Controlling Traffic Coming In


The previous chapter introduced the use of the conduit command, which allows you to enable traffic initiated from lower security level interfaces to pass through to higher security level interfaces. Originally, the PIX firewall started with the conduit command, but Cisco has introduced the IOS-style ACL into newer PIX images. Cisco recommends doing away with the older conduit commands and prefers the newer ACL commands in their place. Before we jump into the recommended ACL commands for letting traffic in, however, let's explore the conduit command and some of its features.

The conduit Command

The conduit command makes an exception in the ASA to permit or deny specific traffic from lower security level interfaces to pass to higher security level interfaces. Figure 6.1 displays the traffic flow from the outside to the inside interface. The traffic first enters the PIX via the global IP address assigned to the outside interface. Then the conduit entries are checked to verify whether a permit match exists. If a permit match is found, the packet is forwarded to the static mapping statements where the global address is changed to the mapped inside address. Otherwise, if a deny match entry exists, or no match at all exists, the packet is dropped.

Figure 6.1. Traffic flow using a conduit.


Be aware that the conduit command always needs to be paired with a static command. Otherwise, traffic will not be translated through the PIX.


As an example, if Peter, who is on the outside, wants to connect to Jack's computer on the inside using Telnet, the following steps must be taken:

  1. Set up a static command to create a one-to-one mapping for Jack's computer to a global outside address.

  2. Enter a conduit command to allow traffic from Peter's outside computer to connect to the global address that maps to Jack's inside computer.

Figure 6.2 shows Jack's and Peter's computers for the following command example.

Figure 6.2. Outside traffic connecting to an inside computer.


Listing 6.1 allows Peter's computer to connect to Jack's computer:

Listing 6.1 static and conduit Commands
 Pixfirewall(config)# static (inside, outside) 169.254.8.11 192.168.1.11
 Pixfirewall(config)#
 Pixfirewall(config)# conduit permit tcp host 169.254.8.11 eq telnet host 10.72.7.9
 Pixfirewall(config)#
 Pixfirewall(config)# exit
 Pixfirewall# clear xlate

Notice that the conduit command uses the global outside address instead of Jack's real internal address. All filters use the global address because, as traffic enters the PIX firewall, the filters take effect before the static command translates the global address to the real internal address.


The order of the source and destination parameters in the conduit command is reversed compared to the standard access-list command. To illustrate, the commands are ordered as follows:

conduit:

 conduit permit tcp (DESTINATION) (SOURCE)

access-list:

 access-list 101 permit tcp (SOURCE) (DESTINATION)

The conduit command is very easy to use, but it does have some flaws. You might not have noticed that we didn't attach this command to the outside interface, or to any interface for that matter. The command is not defined against any single interface; it applies to all interfaces with lower security levels. The conduit entries are also processed in the order in which you entered them. So, if you entered a permit conduit command and then a deny command below it, the deny entry would never be processed; you would have to drop all the conduit entries and reenter them in the correct order.
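Because Cisco recommends replacing conduit entries with access-list entries, and the only syntactic trap is the reversed source/destination order, the swap can be done mechanically. The following Python script is an added example (not code from the book or from Cisco): it parses a conduit entry in the syntax this chapter shows (host, any, or address plus mask, followed by an optional port clause) and emits the access-list line with the two address specifications exchanged. Support for the neq and range operators and for a trailing ICMP type, and the convert_config helper, are assumptions beyond what the chapter shows; the access list name is whatever you pass in.

```python
"""Rewrite PIX conduit entries as access-list entries.

Added example, not code from the book. The conduit command gives the global
(destination) address first and the foreign (source) address second; the
access-list command takes source first, then destination. This converter
parses the conduit syntax shown in the chapter and emits the access-list
form, so the reversal is done mechanically rather than by hand.
"""
from typing import List, Tuple

# Port operators accepted after an address; 'range' takes two ports (assumption:
# neq and range are included although the chapter only shows eq, lt and gt).
PORT_OPERATORS = {"eq", "neq", "lt", "gt", "range"}


def _take_addr(tokens: List[str], i: int) -> Tuple[List[str], int]:
    """Consume 'host A', 'any', or 'A MASK' from tokens[i:], plus an optional port clause."""
    if i >= len(tokens):
        raise ValueError("missing address")
    want = 1 if tokens[i] == "any" else 2            # 'host A' and 'A MASK' are both two tokens
    spec, i = tokens[i:i + want], i + want
    if len(spec) < want:
        raise ValueError("incomplete address")
    if i < len(tokens) and tokens[i] in PORT_OPERATORS:
        n = 3 if tokens[i] == "range" else 2
        clause = tokens[i:i + n]
        if len(clause) < n:
            raise ValueError(f"incomplete port clause after {tokens[i]}")
        spec, i = spec + clause, i + n
    return spec, i


def conduit_to_acl(conduit_line: str, acl_id: str) -> str:
    """Return the access-list line equivalent to one conduit line."""
    tokens = conduit_line.split()
    if len(tokens) < 4 or tokens[0] != "conduit" or tokens[1] not in ("permit", "deny"):
        raise ValueError(f"not a conduit entry: {conduit_line!r}")
    action, protocol = tokens[1], tokens[2]
    dest, i = _take_addr(tokens, 3)       # global_ip global_mask [operator port [port]]
    src, i = _take_addr(tokens, i)        # foreign_ip foreign_mask [operator port [port]]
    trailing = tokens[i:]                 # an icmp conduit may end with an icmp type
    if trailing and protocol != "icmp":
        raise ValueError(f"unexpected tokens {trailing}")
    # access-list puts SOURCE before DESTINATION; conduit had them the other way round
    return " ".join(["access-list", acl_id, action, protocol] + src + dest + trailing)


def convert_config(lines: List[str], acl_id: str) -> List[str]:
    """Convert every conduit line in a config fragment; other lines pass through unchanged."""
    out = []
    for line in lines:
        stripped = line.strip()
        out.append(conduit_to_acl(stripped, acl_id) if stripped.startswith("conduit ") else line)
    return out


if __name__ == "__main__":
    # The two commands from Listing 6.1, run through the converter
    listing_6_1 = [
        "static (inside, outside) 169.254.8.11 192.168.1.11",
        "conduit permit tcp host 169.254.8.11 eq telnet host 10.72.7.9",
    ]
    for line in convert_config(listing_6_1, "Let-Peter-In"):
        print(line)
```

The converted entry still has to be bound to the outside interface with access-group, which the conduit form never needed; the converter only rewrites the entry itself.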

A Basic conduit Command

Table 6.1 displays the field descriptions for the following conduit command syntax:

 Pixfirewall(config)# [no] conduit permit | deny protocol global_ip global_mask [operator port [port]] foreign_ip foreign_mask [operator port [port]]

Table 6.1. conduit Command Options

 Option                   Function
 permit | deny            Defines whether to allow or disallow the matching traffic.
 protocol                 The transport protocol, such as ip, tcp, udp, or icmp (use ip to match all protocols).
 global_ip global_mask    The global address you specified in the static command, which eventually maps back to the internal address.
 operator port            A comparison operand that lets you define a single port or multiple ports.
 port                     The service you want to permit or deny; for example, port 80 or the keyword www for HTTP traffic.
 foreign_ip foreign_mask  The address of the outside computer trying to go through the PIX, sometimes known as the foreign address.

Access Control Lists

The access control list commands are used in just about every Cisco product to provide controlled access across a device or to define groups of addresses. Here we discuss access lists as named or numbered sets of entries that either permit or deny access across the PIX. A single access list can contain several, if not hundreds, of entries using permit or deny statements. These entries test traffic for matches on source and destination address and port. Access lists are created in the global area and can then be attached to whichever interface needs control. Because they are created in the global area, a single access list can be attached (also known as grouped) to several interfaces simultaneously. If a change is made to the access list, all the interfaces using it are affected by that change. Figure 6.3 shows how ACLs filter the flow of traffic.

Figure 6.3. Traffic flow using access lists.


The ACL commands are similar to the commands on the Cisco IOS-based routers. They were introduced to the PIX firewall to provide more control, flexibility, and granularity and to support the standardization of Cisco commands across products. The ACL commands can perform the same functions as the conduit commands for traffic initiated on the outside needing to connect to inside computers. You can also use these commands to deny traffic you want to ensure is never allowed to enter a particular interface.


If you are using both the access-list command and the conduit command at the same time, the access-list command is processed first. Remember that Cisco strongly prefers the ACL commands, so use them instead of conduit commands whenever you can.

Access list commands on the PIX also differ slightly from the normal IOS commands: the PIX uses a normal subnet mask, not the wildcard mask that IOS routers use.


Configuring the access-list command to allow traffic inside involves three main steps:

  1. Create a static mapping.

  2. Set up the access list.

  3. Attach it to the interface using the access-group command.

Working with the example in Figure 6.2, in which Peter wants to Telnet into Jack's computer, let's look at the syntax involved, only this time using an access list. The syntax to accomplish this task is similar to that of the conduit command, but the access-list (SOURCE) (DESTINATION) parameter ordering is different.

Listing 6.2 enables Peter to access Jack's computer using Telnet.

Listing 6.2 static and access-list Commands
 Pixfirewall(config)# static (inside, outside) 169.254.8.11 192.168.1.11
 Pixfirewall(config)# access-list Let-Peter-In permit tcp host 10.72.9.7 host 169.254.8.11 eq telnet
 Pixfirewall(config)# access-group Let-Peter-In in interface outside
 Pixfirewall(config)#
 Pixfirewall(config)# exit
 Pixfirewall# clear xlate

The access-list command in Listing 6.2 creates an access list called Let-Peter-In . The entry made in the list permits Telnet traffic coming from Peter (the source) to Jack's statically mapped global address (the destination). The access-group command attaches the list to the outside interface for all inbound traffic. The access-group command on the PIX can attach access lists only to the incoming traffic, not outgoing traffic as with IOS-based routers.


If you want to add more entries to an access list (for instance, to allow three computers access to the inside), just create the entries with the same name. The list is processed in top-down order. These commands create a list with three entries:

 access-list 100 permit ip host 192.168.1.11 host 1.1.1.1
 access-list 100 permit ip host 192.168.1.11 host 1.1.1.2
 access-list 100 permit ip host 192.168.1.11 host 1.1.1.3

Access Control List Commands

Before we show you any more examples of access lists, a review of the details of the basic commands is necessary. Table 6.2 displays a list of several commands used to view, create, and delete access lists or access groups.

Table 6.2. ACL-related Commands

 Command             Description
 show access-list    Displays either all the access lists or a single access list
 show access-group   Displays access groups
 access-list         Creates, appends to, or deletes an access list
 access-group        Attaches an access list to an interface or removes it from one
 clear access-list   Deletes either all the access lists or a single list
 clear access-group  Deletes either all the access groups or a single group

The show access-list Command

The show commands enable you to display access list entries and their respective hit counts. The hit count feature is quite useful. As traffic that matches an access list entry travels through an interface, this small counter increments and gives you an indication of how frequently your access list entry is being used. For example, the show access-list command in Listing 6.3 displays access list 100 and reveals that the first entry has been hit seven times, the second entry has been hit only four times, and the third has never been hit.

Listing 6.3 The show access-list Command
 pixfirewall# show access-list 100
 access-list 100; 3 elements
 access-list 100 permit ip host 192.168.1.11 host 1.1.1.1 (hitcnt=7)
 access-list 100 permit ip host 192.168.1.11 host 1.1.1.2 (hitcnt=4)
 access-list 100 permit ip host 192.168.1.11 host 1.1.1.3 (hitcnt=0)


If you place a deny IP any any command as the last line of an access list, it will provide a hit count for all the traffic not matching the previous entries.


The show access-group Command

The show access-group command enables you to display all the access lists that are attached in an inward direction on all interfaces.

Listing 6.4 shows that access list 100 is attached to the inbound traffic on the outside interface and access list 1 is attached to the inside interface.

Listing 6.4 The show access-group Command
 pixfirewall# show access-group
 access-group 100 in interface outside
 access-group 1 in interface inside


Access lists are bound to the inbound direction of an interface, not the outbound direction. If you want to control traffic leaving the outside interface, you must bind an ACL to the inbound traffic on the inside interface.


The access-list Command

The access-list command creates and deletes access lists and access list entries. An access list can have a single entry or several entries, and they are processed in the order in which you added them; sometimes the hardest part of working with access lists is getting the entries into the order that produces the result you want. New entries are always appended to the end of the list, so if the entries are in the wrong order you need to delete the entire list and start again. You can delete a single entry from an access list, which helps a little, but you cannot insert one in the middle.

When access lists are created, they exist in a global area of the PIX firewall, meaning they can be attached to several interfaces simultaneously if you want. The command format for access-list commands is shown in Listing 6.5, and the access-list options are listed in Table 6.3.

Listing 6.5 access-list Command Syntax
 Pixfirewall(config)# [no] access-list id permit | deny protocol source_ip_address source_subnet_mask [operator port] destination_ip_address destination_subnet_mask [operator port]

Table 6.3. access-list Command Options

 Option                  Function
 id                      The number or name of the access list you are creating or appending to.
 permit | deny           Defines whether to allow or disallow the matching traffic.
 protocol                The transport protocol, such as ip, tcp, udp, or icmp.
 source_ip_address       The source IP address to match. The keyword any specifies all source addresses, and the keyword host specifies an exact address match.
 operator port           A comparison operand that defines which ports pass the acceptance criteria: eq is equal to, lt is less than, and gt is greater than.
 port                    The service you want to permit or deny; for example, port 80 or the keyword www for HTTP traffic. Other keywords include http, ident, nntp, ntp, pop2, pop3, rpc, smtp, snmp, snmptrap, sqlnet, telnet, tftp, and www.
 destination_ip_address  The destination address to match. Be sure to use the global address and not the real internal address, unless you are using nat 0 to bypass translation.

In Listing 6.6, the access list named 101 is created with three entries.

Listing 6.6 Creating Three Entries in an Access List
 Pixfirewall(config)# access-list 101 permit tcp host 10.10.12.37 host 169.254.8.1 eq telnet
 Pixfirewall(config)# access-list 101 permit tcp host 10.10.12.27 host 169.254.8.1 eq www
 Pixfirewall(config)# access-list 101 deny ip any any

Listing 6.6 creates an access list with three entries. The first entry permits traffic from the source 10.10.12.37 to the destination (global) address 169.254.8.1 on port 23 (telnet). The second entry permits traffic from the source 10.10.10.27 to the destination address 169.254.8.1 on port 80 (www). The last entry denies traffic from any source to any destination.

This example removes only a single entry from the access list named 101 :

 Pixfirewall(config)# no access-list 101 deny ip any any 

Using the no statement in front of the access-list command without specifying an individual entry allows you to remove the entire list from the system. The following command removes the access list named 101 :

 Pixfirewall(config)# no access-list 101

The access-group Command

The access-group command enables you to attach and remove an access list from an interface. Access groups allow you to attach only a single ACL to the inbound direction of the interface. Attaching an ACL to the outbound direction is not an option on the PIX firewalls yet. The command format is as follows, and the command options are shown in Table 6.4:

 Pixfirewall(config)# [no] access-group <access-list> in interface <if_name>

Table 6.4. access-group Command Options

 Option        Function
 access-list   The name or number of the access list you created, sometimes known as the ID.
 in            Defines the direction as inbound; in is in fact the only direction you can control.
 interface     A required keyword that introduces the interface to which the access list is attached.
 if_name       The interface to which you want to attach the access list: for example, outside, inside, dmz, or whatever you've named your interface.

Here's how you use the access-group command:

 Pixfirewall(config)# access-group Let-Peter-In in interface outside

In the previous example, the access list named Let-Peter-In is bound to the inbound direction of the outside interface.

The following command deletes an access group binding:

 Pixfirewall(config)# no access-group Let-Peter-In in interface outside

The previous command removes the access list named Let-Peter-In from the outside interface. The access list itself is not deleted; only the link between the interface and the list is removed.

The clear access-list Command

The clear access-list command can apply to either a single ACL or all the ACLs in your PIX, so be careful with it! You might find yourself deleting all your ACLs and looking for that TFTP backup of your configuration you made last year (or, hopefully, more recently). You can also use the no access-list command to delete a single access list. The clear access-list command's option is listed in Table 6.5, and its command format is as follows:

 Pixfirewall(config)# clear access-list [access-list]

Table 6.5. The clear access-list Command Option

 Option          Function
 [access-list]   The name or number of the access list you created, sometimes known as the ID. If omitted, all access lists are cleared.

Here's how you use the clear access-list and no access-list commands:

 Pixfirewall(config)# clear access-list Let-Peter-In

or

 Pixfirewall(config)# no access-list Let-Peter-In 

In the previous example, the clear command deletes the access list named Let-Peter-In . The alternative command to delete Let-Peter-In is the no access-list command.

The following demonstrates the clear access-list command with no access list specified:

 Pixfirewall(config)# clear access-list 

This command removes all the access lists from the PIX firewall, so use this command with caution.

The clear access-group Command

The clear access-group command allows you to remove all access groups from your PIX firewall. If you want to delete only a single access group entry, you need to use the no access-group command. The command format is as follows:

 Pixfirewall(config)# clear access-group

An Access List Example

Now that you have learned about access lists, let's build a larger system using a three-pronged firewall such as the one in Figure 6.4. In this example, you will configure the entire firewall from the beginning to review the basic six commands. Then you will loosen up the firewall to allow traffic from the outside to access internal Web servers. Lastly, you'll allow Peter and Kristina to access Jack's computer via Telnet.

Figure 6.4. An access list with a three-pronged firewall.


Table 6.6 displays the basic commands needed to configure the firewall.

Table 6.6. The Six Basic Commands

 Command      Description
 nameif       Names the interface and sets the security level.
 interface    Defines the interface speed and duplex setting.
 ip address   Sets the interface's IP address.
 nat          Sets the NAT address ranges.
 global       Sets the global range of addresses the NAT ID will use.
 route        Sets the default route.

Listing 6.7 uses these six commands to configure the firewall shown previously in Figure 6.4.

Listing 6.7 Using the Six Basic Commands
 Pixfirewall(config)# nameif e0 outside security0
 Pixfirewall(config)# nameif e1 inside security100
 Pixfirewall(config)# nameif e2 dmz security50
 Pixfirewall(config)#
 Pixfirewall(config)# interface e0 10baseT
 Pixfirewall(config)# interface e1 10baseT
 Pixfirewall(config)# interface e2 10baseT
 Pixfirewall(config)#
 Pixfirewall(config)# ip address outside 169.254.8.1 255.255.255.0
 Pixfirewall(config)# ip address inside 192.168.1.1 255.255.255.0
 Pixfirewall(config)# ip address dmz 172.16.0.1 255.255.0.0
 Pixfirewall(config)#
 Pixfirewall(config)# nat (inside) 1 192.168.1.0 255.255.255.0
 Pixfirewall(config)# nat (dmz) 1 172.16.0.0 255.255.0.0
 Pixfirewall(config)#
 Pixfirewall(config)# global (outside) 1 169.254.8.10-169.254.8.253 255.255.255.0
 Pixfirewall(config)#
 Pixfirewall(config)# route outside 0.0.0.0 0.0.0.0 169.254.8.254 1

The sequence of commands in Listing 6.7 performs the following functions:

  • The nameif command defines the interface names and security levels needed for the setup.

  • The interface command sets all the interfaces to 10BASE-T.

  • The ip address command sets the interface IP addresses.

  • The first nat command allows the subnet 192.168.1.0 to be translated to an IP address in the global pool with ID 1.

  • The second nat command allows the DMZ subnet 172.16.0.0 to be translated.

  • The global command defines a range of global addresses that will be used by the nat id 1 commands.

  • The last command creates a default route to the perimeter router.

At this point, your firewall will allow traffic to pass in a single direction from higher security levels to lower security levels and the ASA will allow return traffic back through the PIX.

Now, let's allow traffic initiated from the outside to access the Web server located in the DMZ. We'll also need to allow Peter and Kristina to access Jack's computer using Telnet. The following are the three main steps you need to perform:

  1. Create a static mapping from the global address 169.254.8.1 to the internal address of the Web server, 172.16.0.5, and a second static mapping from the global address 169.254.8.2 to Jack's computer.

  2. Next, you must create an access list that allows Web traffic from the outside to access the global address of 169.254.8.1. This address is mapped to the Web server. Then, you append to the access list Peter's and Kristina's addresses to allow Telnet access.

  3. Finally, you use the access group to bind the ACL to the outside interface.

Listing 6.8 displays the code used in these three steps.

Listing 6.8 Configuring Traffic to Come In
 Pixfirewall(config)# static (dmz, outside) 169.254.8.1 172.16.0.5
 Pixfirewall(config)# static (inside, outside) 169.254.8.2 192.168.1.11
 Pixfirewall(config)#
 Pixfirewall(config)# access-list Let-Traffic-In permit tcp any host 169.254.8.1 eq www
 Pixfirewall(config)# access-list Let-Traffic-In permit tcp host 10.70.1.25 host 169.254.8.2 eq telnet
 Pixfirewall(config)# access-list Let-Traffic-In permit tcp host 10.72.7.9 host 169.254.8.2 eq telnet
 Pixfirewall(config)#
 Pixfirewall(config)# access-group Let-Traffic-In in interface outside
 Pixfirewall(config)#
 Pixfirewall(config)# clear xlate
 Pixfirewall(config)#
 Pixfirewall(config)# exit
 Pixfirewall# write memory

Listing 6.8 gives you the ability to allow traffic to the Web server and traffic to Jack's computer if it's from Peter or Kristina. The ACL must be bound to the outside interface, and a static address is used to translate the traffic coming in.
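To see the whole inbound path of Listing 6.8 end to end, here is an added Python model (my example, not the book's code or any Cisco tool). It checks each packet against the ACL in first-match order, keeps a per-entry hit count as the show access-list output in Listing 6.3 reports it, and translates a permitted packet through the static mapping to the real DMZ or inside address. It also lets you append the deny ip any any entry from the hit-count alert earlier in the chapter, or put it first to reproduce the ordering mistake described for Listing 6.6, where the permit entries below it are never reached. The outside source address 203.0.113.7, the sample packets, and the port-keyword table are constructed for this example; only the eq operator is modelled.

```python
"""Model of inbound processing on the outside interface, built from Listing 6.8.

Added example (not the book's code): packets are checked against the ACL in
first-match order, hit counts are kept as 'show access-list' reports them,
and a permitted packet is then translated by the matching static entry.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Port keywords used in the chapter's listings (assumption: only these are needed here).
PORT_KEYWORDS = {"www": 80, "http": 80, "telnet": 23}


def port_number(p) -> Optional[int]:
    """Accept None, a numeric string/int, or one of the keywords above."""
    if p is None:
        return None
    return int(p) if str(p).isdigit() else PORT_KEYWORDS[p]


def net(spec: str) -> ipaddress.IPv4Network:
    """'any', 'host A', or 'A MASK' (the PIX uses a normal mask, not a wildcard)."""
    parts = spec.split()
    if parts == ["any"]:
        return ipaddress.IPv4Network("0.0.0.0/0")
    if parts[0] == "host":
        return ipaddress.IPv4Network(parts[1] + "/32")
    return ipaddress.IPv4Network(f"{parts[0]}/{parts[1]}")


def fmt(n: ipaddress.IPv4Network) -> str:
    """Print a network the way the PIX shows it."""
    if n.prefixlen == 0:
        return "any"
    if n.prefixlen == 32:
        return f"host {n.network_address}"
    return f"{n.network_address} {n.netmask}"


@dataclass
class AclEntry:
    action: str                      # "permit" or "deny"
    protocol: str                    # "ip", "tcp", "udp", or "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network       # the global address, because the ACL runs before static
    dst_port: Optional[int] = None   # only the 'eq' operator is modelled
    hitcnt: int = 0

    def matches(self, proto, src_ip, dst_ip, dst_port) -> bool:
        if self.protocol != "ip" and self.protocol != proto:
            return False
        if src_ip not in self.src or dst_ip not in self.dst:
            return False
        return self.dst_port is None or self.dst_port == dst_port


def ace(action, protocol, src, dst, port=None) -> AclEntry:
    return AclEntry(action, protocol, net(src), net(dst), port_number(port))


class Pix:
    def __init__(self, acl_name: str, acl: List[AclEntry], statics: Dict[str, Tuple[str, str]]):
        self.acl_name, self.acl = acl_name, acl
        # static (if_name, outside) global real  is stored as  global -> (if_name, real)
        self.statics = {ipaddress.IPv4Address(g): (i, ipaddress.IPv4Address(r))
                        for g, (i, r) in statics.items()}

    def inbound(self, proto, src, dst, dst_port=None):
        """Returns ('permit', if_name, real_dst) or ('deny', reason)."""
        src_ip, dst_ip = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
        for e in self.acl:                      # first match wins; later entries are not consulted
            if e.matches(proto, src_ip, dst_ip, dst_port):
                e.hitcnt += 1
                if e.action == "deny":
                    return ("deny", "explicit")
                break
        else:
            return ("deny", "implicit")         # no entry matched: dropped without a hit count
        if dst_ip not in self.statics:          # permitted, but no static to translate it
            return ("deny", "no static")
        if_name, real = self.statics[dst_ip]
        return ("permit", if_name, str(real))

    def show_access_list(self) -> List[str]:
        lines = [f"access-list {self.acl_name}; {len(self.acl)} elements"]
        for e in self.acl:
            text = f"access-list {self.acl_name} {e.action} {e.protocol} {fmt(e.src)} {fmt(e.dst)}"
            if e.dst_port is not None:
                text += f" eq {e.dst_port}"
            lines.append(f"{text} (hitcnt={e.hitcnt})")
        return lines


def build_pix(explicit_deny: str = "none") -> Pix:
    """Listing 6.8's configuration; explicit_deny is 'none', 'last', or 'first'."""
    acl = [
        ace("permit", "tcp", "any", "host 169.254.8.1", "www"),
        ace("permit", "tcp", "host 10.70.1.25", "host 169.254.8.2", "telnet"),
        ace("permit", "tcp", "host 10.72.7.9", "host 169.254.8.2", "telnet"),
    ]
    deny_all = ace("deny", "ip", "any", "any")
    if explicit_deny == "last":
        acl.append(deny_all)                    # counts everything the permits did not match
    elif explicit_deny == "first":
        acl.insert(0, deny_all)                 # the ordering mistake: nothing below is ever reached
    statics = {"169.254.8.1": ("dmz", "172.16.0.5"), "169.254.8.2": ("inside", "192.168.1.11")}
    return Pix("Let-Traffic-In", acl, statics)


if __name__ == "__main__":
    pix = build_pix("last")
    for pkt in [("tcp", "203.0.113.7", "169.254.8.1", 80),    # anyone to the Web server
                ("tcp", "10.70.1.25", "169.254.8.2", 23),     # Peter to Jack
                ("tcp", "203.0.113.7", "169.254.8.2", 23)]:   # a stranger to Jack: denied
        print(pkt, "->", pix.inbound(*pkt))
    print("\n".join(pix.show_access_list()))
```

The model returns a distinct reason for an implicit drop, which the real firewall does not count anywhere; that is exactly why the chapter suggests a trailing deny ip any any when you want a hit count for unmatched traffic.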


Interfaces can have only one ACL attached to them in the inbound direction.




CCSP CSPFA Exam Cram 2 (Exam 642-521)
ISBN: 0789730235
Year: 2003
Pages: 218