
Neither static nor nat 0 by itself allows a connection to be initiated from the outside network.

The static command identifies a host or network on the inside and permanently maps it to a global IP address. nat 0 exempts an inside address from translation, so the outside network sees it under its real address. In both cases an access list is still required before a connection can be established to the identified host or network, as all the previous examples show.

Access Lists

An access list typically consists of multiple access list entries (ACEs), which the PIX Firewall stores internally as a linked list. When a packet is subjected to access list control, the Cisco PIX Firewall searches this list linearly and stops at the first matching element; that element determines whether the packet is transmitted or dropped. A packet that matches no entry is dropped, because every access list ends with an implicit deny. Because evaluation is first-match, the order of entries matters: an entry that is meant to exclude part of a broader range (for example, a deny for one host inside a permitted network) must precede the broader entry, or it is never reached.

The general syntax of the access-list command is

access-list ID action protocol source_address s_mask s_port destination_address d_mask d_port

116 Chapter 7: Configuring Access

Table 7-2 describes the parameters for the access-list command.

The access-list command creates the rule; the access-group command applies the created rule to the desired PIX interface. It is also important to note that, unlike Cisco IOS Software access lists, which use wildcard masks (that is, 0.0.0.255 for a Class C network) to identify their network masks, PIX software uses a regular subnet mask (that is, 255.255.255.0 for a Class C network) when defining the network mask.

NOTE Specify only one access-group command for each interface.

The syntax for the access-group command is as follows:

access-group ID in interface interface_name

Table 7-2 access-list Command Parameters

Parameter            Description

ID                   The name or number you create to identify a group of access-list command statements, such as 101.

action               permit or deny, depending on whether you want to permit or deny access to the server. By default, all inbound access is denied, so you must permit access to a specific protocol or port.

protocol             tcp, udp, icmp, and so on.

source_address       The host or network address of the source host or network that must access the destination_address. Use any or 0.0.0.0 to let any host access the destination_address. If you specify a single host, precede the address with host.

s_mask               Netmask bits (mask) to be applied to source_address if the source address is a network.

s_port               The protocol port used by the source host to initiate the connection.

destination_address  The host or network global address that you specified with the static command. For a host address, precede the address with host; for networks, specify the network address and the appropriate network mask.

d_mask               Netmask bits (mask) to be applied to destination_address if the destination address is a network.

d_port               The port parameter with the exact port name or number for the destination server protocol. The port name or number is preceded by the eq (equal) qualifier, such as eq http; lt, gt, and neq are also supported as qualifiers.

Configuring Inbound Access Through the PIX Firewall 117

The ID is the same identifier that was specified in the access-list command. The interface_name parameter is the name of the interface to which the access list is applied.

Example 7-1 illustrates the use of the static and access-list commands to permit connections from a lower-security interface to a higher-security interface on the PIX.

The static command statically translates the inside address 10.1.100.10 to the global address 192.168.1.10. The access-list command permits only HTTP (TCP port 80) connections, from any source, to host 192.168.1.10, which is then translated to 10.1.100.10.

The access-group command applies the access list acl_out inbound on the outside interface.

Figure 7-1 illustrates the use of the static and access-list commands in this example.

Figure 7-1 Use of Access Lists and Static Address Translation in a PIX Environment

To view the created access list, use the show access-list id command, where id is the access list name or number.

Example 7-1 Permitting Connections from Lower-Security Interfaces to Higher-Security Interfaces on the PIX

pixfirewall(config)# static (inside,outside) 192.168.1.10 10.1.100.10 netmask 255.255.255.255
pixfirewall(config)# access-list acl_out permit tcp any host 192.168.1.10 eq www
pixfirewall(config)# access-group acl_out in interface outside

Figure 7-1 callouts (the figure itself is not reproduced here):

Perimeter Router
1. User sends request to IP address 192.168.1.10
2. Access list makes an exception in the ASA and
3. IP address is translated from 192.168.1.10 to 10.1.100.10

Access lists can also be used to control outbound access on the PIX. An outbound access list restricts users from starting outbound connections or from accessing specific destination addresses or networks. By default, outbound access is permitted, so you use the deny action to restrict access when using an outbound access list. Because entries are evaluated in order and the first match wins, an outbound access list must deny the specific destinations first and permit everything else after; a permit ip any any entry placed first would match every packet, and any deny entries after it would never be reached.

For example, if you wanted to restrict users on the inside interface from accessing a website at address 172.16.68.20 on the outside interface, you would use the commands shown in Example 7-2.

This access list configuration lets inside users start connections, including WWW connections, to any destination except the web server at 172.16.68.20. Note that the deny entry matches only TCP port 80, so connections to other ports on 172.16.68.20 are still permitted by the permit ip any any entry.
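The following Python script is an added example for this section, not code from the book or from Cisco. It models the access-list behaviour described above (first-match evaluation, the implicit deny at the end of every list, the PIX subnet-mask convention rather than the IOS wildcard, and the static translation step of Figure 7-1) using the access-list lines of Examples 7-1 and 7-2. It also includes a deliberately mis-ordered copy of acl_in, named acl_in_wrong, to show why the deny entry must come first. That list, the sample client addresses, and the helper names (parse_ace, evaluate, inbound, shadowed) are the editor's own constructions; the parser ignores source ports, which the examples do not use.

```python
"""Model of Cisco PIX access-list matching (added example, not Cisco code)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Port keywords used on this page; a real PIX accepts many more names.
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ftp": 21, "ssh": 22,
              "telnet": 23, "smtp": 25, "domain": 53}


@dataclass(frozen=True)
class Ace:
    action: str                       # "permit" or "deny"
    proto: str                        # "ip", "tcp", "udp", "icmp", ...
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[Tuple[str, int]]  # (qualifier, port) such as ("eq", 80), or None


def parse_netmask(mask: str) -> str:
    """Accept only a real subnet mask (contiguous ones from the left).
    An IOS wildcard such as 0.0.0.255 is rejected instead of being misread."""
    m = int(ipaddress.IPv4Address(mask))
    neg = ((~m) & 0xFFFFFFFF) + 1      # two's-complement -m; a power of two iff m is 1..10..0
    if neg & (neg - 1):
        raise ValueError(f"{mask} is not a subnet mask; PIX does not take IOS wildcards")
    return mask


def _take_addr(tokens, i):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D MASK' starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    net = ipaddress.IPv4Network((tokens[i], parse_netmask(tokens[i + 1])), strict=False)
    return net, i + 2


def parse_ace(line: str):
    """Parse 'access-list ID action protocol src [mask] dst [mask] [qualifier port]'."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list":
        raise ValueError(f"not an access-list command: {line}")
    acl_id, action, proto = t[1], t[2], t[3]
    src, i = _take_addr(t, 4)
    dst, i = _take_addr(t, i)
    dport = None
    if i < len(t):
        qualifier, port = t[i], t[i + 1]
        if qualifier not in ("eq", "neq", "lt", "gt"):
            raise ValueError(f"unknown port qualifier {qualifier!r} in: {line}")
        dport = (qualifier, PORT_NAMES.get(port) or int(port))
    return acl_id, Ace(action, proto, src, dst, dport)


def build(lines):
    """Group parsed ACEs by access-list ID, preserving configuration order."""
    acls = {}
    for line in lines:
        acl_id, ace = parse_ace(line)
        acls.setdefault(acl_id, []).append(ace)
    return acls


def _port_matches(spec, port) -> bool:
    if spec is None:
        return True
    if port is None:
        return False
    qualifier, p = spec
    return {"eq": port == p, "neq": port != p, "lt": port < p, "gt": port > p}[qualifier]


def evaluate(acl, proto, src, dst, dport=None):
    """Walk the list in order; the first matching ACE decides.
    Returns (action, index), or ("deny", None) for the implicit deny at the end."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for n, ace in enumerate(acl):
        if (ace.proto in ("ip", proto) and s in ace.src and d in ace.dst
                and _port_matches(ace.dport, dport)):
            return ace.action, n
    return "deny", None


def inbound(acl, statics, proto, src, global_dst, dport=None):
    """Outside-to-inside flow of Figure 7-1: the list on the outside interface is
    checked against the global address, then static maps it to the inside host."""
    verdict, _ = evaluate(acl, proto, src, global_dst, dport)
    if verdict != "permit" or global_dst not in statics:
        return "deny", None
    return "permit", statics[global_dst]


def covers(a: Ace, b: Ace) -> bool:
    """True if every packet that ACE b could match is already matched by ACE a."""
    return ((a.proto == "ip" or a.proto == b.proto)
            and (a.dport is None or a.dport == b.dport)
            and b.src.subnet_of(a.src) and b.dst.subnet_of(a.dst))


def shadowed(acl):
    """Indexes of ACEs that can never be reached because an earlier ACE covers them."""
    return [j for j in range(len(acl)) if any(covers(acl[i], acl[j]) for i in range(j))]


# Constructed configuration: the access-list lines of Examples 7-1 and 7-2,
# plus acl_in_wrong, the same two acl_in entries in the wrong order.
CONFIG = [
    "access-list acl_out permit tcp any host 192.168.1.10 eq www",
    "access-list acl_in deny tcp any host 172.16.68.20 eq www",
    "access-list acl_in permit ip any any",
    "access-list acl_in_wrong permit ip any any",
    "access-list acl_in_wrong deny tcp any host 172.16.68.20 eq www",
]
ACLS = build(CONFIG)
# static (inside,outside) 192.168.1.10 10.1.100.10 netmask 255.255.255.255
STATICS = {"192.168.1.10": "10.1.100.10"}

if __name__ == "__main__":
    print(inbound(ACLS["acl_out"], STATICS, "tcp", "203.0.113.5", "192.168.1.10", 80))
    print(evaluate(ACLS["acl_in"], "tcp", "10.1.100.50", "172.16.68.20", 80))
    print(evaluate(ACLS["acl_in_wrong"], "tcp", "10.1.100.50", "172.16.68.20", 80))
    print(shadowed(ACLS["acl_in_wrong"]))
```

Running the script shows an outside client reaching 192.168.1.10 on port 80 being permitted and translated to 10.1.100.10, an inside user's HTTP request to 172.16.68.20 being denied by the first entry of acl_in, the same request slipping through acl_in_wrong, and index 1 of acl_in_wrong reported as unreachable. The shadowed() check is the kind of sanity test worth running over any long PIX access list before applying it with access-group, since a shadowed deny silently permits what it was meant to block.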

NOTE Starting with Cisco PIX Firewall OS version 5.3, access lists are the preferred method of managing network access. The conduit command was used in earlier versions. Access lists provide improved flexibility. However, the conduit command is still supported to maintain backward compatibility with configurations written for previous PIX Firewall versions.

TurboACL

TurboACL is a feature introduced with Cisco PIX Firewall version 6.2 that improves the average search time for access control lists (ACLs) containing a large number of entries.

Instead of walking the linked list linearly on every lookup, the PIX compiles the ACL into lookup tables, which is what shortens the search for long ACLs.

The TurboACL feature can be enabled globally on the entire PIX Firewall and then disabled for specific ACLs, or it can be enabled for only specific ACLs. It is applied only to ACLs with 19 or more ACEs, because the compiled lookup pays off only for lists of that length; ACLs with fewer entries are searched as before and see no improvement. The implementation of TurboACL in PIX Firewall version 6.2 supports access lists with up to 16,000 access list entries.

The minimum memory required for TurboACL is 2.1 MB, plus approximately 1 MB for every 2000 ACL elements. High-end PIX Firewall models, such as the PIX 525 and PIX 535, are the most appropriate platforms for memory-demanding TurboACL configurations.

NOTE Because some models of Cisco PIX Firewall, such as the PIX 501, have limited memory, implementing the TurboACL feature might cause problems, such as not being able to load Cisco PIX Device Manager.

Example 7-2 Restricting Inside Users’ Access to an External Web Server on Port 80

pixfirewall(config)# access-list acl_in deny tcp any host 172.16.68.20 eq www
pixfirewall(config)# access-list acl_in permit ip any any
pixfirewall(config)# access-group acl_in in interface inside
