Firewall Wizards mailing list archives
RE: PIX Firewall IP Addresses
From: Scot Hartman <shartman () inflow com>
Date: Fri, 18 Oct 2002 11:05:03 -0600
If you decide to upgrade to the new versions of PIX code, make sure you check the release notes: http://www.cisco.com/en/US/products/sw/secursw/ps2120/prod_release_notes_lis t.html You should be OK on memory since the requirements for 5.2 and 6.2 are the same, but some of the older PIX (10000 and Classic) are no longer supported. If you are trying to audit/clean your rulebase, I agree with Mark that you should move to ACL format. You may be tempted to just upgrade and then try to clean up, but if you can get around it, don't. Audit the old conduits, map out the flows needed, and build again from scratch in the new format. Conduits and ACL formats can technically live together on the same box (the PIX will evaluate one and then the other) but you will drive yourself nuts. If you have any way to build a new one in parallel, take it. The conduit and ACL formats are sometimes backward from each other. The link below is for the command reference. (some of the commands aren't on the site but are in the pdf) http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_refer ence_chapter09186a00800eb6eb.html Scot
-----Original Message----- From: Ben Nagy [mailto:ben () iagu net] Sent: Thursday, October 17, 2002 2:15 PM To: 'Mark McCreary'; firewall-wizards () honor icsalabs com Subject: RE: [fw-wiz] PIX Firewall IP Addresses Good luck. First, you probably want to upgrade your PIX to the latest version (memory and flash permitting). 5.2 is not a happy version, from memory, and every PIX release contains several security fixes. Second, don't use conduits. They'll die soon (and should have already). Switch to ACLs, and then you'll also know how to do ACLs on Cisco routers as a bonus. Finally, welcome to Netmasks. Either learn to think binary, or do what I do and get used to writing out: "128 64 32 16 8 4 2 1" in big rows on scrap paper. You're looking for bit strings that have a 1 wherever you only want a fixed value for a given bit and a 0 when you don't mind any value. For example, "192.168.1.0 255.255.255.0" matches only 192.168.1.anything. In your example, you want 200-202, which means that all the bits except 2 and 1 MUST be fixed (110001??). If you allow ANY combination of the last two bits then you actually get 200 (00) 201 (01) 202 (10) and 203 (11). That's not quite right, so your rule looks like: deny x.x.x.203 255.255.255.255 - we don't want this permit x.x.x.200 255.255.255.252 - 203 has been blocked above, so this now allows just 200-202 (252 == 00000011) Two rules instead of three. Not much of an improvement, but it's a start, and it gets better the bigger your ranges are. (Sideline: IOS ACLs ONLY) For large and tricky ranges you can actually use the wilcard masks when all the '1' bits are NOT flush right (many people do not know this, for some reason) which often allows some quite spectacular, if very hard to understand, ACL compression. Fate sends you the request "permit only 192.168.1.2, .16, .18, .32, .34, .48 and .50"? Do you curse? No! You just slip one "permit 192.168.1.0 0.0.0.50" into your ruleset and wait for confused looks from the auditors. Unluckily (or luckily, maybe ;) you can't do that with PIXen. I'd recommend a cruise past www.cisco.com and casting an eye over the configuration guides. They're pretty good. Oh, and please don't forget to do a compliance test when you're done. Cheers, -- Ben Nagy Network Security Specialist Mb: +41792504687 PGP Key ID: 0x1A86E304 > -----Original Message----- > From: firewall-wizards-admin () honor icsalabs com > [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf > Of Mark McCreary > Sent: Thursday, October 17, 2002 4:41 PM > To: firewall-wizards () honor icsalabs com > Subject: [fw-wiz] PIX Firewall IP Addresses > > > We are using a CISCO PIX firewall version 5.2(5), with both > NAT and PAT > enabled. My task is to clean-up/reduce the number of conduit > rules. I am > new at this. > > While reviewing the rules in place, I noticed many cases > where individual > rules are written for consecutive IP addresses. My question > is whether > the syntax allows for a "range" of addresses to be used in > one rule. For > example, > > Rules written to allow access from source addresses - 172.165.50.200, > 172.165.50.201, 172.165.50.202 > > Can a source address on one rule replace the 3 rules above, such as > 172.165.50.200-202 > > Thank you for any assistance. > > Regards, > > Mark McCreary > _______________________________________________ > firewall-wizards mailing list firewall-wizards () honor icsalabs com > http://honor.icsalabs.com/mailman/listinfo/firewall-wizards > _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
_______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- PIX Firewall IP Addresses Mark McCreary (Oct 17)
- RE: PIX Firewall IP Addresses Ben Nagy (Oct 17)
- <Possible follow-ups>
- RE: PIX Firewall IP Addresses Nigel McLellan (DSL AK) (Oct 17)
- RE: PIX Firewall IP Addresses Scot Hartman (Oct 18)