object Grouping 121
protocol object-type
The protocol object-type identifies a group of IP protocols using keywords such as icmp, tcp, udp, or an integer in the range of 1 to 254 representing an IP protocol number. The syntax for the command is object-group protocol grp-id. To add a single protocol to the current protocol object group, use the protocol-object protocol command. Example 7-5 shows how to use object-group protocol subcommand mode to create a new protocol object group.
Example 7-6 Creating a New Protocol Object Group
config)# object-group protocol_grp_citrix
(config-protocol)#protocol-object tcp
(config-protocol)#protocol-object citrix
(config-protocol)#exit
service object-type
The service object-type identifies port numbers that can be grouped. This is particularly useful when you’re managing an application. The syntax for service object-type is
[no] object-group service obj_grp_id tcp | udp | tcp-udp
As soon as you are in the service subcommand, the command port-object eq service adds a single TCP or UDP port number to the service object group. port-object range begin_service end_service adds a range of TCP or UDP port numbers to the service object group. Example 7-6 shows how to use object-group service subcommand mode to create a new port (service) object group.
Example 7-7 Creating a New Port (Service) Object Group
config)# object-group service mis_service tcp
(config-service)#port-object eq ftp
(config-service)#port-object range 5200 6000
(config-service)#exit
icmp-type object-type
ICMP object groups can be created to group certain types of ICMP messages. For example, ICMP messages of echo-reply, echo, and unreachable with numerical values of 8, 0, and 3, respectively, can be grouped as shown in Example 7-7.
Example 7-8 Grouping ICMP Messages
pix(config)# object-group icmp-type icmp_test pix(config-icmp-type)# icmp-object 0 pix(config-icmp-type)# icmp-object 3 pix(config-icmp-type)# icmp-object 8
122 Chapter 7: Configuring Access
Nesting Object Groups
You can add an object group within an object group. The object-group command allows logical grouping of the same type of objects and construction of hierarchical object groups for structured configuration. To nest an object group within another object group, use the group-object command. Example 7-8 illustrates the use of nested object groups.
Example 7-9 Configuring Nested Object Groups
pixfirewall(config)# object-group network Public_servers pixfirewall(config-network)# description Public servers pixfirewall(config-network)# network-object host 192.168.1.18 pixfirewall(config-network)# group-object web_servers
pixfirewall(config)# object-group network web_servers pixfirewall(config-network)# description web servers pixfirewall(config-network)# network-object host 192.168.1.12 pixfirewall(config-network)# network-object host 192.168.1.14
Using the fixup Command
The ports that are specified by the fixup command are the services that the PIX listens for. The fixup command can be used to change the default port assignments or to enable or disable application inspection for the following protocols and applications:
•
•
•
•
•
•
•
•
•
•
FTP
H.323
HTTP
Internet Locator Service (ILS)
Remote Shell (RSH)
Real-Time Streaming Protocol (RTSP)
Session Initiation Protocol (SIP)
Skinny (or Simple) Client Control Protocol (SCCP)
Simple Mail Transfer Protocol (SMTP)
SQL*Net
The basic syntax for the fixup command is as follows:
[no] fixup protocol [protocol] [port]
To change the default port assignment, identify the protocol and the new port number to assign. Use the no fixup protocol command to reset the application inspection entries to the default configuration. The clear fixup command removes fixup commands from the configuration you added. However, it does not remove the default fixup protocol commands.