For review only. Please do not distribute

DRAFT May 2003. All rights reserved.

© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0
Module 10

PIX Firewall ACLs

Learning Objectives
Upon completion of this chapter, the student will be able to
perform the following tasks:

• Configure and explain the function of ACLs.
• Convert conduits to ACLs.
• Configure and explain the function of Turbo ACLs.
• Configure and explain the function of NAT 0 ACLs.
• Configure active code filtering (ActiveX and Java applets).
• Configure the PIX Firewall for URL filtering.
• Configure the PIX Firewall for long URL filtering.
• Describe the PIX Firewall’s object grouping feature and its
advantages.
• Configure object groups.
• Configure nested object groups.
• Use object groups in ACLs.
Overview

This module focuses on access lists and how the PIX Firewall handles them. The first part of the module covers configuring both standard and Turbo ACLs, the differences between ACLs and conduits, and how and when to use ACLs in different network environments. With that foundation in place, the module discusses applet filtering and URL filtering. Finally, it introduces object grouping, which collects hosts, networks, services, protocols and ICMP message types into object groups and nested object groups that ACLs can reference.
Key terms

• Java
• Active X
• URL Filtering
• Object Groups
• Nested Object Groups

Access Control Lists and the PIX

Access Control List (ACL)

• An ACL enables you to determine what traffic will be allowed or denied through the PIX Firewall.
• ACLs are applied per interface (traffic is analyzed inbound relative to an interface).
• The access-list and access-group commands are used to create an ACL and bind it to an interface.
• The access-list and access-group commands are an alternative to the conduit command.

ACL Usage Guidelines

• Higher to lower security level:
– Use an ACL to restrict outbound traffic.
– The ACL source address is the actual
(un-translated) address of the host or network.
• Lower to higher security level:
– Use an ACL to restrict inbound traffic.
– The ACL destination address is the translated
global IP address.

access-list Command

pixfirewall(config)#
access-list acl_ID deny | permit protocol source_addr source_mask [operator port [port]] destination_addr destination_mask [operator port [port]]
• Enables you to create an ACL.

pixfirewall(config)# access-list DMZ1 deny tcp 192.168.1.0 255.255.255.0 host 192.168.0.1 lt 1024
• Denies access from the 192.168.1.0 network to TCP ports less
than 1024 on host 192.168.0.1.

access-group Command

pixfirewall(config)#
access-group acl_ID in interface
interface_name
• Binds an ACL to an interface.

pixfirewall(config)# access-group
DMZ1 in interface dmz
• Binds ACL DMZ1 to interface dmz.

nat 0 access-list Command

pixfirewall(config)#
nat [(if_name)] 0 access-list acl_name [outside]
• Enables you to exempt traffic that is matched by an
access-list command statement from NAT.

pixfirewall(config)# access-list NONAT permit ip host 10.0.0.11 host 10.2.1.3
pixfirewall(config)# nat (inside) 0 access-list NONAT

Turbo ACLs

[Figure: Regular ACL processing shows ACL A as a list of Entry 1, Entry 2, Entry 3 ... Entry N searched in order; Turbo ACL processing shows ACL A compiled into a data table of indexed ACL entry bit maps that is looked up by packet header value.]

Regular ACL processing:
• ACLs organized internally as linked lists.
• Linear search to find matching entry to deny or permit packet.
• Increased search time when ACL A contains a large number of elements, which leads to performance degradation.

Turbo ACL processing:
• ACLs compiled into sets of lookup data tables.
• Improved search time for large ACLs.
• Requires a minimum of 2.1 MB of memory.

Turbo ACL

pixfirewall(config)#
access-list compiled
• Enables the Turbo ACL feature on all
ACLs.
• Turbo compiles all ACLs with 19 or
more entries.

pixfirewall(config)#
access-list acl_ID compiled
• Enables the Turbo ACL feature for a
specific ACL.
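The following Python is an added example, not course material and not Cisco's implementation: a simplified model of why a compiled lookup returns the same entry as the linear search the previous slide describes. Each header field gets a table that maps a field value to a bit map of the ACL entries matching it; AND-ing the bit maps leaves the entries matching the whole packet, and the lowest set bit is the entry the linear walk would have reached first. The 21-entry ACL and the packets are constructed for the example, and the address tables are scanned over distinct prefixes rather than indexed, which is a simplification of what a real compiled table does.

```python
import ipaddress

TURBO_MIN_ENTRIES = 19   # the module: 'access-list compiled' compiles ACLs with 19 or more entries
ANY = (0, 0)             # network 0.0.0.0 mask 0.0.0.0

# ACE = (action, protocol, (src_net, src_mask), (dst_net, dst_mask), dst_port or None)
# packet = (protocol, src_ip, dst_ip, dst_port), addresses as integers

def ip(s):
    return int(ipaddress.IPv4Address(s))

def in_net(addr, net):
    return (addr & net[1]) == net[0]

def linear_lookup(aces, pkt):
    """Regular processing: walk the list and stop at the first matching entry."""
    proto, src, dst, port = pkt
    for i, (action, p, s, d, dport) in enumerate(aces):
        if p in ("ip", proto) and in_net(src, s) and in_net(dst, d) and dport in (None, port):
            return i, action
    return None, "deny"            # implicit deny at the end of every ACL

class TurboAcl:
    """Per-field tables: field value -> bit map of the entries that match that value."""

    def __init__(self, aces):
        self.aces = aces
        self.proto, self.src, self.dst, self.port = {}, {}, {}, {}
        self.proto_any = self.port_any = 0      # entries matching every protocol / every port
        for i, (_, p, s, d, dport) in enumerate(aces):
            bit = 1 << i
            if p == "ip":
                self.proto_any |= bit
            else:
                self.proto[p] = self.proto.get(p, 0) | bit
            self.src[s] = self.src.get(s, 0) | bit
            self.dst[d] = self.dst.get(d, 0) | bit
            if dport is None:
                self.port_any |= bit
            else:
                self.port[dport] = self.port.get(dport, 0) | bit

    @staticmethod
    def _addr_bits(table, addr):
        # One pass over the distinct prefixes; a real implementation indexes these as well.
        bits = 0
        for net, b in table.items():
            if in_net(addr, net):
                bits |= b
        return bits

    def lookup(self, pkt):
        proto, src, dst, port = pkt
        bits = self.proto_any | self.proto.get(proto, 0)
        bits &= self._addr_bits(self.src, src)
        bits &= self._addr_bits(self.dst, dst)
        bits &= self.port_any | self.port.get(port, 0)
        if not bits:
            return None, "deny"
        i = (bits & -bits).bit_length() - 1      # lowest set bit = earliest matching entry
        return i, self.aces[i][0]

def sample_acl():
    """Constructed 21-entry ACL: two permitted services per inside host, then an explicit deny."""
    aces = []
    for n in range(1, 11):
        host = (ip(f"10.0.0.{n}"), 0xFFFFFFFF)
        aces.append(("permit", "tcp", host, ANY, 80))
        aces.append(("permit", "tcp", host, ANY, 25))
    aces.append(("deny", "tcp", (ip("10.0.0.0"), ip("255.255.255.0")), ANY, None))
    return aces

SAMPLE_PACKETS = [   # constructed test traffic
    ("tcp", ip("10.0.0.3"), ip("192.168.0.5"), 25),    # entry 5, permit
    ("tcp", ip("10.0.0.5"), ip("192.168.0.5"), 80),    # entry 8, permit
    ("tcp", ip("10.0.0.3"), ip("192.168.0.5"), 443),   # entry 20, explicit deny
    ("udp", ip("10.0.0.3"), ip("192.168.0.5"), 53),    # no entry, implicit deny
]

def agrees(aces, pkts):
    """True when the compiled lookup gives the same entry and action as the linear search."""
    turbo = TurboAcl(aces)
    return all(turbo.lookup(p) == linear_lookup(aces, p) for p in pkts)

if __name__ == "__main__":
    acl = sample_acl()
    print("eligible for compilation:", len(acl) >= TURBO_MIN_ENTRIES)
    print("compiled lookup agrees with linear search:", agrees(acl, SAMPLE_PACKETS))
```

The bit-map intersection is what lets the lookup cost depend on the number of distinct field values rather than on the number of entries, which is the performance point the slide makes; the equality check against the linear search is the property any such compilation must preserve.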

Converting Conduits to ACLs

ACLs Versus Conduits

Beware of the Difference in the
Behaviors of Conduits and ACLs
• The PIX Firewall configuration pertaining to the Partnernet contains:
– A NAT and a global pool for
the Partnernet.
– Statics for the FTP server
and mail server.
– A conduit permitting
access to the FTP server
from the Partnernet.
– An ACL on the Partnernet
interface permitting access
to the mail server.
• The action specified for both
the conduit and the ACL is
permit, but the configuration is
not working as planned. Why?

The Incorrect Configuration

pixfirewall(config)# nat (partnernet) 1 0 0
pixfirewall(config)# global (outside) 1 192.168.0.20-192.168.0.254 netmask 255.255.255.0
pixfirewall(config)# static (inside,partnernet) 172.18.0.10 10.0.0.3 netmask 255.255.255.255
pixfirewall(config)# static (inside,partnernet) 172.18.0.12 10.0.0.4 netmask 255.255.255.255
pixfirewall(config)# conduit permit tcp host 172.18.0.10 eq ftp any
pixfirewall(config)# access-list 102 permit tcp 172.18.0.0 255.255.255.0 host 172.18.0.12 eq smtp
pixfirewall(config)# access-group 102 in interface partnernet

• Due to the ACL bound to the Partnernet interface:
– Users on the Partnernet are unable to access the internal FTP server.
– Users on the Partnernet are unable to access the Internet.
– Users on the Partnernet are only able to access the internal mail server.
Convert Conduits to ACLs

pixfirewall(config)#
conduit permit | deny protocol global_ip global_mask [operator port [port]] foreign_ip foreign_mask [operator port [port]]

pixfirewall(config)#
access-list acl_ID deny | permit protocol source_addr source_mask [operator port [port]] destination_addr destination_mask [operator port [port]]

pixfirewall(config)# conduit permit tcp host 172.18.0.10 eq ftp 172.18.0.0 255.255.255.0

pixfirewall(config)# access-list 102 permit tcp 172.18.0.0 255.255.255.0 host 172.18.0.10 eq ftp

global_ip = destination_addr
foreign_ip = source_addr

ACLs in Action

• Conduits are converted to ACLs.
• The user is able to access the internal FTP server and the internal mail server.
• Although she is unable to access hosts on the inside network via HTTP, she is able to access hosts on the Internet via HTTP.
• All other traffic originating from the Partnernet is denied.

[Figure: browser screenshot, http://172.26.26.50 ... Connecting to 172.26.26.50]

The Correct Configuration

pixfirewall(config)# nat (partnernet) 1 0 0
pixfirewall(config)# global (outside) 1 192.168.0.20-192.168.0.254 netmask 255.255.255.0
pixfirewall(config)# static (inside,partnernet) 172.18.0.10 10.0.0.3 netmask 255.255.255.255
pixfirewall(config)# static (inside,partnernet) 172.18.0.12 10.0.0.4 netmask 255.255.255.255
pixfirewall(config)# access-list 102 permit tcp 172.18.0.0 255.255.255.0 host 172.18.0.10 eq ftp
pixfirewall(config)# access-list 102 permit tcp 172.18.0.0 255.255.255.0 host 172.18.0.12 eq smtp
pixfirewall(config)# access-list 102 deny tcp 172.18.0.0 255.255.255.0 10.0.0.0 255.255.255.0 eq www
pixfirewall(config)# access-list 102 permit tcp 172.18.0.0 255.255.255.0 any eq www
pixfirewall(config)# access-group 102 in interface partnernet

• Users on the Partnernet are able to access the Internet, the internal FTP server, and the internal mail server.
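To make the Partnernet lesson concrete, the following Python is an added example that is not part of the course material: it models PIX access-list evaluation (entries tested in order, first match decides, implicit deny for everything else) and implements the conduit-to-ACL argument swap from the conversion slide (foreign_ip becomes the source, global_ip the destination). The conduit and ACL lines are the slides' own; the test flows, the Partnernet host 172.18.0.5, the inside host 10.0.0.7 and the Internet host 172.26.26.50 are constructed for the example, and the mail server is addressed by its translated address 172.18.0.12 from the static. The parser covers only the syntax the slides use (any, host, network and mask, eq/lt/gt/neq/range).

```python
import ipaddress

PORTS = {"ftp": 21, "smtp": 25, "www": 80, "http": 80, "https": 443}
OPS = ("eq", "lt", "gt", "neq", "range")

def _portnum(tok):
    return int(tok) if tok.isdigit() else PORTS[tok]

def _addr_end(t, i):
    """Index just past one address spec: 'any' | 'host A' | 'NET MASK'."""
    return i + 1 if t[i] == "any" else i + 2

def _port_end(t, i):
    """Index just past an optional 'operator port [port]'."""
    if i >= len(t) or t[i] not in OPS:
        return i
    return i + 3 if t[i] == "range" else i + 2

def conduit_to_acl(conduit, acl_id):
    """conduit permit|deny proto global_ip global_mask [op port] foreign_ip foreign_mask [op port]
    becomes access-list acl_ID permit|deny proto foreign(=source) [op port] global(=destination) [op port]."""
    t = conduit.split()
    assert t[0] == "conduit"
    g_end = _addr_end(t, 3)           # global_ip global_mask
    gp_end = _port_end(t, g_end)      # port on the global (protected) side
    f_end = _addr_end(t, gp_end)      # foreign_ip foreign_mask
    fp_end = _port_end(t, f_end)      # port on the foreign (initiating) side
    return " ".join(["access-list", acl_id, t[1], t[2], *t[gp_end:fp_end], *t[3:gp_end]])

def _net(t, i):
    if t[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if t[i] == "host":
        return ipaddress.IPv4Network(t[i + 1] + "/32")
    return ipaddress.IPv4Network((t[i], t[i + 1]), strict=False)

def _port_pred(t, i, j):
    """Predicate for the operator tokens t[i:j]; an empty slice matches every port."""
    if i == j:
        return lambda p: True
    op, a = t[i], _portnum(t[i + 1])
    if op == "range":
        b = _portnum(t[i + 2])
        return lambda p: a <= p <= b
    return {"eq": lambda p: p == a, "lt": lambda p: p < a,
            "gt": lambda p: p > a, "neq": lambda p: p != a}[op]

def parse_ace(line):
    """Parse one 'access-list acl_ID action protocol source [op port] destination [op port]' line."""
    t = line.split()
    assert t[0] == "access-list"
    s_end = _addr_end(t, 4)
    sp_end = _port_end(t, s_end)
    d_end = _addr_end(t, sp_end)
    dp_end = _port_end(t, d_end)
    return {"acl": t[1], "action": t[2], "proto": t[3],
            "src": _net(t, 4), "sport": _port_pred(t, s_end, sp_end),
            "dst": _net(t, sp_end), "dport": _port_pred(t, d_end, dp_end)}

def evaluate(aces, proto, src, dst, dport, sport=40000):
    """First matching entry decides; traffic matching nothing hits the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in aces:
        if (ace["proto"] in ("ip", proto) and s in ace["src"] and d in ace["dst"]
                and ace["sport"](sport) and ace["dport"](dport)):
            return ace["action"]
    return "deny"

# Partnernet scenario: the conduit and ACL lines are the slides' own.
CONDUIT = "conduit permit tcp host 172.18.0.10 eq ftp 172.18.0.0 255.255.255.0"
SMTP_ACE = "access-list 102 permit tcp 172.18.0.0 255.255.255.0 host 172.18.0.12 eq smtp"

# Once ACL 102 is bound to partnernet it decides that interface's traffic, so the
# conduit no longer admits FTP (the slide's result); only the SMTP entry counts.
INCORRECT = [SMTP_ACE]
CORRECT = [
    conduit_to_acl(CONDUIT, "102"),
    SMTP_ACE,
    "access-list 102 deny tcp 172.18.0.0 255.255.255.0 10.0.0.0 255.255.255.0 eq www",
    "access-list 102 permit tcp 172.18.0.0 255.255.255.0 any eq www",
]

FLOWS = {   # constructed: name -> (protocol, source, destination as seen on partnernet, port)
    "ftp": ("tcp", "172.18.0.5", "172.18.0.10", 21),
    "smtp": ("tcp", "172.18.0.5", "172.18.0.12", 25),
    "http-inside": ("tcp", "172.18.0.5", "10.0.0.7", 80),
    "http-internet": ("tcp", "172.18.0.5", "172.26.26.50", 80),
}

def decisions(acl_lines):
    aces = [parse_ace(line) for line in acl_lines]
    return {name: evaluate(aces, *flow) for name, flow in FLOWS.items()}

if __name__ == "__main__":
    print(conduit_to_acl(CONDUIT, "102"))
    print("incorrect:", decisions(INCORRECT))
    print("correct:  ", decisions(CORRECT))
```

Running it shows the incorrect configuration permitting only SMTP and the corrected one permitting FTP, SMTP and Internet HTTP while still denying HTTP to the inside network; the order of the two www entries matters, because the deny must precede the permit to any.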
Using ACLs

Deny Web Access
to the Internet

pixfirewall(config)# write terminal
...
nameif ethernet0 outside sec0
nameif ethernet1 inside sec100
access-list acl_out deny tcp any any eq www
access-list acl_out permit ip any any
access-group acl_out in interface inside
nat (inside) 1 10.0.0.0 255.255.255.0
global (outside) 1 192.168.0.20-192.168.0.254 netmask 255.255.255.0
...
• Denies web traffic on port 80 from the inside network to the Internet.
• Permits all other IP traffic from the inside network to the Internet.
Permit Web Access to the DMZ

pixfirewall(config)# write terminal
...
nameif ethernet0 outside sec0
nameif ethernet1 inside sec100
nameif ethernet2 dmz sec50
ip address outside 192.168.0.2 255.255.255.0
ip address inside 10.0.0.1 255.255.255.0
ip address dmz 172.16.0.1 255.255.255.0
static (dmz,outside) 192.168.0.11 172.16.0.2
access-list acl_in_dmz permit tcp any host 192.168.0.11 eq www
access-list acl_in_dmz deny ip any any
access-group acl_in_dmz in interface outside
...
• The ACL acl_in_dmz permits web traffic on port
80 from the Internet to the DMZ web server.
• The ACL acl_in_dmz denies all other IP traffic
from the Internet.

Partner Web Access to DMZ and
DMZ Access to Internal Mail

pixfirewall(config)# write terminal
...
nameif ethernet0 outside sec0
nameif ethernet1 inside sec100
nameif ethernet2 dmz sec50
nameif ethernet3 partnernet sec40
static (dmz,partnernet) 172.18.0.17 172.16.0.2
static (inside,dmz) 172.16.0.11 10.0.0.4
access-list acl_partner permit tcp 172.18.0.0 255.255.255.240 host 172.18.0.17 eq www
access-group acl_partner in interface partnernet
access-list acl_dmz_in permit tcp host 172.16.0.4 host 172.16.0.11 eq smtp
access-group acl_dmz_in in interface dmz
...

• The ACL acl_partner permits web traffic from the partner subnet 172.18.0.0/28 to the DMZ intranet web server.
• The ACL acl_dmz_in permits host 172.16.0.4 mail
access to 10.0.0.4.

VPN Solution—Dual DMZ
and VPN Concentrator

pixfirewall(config)# write terminal
...
static (dmz,outside) 192.168.0.12 172.16.0.5 netmask 255.255.255.255 0 0
static (inside,dmz2) 10.0.21.0 10.0.0.0 netmask 255.255.255.0
route dmz2 10.0.21.0 255.255.255.0 172.18.0.5 1
access-list IPSEC permit tcp any host 192.168.0.12 eq 443
access-list IPSEC permit esp any host 192.168.0.12
access-list IPSEC permit udp any host 192.168.0.12 eq isakmp
access-group IPSEC in interface outside
access-list WEB permit tcp 10.0.21.32 255.255.255.224 10.0.21.0 255.255.255.0 eq www
access-group WEB in interface dmz2

Reviewer note (rvogt): WEB access list should have host 10.0.0.10 as destination address.

icmp Command

pixfirewall(config)#
icmp permit | deny src_addr src_mask [icmp-type] if_name
• Enables or disables pinging to an interface.

pixfirewall(config)# icmp deny any echo-reply outside
pixfirewall(config)# icmp permit any unreachable outside
• All ping requests are denied at the outside interface, and all 
unreachable messages are permitted at the outside interface.

Filtering

Java Applet Filtering

• Java applet filtering enables an administrator to prevent the downloading of Java applets by an inside system.
• Java programs can provide a
vehicle through which an
inside system can be
invaded.
• Java applets are executable
programs that are banned
within some security
policies.

ActiveX Blocking

• ActiveX controls are applets that can be inserted in web pages or other applications.
• ActiveX controls can provide a way for someone
to attack servers.
• The PIX Firewall can be used to block ActiveX
controls.

filter activex | java Command

pixfirewall(config)#
filter activex | java port [-port]
local_ip mask foreign_ip mask
• Filters out ActiveX usage from outbound
packets.
• Filters out Java applets that return to the
PIX Firewall from an outbound connection.

ActiveX filter Command

• Specifies that the ActiveX blocking applies to web traffic on port 80 from any local host and for connections to any foreign host.

pixfirewall(config)# filter activex 80 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0

or

pixfirewall(config)# filter activex 80 0 0 0 0
Configure URL Filtering

pixfirewall(config)# url-server (dmz) host 172.16.0.3 timeout 10 protocol TCP version 4
pixfirewall(config)# filter url http 0 0 0 0 allow

Designate the URL-Filtering Server
pixfirewall(config)#
url-server [(if_name)] [vendor websense] host local_ip [timeout seconds] [protocol TCP | UDP version [1 | 4]]
• Designates a server that runs a Websense URL-filtering application.

pixfirewall(config)#
url-server [(if_name)] vendor n2h2 host local_ip [port number] [timeout seconds] [protocol TCP | UDP]
• Designates a server that runs an N2H2 URL-filtering application.

pixfirewall(config)# url-server (dmz) host 172.16.0.3 protocol TCP version 4
• The URL-filtering host is on the DMZ interface at IP address
172.16.0.3. The PIX Firewall performs a username lookup and then
the URL-filtering server handles URL filtering and username
logging.
Configure the PIX Firewall to Work
with a URL-Filtering Server

pixfirewall(config)#
filter url port[-port] | except local_ip local_mask foreign_ip foreign_mask [allow] [proxy-block] [longurl-truncate | longurl-deny] [cgi-truncate]
• Prevents outbound users from accessing URLs that are designated
with the URL-filtering application.

pixfirewall(config)# filter url http 0 0 0 0 allow
• Sends all outbound HTTP requests, from any local host to any foreign host, to the URL-filtering server for a decision; the allow keyword lets requests pass unfiltered if the server is unavailable.

Long URL Filtering

pixfirewall(config)#
url-block url-size long_url_size
• Enables you to increase the maximum allowable length (in KB) of a single URL.

pixfirewall(config)#
url-block url-mempool memory_pool_size
• Enables you to configure the maximum memory available for buffering long
URLs and pending URLs.

pixfirewall(config)# url-server (inside) vendor Websense host 10.0.0.30 timeout 5 protocol TCP version 1
pixfirewall(config)# filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 longurl-truncate cgi-truncate
pixfirewall(config)# url-block url-mempool 1500
pixfirewall(config)# url-block url-size 4
Object Grouping

Grouping Objects
of Similar Types

• Services: SMTP and FTP, grouped as MYSERVICES.
• Protocols: UDP and IPSec, grouped as MYPROTOCOLS.
• Networks/Hosts: subnet 10.0.0.0/11, 10.0.1.11 and 10.0.2.11, grouped as MYCLIENTS.
Using Object
Groups in ACLs
pixfirewall(config)# access-list ACLOUT permit tcp 10.0.0.0 255.255.255.0 host 172.26.26.50
pixfirewall(config)# access-list ACLOUT permit icmp 10.0.0.0 255.255.255.0 host 172.26.26.50
pixfirewall(config)# access-list ACLOUT permit tcp 10.0.0.0 255.255.255.0 host 172.26.26.51
pixfirewall(config)# access-list ACLOUT permit icmp 10.0.0.0 255.255.255.0 host 172.26.26.51
pixfirewall(config)# access-list ACLOUT permit tcp host 10.0.1.11 host 172.26.26.50
pixfirewall(config)# access-list ACLOUT permit icmp host 10.0.1.11 host 172.26.26.50
pixfirewall(config)# access-list ACLOUT permit tcp host 10.0.1.11 host 172.26.26.51
pixfirewall(config)# access-list ACLOUT permit icmp host 10.0.1.11 host 172.26.26.51
pixfirewall(config)# access-list ACLOUT permit tcp host 10.0.2.11 host 172.26.26.50
pixfirewall(config)# access-list ACLOUT permit icmp host 10.0.2.11 host 172.26.26.50
pixfirewall(config)# access-list ACLOUT permit tcp host 10.0.2.11 host 172.26.26.51
pixfirewall(config)# access-list ACLOUT permit icmp host 10.0.2.11 host 172.26.26.51

pixfirewall(config)# access-list ACLOUT permit object-group MYPROTOCOLS object-group CLIENTS object-group SERVERS

Configuring and Using
Object Groups

Complete the following tasks to create object groups and use them in your configuration:

• Task 1—Use the object-group command to enter the appropriate subcommand mode for the type of group you want to configure.
• Task 2—In subcommand mode, define the members of the
object group.
• Task 3—(Optional.) Use the description sub-command to
describe the object group.
• Task 4—Use the exit or quit command to return to configuration
mode.
• Task 5—(Optional.) Use the show object-group command to
verify that the object group has been configured successfully.
• Task 6—Apply the access-list command to the object group.
• Task 7—(Optional.) Use the show access-list command to
display the expanded access-list entries.
object-group Command
pixfirewall(config)#
object-group network grp_id

• Assigns a name to a Network group and enables the Network subcommand mode.
pixfirewall(config)#
object-group service grp_id tcp | udp | tcp-udp
• Assigns a name to a Service group and enables the Service subcommand mode.

pixfirewall(config)#
object-group protocol grp_id
• Assigns a name to a Protocol group and enables the Protocol subcommand mode.

pixfirewall(config)#
object-group icmp-type grp_id
• Assigns a name to an ICMP-type group and enables the ICMP-type subcommand mode.

pixfirewall(config)# object-group network CLIENTS
• Assigns the name CLIENTS to a Network group and enables the Network subcommand mode.
Configuring Network
Object Groups
pixfirewall(config)#
object-group network grp_id

• Assigns a name to the group and enables the Network sub-command mode.

pixfirewall(config-network)#
network-object host host_addr | host_name
• Assigns hosts to the Network object group.

pixfirewall(config-network)#
network-object net_addr netmask
• Assigns networks to the Network object group.

pixfirewall(config)# object-group network CLIENTS
pixfirewall(config-network)# network-object host 10.0.1.11
pixfirewall(config-network)# network-object host 10.0.2.11
pixfirewall(config-network)# network-object 10.0.0.0 255.255.255.0
• Creates a Network object group named CLIENTS which consists of host 10.0.1.11, host 10.0.2.11, and network 10.0.0.0/24.
Configuring Service
Object Groups
pixfirewall(config)#
object-group service grp_id tcp | udp | tcp-udp

• Assigns a name to a Service group and enables the Service sub-command mode.

pixfirewall(config-service)#
port-object eq service
• Assigns a single TCP or UDP port number to the Service object group.

pixfirewall(config-service)#
port-object range begin_service end_service
• Assigns a range of TCP or UDP port numbers to the Service object group.

pixfirewall(config)# object-group service MYSERVICES tcp
pixfirewall(config-service)# port-object eq http
pixfirewall(config-service)# port-object eq ftp
• Creates a Service group named MYSERVICES, which contains HTTP and FTP.
Configuring Protocol
Object Groups

pixfirewall(config)#
object-group protocol grp_id

• Assigns a name to a Protocol group and enables the Protocol sub-command mode.

pixfirewall(config-protocol)#
protocol-object protocol
• Assigns a protocol to the Protocol object group.

pixfirewall(config)# object-group protocol MYPROTOCOLS
pixfirewall(config-protocol)# protocol-object icmp
pixfirewall(config-protocol)# protocol-object tcp
• Creates a Protocol group named MYPROTOCOLS, which contains ICMP and
TCP.

Configuring ICMP-Type
Object Groups

pixfirewall(config)#
object-group icmp-type grp_id

• Assigns a name to an ICMP-Type group and enables the icmp-type sub-command mode.

pixfirewall(config-icmp-type)#
icmp-object icmp-type
• Assigns an ICMP message type to the object group.

pixfirewall(config)# object-group icmp-type PING
pixfirewall(config-icmp-type)# icmp-object echo
pixfirewall(config-icmp-type)# icmp-object echo-reply
• Creates an ICMP-Type group named PING which contains echo and
echo-reply message types.

Nested Object Groups

Configuring Nested
Object Groups

Complete the following steps to configure nested object groups:

• Step 1—Assign a group identity to the object group that you want to nest within another object group.
• Step 2—Add the appropriate type of objects to the object
group.
• Step 3—Assign a group identity to the object group within
which you want to nest another object group.
• Step 4—Add the first object group to the group that will
contain it.
• Step 5—Add any other objects that are required to the
group.

group-object Command

pixfirewall(config-group-type)#
group-object object_group_id
• Nests an object group within another object group.

pixfirewall(config)# object-group service SERVICESA tcp
pixfirewall(config-service)# port-object eq smtp
pixfirewall(config-service)# port-object eq ftp
pixfirewall(config-service)# exit
pixfirewall(config)# object-group service SERVICES tcp
pixfirewall(config-service)# group-object SERVICESA

access-list Command
for Object Grouping
Reviewer note (rvogt): Discussion here, need to clarify slide.

pixfirewall(config)#
access-list acl_ID deny | permit object-group protocol_obj_grp_id object-group network_obj_grp_id [object-group service_obj_grp_id] object-group network_obj_grp_id [object-group service_obj_grp_id]
• Creates an access list whose protocol, source, destination and services are taken from object groups.

pixfirewall(config)# access-list ACLIN permit tcp object-group REMOTECLIENTS object-group LOCALSERVERS object-group MYSERVICES

Nested Object Group Example

pixfirewall(config)# object-group network HOSTGROUP1
pixfirewall(config-network)# network-object host 10.0.0.11
pixfirewall(config-network)# network-object host 10.0.0.12
pixfirewall(config-network)# exit
pixfirewall(config)# object-group network HOSTGROUP2
pixfirewall(config-network)# network-object host 10.0.0.13
pixfirewall(config-network)# network-object host 10.0.0.14
pixfirewall(config-network)# exit
pixfirewall(config)# object-group network ALLHOSTS
pixfirewall(config-network)# group-object HOSTGROUP1
pixfirewall(config-network)# group-object HOSTGROUP2
pixfirewall(config-network)# exit
pixfirewall(config)# access-list ALL permit tcp object-group ALLHOSTS any eq ftp
pixfirewall(config)# access-group ALL in interface inside
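As an added example (not the course's or Cisco's code), the following Python expands the object-group references in an access-list line into the individual entries that show access-list would display, following nested group-object references and refusing nesting cycles. It serves both this nested example and the earlier ACLOUT slide: the definitions of HOSTGROUP1, HOSTGROUP2, ALLHOSTS, MYPROTOCOLS and CLIENTS are the module's; SERVERS is constructed here from the two server hosts the twelve expanded ACLOUT entries name, since the slide does not define it.

```python
from itertools import product

MEMBER_KEYWORDS = ("network-object", "port-object", "protocol-object", "icmp-object")

def load_groups(config_lines):
    """Build {group_name: [("object", text) | ("group", name)]} from object-group commands."""
    groups, members = {}, None
    for line in config_lines:
        t = line.split()
        if t[0] == "object-group":          # object-group <type> <name> [tcp|udp|tcp-udp]
            members = groups.setdefault(t[2], [])
        elif t[0] == "group-object":        # nested group, resolved at expansion time
            members.append(("group", t[1]))
        elif t[0] in MEMBER_KEYWORDS:       # 'host 10.0.0.11', '10.0.0.0 255.255.255.0', 'eq ftp', 'tcp'
            members.append(("object", " ".join(t[1:])))
        elif t[0] != "exit":
            raise ValueError("unexpected line: " + line)
    return groups

def expand_group(groups, name, seen=()):
    """Flatten a group to its leaf objects, following nested groups and rejecting cycles."""
    if name in seen:
        raise ValueError("object-group nesting cycle at " + name)
    leaves = []
    for kind, value in groups[name]:
        leaves.extend(expand_group(groups, value, seen + (name,)) if kind == "group" else [value])
    return leaves

def expand_ace(groups, line):
    """Replace each 'object-group NAME' in an access-list line by every member in turn;
    several groups in one line give the cross product, as show access-list displays it."""
    t, fields, i = line.split(), [], 0
    while i < len(t):
        if t[i] == "object-group":
            fields.append(expand_group(groups, t[i + 1]))
            i += 2
        else:
            fields.append([t[i]])
            i += 1
    return [" ".join(choice) for choice in product(*fields)]

# Nested-group example from the module (commands as typed, without the prompt)
NESTED_CONFIG = [
    "object-group network HOSTGROUP1",
    "network-object host 10.0.0.11",
    "network-object host 10.0.0.12",
    "exit",
    "object-group network HOSTGROUP2",
    "network-object host 10.0.0.13",
    "network-object host 10.0.0.14",
    "exit",
    "object-group network ALLHOSTS",
    "group-object HOSTGROUP1",
    "group-object HOSTGROUP2",
    "exit",
]
NESTED_ACE = "access-list ALL permit tcp object-group ALLHOSTS any eq ftp"

# ACLOUT example: 2 protocols x 3 clients x 2 servers = 12 entries.
# SERVERS is constructed from the hosts the expanded entries name.
ACLOUT_CONFIG = [
    "object-group protocol MYPROTOCOLS",
    "protocol-object icmp",
    "protocol-object tcp",
    "object-group network CLIENTS",
    "network-object 10.0.0.0 255.255.255.0",
    "network-object host 10.0.1.11",
    "network-object host 10.0.2.11",
    "object-group network SERVERS",
    "network-object host 172.26.26.50",
    "network-object host 172.26.26.51",
]
ACLOUT_ACE = "access-list ACLOUT permit object-group MYPROTOCOLS object-group CLIENTS object-group SERVERS"

if __name__ == "__main__":
    for entry in expand_ace(load_groups(NESTED_CONFIG), NESTED_ACE):
        print(entry)
    print(len(expand_ace(load_groups(ACLOUT_CONFIG), ACLOUT_ACE)), "ACLOUT entries")
```

The expansion makes the cost of object grouping visible: one line with three groups becomes twelve entries in the running ACL, which is the count that matters for the Turbo ACL threshold and for memory, even though the configuration stays short.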

Multiple Object Groups in ACLs
pixfirewall(config)# show static
static (inside,outside) 192.168.1.10 10.0.1.11 netmask 255.255.255.255
static (inside,outside) 192.168.1.12 10.0.1.12 netmask 255.255.255.255
static (inside,outside) 192.168.2.10 10.0.2.11 netmask 255.255.255.255
static (inside,outside) 192.168.2.12 10.0.2.12 netmask 255.255.255.255

pixfirewall(config)# show object-group
object-group network REMOTES
network-object host 172.26.26.50
network-object host 172.26.26.51
object-group network LOCALS1
network-object host 192.168.1.10
network-object host 192.168.1.12
object-group network LOCALS2
network-object host 192.168.2.10
network-object host 192.168.2.12
object-group network ALLLOCALS
group-object LOCALS1
group-object LOCALS2
object-group service BASIC
port-object eq ftp
port-object eq smtp

pixfirewall(config)# access-list INBOUND permit tcp object-group REMOTES object-group ALLLOCALS object-group BASIC
Display Configured
Object Groups
pixfirewall(config)#
show object-group [protocol | service | icmp-type | network]
• Displays object groups in the configuration.

pixfirewall(config)# show object-group
object-group network HOSTGROUP1
network-object host 10.0.0.11
network-object host 10.0.0.12
object-group network HOSTGROUP2
network-object host 10.0.0.13
network-object host 10.0.0.14
object-group network ALLHOSTS
group-object HOSTGROUP1
group-object HOSTGROUP2
Removing Configured
Object Groups
pixfirewall(config)#
no object-group service grp_id tcp | udp | tcp-udp

• Removes a specific service object group.

pixfirewall(config)#
no object-group protocol | network | icmp-type grp_id
• Removes a specific protocol, network or icmp-type object group.

pixfirewall(config)#
clear object-group [protocol | service | icmp-type | network]
• Removes all object groups or all object groups of a specific type.

pixfirewall(config)# no object-group network ALLHOSTS
pixfirewall(config)# clear object-group protocol
• Removes object group ALLHOSTS and all Protocol object groups.

Summary

Summary

• ACLs enable you to determine which systems can establish connections through your PIX Firewall.
• Cisco recommends migrating from conduits to ACLs.
• Existing conduits can easily be converted to ACLs.
• Turbo ACLs improve search time for large ACLs.
• With ICMP ACLs, you can disable pinging to a PIX Firewall
interface so that your PIX Firewall cannot be detected on
your network.
• The PIX Firewall can be configured to filter malicious active
codes.
• The PIX Firewall can work with URL-filtering software to
control and monitor Internet activity.

Summary (cont.)

• You can group network objects, services, protocols, and ICMP message types to reduce the number of ACLs required to implement your security policy.
• The main Object Grouping command, the
object-group command, names your object group
and enables a sub-command mode for the type of
object you specify.
• Members of an object group are defined in its
sub-command mode.
• Hierarchical object grouping enables greater
flexibility and modularity for specifying ACLs.
