
TOPIC: PIX Access Lists Best Practices?

PIX Access Lists Best Practices? 8 years 7 months ago #25748

  • hanzo
  • New Member
  • Posts: 4
  • Karma: 0
Are there any best practices for setting up access-lists? Below are my access-lists from the config I use on a home ADSL connection.

[code:1]pix# sh access-list
access-list cached ACL log flows: total 0, denied -1 (deny-flow-max 256)
alert-interval 300
access-list outside_access_in; 8 elements
access-list outside_access_in line 1 remark Allows ping replies messages from 'outside' interface to 'inside' interface
access-list outside_access_in line 2 permit icmp any any echo-reply log 6 interval 300 (hitcnt=7)
access-list outside_access_in line 3 remark Allows ping 'unreachable' messages from 'outside' interface to 'inside' interface
access-list outside_access_in line 4 permit icmp any any unreachable log 6 interval 300 (hitcnt=0)
access-list outside_access_in line 5 remark Allows ping time-exceeded messages from 'outside' interface to 'inside' interface
access-list outside_access_in line 6 permit icmp any any time-exceeded log 6 interval 300 (hitcnt=0)
access-list outside_access_in line 7 remark Bit Torrent
access-list outside_access_in line 8 permit tcp any interface outside eq 21234 (hitcnt=0)
access-list outside_access_in line 9 remark Bit Torrent
access-list outside_access_in line 10 permit udp any interface outside eq 21234 (hitcnt=0)
access-list outside_access_in line 11 remark Allow ssh
access-list outside_access_in line 12 permit tcp host aaa.bbb.ccc.ddd interface outside eq ssh log 6 interval 300 (hitcnt=2)
access-list outside_access_in line 13 remark Drop any remaining packets
access-list outside_access_in line 14 deny ip any any log 6 interval 300 (hitcnt=7) [/code:1]

How do you approach setting up your access-lists?

Re: PIX Access Lists Best Practices? 8 years 7 months ago #25782

  • Chris
  • Administrator
  • Posts: 1446
  • Thank you received: 13
  • Karma: 8
hanzo,

I usually place remarks as you have to help make things easy to read after a while when you need to revisit the ACL section of the configuration :)

For me, the most critical ACLs go at the top, while the less critical are left for the end. When adding new ACLs, I never append them to the existing configuration as they would go right at the bottom, so I usually add them using the appropriate 'line' parameter to ensure ACLs referring to similar services are always kept together.

Hope that helps.

Cheers,
Chris Partsenidis.
Founder & Editor-in-Chief
www.Firewall.cx
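The two points raised in this thread (hanzo's listing ending in an explicit logged deny, and Chris's advice to insert new entries with the 'line' parameter so rules for one service stay grouped behind their remark) can both be checked mechanically from `show access-list` output. The script below is an added example written for this thread; it is not code from the forum, from Cisco, or from Firewall.cx. It assumes the listing format hanzo pasted above (remark lines are numbered like ACEs and each ACE ends in `(hitcnt=N)`), and the 192.0.2.x addresses in the sample are constructed documentation-range placeholders. It parses the listing, reports rules that never matched, rules that sit behind the final `deny ip any any` (and so can never match), and a missing or non-logging final deny, then builds the `access-list NAME line N ...` command that places a new rule at the end of the group whose remark mentions a given service.

```python
"""Audit a PIX 'show access-list' listing and build line-numbered insert commands.

Added example for this thread, not code from the forum or from Cisco. Assumes
the listing format shown in the first post: remarks are numbered like ACEs and
each ACE ends in '(hitcnt=N)'. Addresses below are constructed placeholders.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the shape of the listing in the first post.
SAMPLE = """\
access-list outside_access_in line 1 remark Allows ping replies
access-list outside_access_in line 2 permit icmp any any echo-reply log 6 interval 300 (hitcnt=7)
access-list outside_access_in line 3 remark Bit Torrent
access-list outside_access_in line 4 permit tcp any interface outside eq 21234 (hitcnt=0)
access-list outside_access_in line 5 remark Allow ssh
access-list outside_access_in line 6 permit tcp host 192.0.2.10 interface outside eq ssh log 6 interval 300 (hitcnt=2)
access-list outside_access_in line 7 remark Drop any remaining packets
access-list outside_access_in line 8 deny ip any any log 6 interval 300 (hitcnt=7)
"""

# One numbered line of 'show access-list'; the hit counter is absent on remarks.
LINE_RE = re.compile(
    r"^access-list (?P<acl>\S+) line (?P<line>\d+) (?P<body>.+?)"
    r"(?: \(hitcnt=(?P<hits>-?\d+)\))?$"
)


@dataclass
class Ace:
    acl: str
    line: int
    body: str
    hits: Optional[int]  # None for remark lines, which carry no counter

    @property
    def is_remark(self) -> bool:
        return self.body.startswith("remark ")

    @property
    def action(self) -> Optional[str]:
        return None if self.is_remark else self.body.split()[0]


def parse(text: str) -> List[Ace]:
    """Keep only the numbered 'line N' entries; header lines are ignored."""
    aces = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            hits = int(m["hits"]) if m["hits"] is not None else None
            aces.append(Ace(m["acl"], int(m["line"]), m["body"], hits))
    return aces


def is_deny_all(ace: Ace) -> bool:
    return ace.action == "deny" and ace.body.split()[1:4] == ["ip", "any", "any"]


def audit(aces: List[Ace]) -> List[str]:
    """Return human-readable findings, in ACL order, then the end-of-list check."""
    findings = []
    seen_remark = False
    after_deny_all = False
    for ace in aces:
        if ace.is_remark:
            seen_remark = True
            continue
        if after_deny_all:  # appended behind the catch-all deny: can never match
            findings.append(f"line {ace.line}: unreachable, it follows the deny ip any any")
        if not seen_remark:
            findings.append(f"line {ace.line}: no remark describes this rule")
        if ace.hits == 0:
            findings.append(f"line {ace.line}: hitcnt=0, confirm the rule is still needed")
        if is_deny_all(ace):
            after_deny_all = True
            if "log" not in ace.body.split():
                findings.append(f"line {ace.line}: final deny does not log")
    rules = [a for a in aces if not a.is_remark]
    if not rules or not is_deny_all(rules[-1]):
        findings.append("ACL does not end with an explicit deny ip any any")
    return findings


def insert_command(aces: List[Ace], keyword: str, new_body: str) -> str:
    """Build the 'line'-parameter command that appends new_body to the group
    whose remark mentions keyword (a group runs from one remark to the next)."""
    acl = aces[0].acl
    group_end = None
    in_group = False
    for ace in aces:
        if ace.is_remark:
            if in_group:
                break  # next remark starts a new group
            in_group = keyword.lower() in ace.body.lower()
        if in_group:
            group_end = ace.line
    if group_end is None:
        raise ValueError(f"no remark mentions {keyword!r}")
    return f"access-list {acl} line {group_end + 1} {new_body}"


if __name__ == "__main__":
    entries = parse(SAMPLE)
    for finding in audit(entries):
        print(finding)
    # A second trusted SSH source goes in behind the existing 'Allow ssh' rule.
    print(insert_command(entries, "ssh", "permit tcp host 192.0.2.11 interface outside eq ssh"))
```

Run it against a pasted `show access-list` capture; the grouping logic follows the convention both posters use, a remark per service followed by its rules, so a listing that uses remarks differently will need the group boundaries adjusted.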
