RE: PIX Firewall IP Addresses

["Ben Nagy" <ben () iagu net>]

Good luck.

First, you probably want to upgrade your PIX to the latest version
(memory and flash permitting). 5.2 is not a happy version, from memory,
and every PIX release contains several security fixes.

Second, don't use conduits. They'll die soon (and should have already).
Switch to ACLs, and then you'll also know how to do ACLs on Cisco
routers as a bonus.

Finally, welcome to Netmasks. Either learn to think binary, or do what I
do and get used to writing out:
"128 64 32 16 8 4 2 1"

in big rows on scrap paper.

You're looking for bit strings that have a 1 wherever you only want a
fixed value for a given bit and a 0 when you don't mind any value. For
example, "192.168.1.0 255.255.255.0" matches only 192.168.1.anything.

In your example, you want 200-202, which means that all the bits except
2 and 1 MUST be fixed (110001??).

If you allow ANY combination of the last two bits then you actually get
200 (00) 201 (01) 202 (10) and 203 (11).

That's not quite right, so your rule looks like:
deny x.x.x.203 255.255.255.255 - we don't want this
permit x.x.x.200 255.255.255.252 - 203 has been blocked above, so this
now allows just 200-202
(252 == 00000011)

Two rules instead of three. Not much of an improvement, but it's a
start, and it gets better the bigger your ranges are.

(Sideline: IOS ACLs ONLY) For large and tricky ranges you can actually
use the wilcard masks when all the '1' bits are NOT flush right (many
people do not know this, for some reason) which often allows some quite
spectacular, if very hard to understand, ACL compression. Fate sends you
the request "permit only 192.168.1.2, .16, .18, .32, .34, .48 and .50"?
Do you curse? No! You just slip one "permit 192.168.1.0 0.0.0.50" into
your ruleset and wait for confused looks from the auditors. Unluckily
(or luckily, maybe ;) you can't do that with PIXen. 

I'd recommend a cruise past www.cisco.com and casting an eye over the
configuration guides. They're pretty good.

Oh, and please don't forget to do a compliance test when you're done.

Cheers,

--
Ben Nagy
Network Security Specialist
Mb: +41792504687  PGP Key ID: 0x1A86E304 


> -----Original Message-----
> From: firewall-wizards-admin () honor icsalabs com 
> [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf 
> Of Mark McCreary
> Sent: Thursday, October 17, 2002 4:41 PM
> To: firewall-wizards () honor icsalabs com
> Subject: [fw-wiz] PIX Firewall IP Addresses
>
>
> We are using a CISCO PIX firewall version 5.2(5), with both 
> NAT and PAT 
> enabled.  My task is to clean-up/reduce the number of conduit 
> rules.  I am 
> new at this. 
>
> While reviewing the rules in place, I noticed many cases 
> where individual 
> rules are written for consecutive IP addresses.  My question 
> is whether 
> the syntax allows for a "range" of addresses to be used in 
> one rule.  For 
> example,
>
> Rules written to allow access from source addresses - 172.165.50.200, 
> 172.165.50.201, 172.165.50.202
>
> Can a source address on one rule replace the 3 rules above, such as 
> 172.165.50.200-202
>
> Thank you for any assistance.
>
> Regards,
>
> Mark McCreary
> _______________________________________________
> firewall-wizards mailing list firewall-wizards () honor icsalabs com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards