The previous chapter introduced the use of the conduit command, which allows you to enable traffic initiated from lower security level interfaces to pass through to higher security level interfaces. Originally, the PIX firewall started with the conduit command, but Cisco has introduced the IOS-style ACL into newer PIX images. Cisco recommends doing away with the older conduit commands and prefers the newer ACL commands in their place. Before we jump into the recommended ACL commands for letting traffic in, however, let's explore the conduit command and some of its features.
The conduit Command
The conduit command makes an exception in the ASA to permit or deny specific traffic from lower security level interfaces to pass to higher security level interfaces. Figure 6.1 displays the traffic flow from the outside to the inside interface. The traffic first enters the PIX via the global IP address assigned to the outside interface. Then the conduit entries are checked to verify whether a permit match exists. If a permit match is found, the packet is forwarded to the static mapping statements where the global address is changed to the mapped inside address. Otherwise, if a deny match entry exists, or no match at all exists, the packet is dropped.
Figure 6.1. Traffic flow using a conduit.
As an example, if Peter, who is on the outside, wants to connect to Jack's computer on the inside using Telnet, the following steps must be taken:
Figure 6.2 shows Jack's and Peter's computers for the following command example.
Figure 6.2. Outside traffic connecting to an inside computer.
The following Listing 6.1 allows Peter's computer to connect to Jack's computer:
Listing 6.1 static and conduit Commands
Pixfirewall(config)# static (inside, outside) 169.254.8.11 192.168.1.11 Pixfirewall(config)# Pixfirewall(config)# conduit permit tcp host 169.254.8.11 eq telnet host 10.72.7.9 Pixfirewall(config)# Pixfirewall(config)# exit Pixfirewall# clear xlate
Notice that the conduit command uses the global outside address instead of Jack's real internal address. All filters use the global address because, as traffic enters the PIX firewall, the filters take effect before the static command translates the global address to the real internal address.
The conduit command is very easy to use, but it does have some flaws. You might not have noticed that we didn't attach this command to the outside interfaceor any interface, for that matter. This command is not defined against any single interface; it's applied to all interfaces with lower security levels. The conduit entries are also processed in the order in which you entered them into the system. So, if you entered a permit conduit command and then a deny command below it, the deny entry would never be processed; you would have to drop all the conduit entries and reenter them in the correct order.
A Basic conduit Command
Table 6.1 displays the field descriptions for the following conduit command syntax:
[View full width]
Table 6.1. conduit Command Options
Access Control Lists
The access control list commands are used in just about every Cisco product to provide controlled access across a device or to define groups of addresses. We will talk here about access lists as named or numbered sets of entries that either permit or deny access across the PIX. A single access list can contain several, if not hundreds, of entries using permit or deny statements. These entries test traffic for source and destination address and ports matches. Access lists are created in the global area and can be attached to the desired interface needing control. Because they are created in the global area, a single access list can be attached (also known as grouped ) to several interfaces simultaneously . If a change is made to the access list, all the interfaces using it are affected by that change. Figure 6.3 shows how ACLs filter the flow of traffic.
Figure 6.3. Traffic flow using access lists.
The ACL commands are similar to the commands on the Cisco IOS-based routers. They were introduced to the PIX firewall to provide more control, flexibility, and granularity and to support the standardization of Cisco commands across products. The ACL commands can perform the same functions as the conduit commands for traffic initiated on the outside needing to connect to inside computers. You can also use these commands to deny traffic you want to ensure is never allowed to enter a particular interface.
Configuring the access-list command to allow traffic inside involves three main steps:
Working with the example in Figure 6.2, in which Peter wants to Telnet into Jack's computer, let's look at the syntax involved, only this time using an access list. The syntax to accomplish this task is similar to that of the conduit command, but the access-list (SOURCE) (DESTINATION) parameter ordering is different.
Listing 6.2 enables Peter to access Jack's computer using Telnet.
Listing 6.2 static and access-list Commands
[View full width]
Pixfirewall(config)# static (inside, outside) 169.254.8.11 192.168.1.11 Pixfirewall(config)# access-list Let-Peter-In permit tcp host 10.72.9.7 host 169.254.8.11 eq telnet Pixfirewall(config)# access-group Let-Peter-In in interface outside Pixfirewall(config)# Pixfirewall(config)# exit Pixfirewall# clear xlate
The access-list command in Listing 6.2 creates an access list called Let-Peter-In . The entry made in the list permits Telnet traffic coming from Peter (the source) to Jack's statically mapped global address (the destination). The access-group command attaches the list to the outside interface for all inbound traffic. The access-group command on the PIX can attach access lists only to the incoming traffic, not outgoing traffic as with IOS-based routers.
Access Control List Commands
Before we show you any more examples of access lists, a review of the details of the basic commands is necessary. Table 6.2 displays a list of several commands used to view, create, and delete access lists or access groups.
Table 6.2. ACL- related Commands
The show access-list Command
The show commands enable you to display access list entries and their respective hit counts. The hit count feature is quite useful. As traffic that matches an access list entry travels through an interface, this small counter increments and gives you an indication of how frequently your access list entry is being used. For example, the show access-list command in Listing 6.3 displays access list 100 and reveals that the first entry has been hit seven times, the second entry has been hit only four times, and the third has never been hit.
Listing 6.3 The show access-list Command
pixfirewall# show access-list 100 access-list 100; 3 elements access-list 100 permit ip host 192.168.1.11 host 184.108.40.206 (hitcnt=7) access-list 100 permit ip host 192.168.1.11 host 220.127.116.11 (hitcnt=4) access-list 100 permit ip host 192.168.1.11 host 18.104.22.168 (hitcnt=0)
The show access-group Command
The show access-group command enables you to display all the access lists that are attached in an inward direction on all interfaces.
Listing 6.4 shows that access list 100 is attached to the inbound traffic on the outside interface and access list 1 is attached to the inside interface.
Listing 6.4 The show access-group Command
pixfirewall# show access-group access-group 100 in interface outside access-group 1 in interface inside
The access-list Command
The access-list command creates and deletes access lists and access list entries. An access list can have a single entry or several entries that are processed in the order in which you added them to the list; sometimes the hardest part about working with access lists is ensuring that the entries are in the order you need to provide the desired result. If you put the entries in the wrong order, you'll need to delete the entire list and start again. Note that you can delete single entries from an access list, so this feature can be a little helpful.
When access lists are created, they exist in a global area of the PIX firewall, meaning they can be attached to several interfaces simultaneously if you want. The command format for access-list commands is shown in Listing 6.5, and the access-list options are listed in Table 6.3.
Listing 6.5 access-list Command Syntax
[View full width]
Pixfirewall(config)# [no] access-list id permitdeny protocol source_ip_address source_subnet_mask [operator port] destination_ip_address destination_subnet_mask [operator port]
Table 6.3. access-list Command Options
In Listing 6.6, the access list named 101 is created with three entries.
Listing 6.6 Creating Three Entries in an Access List
Pixfirewall(config)# access-list 101 permit tcp host 10.10.12.37 host 169.254.8.1 eq telnet Pixfirewall(config)# access-list 101 permit tcp host 10.10.12.27 host 169.254.8.1 eq www Pixfirewall(config)# access-list 101 deny ip any any
Listing 6.6 creates an access list with three entries. The first entry states that traffic from source 10.10.12.37 to the destination (global) address of 169.254.8.1 port 23 ( telnet ) is permitted. The second command permits traffic from source 10.10.10.27 to the destination address of 169.254.8.1 port 80 ( www ). The last entry denies any source to any destination.
This example removes only a single entry from the access list named 101 :
Pixfirewall(config)# no access-list 101 deny ip any any
Using the no statement in front of the access-list command without specifying an individual entry allows you to remove the entire list from the system. The following command removes the access list named 101 :
Pixfirewall(config)# no access-list 101
The access-group Command
The access-group command enables you to attach and remove an access list from an interface. Access groups allow you to attach only a single ACL to the inbound direction of the interface. Attaching an ACL to the outbound direction is not an option on the PIX firewalls yet. The command format is as follows, and the command options are shown in Table 6.4:
Pixfirewall(config)# [no] access-group <access-list> in interface <if_name>
Table 6.4. access-group Command Options
Here's how you use the access-group command:
Pixfirewall(config)# Access-group Let-Peter-In in interface outside
In the previous example, the access list named Let-Peter-In is bound to the inbound direction of the outside interface.
The following command deletes an access group binding:
Pixfirewall(config)# No Access-group Let-Peter-In in interface outside
The previous command removes the access list named Let-Peter-In from the outside interface. The access list itself is not deleted; only the link between the interface and the list is removed.
The clear access-list Command
The clear access-list can apply to either a single ACL or all the ACLs in your PIX. So be careful with this command! You might find yourself deleting all your ACLs and looking for that TFTP backup of your configuration you made last year (or hopefully more recently!). You can also use the no access-list command to delete a single access list. The clear access-list command's option is listed in Table 6.5, and its command format is as follows:
Pixfirewall(config)# Clear access-list [access-list]
Table 6.5. The clear access-list Command Option
Here's how you use the clear access-list and no access-list commands:
Pixfirewall(config)# Clear access-list Let-Peter-In
Pixfirewall(config)# no access-list Let-Peter-In
In the previous example, the clear command deletes the access list named Let-Peter-In . The alternative command to delete Let-Peter-In is the no access-list command.
The following demonstrates the clear access-lists command:
Pixfirewall(config)# clear access-list
This command removes all the access lists from the PIX firewall, so use this command with caution.
The clear access-group Command
The clear access-group command allows you to remove all access groups from your PIX firewall. If you want to delete only a single access group entry, you need to use the no access-group command. The command format is as follows:
Pixfirewall(config)# Clear access-group
An Access List Example
Now that you have learned about access lists, let's build a larger system using a three-pronged firewall such as the one in Figure 6.4. In this example, you will configure the entire firewall from the beginning to review the basic six commands. Then you will loosen up the firewall to allow traffic from the outside to access internal Web servers. Lastly, you'll allow Peter and Kristina to access Jack's computer via Telnet.
Figure 6.4. An access list with a three-pronged firewall.
Table 6.6 displays the basic commands needed to configure the firewall.
Table 6.6. The Six Basic Commands
Listing 6.7 uses these six commands to configure the firewall shown previously in Figure 6.4.
Listing 6.7 Using the Six Basic Commands
Pixfirewall(config)# Pixfirewall(config)# name-if e0 outside security0 Pixfirewall(config)# name-if e1 inside security100 Pixfirewall(config)# name-if e2 dmz security50 Pixfirewall(config)# Pixfirewall(config)# interface e0 10baseT Pixfirewall(config)# interface e1 10baseT Pixfirewall(config)# interface e2 10baseT Pixfirewall(config)# Pixfirewall(config)# ip address outside 169.254.8.1 255.255.255.0 Pixfirewall(config)# ip address inside 192.168.1.1 255.255.255.0 Pixfirewall(config)# ip address dmz 172.16.0.1 255.255.0.0 Pixfirewall(config)# Pixfirewall(config)# nat (inside) 1 192.168.1.0 255.255.255.0 Pixfirewall(config)# nat (dmz) 1 172.16.0.0 255.255.0.0 Pixfirewall(config)# Pixfirewall(config)# global (outside) 1 169.254.8.10-169.254.8.253 255.255.255.0 Pixfirewall(config)# Pixfirewall(config)# route outside 0.0.0.0 0.0.0.0 169.254.8.254 1 Pixfirewall(config)#
The sequence of commands in Listing 6.7 performs the following functions:
At this point, your firewall will allow traffic to pass in a single direction from higher security levels to lower security levels and the ASA will allow return traffic back through the PIX.
Now, let's allow traffic initiated from the outside to access the Web server located in the DMZ. We'll also need to allow Peter and Kristina to access Jack's computer using Telnet. The following are the three main steps you need to perform:
Listing 6.8 displays the code used in these three steps.
Listing 6.8 Configuring Traffic to Come In
[View full width]
Pixfirewall(config)# static (dmz, outside) 169.254.8.1 172.16.0.5 Pixfirewall(config)# static (inside, outside) 169.254.8.2 192.168.1.11 Pixfirewall(config)# Pixfirewall(config)# access-list Let-Traffic-In permit tcp any host 169.254.8.1 eq www Pixfirewall(config)# access-list Let-Traffic-In permit tcp host 10.70.1.25 host 169.254.8 .2 eq telnet Pixfirewall(config)# access-list Let-Traffic-In permit tcp host 10.72.7.9 host 169.254.8.2 eq telnet Pixfirewall(config)# Pixfirewall(config)# access-group Let-Traffic-In in interface outside Pixfirewall(config)# Pixfirewall(config)#clear xlate Pixfirewall(config)# Pixfirewall(config)# exit Pixfirewall# write memory Pixfirewall(config)#
Listing 6.8 gives you the ability to allow traffic to the Web server and traffic to Jack's computer if it's from Peter or Kristina. The ACL must be bound to the outside interface, and a static address is used to translate the traffic coming in.