TOPIC: PIX Access Lists Best Practices?

PIX Access Lists Best Practices? 10 years 2 months ago #25748

hanzo (Topic Author, New Member, Posts: 4)
Are there any best practices for setting up access-lists? Below are my access-lists from the config I use on a home ADSL connection.

pix# sh access-list
access-list cached ACL log flows: total 0, denied -1 (deny-flow-max 256)
alert-interval 300
access-list outside_access_in; 8 elements
access-list outside_access_in line 1 remark Allows ping replies messages from 'outside' interface to 'inside' interface
access-list outside_access_in line 2 permit icmp any any echo-reply log 6 interval 300 (hitcnt=7)
access-list outside_access_in line 3 remark Allows ping 'unreachable' messages from 'outside' interface to 'inside' interface
access-list outside_access_in line 4 permit icmp any any unreachable log 6 interval 300 (hitcnt=0)
access-list outside_access_in line 5 remark Allows ping time-exceeded messages from 'outside' interface to 'inside' interface
access-list outside_access_in line 6 permit icmp any any time-exceeded log 6 interval 300 (hitcnt=0)
access-list outside_access_in line 7 remark Bit Torrent
access-list outside_access_in line 8 permit tcp any interface outside eq 21234 (hitcnt=0)
access-list outside_access_in line 9 remark Bit Torrent
access-list outside_access_in line 10 permit udp any interface outside eq 21234 (hitcnt=0)
access-list outside_access_in line 11 remark Allow ssh
access-list outside_access_in line 12 permit tcp host aaa.bbb.ccc.ddd interface outside eq ssh log 6 interval 300 (hitcnt=2)
access-list outside_access_in line 13 remark Drop any remaining packets
access-list outside_access_in line 14 deny ip any any log 6 interval 300 (hitcnt=7)

How do you approach setting up your access-lists?


Re: PIX Access Lists Best Practices? 10 years 1 month ago #25782

Chris (Administrator, Posts: 1447, Karma: 8)
hanzo,

I usually place remarks as you have to help make things easy to read after a while when you need to revisit the ACL section of the configuration :)

For me, the most critical ACLs go at the top, while the less critical are left for the end. When adding new ACLs, I never append them to the existing configuration as they would go right at the bottom, so I usually add them using the appropriate 'line' parameter to ensure ACLs referring to similar services are always kept together.

Hope that helps.

Cheers,


Chris Partsenidis.
Founder & Editor-in-Chief
www.Firewall.cx
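As an added example (not code from this thread or from Firewall.cx), here is a small Python checker that parses `show access-list` output in the format hanzo posted and tests the points Chris raises: a remark above every rule, an explicit final deny with nothing left shadowed after it, unused permits by hit count, and the `line` number to pass so a new entry joins its related block rather than landing at the bottom. The sample output and the 203.0.113.5 host are constructed.

```python
import re
# Constructed sample in the 'show access-list' format quoted above (203.0.113.5 is a placeholder host).
SAMPLE = """\
access-list outside_access_in line 1 remark Bit Torrent
access-list outside_access_in line 2 permit tcp any interface outside eq 21234 (hitcnt=0)
access-list outside_access_in line 3 remark Allow ssh
access-list outside_access_in line 4 permit tcp host 203.0.113.5 interface outside eq ssh log 6 interval 300 (hitcnt=2)
access-list outside_access_in line 5 remark Drop any remaining packets
access-list outside_access_in line 6 deny ip any any log 6 interval 300 (hitcnt=7)
access-list outside_access_in line 7 permit tcp any any eq www (hitcnt=0)
"""
LINE_RE = re.compile(r"^access-list (\S+) line (\d+) (.*?)(?: \(hitcnt=(\d+)\))?$")

def parse(text):
    """One dict per 'access-list <name> line N ...' entry; kind is remark, permit or deny."""
    entries = []
    for raw in text.splitlines():
        if m := LINE_RE.match(raw.strip()):
            acl, num, body, hits = m.groups()
            entries.append({"acl": acl, "num": int(num), "kind": body.split()[0],
                            "body": body, "hits": None if hits is None else int(hits)})
    return entries

def lint(entries):
    """Flag what the thread's advice (remarks, ordering, explicit final deny) is meant to avoid."""
    findings = []
    rules = [e for e in entries if e["kind"] in ("permit", "deny")]
    for i, e in enumerate(entries):  # every permit/deny should sit under a remark
        if e["kind"] != "remark" and (i == 0 or entries[i - 1]["kind"] != "remark"):
            findings.append(f"line {e['num']}: no remark above this rule")
    for e in rules:  # permits that never matched are candidates for removal
        if e["kind"] == "permit" and e["hits"] == 0:
            findings.append(f"line {e['num']}: permit has hitcnt=0, review whether still needed")
    for i, e in enumerate(rules):  # anything after 'deny ip any any' can never match
        if e["body"].startswith("deny ip any any"):
            findings += [f"line {s['num']}: shadowed by deny-all at line {e['num']}" for s in rules[i + 1:]]
            break
    if not rules or not rules[-1]["body"].startswith("deny ip any any"):
        findings.append("no explicit 'deny ip any any' as the last rule")
    return findings

def insert_point(entries, keyword):
    """N for 'access-list <acl> line N ...' so a new rule lands at the end of the block whose remark mentions keyword."""
    for i, e in enumerate(entries):
        if e["kind"] == "remark" and keyword.lower() in e["body"].lower():
            j = i + 1
            while j < len(entries) and entries[j]["kind"] != "remark":
                j += 1
            return entries[j]["num"] if j < len(entries) else entries[-1]["num"] + 1
    return None
```

Paste real `show access-list` output in place of SAMPLE and call `lint(parse(text))`; `insert_point(parse(text), "ssh")` gives the line number to use when adding a second SSH rule next to the existing one.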