• Java
• ActiveX
• URL Filtering
• Object Groups
• Nested Object Groups
pixfirewall(config)#
access-group acl_ID in interface interface_name
• Binds an ACL to an interface.
pixfirewall(config)# access-group DMZ1 in interface dmz
• Binds ACL DMZ1 to interface dmz.
[Figure: ACL entries (Entry 2, Entry 3, ... Entry N) compared against a packet header value]
pixfirewall(config)#
access-list compiled
• Enables the Turbo ACL feature on all ACLs.
• Turbo compiles all ACLs with 19 or more entries.
pixfirewall(config)#
access-list acl_ID compiled
• Enables the Turbo ACL feature for a specific ACL.
contains:
– A NAT and a global pool for the Partnernet.
– Statics for the FTP server and mail server.
– A conduit permitting access to the FTP server from the Partnernet.
– An ACL on the Partnernet interface permitting access to the mail server.
• The action specified for both the conduit and the ACL is permit, but the configuration is not working as planned. Why?
pixfirewall(config)#
conduit permit | deny protocol global_ip global_mask
pixfirewall(config)#
access-list acl_ID deny | permit protocol source_addr source_mask [operator port [port]] destination_addr destination_mask operator port [port]
255.255.255.0
pixfirewall(config)# static (inside,partnernet) 172.18.0.10 10.0.0.3 netmask 255.255.255.255
pixfirewall(config)# static (inside,partnernet) 172.18.0.12 10.0.0.4 netmask 255.255.255.255
pixfirewall(config)# access-list 102 permit tcp 172.18.0.0 255.255.255.0 host 172.18.0.10 eq ftp
pixfirewall(config)# access-list 102 permit tcp 172.18.0.0 255.255.255.0 host 172.18.0.12 eq smtp
pixfirewall(config)# access-list 102 deny tcp 172.18.0.0 255.255.255.0 10.0.0.0 255.255.255.0 eq www
pixfirewall(config)# access-list 102 permit tcp 172.18.0.0 255.255.255.0 any eq www
pixfirewall(config)# access-group 102 in interface partnernet
• Users on the Partnernet are able to access the Internet, the internal FTP server, and the internal mail server.
© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—10-20
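The following Python script is an added example, not part of the Cisco course material. It models how the PIX evaluates an access list that has been bound to an interface with access-group: entries are checked from the top, the first entry that matches the packet decides, and a packet that matches no entry is dropped by the implicit deny at the end of every ACL. It parses the four entries of ACL 102 from the Partnernet example (the SMTP entry's destination is taken as the mail server's static address 172.18.0.12) and evaluates constructed sample flows from a Partnernet host; the flow addresses and the order_matters() helper are assumptions made for illustration.

```python
"""Added example: first-match evaluation of PIX access list 102 (not Cisco course code).

The PIX walks an ACL bound with access-group from the top; the first entry whose
protocol, addresses and port qualifier match the packet decides, and a packet that
matches nothing is dropped by the implicit deny at the end of every ACL.
"""
import ipaddress

# Port keywords used by the ACL on the slide (numeric ports are accepted as well).
PORT_NAMES = {"ftp": 21, "smtp": 25, "www": 80}

# Access list 102 from the Partnernet example; the SMTP entry's destination is the
# mail server's static (global) address 172.18.0.12.
ACL_102 = [
    "access-list 102 permit tcp 172.18.0.0 255.255.255.0 host 172.18.0.10 eq ftp",
    "access-list 102 permit tcp 172.18.0.0 255.255.255.0 host 172.18.0.12 eq smtp",
    "access-list 102 deny tcp 172.18.0.0 255.255.255.0 10.0.0.0 255.255.255.0 eq www",
    "access-list 102 permit tcp 172.18.0.0 255.255.255.0 any eq www",
]


def _take_addr(tok, i):
    """Consume one address spec at tok[i] ('any', 'host A', or 'A MASK') and
    return (network, index of the next token). PIX ACLs use subnet masks."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}"), i + 2


def _take_port(tok, i):
    """Consume an optional 'eq <port>' qualifier; None means any port."""
    if i < len(tok) and tok[i] == "eq":
        name = tok[i + 1]
        return (int(name) if name.isdigit() else PORT_NAMES[name]), i + 2
    return None, i


def parse_ace(line):
    """Turn one 'access-list acl_ID permit|deny proto src [eq p] dst [eq p]' line
    into a dict of matchable fields."""
    tok = line.split()
    src, i = _take_addr(tok, 4)
    sport, i = _take_port(tok, i)
    dst, i = _take_port and _take_addr(tok, i)
    dport, i = _take_port(tok, i)
    return {"action": tok[2], "proto": tok[3], "src": src, "sport": sport,
            "dst": dst, "dport": dport}


def evaluate(acl_lines, proto, src_ip, dst_ip, dst_port, src_port=None):
    """Return (action, matched entry) for the first entry that matches the flow,
    or ('deny', 'implicit deny') when no entry matches."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for line in acl_lines:
        ace = parse_ace(line)
        if ace["proto"] not in ("ip", proto):
            continue
        if src not in ace["src"] or dst not in ace["dst"]:
            continue
        if ace["sport"] is not None and ace["sport"] != src_port:
            continue
        if ace["dport"] is not None and ace["dport"] != dst_port:
            continue
        return ace["action"], line
    return "deny", "implicit deny"


def order_matters():
    """Constructed check of why the deny entry must precede 'permit ... any eq www':
    returns the action for Partnernet -> inside web traffic with the configured
    order, and again with the deny entry moved to the end of the list."""
    flow = ("tcp", "172.18.0.5", "10.0.0.7", 80)   # constructed Partnernet host -> inside host
    as_configured = evaluate(ACL_102, *flow)[0]
    deny_last = ACL_102[:2] + [ACL_102[3], ACL_102[2]]
    return as_configured, evaluate(deny_last, *flow)[0]


if __name__ == "__main__":
    # Constructed sample flows from a Partnernet host (172.18.0.5).
    for flow in [("tcp", "172.18.0.5", "172.18.0.10", 21),
                 ("tcp", "172.18.0.5", "172.18.0.12", 25),
                 ("tcp", "172.18.0.5", "10.0.0.7", 80),
                 ("tcp", "172.18.0.5", "192.0.2.80", 80),
                 ("tcp", "172.18.0.5", "172.18.0.10", 23),
                 ("udp", "172.18.0.5", "192.0.2.80", 80)]:
        print(flow, "->", evaluate(ACL_102, *flow))
    print("deny first / deny last:", order_matters())
```

The Telnet and UDP flows fall through to the implicit deny because no entry names them, and order_matters() shows that moving the deny entry below the permit-any entry silently opens web access to the 10.0.0.0/24 inside network: when reviewing an ACL on the firewall, read the output of show access-list in order, not as a set.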
Using ACLs
...
static (dmz,outside) 192.168.0.12 172.16.0.5 netmask 255.255.255.255 0 0
static (inside,dmz2) 10.0.21.0 10.0.0.0 netmask 255.255.255.0
route dmz2 10.0.21.0 255.255.255.0 172.18.0.5 1
access-list IPSEC permit tcp any host 192.168.0.12 eq 443
access-list IPSEC permit esp any host 192.168.0.12
access-list IPSEC permit udp any host 192.168.0.12 eq isakmp
access-group IPSEC in interface outside
Reviewer note (rvogt): WEB access list should have host 10.0.0.10 as destination address.
access-list WEB permit tcp 10.0.21.32 255.255.255.224 10.0.21.0 255.255.255.0 eq www
access-group WEB in interface dmz2
• an administrator to prevent the downloading of Java applets by an inside system.
• Java programs can provide a vehicle through which an inside system can be invaded.
• Java applets are executable programs that are banned within some security policies.
pixfirewall(config)#
filter activex | java port [-port] local_ip mask foreign_ip mask
• Filters out ActiveX usage from outbound packets.
• Filters out Java applets that return to the PIX Firewall from an outbound connection.
pixfirewall(config)# filter activex 80 0 0 0 0
Configure URL Filtering
version [1 | 4]]
• Designates a server that runs a Websense URL-filtering application.
pixfirewall(config)#
url-server [(if_name)] vendor n2h2 host local_ip [port number] [timeout seconds] [protocol TCP | UDP]
• Designates a server that runs an N2H2 URL-filtering application.
pixfirewall(config)#
filter url port[-port] | except local_ip local_mask foreign_ip foreign_mask [allow] [proxy-block] [longurl-truncate | longurl-deny] [cgi-truncate]
• Prevents outbound users from accessing URLs that are designated with the URL-filtering application.
pixfirewall(config)#
url-block url-size long_url_size
pixfirewall(config)#
url-block url-mempool memory_pool_size
• Enables you to configure the maximum memory available for buffering long URLs and pending URLs.
• Services: MYSERVICES
– SMTP
– FTP
• Protocols: MYPROTOCOLS
– UDP
– IPSec
• Networks/Hosts: MYCLIENTS
– Subnet 10.0.0.0/11
– 10.0.1.11
– 10.0.2.11
• Assigns a name to a Network group and enables the Network subcommand mode.
pixfirewall(config)#
object-group service grp_id tcp | udp | tcp-udp
• Assigns a name to a Service group and enables the Service subcommand mode.
pixfirewall(config)#
object-group protocol grp_id
• Assigns a name to a Protocol group and enables the Protocol subcommand mode.
pixfirewall(config)#
object-group icmp-type grp_id
• Assigns a name to an ICMP-type group and enables the ICMP-type subcommand mode.
• Assigns a name to the group and enables the Network sub-command mode.
pixfirewall(config-network)#
network-object host host_addr | host_name
• Assigns hosts to the Network object group.
pixfirewall(config-network)#
network-object net_addr netmask
• Assigns networks to the Network object group.
pixfirewall(config-service)#
port-object eq service
• Assigns a single TCP or UDP port number to the Service object group.
pixfirewall(config-service)#
port-object range begin_service end_service
• Assigns a range of TCP or UDP port numbers to the Service object group.
pixfirewall(config)#
object-group protocol grp_id
pixfirewall(config-protocol)#
protocol-object protocol
• Assigns a protocol to the Protocol object group.
pixfirewall(config)#
object-group icmp-type grp_id
pixfirewall(config-icmp-type)#
icmp-object icmp-type
• Assigns an ICMP message type to the object group.
pixfirewall(config-group-type)#
group-object object_group_id
• Nests an object group within another object group.
pixfirewall(config)#
access-list acl_ID deny | permit object-group protocol_obj_grp_id object-group network_obj_grp_id [object-group service_obj_grp_id] object-group network_obj_grp_id object-group service_obj_grp_id
• Creates an access list containing object groups.
static (inside,outside) 192.168.1.12 10.0.1.12 netmask 255.255.255.255
static (inside,outside) 192.168.2.10 10.0.2.11 netmask 255.255.255.255
static (inside,outside) 192.168.2.12 10.0.2.12 netmask 255.255.255.255
network-object host 172.26.26.50
network-object host 172.26.26.51
object-group network LOCALS1
network-object host 192.168.1.10
network-object host 192.168.1.12
object-group network LOCALS2
network-object host 192.168.2.10
network-object host 192.168.2.12
object-group network ALLLOCALS
group-object LOCALS1
group-object LOCALS2
object-group service BASIC
port-object eq ftp
port-object eq smtp
pixfirewall(config)# access-list INBOUND permit tcp object-group REMOTES object-group ALLLOCALS object-group BASIC
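The following Python script is an added example, not Cisco course code. It shows what a single access-list entry written with object groups stands for: the firewall expands it into one individual entry per combination of source member, destination member and port, following group-object nesting recursively. The group contents are transcribed from the example above; the slide does not show the definition of the REMOTES group, so its two members (172.26.26.50 and 172.26.26.51) are an assumption taken from the two network-object host lines that precede LOCALS1, and the nesting_loop_is_rejected() check uses constructed groups.

```python
"""Added example: expanding nested object groups into flat access-list entries
(not Cisco course code). An ACE written with object groups stands for every
combination of the groups' members; nested groups are followed recursively."""
from itertools import product

# Object groups transcribed from the example. The REMOTES definition is not shown
# on the slide, so its membership below is an assumption.
OBJECT_GROUPS = {
    "REMOTES":   ("network", ["host 172.26.26.50", "host 172.26.26.51"]),
    "LOCALS1":   ("network", ["host 192.168.1.10", "host 192.168.1.12"]),
    "LOCALS2":   ("network", ["host 192.168.2.10", "host 192.168.2.12"]),
    "ALLLOCALS": ("network", ["group-object LOCALS1", "group-object LOCALS2"]),
    "BASIC":     ("service", ["eq ftp", "eq smtp"]),
}


def resolve(group_id, groups=OBJECT_GROUPS, _path=()):
    """Flatten a group into its leaf members, following group-object nesting.
    Raises ValueError if a group is reached again on the same path (a loop) or
    if a group of another type is nested."""
    if group_id in _path:
        raise ValueError("object-group nesting loop: " + " -> ".join(_path + (group_id,)))
    if group_id not in groups:
        raise KeyError(f"object-group {group_id} is not defined")
    kind, members = groups[group_id]
    leaves = []
    for member in members:
        if member.startswith("group-object "):
            nested = member.split()[1]
            leaves.extend(resolve(nested, groups, _path + (group_id,)))
            if groups[nested][0] != kind:
                raise ValueError(f"{nested} is a {groups[nested][0]} group; "
                                 f"it cannot be nested in {kind} group {group_id}")
        else:
            leaves.append(member)
    return leaves


def expand_ace(action, proto, src_grp, dst_grp, svc_grp, groups=OBJECT_GROUPS):
    """Return the individual entries that
    'access-list X action proto object-group SRC object-group DST object-group SVC'
    stands for: one entry per (source, destination, port) combination."""
    return [f"{action} {proto} {s} {d} {p}"
            for s, d, p in product(resolve(src_grp, groups),
                                   resolve(dst_grp, groups),
                                   resolve(svc_grp, groups))]


def inbound_entries():
    """The INBOUND entry from the example, expanded."""
    return expand_ace("permit", "tcp", "REMOTES", "ALLLOCALS", "BASIC")


def nesting_loop_is_rejected():
    """Constructed check: a group that indirectly contains itself is refused
    instead of being expanded forever."""
    looped = {"A": ("network", ["group-object B"]),
              "B": ("network", ["group-object A"])}
    try:
        resolve("A", looped)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for entry in inbound_entries():
        print(entry)
    print(len(inbound_entries()), "individual entries from one object-group ACE")
```

The one INBOUND line stands for 16 entries (2 remote hosts x 4 local hosts x 2 ports), which is why a handful of object-group lines can turn into a long ACL once the groups grow; checking the expansion before binding the list with access-group shows exactly which host and port pairs are being opened.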
Display Configured Object Groups
pixfirewall(config)#
show object-group [protocol | service | icmp-type | network]
• Displays object groups in the configuration.
pixfirewall(config)#
no object-group protocol | network | icmp-type grp_id
• Removes a specific protocol, network, or icmp-type object group.
pixfirewall(config)#
clear object-group [protocol | service | icmp-type | network]
• Removes all object groups, or all object groups of a specific type.