Cisco Secure PIX Firewall Advanced Exam Certification Guide - Cisco press.pdf

118 Chapter 7: Configuring Access

action to restrict access when using an outbound access list. Due to this fact, for outbound access lists, you must deny first and permit after.

For example, if you wanted to restrict users on the inside interface from accessing a website at address on the outside interface, you would use the commands shown in Example 7-2.

Example 7-3 Restricting Inside Users’ Access to an External Web Server on Port 80

pixfirewall(config)# access-list acl_in deny tcp any host eq www
pixfirewall(config)# access-list acl_in permit ip any any
pixfirewall(config)# access-group acl_in in interface inside

This access list configuration lets any user start WWW connections, with the exception of

NOTE Starting with Cisco PIX Firewall OS version 5.3, access lists are the preferred method of managing network access. The conduit command was used in earlier versions. Access lists provide improved flexibility. However, the conduit command is still supported to maintain backward compatibility with configurations written for previous PIX Firewall versions.
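The ordering rule above (deny first, then permit) follows from the PIX evaluating an ACL top-down and stopping at the first match, with an implicit deny at the end. The following Python model is an added illustration, not code from the book or from the PIX itself; the web server address 198.51.100.10 and the client 10.1.1.5 are constructed documentation values standing in for the addresses elided in Example 7-3.

```python
from ipaddress import ip_address, ip_network

# Named ports the chapter's examples use with "eq"; "www" is port 80.
PORT_NAMES = {"www": 80, "ftp": 21, "smtp": 25}

def parse_addr(tok, i):
    """'any' | 'host A.B.C.D' | 'A.B.C.D MASK' -> (ip_network, next index)."""
    if tok[i] == "any":
        return ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ip_network(tok[i + 1] + "/32"), i + 2
    return ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2

def parse_ace(line):
    """Parse 'access-list NAME permit|deny PROTO SRC DST [eq PORT]'."""
    tok = line.split()
    assert tok[0] == "access-list", line
    src, i = parse_addr(tok, 4)
    dst, i = parse_addr(tok, i)
    port = None
    if i < len(tok) and tok[i] == "eq":
        port = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
    return {"action": tok[2], "proto": tok[3], "src": src, "dst": dst, "port": port}

def evaluate(acl, proto, src, dst, dport):
    """Top-down, first matching ACE decides; no match is the implicit deny."""
    for ace in acl:
        if ace["proto"] not in ("ip", proto):
            continue
        if ip_address(src) not in ace["src"] or ip_address(dst) not in ace["dst"]:
            continue
        if ace["port"] is not None and ace["port"] != dport:
            continue
        return ace["action"]
    return "deny"

WEB = "198.51.100.10"  # constructed address for the external web server
# Correct order, as in the chapter: the specific deny precedes the broad permit.
CORRECT = [parse_ace(line) for line in (
    f"access-list acl_in deny tcp any host {WEB} eq www",
    "access-list acl_in permit ip any any")]
# Wrong order: "permit ip any any" matches first, so the deny is never reached.
WRONG = list(reversed(CORRECT))

def compare(src="10.1.1.5"):
    """(correct list on port 80, wrong list on port 80, correct list on port 443)."""
    return (evaluate(CORRECT, "tcp", src, WEB, 80),
            evaluate(WRONG, "tcp", src, WEB, 80),
            evaluate(CORRECT, "tcp", src, WEB, 443))
```

With the deny placed second, the same web request is permitted, which is the misconfiguration the text warns about.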


TurboACL is a feature introduced with Cisco PIX Firewall version 6.2 that improves the average search time for access control lists (ACLs) containing a large number of entries. The search time for long ACLs is improved because this feature causes the PIX to compile tables for ACLs.

The TurboACL feature can be enabled globally on the entire PIX Firewall and then disabled for specific ACLs, or it can be enabled for only specific ACLs. The search performance improvement is seen in ACLs that have more than 19 ACEs; for ACLs that contain few ACEs, TurboACL does not improve performance, and the feature is applied only to ACLs with 19 or more entries. The implementation of TurboACL in PIX Firewall version 6.2 supports access lists with up to 16,000 access list entries.

The minimum memory required for TurboACL is 2.1 MB. Approximately 1 MB of memory is required for every 2000 ACL elements. High-end PIX Firewall models, such as the PIX 525 and PIX 535, are the most appropriate for memory-demanding TurboACL.

NOTE Because some models of Cisco PIX Firewall, such as the PIX 501, have limited memory, implementing the TurboACL feature might cause problems, such as not being able to load Cisco PIX Device Manager.


Configuring Individual TurboACL

The individual TurboACL command can be used to enable Turbo configuration for individual ACLs when TurboACL is not globally enabled. The syntax of this command is as follows:

[no] access-list acl_name compiled

This command is used to individually enable or disable TurboACL on a specific ACL. The acl_name parameter must specify an existing ACL. The command causes the TurboACL process to mark the ACL specified by acl_name as Turbo-configured and to Turbo-compile it if the ACL has 19 or more ACEs and has not yet been Turbo-compiled.

If you enter the no form of this command, the TurboACL process deletes the TurboACL structures associated with the ACL and marks the ACL as non-Turbo.

Globally Configuring TurboACL

The syntax for enabling TurboACL for the entire PIX is as follows:

[no] access-list compiled

This configures TurboACL on all ACLs having 19 or more entries. The command causes the TurboACL process to scan all existing ACLs. During the scan, it marks and Turbo-compiles any ACL that has 19 or more ACEs and has not yet been Turbo-compiled.

The command no access-list compiled, which is the default, causes the TurboACL process to scan all compiled ACLs and mark every one as non-Turbo. It also deletes all existing TurboACL structures.

Object Grouping

Another feature that is incorporated into the PIX 6.2 software is object grouping. This lets you group objects such as hosts (servers and clients), services, and networks and apply security policies and rules to the group. Object grouping lets you apply access rules to logical groups of objects. When you apply a Cisco PIX Firewall command to an object group, the command affects all network objects defined in the group. This can reduce a very large number of access rules to a manageable number. This in turn reduces the time spent configuring and troubleshooting access rules in large or complex networks.

The syntax for creating object groups is

[no] object-group object-type grp-id

Use the first parameter, object-type, to identify the type of object group you want to configure. There are four options:






Replace grp-id with a descriptive name for the group.

network object-type

The network object group is used to group hosts and subnets. Server and client hosts can be grouped by functions. For example, mail servers, web servers, or a group of client hosts that have special privileges on the network can be grouped accordingly.

Example 7-3 shows a web_servers object group.

Example 7-4 Configuring an Object Group

pixfirewall(config)# object-group network web_servers
pixfirewall(config-network)# description Public web servers
pixfirewall(config-network)# network-object host
pixfirewall(config-network)# network-object host
pixfirewall(config-network)# exit

pixfirewall(config)# access-list 102 permit tcp any object-group web_servers eq www
pixfirewall(config)# access-group 102 in interface outside

Notice that when you enter the object-group command, the system enters the appropriate subcommand mode for the type of object you are configuring. In this case, you see the config-network subcommand prompt. network-object host adds the host to the network object group. The description is optional, but it is helpful to have it in there.

NOTE It is also possible to use a name instead of an IP address when defining the network host. For example:

(config)# object-group network mis_ftp_servers
(config-network)# network-object host mis.ftp.server01
(config-network)# network-object host mis.ftp.server02
(config-network)# network-object mis.ftp.server01


To display the configured object group, use the show object-group command, as shown in Example 7-4.

Example 7-5 Displaying Configured Object Groups

pix(config)# show object-group
object-group network web_servers
  description: Public web servers
  network-object host
  network-object host


protocol object-type

The protocol object-type identifies a group of IP protocols using keywords such as icmp, tcp, udp, or an integer in the range of 1 to 254 representing an IP protocol number. The syntax for the command is object-group protocol grp-id. To add a single protocol to the current protocol object group, use the protocol-object protocol command. Example 7-5 shows how to use object-group protocol subcommand mode to create a new protocol object group.

Example 7-6 Creating a New Protocol Object Group

(config)# object-group protocol protocol_grp_citrix
(config-protocol)# protocol-object tcp
(config-protocol)# protocol-object citrix


service object-type

The service object-type identifies port numbers that can be grouped. This is particularly useful when you’re managing an application. The syntax for service object-type is

[no] object-group service obj_grp_id tcp | udp | tcp-udp

Once you are in the service subcommand mode, the command port-object eq service adds a single TCP or UDP port number to the service object group, and port-object range begin_service end_service adds a range of TCP or UDP port numbers to it. Example 7-6 shows how to use object-group service subcommand mode to create a new port (service) object group.

Example 7-7 Creating a New Port (Service) Object Group

(config)# object-group service mis_service tcp
(config-service)# port-object eq ftp
(config-service)# port-object range 5200 6000


icmp-type object-type

ICMP object groups can be created to group certain types of ICMP messages. For example, ICMP messages of echo-reply, echo, and unreachable with numerical values of 8, 0, and 3, respectively, can be grouped as shown in Example 7-7.

Example 7-8 Grouping ICMP Messages

pix(config)# object-group icmp-type icmp_test
pix(config-icmp-type)# icmp-object 0
pix(config-icmp-type)# icmp-object 3
pix(config-icmp-type)# icmp-object 8


Nesting Object Groups

You can add an object group within an object group. The object-group command allows logical grouping of the same type of objects and construction of hierarchical object groups for structured configuration. To nest an object group within another object group, use the group-object command. Example 7-8 illustrates the use of nested object groups.

Example 7-9 Configuring Nested Object Groups

pixfirewall(config)# object-group network Public_servers
pixfirewall(config-network)# description Public servers
pixfirewall(config-network)# network-object host
pixfirewall(config-network)# group-object web_servers

pixfirewall(config)# object-group network web_servers
pixfirewall(config-network)# description web servers
pixfirewall(config-network)# network-object host
pixfirewall(config-network)# network-object host
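To show what an object group saves in the access list, the following Python model expands the nested groups of Example 7-9 into the individual ACEs they stand for. It is an added illustration, not code from the book or from the PIX; the 192.0.2.x addresses are constructed documentation values in place of the book's elided ones, and the cycle check is this model's own safeguard.

```python
# Object groups from the chapter's nested example, with constructed
# RFC 5737 documentation addresses in place of the book's elided ones.
GROUPS = {
    "Public_servers": ["host 192.0.2.20", "group-object web_servers"],
    "web_servers": ["host 192.0.2.10", "host 192.0.2.11"],
}

def expand(group, groups=GROUPS, path=()):
    """Return the flat list of network objects in `group`, following
    group-object nesting; an undefined group or a nesting cycle is an error."""
    if group in path:
        raise ValueError("circular nesting: " + " -> ".join(path + (group,)))
    if group not in groups:
        raise KeyError(f"object-group {group} is not defined")
    objects = []
    for member in groups[group]:
        kind, value = member.split(maxsplit=1)
        if kind == "group-object":
            objects.extend(expand(value, groups, path + (group,)))
        else:
            objects.append(member)
    return objects

def flatten_acl(acl_id, action, proto, src, dst_group, port, groups=GROUPS):
    """Rewrite one access-list line whose destination is an object group into
    the per-host ACEs it stands for (duplicates dropped, order preserved)."""
    seen, aces = set(), []
    for obj in expand(dst_group, groups):
        if obj not in seen:
            seen.add(obj)
            aces.append(f"access-list {acl_id} {action} {proto} {src} {obj} eq {port}")
    return aces

if __name__ == "__main__":
    # One line referencing Public_servers stands for three host-level ACEs.
    for ace in flatten_acl("102", "permit", "tcp", "any", "Public_servers", "www"):
        print(ace)
```

Because the group is resolved when it is referenced, the order in which Public_servers and web_servers are defined in the example does not affect the result in this model.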

Using the fixup Command

The ports that are specified by the fixup command are the services that the PIX listens for. The fixup command can be used to change the default port assignments or to enable or disable application inspection for the following protocols and applications:




Internet Locator Service (ILS)

Remote Shell (RSH)

Real-Time Streaming Protocol (RTSP)

Session Initiation Protocol (SIP)

Skinny (or Simple) Client Control Protocol (SCCP)

Simple Mail Transfer Protocol (SMTP)


The basic syntax for the fixup command is as follows:

[no] fixup protocol [protocol] [port]

To change the default port assignment, specify the protocol and the new port number to assign. Use the no fixup protocol command to reset the application inspection entries to the default configuration. The clear fixup command removes the fixup commands you have added from the configuration; it does not remove the default fixup protocol commands.