A Commands
aaa
Enable, disable, or view TACACS+ or RADIUS user authentication, authorization, and accounting for the server previously designated with the aaa-server command. (Configuration mode.)
aaa accounting include | exclude acctg_service inbound | outbound | if_name local_ip local_mask foreign_ip foreign_mask group_tag
no aaa accounting include | exclude acctg_service inbound | outbound | if_name group_tag
aaa accounting match acl_name inbound | outbound | if_name group_tag
no aaa accounting match acl_name inbound | outbound | if_name group_tag
aaa authentication include | exclude authen_service inbound | outbound | if_name local_ip local_mask foreign_ip foreign_mask group_tag
no aaa authentication [include | exclude authen_service inbound | outbound | if_name local_ip local_mask foreign_ip foreign_mask group_tag]
aaa authentication match acl_name inbound | outbound | if_name group_tag
no aaa authentication match acl_name inbound | outbound | if_name group_tag
aaa authentication [serial | enable | telnet | ssh | http] console group_tag
[no] aaa authentication [serial | enable | telnet | ssh | http] console group_tag
aaa authorization include | exclude author_service inbound | outbound | if_name local_ip local_mask foreign_ip foreign_mask
no aaa authorization [include | exclude author_service inbound | outbound | if_name local_ip local_mask foreign_ip foreign_mask]
aaa authorization match acl_name inbound | outbound | if_name group_tag
no aaa authorization match acl_name inbound | outbound | if_name group_tag
clear aaa [accounting include | exclude acctg_service inbound | outbound | if_name group_tag]
clear aaa [authentication include | exclude authen_service inbound | outbound | if_name local_ip local_mask foreign_ip foreign_mask group_tag]
clear aaa [authorization [include | exclude author_service inbound | outbound | if_name local_ip local_mask foreign_ip foreign_mask]]
show aaa
Syntax Description
accounting
Enable or disable accounting services with authentication server. Use of this command requires that you previously used the aaa-server command to designate an authentication server.
include
Create a new rule with the specified service to include.
exclude
Create an exception to a previously stated rule by excluding the specified service from authentication, authorization, or accounting to the specified host. The exclude parameter improves the former except option by allowing the user to specify a port to exclude to a specific host or hosts.
acctg_service
The accounting service. Accounting is provided for all services or you can limit it to one or more services. Possible values are any, ftp, http, telnet, or protocol/port. Use any to provide accounting for all TCP services. To provide accounting for UDP services, use the protocol/port form.
For protocol/port, the TCP protocol appears as 6, the UDP protocol appears as 17, and so on, and port is the TCP or UDP destination port. A port value of 0 (zero) means all ports. For protocols other than TCP and UDP, the port is not applicable and should not be used.
match acl_name
Specify an access-list command statement name.
authentication
Enable or disable user authentication, prompt user for username and password, and verify information with authentication server.
When used with the console option, enables or disables authentication service for access to the PIX Firewall console over Telnet or from the Console connector on the PIX Firewall unit.
Use of the aaa authentication command requires that you previously used the aaa-server command to designate an authentication server.
The aaa authentication command supports HTTP authentication. The PIX Firewall requires authentication verification of the HTTP server through the aaa authentication http console command before PDM can access the PIX Firewall.
authen_service
The application with which a user is accessing a network. Use any, ftp, http, or telnet. The any value enables accounting or authentication for all TCP services. To have users prompted for authentication credentials, they must use FTP, HTTP, or Telnet. (HTTP is the Web and only applies to web browsers that can prompt for a username and password.)
If the authentication or authorization server is authenticating services other than FTP, HTTP, or Telnet, using any will not permit those services to authenticate in the firewall. The firewall only knows how to communicate with FTP, HTTP, and Telnet for authentication and authorization.
Only set this parameter to a service other than any if the authentication or authorization server is set the same way. Unless you want to temporarily restrict access to a specific service, setting a service in this command can increase system administration work and may cause all connections to fail if the authentication or authorization server is authenticating one service and you set this command to another.
authorization
Enable or disable TACACS+ user authorization for services. PIX Firewall does not support RADIUS authorization through this command; the only RADIUS authorization available is a RADIUS server returning an acl=acl_name vendor-specific attribute, as described in the note under Usage Guidelines. The AAA server determines what services the user is authorized to access.
author_service
The services which require authorization. Use any, ftp, http, telnet, or protocol/port. Services not specified are authorized implicitly. Services specified in the aaa authentication command do not affect the services which require authorization.
For protocol/port:
•
protocol—the protocol (6 for TCP, 17 for UDP, 1 for ICMP, and so on).
•
port—the TCP or UDP destination port, or port range. The port can also be the ICMP type; that is, 8 for ICMP echo or ping. A port value of 0 (zero) means all ports. Port ranges only apply to the TCP and UDP protocols, not to ICMP. For protocols other than TCP, UDP, and ICMP the port is not applicable and should not be used. An example port specification follows.
aaa authorization include udp/53-1024 inside 0 0 0 0
This example requires authorization for DNS lookups arriving at the inside interface from all clients, and for any other UDP service whose destination port falls in the range 53 to 1024.
Note
Specifying a port range may produce unexpected results at the authorization server. PIX Firewall sends the port range to the server as a string with the expectation that the server will parse it out into specific ports. Not all servers do this. In addition, you may want users to be authorized on specific services, which will not occur if a range is accepted.
inbound
Authenticate or authorize inbound connections. Inbound means the connection originates on the outside interface and is being directed to the inside interface.
outbound
Authenticate or authorize outbound connections. Outbound means the connection originates on the inside and is being directed to the outside interface.
if_name
Interface name from which users require authentication. Use if_name in combination with the local_ip address and the foreign_ip address to determine where access is sought and from whom. The local_ip address is always on the highest security level interface and foreign_ip is always on the lowest. See the Examples section for how the if_name affects the use of this command.
local_ip
The IP address of the host or network of hosts that you want to be authenticated or authorized. You can set this address to 0 to mean all hosts and to let the authentication server decide which hosts are authenticated.
local_mask
Network mask of local_ip. Always specify a specific mask value. Use 0 if the IP address is 0. Use 255.255.255.255 for a host.
foreign_ip
The IP address of the hosts you want to access the local_ip address. Use 0 to mean all hosts.
foreign_mask
Network mask of foreign_ip. Always specify a specific mask value. Use 0 if the IP address is 0. Use 255.255.255.255 for a host.
serial
Access verification for the PIX Firewall unit's serial console.
enable
Access verification for the PIX Firewall unit's privilege mode.
telnet
Access verification for the Telnet access to the PIX Firewall console.
ssh
Access verification for the SSH access to the PIX Firewall console.
http
Access verification for the HTTP (Hypertext Transfer Protocol) access to the PIX Firewall (via PDM).
console
Specifies that access to the PIX Firewall console requires authentication.
group_tag
The AAA server group tag defined by the aaa-server command.
console
Specify that access to the PIX Firewall console require authentication and optionally, log configuration changes to a syslog server.
The aaa authentication serial console command allows you to require authentication to access the PIX Firewall unit's serial console. The serial option also logs to a syslog server changes made to the configuration from the serial console.
Authenticated access to the PIX Firewall console presents different prompts depending on the option you choose with the aaa authentication [serial | enable | telnet | ssh] console command. The enable and ssh options allow three tries before stopping with an access denied message; the serial and telnet options prompt the user continually until login succeeds. The serial option requests a username and password before the first command line prompt on the serial console connection. The telnet option requires a username and password before the first command line prompt of a Telnet console connection. The enable option requests a username and password before accessing privileged mode for serial, Telnet, or SSH connections. The ssh option requests a username and password before the first command line prompt on the SSH console connection.
Telnet access to the PIX Firewall console is available from any internal interface, and from the outside interface with IPSec configured, and requires previous use of the telnet command. SSH access to the PIX Firewall console is also available from any interface without IPSec configured, and requires previous use of the ssh command.
The new ssh option specifies the group of AAA servers to be used for SSH user authentication. The authentication protocol and AAA server IP addresses are defined with the aaa-server command statement.
Similar to the Telnet model, if an aaa authentication ssh console group_tag command statement is not defined, you can gain access to the PIX Firewall console with the username pix and with the PIX Firewall Telnet password (set with the passwd command). If the aaa command is defined but the SSH authentication requests a timeout, which implies the AAA servers may be down or not available, you can gain access to the PIX Firewall using username pix and the enable password (set with the enable password command). By default, the Telnet password is cisco and the enable password is not set.
If the console login request times out, you can gain access to the PIX Firewall from the serial console by entering the pix username and the enable password.
The maximum password length for accessing the console is 16 characters.
Usage Guidelines
The aaa command enables or disables the following AAA (Authentication, Authorization, and Accounting) features:
•
User authentication services provided by a TACACS+ or RADIUS server, which you first designate with the aaa-server command. A user starting a connection via FTP, Telnet, or over the World Wide Web is prompted for a username and password. If the designated TACACS+ or RADIUS server verifies the credentials, the PIX Firewall lets the connection through to its destination and takes no further part in the session beyond normal stateful handling; this is the PIX Firewall unit's "cut-through proxy" feature.
•
User authorization services which control which network services a user can access. After a user is authenticated, attempts to access restricted services cause the PIX Firewall unit to verify the access permissions of the user with the designated AAA server.
•
User accounting services keep a record of which network services a user has accessed. These records are also kept on the designated AAA server. Accounting information is only sent to the active server in a server group.
•
Administrative authentication services controlling access to the PIX Firewall unit's console via Telnet, SSH, HTTP (PDM), or the serial console. Telnet access requires previous use of the telnet command. SSH access requires previous use of the ssh command.
For additional information, see Usage Note 17.
Note
RADIUS authorization is supported with the use of access-list command statement and configuring a RADIUS server to send an acl=acl_name vendor-specific identifier. Refer to the access-list command page for more information. Also see the aaa-server radius-authport commands.
If the AAA console login request times out, you can gain access to the PIX Firewall from the serial console by entering the pix username and the enable password.
match acl_name Option Usage
The syntax for this command is as follows:
aaa authentication | authorization | accounting match acl_name inbound | outbound | interface_name group_tag
An example follows:
show access-list
access-list mylist permit tcp 10.0.0.0 255.255.255.0 172.23.2.0 255.255.255.0 (hitcnt=0)
access-list yourlist permit tcp any any (hitcnt=0)
show aaa
aaa authentication match mylist outbound TACACS+
Similar to IPSec, the keyword permit means "yes" and deny means "no." Therefore, the following command
aaa authentication match yourlist outbound tacacs
is equal to this command:
aaa authentication include any outbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 tacacs
The aaa command statement list is order dependent between access-list command statements. If the following command is entered
aaa authentication match yourlist outbound tacacs
after this command:
aaa authentication match mylist outbound TACACS+
PIX Firewall tries to find a match in the mylist access-list command statement group before it tries to find a match in the yourlist access-list command statement group.
Old aaa command configuration and functionality stays the same and is not converted to the access_list format. Hybrid configurations; that is, old configurations combined with the new access_list configuration are not recommended.
Usage Notes
1.
The maximum username prompt for HTTP authentication is 30 characters. The maximum password length is 15 characters.
2.
The aaa command is not intended to mandate your security policy. The authentication and authorization servers determine whether a user can or cannot access the system, what services can be accessed, and what IP addresses the user can access. The PIX Firewall interacts with FTP, HTTP (Web access), and Telnet to display the credentials prompts for logging in to the network or logging in to exit the network. You can specify that only a single service be authenticated, but this must agree with the authentication server to ensure that both the firewall and server agree.
3.
Accounting information is only sent to the active server in a server group.
4.
The new include and exclude options are not backward compatible with previous PIX Firewall versions. If you downgrade to an earlier version, the aaa command statements will be removed from your configuration.
5.
The prompts users see requesting AAA credentials differ between the three services that can access the PIX Firewall for authentication: Telnet, FTP, and HTTP (Web):
a.
Telnet users see a prompt generated by the PIX Firewall that you can change with the auth-prompt command. The PIX Firewall permits a user up to four chances to log in and then if the username or password still fails, the PIX Firewall drops the connection.
b.
FTP users receive a prompt from the FTP program. If a user enters an incorrect password, the connection is dropped immediately. If the username or password in the authentication database differs from the username or password on the remote host you are accessing with FTP, enter the username and password in these formats:
authentication_user_name@remote_system_user_name
authentication_password@remote_system_password
If you daisy-chain PIX Firewall units, Telnet authentication works in the same way as on a single unit, but FTP and HTTP authentication have additional complexity for users because they have to enter each password and username with an additional at (@) character and password or username for each daisy-chained system. Users can exceed the 63-character password limit depending on how many units are daisy-chained and password length.
Some FTP graphical user interfaces (GUIs) do not display challenge values.
c.
HTTP users see a pop-up window generated by the browser itself. If a user enters an incorrect password, the user is reprompted. When the web server and the authentication server are on different hosts, use the virtual command to get the correct authentication behavior.
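The compound FTP credential format from item b and the length limits from usage note 20, modeled as an added example. This is illustration code, not part of the Cisco documentation or the PIX software: it builds the username and password a user must type to cross one or more daisy-chained units, rejects an at (@) character inside any component, enforces the 127-character username and 63-character password limits, and simulates each unit consuming its own component. That each unit keeps the part before the first @ and forwards the remainder is an assumption; the page gives the format but not the splitting order.

```python
"""Compound FTP credentials for the PIX cut-through proxy (added example, not Cisco code).

Format from usage note 5b: auth_user@remote_user and auth_pass@remote_pass;
length limits from usage note 20. Assumption: each firewall on the path keeps
the component before the first '@' and forwards the remainder.
"""

MAX_USERNAME = 127   # usage note 20
MAX_PASSWORD = 63    # usage note 20


def split_for_firewall(value):
    """One firewall's view: (component it authenticates with, what it forwards).

    Without an '@' the same credential serves both the firewall and the remote host.
    """
    head, sep, tail = value.partition("@")
    return (head, tail) if sep else (value, value)


def compose(firewalls, remote):
    """Build what the user must type to cross `firewalls` (in path order) and reach `remote`.

    firewalls: list of (username, password) per PIX unit; remote: (username, password).
    """
    names = [u for u, _ in firewalls] + [remote[0]]
    passwords = [p for _, p in firewalls] + [remote[1]]
    for part in names + passwords:
        if "@" in part:
            raise ValueError("'@' is reserved as the firewall/remote separator (usage note 20)")
    username, password = "@".join(names), "@".join(passwords)
    if len(username) > MAX_USERNAME:
        raise ValueError(f"username is {len(username)} characters; limit is {MAX_USERNAME}")
    if len(password) > MAX_PASSWORD:
        raise ValueError(f"password is {len(password)} characters; limit is {MAX_PASSWORD}")
    return username, password


def walk_chain(username, password, hop_count):
    """Simulate hop_count daisy-chained units; returns ([(user, pass) per unit], remote creds)."""
    per_unit = []
    for _ in range(hop_count):
        u, username = split_for_firewall(username)
        p, password = split_for_firewall(password)
        per_unit.append((u, p))
    return per_unit, (username, password)


if __name__ == "__main__":
    # Constructed credentials for two daisy-chained units and the remote FTP server.
    user, pw = compose([("alice", "fw1-secret"), ("alice", "fw2-secret")], ("ftpuser", "ftp-pass"))
    print(user, pw)
    print(walk_chain(user, pw, 2))
```

The length check matters more than it looks: the page notes that daisy-chaining can push the composed password past the 63-character limit, and a password the unit truncates will fail at the remote host with no indication of why.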
6.
Use of the aaa authorization command requires previous use of the aaa authentication command; however, use of the aaa authentication command does not require use of an aaa authorization command.
7.
If you want to allow connections to come from any host, code the local IP address and netmask as 0.0.0.0 0.0.0.0, or 0 0. The same convention applies to the foreign host IP address and netmask; 0.0.0.0 0.0.0.0 means any foreign host.
8.
Authenticated access to the PIX Firewall console has different types of prompts depending on the option you choose with the aaa authentication ... console command:
a.
enable option—Allows three tries before stopping with "Access denied." The enable option requests a username and password before accessing privileged mode for serial, Telnet, or SSH connections.
b.
serial option—Causes the user to be prompted continually until successfully logging in. The serial option requests a username and password before the first command line prompt on the serial console connection.
c.
telnet option—Causes the user to be prompted continually until successfully logging in. The telnet option forces you to specify a username and password before the first command line prompt of a Telnet console connection.
9.
You can specify an interface name with aaa authentication. In previous versions, if you specified aaa authentication include any outbound 0 0 server, PIX Firewall only authenticated outbound connections and not those to the perimeter interface. PIX Firewall now authenticates any outbound connection to the outside as well as to hosts on the perimeter interface. To preserve the behavior of previous versions, use these commands to enable authentication and to disable authentication from the inside to the perimeter interface:
aaa authentication include any outbound 0 0 server
aaa authentication exclude any outbound 0 0 perim_net perim_mask server
10.
When using HTTP authentication to a site running Microsoft IIS that has "Basic text authentication" or "NT Challenge" enabled, users may be denied access by the Microsoft IIS server. This occurs because the browser adds the header "Authorization: Basic Uuhjksdkfhk==" to its HTTP GET requests. This header carries the PIX Firewall authentication credentials.
Windows NT Microsoft IIS servers respond to the credentials and assume that a Windows NT user is trying to access privileged pages on the server. Unless the PIX Firewall username and password combination is exactly the same as a valid Windows NT username and password combination on the Microsoft IIS server, the HTTP GET request is denied.
To solve this problem, PIX Firewall provides the virtual http command, which redirects the browser's initial connection to another IP address, authenticates the user, then redirects the browser back to the URL which the user originally requested.
Once authenticated, a user never has to reauthenticate no matter how low the PIX Firewall uauth timeout is set. This is because the browser caches the "Authorization: Basic Uuhjksdkfhk==" header and sends it in every subsequent connection to that particular site. This can only be cleared when the user exits all instances of Netscape Navigator or Internet Explorer and restarts. Flushing the cache is of no use.
As long as the user keeps browsing the Internet, the browser resends the "Authorization: Basic Uuhjksdkfhk==" header to transparently reauthenticate the user.
11.
Multimedia applications such as CU-SeeMe, InternetPhone, MeetingPoint, and MS Netmeeting silently start the HTTP service before an H.323 session is established from the inside to the outside.
To avoid interfering with these applications, do not enter blanket outgoing AAA command statements for all challenged ports, such as using the any option. Be selective about which ports and addresses you use to challenge HTTP, and set user authentication timeouts to a higher value. If interfered with, the multimedia programs may fail on the PC and may even crash the PC after establishing outgoing sessions from the inside.
12.
For outbound connections, first use the nat command to determine which IP addresses can access the PIX Firewall. For inbound connections, first use the static and access-list command statements to determine which inside IP addresses can be accessed through the PIX Firewall from the outside network.
13.
When a host is configured for authentication, all users on the host have to use a web browser or Telnet first before performing any other networking activity, such as accessing mail or a news reader. The reason for this is that users must first establish their authentication credentials and programs such as mail agents and newsreaders do not have authentication challenge prompts.
14.
The PIX Firewall only accepts 7-bit characters during authentication. After authentication, the client and server can negotiate for 8 bits if required. During authentication, the PIX Firewall only negotiates Go-Ahead, Echo, and NVT (network virtual terminal).
15.
Up to 196 TACACS+ or RADIUS servers are permitted (up to 14 servers in each of the up to 14 server groups—set with the aaa-server command). When a user logs in, the servers are accessed one at a time starting with the first server you specify in the configuration, until a server responds.
16.
For each IP address, one aaa authentication command is permitted for inbound connections and one for outbound connections. Also, for an IP address, one aaa authorization command is permitted. If you want to authorize more than one service with aaa authorization, use the any parameter for the service type.
17.
The PIX Firewall permits only one authentication type per network. For example, if one network connects through the PIX Firewall using TACACS+ for authentication, another network connecting through the PIX Firewall can authenticate with RADIUS, but one network cannot authenticate with both TACACS+ and RADIUS.
18.
For the TACACS+ server, if you do not specify a key to the aaa-server command, no encryption occurs.
19.
Network browsers such as Netscape Navigator do not present a challenge value during authentication; therefore, only password authentication can be used from a network browser.
20.
PIX Firewall supports authentication usernames up to 127 characters and passwords of up to 63 characters. A password or username may not contain an at (@) character as part of the password or username string, except as shown in Note 5.
21.
The PIX Firewall displays the same timeout message for both RADIUS and TACACS+. The message "aaa server host machine not responding" displays when either of the following occurs:
a.
The AAA server system is down.
b.
The AAA server system is up, but the service is not running.
Previously, TACACS+ differentiated between the two preceding states and provided two different timeout messages, while RADIUS did not differentiate the two states and provided one timeout message.
22.
If the first attempt at authorization fails and a second attempt causes a timeout, use the service resetinbound command to reset the client that failed the authorization so that it will not retransmit any connections. An example authorization timeout message in Telnet follows.
Unable to connect to remote host: Connection timed out
Examples
The following example lists the new include and exclude options:
aaa authentication include any outbound 172.31.0.0 255.255.0.0 0.0.0.0 0.0.0.0 tacacs+
aaa authentication exclude telnet outbound 172.31.38.0 255.255.255.0 0.0.0.0 0.0.0.0 tacacs+
The following examples demonstrate ways to use the if_name parameter. The PIX Firewall has an inside network of 192.168.1.0, an outside network of 209.165.201.0 (subnet mask 255.255.255.224), and a perimeter network of 209.165.202.128 (subnet mask 255.255.255.224).
This example enables authentication for connections originated from the inside network to the outside network:
aaa authentication include any outbound 192.168.1.0 255.255.255.0 209.165.201.0 255.255.255.224 tacacs+
This example enables authentication for connections originated from the inside network to the perimeter network:
aaa authentication include any outbound 192.168.1.0 255.255.255.0 209.165.202.128 255.255.255.224 tacacs+
This example enables authentication for connections originated from the outside network to the inside network:
aaa authentication include any inbound 192.168.1.0 255.255.255.0 209.165.201.0 255.255.255.224 tacacs+
This example enables authentication for connections originated from the outside network to the perimeter network:
aaa authentication include any inbound 209.165.201.0 255.255.255.224 209.165.202.128 255.255.255.224 tacacs+
This example enables authentication for connections originated from the perimeter network to the outside network:
aaa authentication include any perimeter 209.165.202.128 255.255.255.224 209.165.201.0 255.255.255.224 tacacs+
This example specifies that IP addresses 10.0.0.1 through 10.0.0.254 can originate outbound connections and then enables user authentication so that those addresses must enter user credentials to exit the PIX Firewall. In this example, the first aaa authentication command requires authentication on FTP, HTTP, or Telnet depending on what the authentication server handles. The second aaa authentication command lets host 10.0.0.42 start outbound connections without being authenticated. This example uses the default authentication group tacacs+.
nat (inside) 1 10.0.0.0 255.255.255.0
aaa authentication include any outbound 0 0 tacacs+
aaa authentication exclude any outbound 10.0.0.42 255.255.255.255 0 0 tacacs+
This example permits inbound access to any IP address in the range of 209.165.201.1 through 209.165.201.30 indicated by the 209.165.201.0 network address (subnet mask 255.255.255.224). All services are permitted by the access-list command, and the aaa authentication command requires authentication on FTP, HTTP, or Telnet depending on what the authentication server handles. The authentication server is at IP address 10.16.1.20 on the inside interface.
aaa-server AuthIn protocol tacacs+
aaa-server AuthIn (inside) host 10.16.1.20 thisisakey timeout 20
static (inside,outside) 209.165.201.0 10.16.1.0 netmask 255.255.255.224
access-list acl_out permit tcp 10.16.1.0 255.255.255.0 209.165.201.0 255.255.255.224
access-group acl_out in interface outside
aaa authentication include any inbound 0 0 AuthIn
This example enables authorization for DNS lookups from the outside interface:
aaa authorization include udp/53 inbound 0.0.0.0 0.0.0.0
This example enables authorization of ICMP packets of any type (port 0) arriving at the inside interface from inside hosts:
aaa authorization include 1/0 outbound 0.0.0.0 0.0.0.0
This means that users will not be able to ping external hosts if they have not been authenticated using Telnet, HTTP, or FTP.
This example enables authorization for ICMP echoes (pings) only that arrive at the inside interface from an inside host:
aaa authorization include 1/8 outbound 0.0.0.0 0.0.0.0
Related Commands
•
ssh
•
virtual
aaa authentication
The aaa authentication command has been modified to support PDM authentication. The PIX Firewall requires authentication verification of the HTTP server through the aaa authentication http console command before PDM can access the PIX Firewall. (Configuration mode.)
[no] aaa authentication [serial | enable | telnet | ssh | http] console group_tag
Syntax Description
Defaults
If an aaa authentication http console group_tag command statement is not defined, you can gain access to the PIX Firewall (via PDM) with no username and the PIX Firewall enable password (set with the enable password command). If the aaa command is defined but the HTTP authentication request times out, which implies the AAA servers may be down or not available, you can gain access to the PIX Firewall using the username pix and the enable password. By default, the enable password is not set.
Usage Guidelines
Use of the aaa authentication command requires that you previously used the aaa-server command to designate an authentication server.
The web browser prompts for the username and password with a pop-up window.
Examples
The following example shows use of the aaa authentication command:
pixfirewall(config)# aaa authentication telnet console radius
Related Commands
•
http
aaa proxy-limit
Specifies the number of concurrent proxy connections allowed per user. (Configuration mode.)
Configure with the command:
aaa proxy-limit proxy_limit | disable
Remove with the command:
no aaa proxy-limit
Show command options:
show aaa proxy-limit
Show command output:
Displays the number of outstanding authentication requests allowed, or indicates that the proxy limit is disabled if disabled.
Syntax Description
Usage Guidelines
The aaa proxy-limit command enables you to manually configure the uauth session limit by setting the maximum number of concurrent proxy connections allowed per user. By default, this value is set to 3. If a source address is a proxy server, consider excluding this IP address from authentication or increasing the number of allowable outstanding AAA requests.
Examples
The following example shows how to set and display the maximum number of outstanding authentication requests allowed:
pixdoc515(config)# aaa proxy-limit 6
pixdoc515(config)# show aaa proxy-limit
aaa proxy-limit 6
aaa-server
Specify an AAA server. (Configuration mode.)
aaa-server group_tag (if_name) host server_ip key timeout seconds
no aaa-server group_tag (if_name) host server_ip key timeout seconds
aaa-server group_tag protocol auth_protocol
aaa-server radius-acctport port
aaa-server radius-authport port
clear aaa-server [group_tag]
show aaa-server
Syntax Description
aaa-server
Specifies an AAA server or up to 14 groups of servers with a maximum of 14 servers each. Certain types of AAA services can be directed to different servers. Services can also be set up to fail over to multiple servers.
group_tag
An alphanumeric string which is the name of the server group. Use the group_tag in the aaa command to associate aaa authentication and aaa accounting command statements to an AAA server. Up to 14 server groups are permitted.
if_name
The interface name on which the server resides.
host server_ip
The IP address of the TACACS+ or RADIUS server.
key
A case-sensitive, alphanumeric keyword of up to 127 characters that is the same value as the key on the TACACS+ or RADIUS server. Any characters entered past 127 are ignored. The key is used between the client and server for encrypting data between them and must be the same on both the client and server systems. Spaces are not permitted in the key, but other special characters are.
timeout seconds
The timeout interval for the request. This is the time after which the PIX Firewall gives up on the request to the primary AAA server. If there is a standby AAA server, the PIX Firewall will send the request to the backup server. The retransmit timeout is currently set to 10 seconds and is not user configurable.
protocol auth_protocol
The type of AAA server, either tacacs+ or radius.
aaa-server radius-acctport
Sets the port number of the RADIUS server which the PIX Firewall unit will use for accounting functions. The default port number used for RADIUS accounting is 1646.
aaa-server radius-authport
Sets the port number of the RADIUS server which the PIX Firewall will use for authentication functions. The default port number used for RADIUS authentication is 1645.
port
Specifies the destination TCP/UDP port number of the remote RADIUS server host to which you wish to assign authentication or accounting functions for the PIX Firewall.
These port pairs are listed as assigned to authentication and accounting services on RADIUS servers:
• 1645 (authentication), 1646 (accounting) - default for PIX Firewall
• 1812 (authentication), 1813 (accounting) - alternate
You can view these and other commonly used port number assignments online at the following website:
http://www.iana.org/assignments/port-numbers
See "Ports" in "Using PIX Firewall Commands" for additional information.
no aaa-server
Unbinds an AAA server from an interface or host.
show aaa-server
Displays configuration information of an AAA server in the configuration.
clear aaa-server
Removes an AAA server from the configuration.
Defaults
By default, the PIX Firewall listens for RADIUS on ports 1645 for authentication and 1646 for accounting.
Usage Guidelines
The aaa-server command allows you to specify an AAA server group. PIX Firewall lets you define separate groups of TACACS+ or RADIUS servers for different types of traffic; for example, a TACACS+ server for inbound traffic and another for outbound traffic. Another use is where all outbound HTTP traffic is authenticated by a TACACS+ server and all inbound traffic uses RADIUS.
AAA server groups are defined by a tag name that directs different types of traffic to each authentication server. If the first authentication server in the list fails, the AAA subsystem fails over to the next server in the tag group. You can have up to 14 tag groups and each group can have up to 14 AAA servers for a total of up to 196 AAA servers.
If your RADIUS server uses ports 1812 for authentication and 1813 for accounting, you are required to reconfigure the PIX Firewall to use ports 1812 and 1813.
Note
This is a global setting that takes effect when RADIUS service is started. The default ports are 1645 for authentication and 1646 for accounting as defined in RFC 2058. Newer RADIUS servers may use the port numbers 1812 and 1813 as defined in RFC 2138 and 2139. If your server uses ports other than 1645 and 1646, then you should define ports using the aaa-server radius-authport and aaa-server radius-acctport commands prior to starting the RADIUS service with the aaa-server command.
The aaa command references the tag group.
Note
The previous server type option at the end of the aaa authentication and aaa accounting commands has been replaced with the aaa-server group tag. Backward compatibility with previous versions is maintained by the inclusion of two default protocols for TACACS+ and RADIUS.
If accounting is in effect, the accounting information goes only to the active server.
The default configuration provides these two aaa-server protocols:
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
Note
Changing authorization and accounting port settings is possible. By default, PIX Firewall listens for RADIUS on ports 1645 and 1646. If your RADIUS server uses ports 1812 and 1813, you may also reconfigure it to use ports 1812 and 1813 with the aaa-server radius-authport and aaa-server radius-acctport commands.
If you are upgrading from a previous version of PIX Firewall and have aaa command statements in your configuration, using the default server groups allows you to maintain backward compatibility with the aaa command statements in your configuration.
Examples
1. This example uses the default protocol TACACS+ with the aaa commands:
aaa-server TACACS+ (inside) host 10.1.1.10 thekey timeout 20
aaa authentication include any outbound 0 0 0 0 TACACS+
aaa authorization include any outbound 0 0 0 0
aaa accounting include any outbound 0 0 0 0 TACACS+
aaa authentication serial console TACACS+
This example specifies that the authentication server with the IP address 10.1.1.10 resides on the inside interface and is in the default TACACS+ server group. The next three command statements specify that any users starting outbound connections to any foreign host will be authenticated using TACACS+, that the users who are successfully authenticated are authorized to use any service, and that all outbound connection information will be logged in the accounting database. The last command statement specifies that access to the PIX Firewall unit's serial console requires authentication from the TACACS+ server.
2. This example creates the AuthOut and AuthIn server groups for RADIUS authentication and specifies that servers 10.0.1.40, 10.0.1.41, and 10.1.1.2 on the inside interface provide authentication. The servers in the AuthIn group authenticate inbound connections, and the AuthOut group authenticates outbound connections.
aaa-server AuthIn protocol radius
aaa-server AuthIn (inside) host 10.0.1.40 ab timeout 20
aaa-server AuthIn (inside) host 10.0.1.41 abc timeout 4
aaa-server AuthOut protocol radius
aaa-server AuthOut (inside) host 10.1.1.2 abc123 timeout 15
aaa authentication include any inbound 0 0 0 0 AuthIn
aaa authentication include any outbound 0 0 0 0 AuthOut
3. This example lists the commands that can be used to establish an Xauth crypto map:
ip address inside 10.0.0.1 255.255.255.0
ip address outside 168.20.1.5 255.255.255.0
ip local pool dealer 10.1.2.1-10.1.2.254
nat (inside) 0 access-list 80
aaa-server TACACS+ host 10.0.0.2 secret123
crypto ipsec transform-set pc esp-des esp-md5-hmac
crypto dynamic-map cisco 4 set transform-set pc
crypto map partner-map 20 ipsec-isakmp dynamic cisco
crypto map partner-map client configuration address initiate
crypto map partner-map client authentication TACACS+
crypto map partner-map interface outside
isakmp key cisco1234 address 0.0.0.0 netmask 0.0.0.0
isakmp client configuration address-pool local dealer outside
isakmp policy 8 authentication pre-share
isakmp policy 8 encryption des
isakmp policy 8 hash md5
isakmp policy 8 group 1
isakmp policy 8 lifetime 86400
The aaa-server command is used with the crypto map command to establish an authentication association so that VPN clients are authenticated when they access the PIX Firewall.
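The constraints the reference states for aaa-server (a group tag referenced by aaa authentication or aaa accounting must name a group with a protocol and at least one host, at most 14 groups of 14 servers, a key of at most 127 characters with no spaces, and RADIUS ports that form the 1645/1646 or 1812/1813 pair) are easy to get wrong when editing a configuration by hand. The following is an added example, not Cisco code, that reads PIX-style configuration text in the syntax documented above and reports those mistakes before the configuration is loaded. The sample configuration and its addresses are constructed; the default TACACS+ and RADIUS protocol entries are pre-seeded as the reference describes.

```python
"""Lint PIX-style aaa-server and aaa statements (added example, not Cisco code)."""
import re
from collections import defaultdict

MAX_GROUPS = 14                 # "Up to 14 server groups are permitted"
MAX_SERVERS_PER_GROUP = 14      # 14 servers per group, 196 in total
MAX_KEY_LEN = 127               # characters past 127 are ignored by the PIX
VALID_PROTOCOLS = {"tacacs+", "radius"}
RADIUS_PORT_PAIRS = {(1645, 1646), (1812, 1813)}   # authport, acctport

PROTO_RE = re.compile(r"^aaa-server\s+(\S+)\s+protocol\s+(\S+)$")
HOST_RE = re.compile(
    r"^aaa-server\s+(\S+)\s+\((\S+)\)\s+host\s+(\S+)\s+(.*?)\s+timeout\s+(\d+)$"
)
PORT_RE = re.compile(r"^aaa-server\s+radius-(authport|acctport)\s+(\d+)$")
# Only aaa authentication and aaa accounting carry a trailing group_tag.
AAA_REF_RE = re.compile(r"^aaa\s+(authentication|accounting)\s+.*\s(\S+)$")


def lint_aaa_config(config_text):
    """Return a list of problem strings (empty when the configuration is consistent)."""
    groups = defaultdict(list)          # group_tag -> [(if_name, ip, key, timeout)]
    protocols = {"TACACS+": "tacacs+", "RADIUS": "radius"}   # default groups
    radius_ports = {}
    referenced = []
    problems = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = PROTO_RE.match(line)
        if m:
            tag, proto = m.groups()
            if proto not in VALID_PROTOCOLS:
                problems.append(f"{tag}: unknown protocol {proto!r}")
            protocols[tag] = proto
            continue
        m = HOST_RE.match(line)
        if m:
            tag, if_name, ip, key, timeout = m.groups()
            if " " in key:
                problems.append(f"{tag}: key contains a space ({key!r})")
            if len(key) > MAX_KEY_LEN:
                problems.append(f"{tag}: key longer than {MAX_KEY_LEN} characters; the rest is ignored")
            groups[tag].append((if_name, ip, key, int(timeout)))
            continue
        m = PORT_RE.match(line)
        if m:
            radius_ports[m.group(1)] = int(m.group(2))
            continue
        if line.startswith("aaa-server"):
            problems.append(f"unrecognized aaa-server statement: {line!r}")
            continue
        m = AAA_REF_RE.match(line)
        if m:
            referenced.append((line, m.group(2)))
    if len(groups) > MAX_GROUPS:
        problems.append(f"{len(groups)} server groups defined; the limit is {MAX_GROUPS}")
    for tag, servers in groups.items():
        if len(servers) > MAX_SERVERS_PER_GROUP:
            problems.append(f"{tag}: {len(servers)} servers; the limit is {MAX_SERVERS_PER_GROUP}")
        if tag not in protocols:
            problems.append(f"{tag}: hosts defined but no 'aaa-server {tag} protocol ...' statement")
    for line, tag in referenced:
        if tag not in groups:
            problems.append(f"{tag}: referenced by '{line}' but has no host")
    auth = radius_ports.get("authport", 1645)   # PIX defaults
    acct = radius_ports.get("acctport", 1646)
    if (auth, acct) not in RADIUS_PORT_PAIRS:
        problems.append(f"radius ports {auth}/{acct} are not a standard authentication/accounting pair")
    return problems


# Constructed sample: one key with a space, one group without a protocol,
# one dangling accounting reference, and only the RADIUS auth port changed.
SAMPLE_CONFIG = """\
aaa-server AuthIn protocol radius
aaa-server AuthIn (inside) host 10.0.1.40 ab timeout 20
aaa-server AuthIn (inside) host 10.0.1.41 abc timeout 4
aaa-server AuthOut (inside) host 10.1.1.2 abc 123 timeout 15
aaa-server radius-authport 1812
aaa authentication include any inbound 0 0 0 0 AuthIn
aaa authentication include any outbound 0 0 0 0 AuthOut
aaa accounting include any outbound 0 0 0 0 Acct
"""

if __name__ == "__main__":
    for problem in lint_aaa_config(SAMPLE_CONFIG):
        print(problem)
```

Run it against a saved configuration before pasting the statements into the PIX; the port check in particular catches the case the Note above warns about, where only one of the two RADIUS ports was moved to the 1812/1813 pair.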
Related Commands
access-group
Binds the access list to an interface. (Configuration mode.)
access-group acl_ID in interface interface_name
clear access-group [acl_ID]
no access-group acl_ID in interface interface_name
show access-group [acl_ID]
Syntax Description
acl_ID
The name associated with a given access list.
in interface
Filter on inbound packets at the given interface.
interface_name
The name of the network interface.
Usage Guidelines
The access-group command binds an access list to an interface. The access list is applied to traffic inbound to an interface. If you enter the permit option in an access-list command statement, the PIX Firewall continues to process the packet. If you enter the deny option in an access-list command statement, PIX Firewall discards the packet and generates the following syslog message.
%PIX-4-106019: IP packet from source_addr to destination_addr, protocol protocol received from interface interface_name deny by access-group acl_ID
Always use the access-list command with the access-group command.
Note
The use of the access-group command overrides the conduit and outbound command statements for the specified interface_name.
The no access-group command unbinds the acl_ID from the interface interface_name.
The show access-group command displays the current access list bound to the interfaces.
The clear access-group command removes all entries from an access list indexed by acl_ID. If acl_ID is not specified, all access-list command statements are removed from the configuration.
Examples
The following example shows use of the access-group command:
static (inside,outside) 209.165.201.3 10.1.1.3
access-list acl_out permit tcp any host 209.165.201.3 eq 80
access-group acl_out in interface outside
The static command statement provides a global address of 209.165.201.3 for the web server at 10.1.1.3. The access-list command statement lets any host access the global address using port 80. The access-group command specifies that the access-list command statement applies to traffic entering the outside interface.
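The %PIX-4-106019 message quoted in the usage guidelines is the record of every packet an access-group drops, so it is the natural feed for spotting a host that is repeatedly probing an interface. The following is an added example, not Cisco code, that parses that message out of syslog lines (a timestamp and host prefix in front of the %PIX tag is tolerated), counts denies per source and per access list, and flags sources at or above a threshold. The log lines are constructed for the example, and showing the protocol field as a number is an assumption.

```python
"""Parse and summarize %PIX-4-106019 access-group denies (added example, not Cisco code)."""
import re
from collections import Counter, defaultdict

# Field layout exactly as documented for the message; search() tolerates a syslog prefix.
DENY_RE = re.compile(
    r"%PIX-4-106019: IP packet from (?P<src>\S+) to (?P<dst>\S+), "
    r"protocol (?P<proto>\S+) received from interface (?P<iface>\S+) "
    r"deny by access-group (?P<acl>\S+)"
)


def parse_deny(line):
    """Return the message fields as a dict, or None for any other syslog line."""
    m = DENY_RE.search(line)
    return m.groupdict() if m else None


def summarize_denies(lines, threshold=3):
    """Count denies per source and per ACL; flag sources with >= threshold denies."""
    per_source, per_acl = Counter(), Counter()
    targets = defaultdict(set)          # source -> distinct destinations it was denied to
    parsed = 0
    for line in lines:
        ev = parse_deny(line)
        if ev is None:
            continue
        parsed += 1
        per_source[ev["src"]] += 1
        per_acl[ev["acl"]] += 1
        targets[ev["src"]].add(ev["dst"])
    return {
        "parsed": parsed,
        "per_source": dict(per_source),
        "per_acl": dict(per_acl),
        "distinct_targets": {s: len(d) for s, d in targets.items()},
        "flagged": sorted(s for s, n in per_source.items() if n >= threshold),
    }


# Constructed sample log: one source sweeping four global addresses, one
# single deny on a DMZ interface, and one unrelated line that must be ignored.
SAMPLE_LOG = """\
Mar 12 10:01:02 pix1 %PIX-4-106019: IP packet from 192.0.2.10 to 209.165.201.3, protocol 6 received from interface outside deny by access-group acl_out
Mar 12 10:01:03 pix1 %PIX-4-106019: IP packet from 192.0.2.10 to 209.165.201.4, protocol 6 received from interface outside deny by access-group acl_out
Mar 12 10:01:03 pix1 %PIX-4-106019: IP packet from 192.0.2.10 to 209.165.201.5, protocol 17 received from interface outside deny by access-group acl_out
Mar 12 10:01:04 pix1 %PIX-4-106019: IP packet from 192.0.2.10 to 209.165.201.6, protocol 1 received from interface outside deny by access-group acl_out
Mar 12 10:01:09 pix1 %PIX-4-106019: IP packet from 10.1.1.20 to 192.168.1.2, protocol 17 received from interface dmz1 deny by access-group acl_dmz1
Mar 12 10:01:10 pix1 unrelated syslog line (constructed placeholder, not a 106019 deny)
"""

if __name__ == "__main__":
    summary = summarize_denies(SAMPLE_LOG.splitlines())
    print(summary["flagged"], summary["per_acl"])
```

The per-ACL counts also double as a sanity check on a newly bound list: a sudden jump in denies on one acl_ID after a change usually means a permit statement was placed after the deny that shadows it.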
access-list
Create an access list. (Configuration mode.)
access-list acl_ID [deny | permit] protocol {source_addr | local_addr} {source_mask | local_mask} operator port {destination_addr | remote_addr} {destination_mask | remote_mask} operator port
access-list acl_ID [deny | permit] icmp {source_addr | local_addr} {source_mask | local_mask} operator port {destination_addr | remote_addr} {destination_mask | remote_mask} operator port icmp_type
no access-list acl_ID [[deny | permit] protocol {source_addr | local_addr} {source_mask | local_mask} operator port {destination_addr | remote_addr} {destination_mask | remote_mask} operator port]
clear access-list [acl_ID [deny | permit] icmp {source_addr | local_addr} {source_mask | local_mask} operator port {destination_addr | remote_addr} {destination_mask | remote_mask} operator port icmp_type]
show access-list
Syntax Description
acl_ID
Name of an access list. You can use either a name or number.
deny
When used with the access-group command, the deny option does not allow a packet to traverse the PIX Firewall. By default, PIX Firewall denies all inbound or outbound packets unless you specifically permit access.
When used with a crypto map command statement, deny does not select a packet for IPSec protection. The deny option prevents traffic from being protected by IPSec in the context of that particular crypto map entry. In other words, it does not allow the policy as specified in the crypto map command statements to be applied to this traffic.
permit
When used with the access-group command, the permit option selects a packet to traverse the PIX Firewall. By default, PIX Firewall denies all inbound or outbound packets unless you specifically permit access.
When used with a crypto map command statement, permit selects a packet for IPSec protection. The permit option causes all IP traffic that matches the specified conditions to be protected by IPSec using the policy described by the corresponding crypto map command statements.
protocol
Name or number of an IP protocol. It can be one of the keywords icmp, ip, tcp, or udp, or an integer in the range 1 to 254 representing an IP protocol number. To match any Internet protocol, including ICMP, TCP, and UDP, use the keyword ip.
source_addr
Address of the network or host from which the packet is being sent. Use this field when an access-list command statement is used in conjunction with an access-group command statement, or with the aaa match access-list command and the aaa authorization command.
source_mask
Netmask bits (mask) to be applied to source_addr, if the source address is for a network mask.
local_addr
Address of the network or host local to the PIX Firewall. Specify a local_addr when the access-list command statement is used in conjunction with a crypto access-list command statement, a nat 0 access-list command statement, or a vpngroup split-tunnel command statement. The local_addr is the address after NAT has been performed.
local_mask
Netmask bits (mask) to be applied to local_addr, if the local address is a network mask.
destination_addr
IP address of the network or host to which the packet is being sent. Specify a destination_addr when the access-list command statement is used in conjunction with an access-group command statement, or with the aaa match access-list command and the aaa authorization command. For inbound and outbound connections, destination_addr is the address before NAT has been performed.
destination_mask
Netmask bits (mask) to be applied to destination_addr, if the destination address is a network mask.
remote_addr
IP address of the network or host remote to the PIX Firewall. Specify a remote_addr when the access-list command statement is used in conjunction with a crypto access-list command statement, a nat 0 access-list command statement, or a vpngroup split-tunnel command statement.
remote_mask
Netmask bits (mask) to be applied to remote_addr, if the remote address is a network mask.
operator
A comparison operand that allows you to specify a port or a port range. Use without an operator and port to indicate all ports; for example:
access-list acl_out permit tcp any host 209.165.201.1
Use eq and a port to permit or deny access to just that port. For example, use eq ftp to permit or deny access only to FTP.
access-list acl_out deny tcp any host 209.165.201.1 eq ftp
Use lt and a port to permit or deny access to all ports less than the port you specify. For example, use lt 2025 to permit or deny access to the well known ports (1 to 1024).
access-list acl_dmz1 permit tcp any host 192.168.1.1 lt 1025
Use gt and a port to permit or deny access to all ports greater than the port you specify. For example, use gt 42 to permit or deny ports 43 to 65535.
access-list acl_dmz1 deny udp any host 192.168.1.2 gt 42
Use neq and a port to permit or deny access to every port except the ports that you specify. For example, use neq 10 to permit or deny ports 1-9 and 11 to 65535.
access-list acl_dmz1 deny tcp any host 192.168.1.3 neq 10
Use range and a port range to permit or deny access to only those ports named in the range. For example, use range 10 1024 to permit or deny access only to ports 10 through 1024. All other ports are unaffected. The use of port ranges can dramatically increase the number of IPSec tunnels. For example, if a port range of 5000 to 65535 is specified for a highly dynamic protocol, up to 60,535 tunnels can be created.
port
Services you permit or deny access to. Specify services by the port that handles it, such as smtp for port 25, www for port 80, and so on. You can specify ports by either a literal name or a number in the range of 0 to 65535.
You can view valid port numbers online at the following website:
http://www.isi.edu/in-notes/iana/assignments/port-numbers
See "Ports" in "Using PIX Firewall Commands" for a list of valid port literal names in port ranges; for example, ftp h323. You can also specify numbers.
icmp_type
[Non-IPSec use only]—Permit or deny access to ICMP message types. Refer to Table 3-1 for a list of message types. Omit this option to mean all ICMP types.
ICMP message types are not supported for use with IPSec; that is when the access-list command is used in conjunction with the crypto map command, the icmp_type is ignored.
Usage Guidelines
The access-list command lets you specify if an IP address is permitted or denied access to a port or protocol. In this document, one or more access-list command statements with the same access list name are referred to as an "access list." Access lists associated with IPSec are known as "crypto access lists." By default, all access in an access list is denied. You must explicitly permit it.
Use the following guidelines for specifying a source, local, or destination address:
• Use a 32-bit quantity in four-part, dotted-decimal format.
• Use the keyword any as an abbreviation for an address and mask of 0.0.0.0 0.0.0.0. This keyword is normally not recommended for use with IPSec.
• Use host address as an abbreviation for a mask of 255.255.255.255.
Use the following guidelines for specifying a network mask:
• Do not specify a mask if the address is for a host; if the destination address is for a host, use the host parameter before the address; for example:
access-list acl_grp permit tcp any host 192.168.1.1
• If the address is a network address, specify the mask as a 32-bit quantity in four-part, dotted-decimal format. Place zeros in the bit positions you want to ignore.
• Remember that you specify a network mask differently than with the Cisco IOS software access-list command. With PIX Firewall, use 255.0.0.0 for a Class A address, 255.255.0.0 for a Class B address, and 255.255.255.0 for a Class C address. If you are using a subnetted network address, use the appropriate network mask; for example:
access-list acl_grp permit tcp any 209.165.201.0 255.255.255.224
If appropriate, after you have defined an access list, bind it to an interface using the access-group command. For IPSec use, bind it with a crypto ipsec command statement. In addition, you can bind an access list with the RADIUS authorization feature (described in the next section).
The show access-list command lists the access-list command statements in the configuration. The show access-list command also lists a hit count that indicates the number of times an element has been matched during an access-list command search. The clear access-list command removes all access-list command statements from the configuration.
The no access-list command removes an access-list command from the configuration. If you remove all the access-list command statements in an access list group, the no access-list command also removes the corresponding access-group command from the configuration.
Note
The aaa, crypto map, and icmp commands make use of the access-list command statements.
RADIUS Authorization Feature
PIX Firewall allows a RADIUS server to send user group attributes to the PIX Firewall in the RADIUS authentication response message.
The administrator first defines access lists on the PIX Firewall for each user group. For example, there could be access lists for each department in an organization, sales, marketing, engineering, and so on. The administrator then defines each access list in the group profile in CiscoSecure.
After the PIX Firewall authenticates a user, it can then use the CiscoSecure acl attribute returned by the authentication server to identify an access list for a given user group. To maintain consistency, PIX Firewall also provides the same functionality for TACACS+.
To restrict users in a department to three servers and deny everything else, the access-list command statements are as follows:
access-list eng permit ip any server1 255.255.255.255
access-list eng permit ip any server2 255.255.255.255
access-list eng permit ip any server3 255.255.255.255
access-list eng deny ip any any
In this example, the vendor specific attribute string in the CiscoSecure configuration has been set to acl=eng. Use this field in the CiscoSecure configuration to identify the access-list identification name. The PIX Firewall gets the acl=acl_ID from CiscoSecure and extracts the ACL number from the attribute string, which it puts in a user's uauth entry. When a user tries to open a connection, PIX Firewall checks the access list in the user's uauth entry, and depending on the permit or deny status of the access list match, permits or denies the connection. When a connection is denied, PIX Firewall generates a corresponding syslog message. If there is no match, then the implicit rule is to deny.
Because the source IP of a given user can vary depending on where they are logging in from, set the source address in the access-list command statement to any, and the destination address to identify which network services the user is permitted or denied access to. If you want to specify that only users logging in from a given subnet may use the specified services, specify the subnet instead of using any.
Note
An access list used for RADIUS authorization does not require an access-group command to bind the statements to an interface.
There is not a radius option to the aaa authorization command.
Follow these steps to enable RADIUS authorization:
Step 1
Enable RADIUS authentication with the aaa authentication command.
Step 2
Create the access-list command statements to specify what services hosts are authorized to use with RADIUS.
Step 3
Configure the authentication server with the vendor-specific acl=acl_ID identifier to specify the access-list ID.
When the PIX Firewall sends a request to the authentication server, it returns the acl=acl_ID string, which tells PIX Firewall to use the access-list command statements to determine how RADIUS users are authorized.
Usage Notes
1. The clear access-list command automatically unbinds an access list from a crypto map command or interface. The unbinding of an access list from a crypto map command can lead to a condition that discards all packets because the crypto map command statements referencing the access list are incomplete. To correct the condition, either define other access-list command statements to complete the crypto map command statements or remove the crypto map command statements that pertain to the access-list command statement. Refer to the crypto map command for more information.
2. The access-list command operates on a first match basis.
3. If you specify an access-list command statement and bind it to an interface with the access-group command statement, by default, all traffic inbound to that interface is denied. You must explicitly permit traffic. Note that "inbound" in this context means traffic passing through the interface, rather than the more typical PIX Firewall usage of inbound meaning traffic passing from a lower security level interface to a higher security level interface.
4. Always permit access first and then deny access afterward. If the host entries match, then use a permit statement, otherwise use the default deny statement. You only need to specify additional deny statements if you need to deny specific hosts and permit everyone else.
5. You can view security levels for interfaces with the show nameif command.
6. The ICMP message type (icmp_type) option is ignored in IPSec applications because the message type cannot be negotiated with ISAKMP.
7. Only one access list can be bound to an interface using the access-group command.
8. If you specify the permit option in the access list, the PIX Firewall continues to process the packet. If you specify the deny option in the access list, PIX Firewall discards the packet and generates the following syslog message.
%PIX-4-106019: IP packet from source_addr to destination_addr, protocol protocol received from interface interface_name deny by a
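Three parts of this command description are best understood by running them: the port operators (eq, lt, gt, neq, range) and the any/host/mask address forms, the first-match evaluation with an implicit deny at the end (usage notes 2 and 4), and the RADIUS authorization feature in which the acl=acl_ID attribute returned by the AAA server selects the list stored in the user's uauth entry. The following is an added example, not Cisco code, that parses access-list statements in the documented syntax and evaluates constructed connections against them. It covers both the access-group case and the per-user uauth lookup; the sample configuration, addresses, user names and attribute strings are constructed, and treating a missing or unknown acl_ID as deny is this example's conservative choice rather than documented PIX behaviour.

```python
"""PIX-style access-list evaluation and the RADIUS acl= lookup (added example, not Cisco code)."""
import ipaddress
from collections import namedtuple

PORT_NAMES = {"ftp": 21, "smtp": 25, "www": 80}    # literal names mentioned in the reference
PROTO_NUMBERS = {"icmp": 1, "tcp": 6, "udp": 17}

Rule = namedtuple("Rule", "acl action proto src sport dst dport text")


def _port(tok):
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]


def _addr(tokens, i):
    """Consume 'any', 'host A', or 'A MASK'; return ((net, mask), next_index)."""
    if tokens[i] == "any":
        return ("0.0.0.0", "0.0.0.0"), i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "255.255.255.255"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2


def _portspec(tokens, i):
    """Consume an optional 'operator port [port]'; None means all ports."""
    if i < len(tokens) and tokens[i] in ("eq", "lt", "gt", "neq"):
        return (tokens[i], _port(tokens[i + 1])), i + 2
    if i < len(tokens) and tokens[i] == "range":
        return ("range", _port(tokens[i + 1]), _port(tokens[i + 2])), i + 3
    return None, i


def parse_access_list(line):
    t = line.split()
    if t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"not an access-list statement: {line}")
    proto = "ip" if t[3] == "ip" else int(PROTO_NUMBERS.get(t[3], t[3]))
    src, i = _addr(t, 4)
    sport, i = _portspec(t, i)
    dst, i = _addr(t, i)
    dport, i = _portspec(t, i)
    return Rule(t[1], t[2], proto, src, sport, dst, dport, line)


def _in_net(addr, net_mask):
    """PIX masks: ones where the bit must match, zeros where it is ignored."""
    net, mask = (int(ipaddress.IPv4Address(x)) for x in net_mask)
    return int(ipaddress.IPv4Address(addr)) & mask == net & mask


def _port_ok(spec, port):
    if spec is None:
        return True
    if spec[0] == "range":
        return spec[1] <= port <= spec[2]
    return {"eq": port == spec[1], "lt": port < spec[1],
            "gt": port > spec[1], "neq": port != spec[1]}[spec[0]]


def rule_matches(rule, pkt):
    """pkt: dict with proto (number), src, dst, and sport/dport for tcp/udp."""
    if rule.proto != "ip" and rule.proto != pkt["proto"]:
        return False
    return (_in_net(pkt["src"], rule.src) and _in_net(pkt["dst"], rule.dst)
            and _port_ok(rule.sport, pkt.get("sport", 0))
            and _port_ok(rule.dport, pkt.get("dport", 0)))


def evaluate(rules, pkt):
    """First match wins; no match falls through to the implicit deny."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action, rule.text
    return "deny", "implicit deny"


def acl_from_attribute(attr):
    """Extract acl_ID from the vendor-specific 'acl=acl_ID' string, else None."""
    return attr[len("acl="):] if attr.startswith("acl=") else None


def authorize(uauth, acls, pkt):
    """Check a connection against the list recorded in the user's uauth entry."""
    rules = acls.get(uauth.get("acl"))
    if rules is None:            # example's choice: no usable list means deny
        return "deny", "no access list in uauth entry"
    return evaluate(rules, pkt)


def load_acls(config_text):
    acls = {}
    for line in config_text.splitlines():
        if line.startswith("access-list "):
            rule = parse_access_list(line)
            acls.setdefault(rule.acl, []).append(rule)
    return acls


# Constructed sample. The last acl_dmz1 permit is shadowed for host .2 by the
# gt 42 deny before it: first match, as usage note 2 says.
SAMPLE_CONFIG = """\
access-list eng permit ip any host 10.1.1.10
access-list eng permit tcp any host 10.1.1.11 eq www
access-list eng deny ip any any
access-list acl_dmz1 permit tcp any host 192.168.1.1 lt 1025
access-list acl_dmz1 deny udp any host 192.168.1.2 gt 42
access-list acl_dmz1 permit udp any 192.168.1.0 255.255.255.0 range 10 1024
"""

if __name__ == "__main__":
    acls = load_acls(SAMPLE_CONFIG)
    alice = {"user": "alice", "acl": acl_from_attribute("acl=eng")}
    print(authorize(alice, acls, {"proto": 6, "src": "172.16.5.9", "dst": "10.1.1.11",
                                  "sport": 40000, "dport": 443}))
```

The evaluate() function returns the statement that decided the packet, which is what you want to log next to a deny when tracing why a user's connection was refused; a result of "implicit deny" means no statement matched at all, the case the RADIUS authorization text describes.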

