This chapter provides detailed descriptions on most of the PIX Firewall commands.
Note The IPSec-related commands are described in the "Command Reference" chapter of the IPSec User Guide for the Cisco Secure PIX Firewall Version 5.2. |
Before reading the PIX Firewall "Command Reference" chapter, read the following:
The following notes can help you as you configure the PIX Firewall:
Enable, disable, or view TACACS+ or RADIUS user authentication, authorization, and accounting for the server previously designated with the aaa-server command. (Configuration mode.)
aaa accounting include | exclude acctg_service inbound | outbound | if_name local_ip local_mask foreign_ip foreign_mask group_tag
Syntax Description
accounting | Enable or disable accounting services with authentication server. Use of this command requires that you previously used the aaa-server command to designate an authentication server. |
include | Create a new rule with the specified service to include. |
exclude | Create an exception to a previously stated rule by excluding the specified service from authentication, authorization, or accounting to the specified host. The exclude parameter improves the former except option by allowing the user to specify a port to exclude to a specific host or hosts. |
acctg_service | The accounting service. Accounting is provided for all services or you can limit it to one or more services. Possible values are any, ftp, http, telnet, or protocol/port. Use any to provide accounting for all TCP services. To provide accounting for UDP services, use the protocol/port form. For protocol/port, the TCP protocol appears as 6, the UDP protocol appears as 17, and so on, and port is the TCP or UDP destination port. A port value of 0 (zero) means all ports. For protocols other than TCP and UDP, the port is not applicable and should not be used. |
match acl_name | Specify an access-list command statement name. |
authentication | Enable or disable user authentication, prompt user for username and password, and verify information with authentication server. When used with the console option, enables or disables authentication service for access to the PIX Firewall console over Telnet or from the Console connector on the PIX Firewall unit. Use of the aaa authentication command requires that you previously used the aaa-server command to designate an authentication server. |
authen_service | The application with which a user is accessing a network. Use any, ftp, http, or telnet. The any value enables accounting or authentication for all TCP services. To have users prompted for authentication credentials, they must use FTP, HTTP, or Telnet. (HTTP is the Web and only applies to web browsers that can prompt for a username and password.) If the authentication or authorization server is authenticating services other than FTP, HTTP, or Telnet, using any will not permit those services to authenticate in the firewall. The firewall only knows how to communicate with FTP, HTTP, and Telnet for authentication and authorization. Only set this parameter to a service other than any if the authentication or authorization server is set the same way. Unless you want to temporarily restrict access to a specific service, setting a service in this command can increase system administration work and may cause all connections to fail if the authentication or authorization server is authenticating one service and you set this command to another. |
authorization | Enable or disable TACACS+ user authorization for services (PIX Firewall does not support RADIUS authorization). The authentication server determines what services the user is authorized to access. |
author_service | The services which require authorization. Use any, ftp, http, telnet, or protocol/port. Services not specified are authorized implicitly. Services specified in the aaa authentication command do not affect the services which require authorization. For protocol/port:
aaa authorization include udp/53-1024 inside 0 0 0 0
This example enables authorization for DNS lookups to the inside interface for all clients, and authorizes access to any other services that have ports in the range of 53 to 1024.
Note Specifying a port range may produce unexpected results at the authorization server. PIX Firewall sends the port range to the server as a string with the expectation that the server will parse it out into specific ports. Not all servers do this. In addition, you may want users to be authorized on specific services, which will not occur if a range is accepted. |
inbound | Authenticate or authorize inbound connections. Inbound means the connection originates on the outside interface and is being directed to the inside interface. |
outbound | Authenticate or authorize outbound connections. Outbound means the connection originates on the inside and is being directed to the outside interface. |
if_name | Interface name from which users require authentication. Use if_name in combination with the local_ip address and the foreign_ip address to determine where access is sought and from whom. The local_ip address is always on the highest security level interface and foreign_ip is always on the lowest. See the Examples section for how the if_name affects the use of this command. |
local_ip | The IP address of the host or network of hosts that you want to be authenticated or authorized. You can set this address to 0 to mean all hosts and to let the authentication server decide which hosts are authenticated. |
local_mask | Network mask of local_ip. Always specify a specific mask value. Use 0 if the IP address is 0. Use 255.255.255.255 for a host. |
foreign_ip | The IP address of the hosts you want to access the local_ip address. Use 0 to mean all hosts. |
foreign_mask | Network mask of foreign_ip. Always specify a specific mask value. Use 0 if the IP address is 0. Use 255.255.255.255 for a host. |
console | Specify that access to the PIX Firewall console require authentication and, optionally, log configuration changes to a syslog server. The aaa authentication serial console command lets you require authentication verification to access the PIX Firewall unit's serial console. The serial console option also logs to a syslog server changes made to the configuration from the serial console. Authenticated access to the PIX Firewall console has different types of prompts depending on the option you choose with the aaa authentication [serial | enable | telnet | ssh] console command. While the enable and ssh options allow three tries before stopping with an access denied message, both the serial and telnet options cause the user to be prompted continually until successfully logging in. The serial option requests a username and password before the first command line prompt on the serial console connection. The telnet option forces you to specify a username and password before the first command line prompt of a Telnet console connection. The enable option requests a username and password before accessing privileged mode for serial, Telnet, or SSH connections. The ssh option requests a username and password before the first command line prompt on the SSH console connection. The ssh option allows a maximum of three authentication attempts. Telnet access to the PIX Firewall console is available from any internal interface, and from the outside interface with IPSec configured, and requires previous use of the telnet command. SSH access to the PIX Firewall console is also available from any interface without IPSec configured, and requires previous use of the ssh command. The new ssh option specifies the group of AAA servers to be used for SSH user authentication. The authentication protocol and AAA server IP addresses are defined with the aaa-server command statement.
Similar to the Telnet model, if an aaa authentication ssh console group_tag command statement is not defined, you can gain access to the PIX Firewall console with the username pix and the PIX Firewall Telnet password (set with the passwd command). If the aaa command is defined but the SSH authentication request times out, which implies the AAA servers may be down or not available, you can gain access to the PIX Firewall using username pix and the enable password (set with the enable password command). By default, the Telnet password is cisco and the enable password is not set. If the console login request times out, you can gain access to the PIX Firewall from the serial console by entering the pix username and the enable password. The maximum password length for accessing the console is 16 characters. |
group_tag | The group tag set with the aaa-server command. |
Usage Guidelines
The aaa command enables or disables the following AAA (Authentication, Authorization, and Accounting) features:
Note RADIUS authorization is supported with the use of the access-list command statement and by configuring a RADIUS server to send an acl=acl_name vendor-specific identifier. Refer to the access-list command page for more information. |
Note PIX Firewall listens for RADIUS on ports 1645 and 1646. If your RADIUS server uses ports 1812 and 1813, you will need to reconfigure it to use ports 1645 and 1646. |
Note If the AAA console login request times out, you can gain access to the PIX Firewall from the serial console by entering the pix username and the enable password. |
match acl_name Option Usage
The syntax for this command is as follows:
aaa authentication | authorization | accounting match acl_name inbound | outbound | interface_name group_tag
An example is as follows:
show access-list
access-list mylist permit tcp 10.0.0.0 255.255.255.0 172.23.2.0 255.255.255.0 (hitcnt=0)
access-list yourlist permit tcp any any (hitcnt=0)
show aaa
aaa authentication match mylist outbound TACACS+
Similar to IPSec, the keyword permit means "yes" and deny means "no." Therefore, the following command:
aaa authentication match yourlist outbound tacacs
is equal to this command:
aaa authentication include any outbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 tacacs
The aaa command statement list is order dependent between access_list command statements. If the following command is entered:
aaa authentication match yourlist outbound tacacs
after this command:
aaa authentication match mylist outbound TACACS+
PIX Firewall tries to find a match in the mylist access-list command statement group before it tries to find a match in the yourlist access-list command statement group.
Old aaa command configuration and functionality stays the same and is not converted to the access_list format. Hybrid configurations, that is, old configurations combined with the new access_list configuration, are not recommended.
Usage Notes
1. The maximum username prompt for HTTP authentication is 30 characters. The maximum password length is 15 characters.
2. The aaa command is not intended to mandate your security policy. The authentication and authorization servers determine whether a user can or cannot access the system, what services can be accessed, and what IP addresses the user can access. The PIX Firewall interacts with FTP, HTTP (Web access), and Telnet to display the credentials prompts for logging in to the network or logging in to exit the network. You can specify that only a single service be authenticated, but that setting must agree with the authentication server's configuration.
3. Accounting information is only sent to the active server in a server group.
4. The new include and exclude options are not backward compatible with previous PIX Firewall versions. If you downgrade to an earlier version, the aaa command statements will be removed from your configuration.
5. The prompts users see requesting AAA credentials differ between the three services that can access the PIX Firewall for authentication: Telnet, FTP, and HTTP (Web):
a. Telnet users see a prompt generated by the PIX Firewall that you can change with the auth-prompt command. The PIX Firewall permits a user up to four chances to log in and then if the username or password still fails, the PIX Firewall drops the connection.
b. FTP users receive a prompt from the FTP program. If a user enters an incorrect password, the connection is dropped immediately. If the username or password on the authentication database differs from the username or password on the remote host that you are accessing with FTP, enter the username and password in these formats:
authentication_user_name@remote_system_user_name authentication_password@remote_system_password
c. HTTP users see a pop-up window generated by the browser itself. If a user enters an incorrect password, the user is reprompted. When the web server and the authentication server are on different hosts, use the virtual command to get the correct authentication behavior.
6. Use of the aaa authorization command requires previous use of the aaa authentication command; however, use of the aaa authentication command does not require use of an aaa authorization command.
7. If you want to allow connections to come from any host, code the local IP address and netmask as 0.0.0.0 0.0.0.0, or 0 0. The same convention applies to the foreign host IP address and netmask; 0.0.0.0 0.0.0.0 means any foreign host.
8. Authenticated access to the PIX Firewall console has different types of prompts depending on the option you choose with the aaa authentication console command:
a. enable option: Allows three tries before stopping with "Access denied." The enable option requests a username and password before accessing privileged mode for serial or Telnet connections.
b. serial option: Causes the user to be prompted continually until successfully logging in. The serial option requests a username and password before the first command line prompt on the serial console connection.
c. telnet option: Causes the user to be prompted continually until successfully logging in. The telnet option forces you to specify a username and password before the first command line prompt of a Telnet console connection.
9. You can specify an interface name with aaa authentication. In previous versions, if you specified aaa authentication include any outbound 0 0 server, PIX Firewall only authenticated outbound connections and not those to the perimeter interface. PIX Firewall now authenticates any outbound connection to the outside as well as to hosts on the perimeter interface. To preserve the behavior of previous versions, use these commands to enable authentication and to disable authentication from the inside to the perimeter interface:
aaa authentication include any outbound 0 0 server
aaa authentication exclude any outbound perim_net perim_mask server
10. When using HTTP authentication to a site running Microsoft IIS that has "Basic text authentication" or "NT Challenge" enabled, users may be denied access from the Microsoft IIS server. This occurs because the browser appends the string: "Authorization: Basic=Uuhjksdkfhk==" to the HTTP GET commands. This string contains the PIX Firewall authentication credentials.
11. Multimedia applications such as CU-SeeMe, InternetPhone, MeetingPoint, and MS Netmeeting silently start the HTTP service before an H.323 session is established from the inside to the outside.
12. For outbound connections, first use the nat command to determine which IP addresses can access the firewall. For inbound connections, first use the static and access-list command statements to determine which inside IP addresses can be accessed through the firewall from the outside network.
13. When a host is configured for authentication, all users on the host have to use a web browser or Telnet first before performing any other networking activity, such as accessing mail or a news reader. The reason for this is that users must first establish their authentication credentials and programs such as mail agents and newsreaders do not have authentication challenge prompts.
14. The PIX Firewall only accepts 7-bit characters during authentication. After authentication, the client and server can negotiate for 8-bits if required. During authentication, the PIX Firewall only negotiates Go-Ahead, Echo, and NVT (network virtual terminal).
15. Up to 256 TACACS+ or RADIUS servers are permitted (up to 16 servers in each of the up to 16 server groups set with the aaa-server command). When a user logs in, the servers are accessed one at a time starting with the first server you specify in the configuration, until a server responds.
16. For each IP address, one aaa authentication command is permitted for inbound connections and one for outbound connections. Also, for an IP address, one aaa authorization command is permitted. If you want to authorize more than one service with aaa authorization, use the any parameter for the service type.
17. The PIX Firewall permits only one authentication type per network. For example, if one network connects through the PIX Firewall using TACACS+ for authentication, another network connecting through the PIX Firewall can authenticate with RADIUS, but one network cannot authenticate with both TACACS+ and RADIUS.
18. For the TACACS+ server, if you do not specify a key to the aaa-server command, no encryption occurs.
19. Network browsers such as Netscape Navigator do not present a challenge value during authentication; therefore, only password authentication can be used from a network browser.
20. PIX Firewall supports authentication usernames up to 127 characters and passwords of up to 63 characters. A password or username may not contain an at (@) character as part of the password or username string, except as shown in Note 5.
21. The PIX Firewall displays the same timeout message for both RADIUS and TACACS+. The message "aaa server host machine not responding" displays when either of the following occurs:
a. The AAA server system is down.
b. The AAA server system is up, but the service is not running.
22. If the first attempt at authorization fails and a second attempt causes a timeout, use the service resetinbound command to reset the client that failed the authorization so that it will not retransmit any connections. An example authorization timeout message in Telnet follows:
Unable to connect to remote host: Connection timed out
See also: aaa-server, auth-prompt, service, ssh, telnet, virtual.
1. The following example lists the new include and exclude options:
aaa authentication include any outbound 172.31.0.0 255.255.0.0 0.0.0.0 0.0.0.0 tacacs+
aaa authentication exclude telnet outbound 172.31.38.0 255.255.255.0 0.0.0.0 0.0.0.0 tacacs+
2. The following examples demonstrate ways to use the if_name parameter. The PIX Firewall has an inside network of 192.168.1.0, an outside network of 209.165.201.0 (subnet mask 255.255.255.224), and a perimeter network of 209.165.202.128 (subnet mask 255.255.255.224).
aaa authentication include any outbound 192.168.1.0 255.255.255.0 209.165.201.0 255.255.255.224 tacacs+
aaa authentication include any outbound 192.168.1.0 255.255.255.0 209.165.202.128 255.255.255.224 tacacs+
aaa authentication include any inbound 192.168.1.0 255.255.255.0 209.165.201.0 255.255.255.224 tacacs+
aaa authentication include any inbound 209.165.201.0 255.255.255.224 209.165.202.128 255.255.255.224 tacacs+
aaa authentication include any perimeter 209.165.202.128 255.255.255.224 209.165.201.0 255.255.255.224 tacacs+
3. This example specifies that IP addresses 10.0.0.1 through 10.0.0.254 can originate outbound connections and then enables user authentication so that those addresses must enter user credentials to exit the firewall. In this example, the first aaa authentication command permits authentication on FTP, HTTP, or Telnet depending on what the authentication server handles. The second aaa authentication command lets host 10.0.0.42 start outbound connections without being authenticated. This example uses the default authentication group tacacs+:
nat (inside) 1 10.0.0.0 255.255.255.0
aaa authentication include any outbound 0 0 tacacs+
aaa authentication exclude any outbound 10.0.0.42 255.255.255.255 tacacs+
4. This example permits inbound access to any IP address in the range of 209.165.201.1 through 209.165.201.30 indicated by the 209.165.201.0 network address (subnet mask 255.255.255.224). All services are permitted by the access-list command, and the aaa authentication command permits authentication on FTP, HTTP, or Telnet depending on what the authentication server handles. The authentication server is at IP address 10.16.1.20 on the inside interface:
aaa-server AuthIn protocol tacacs+
aaa-server AuthIn (inside) host 10.16.1.20 thisisakey timeout 20
static (inside,outside) 209.165.201.0 10.16.1.0 netmask 255.255.255.224
access-list acl_out permit tcp 10.16.1.0 255.255.255.0 209.165.201.0 255.255.255.224
access-group acl_out in interface outside
aaa authentication include any inbound 0 0 AuthIn
5. This example enables authorization for DNS lookups from the outside interface:
aaa authorization include udp/53 inbound 0.0.0.0 0.0.0.0
6. This example enables authorization of ICMP echo-reply packets arriving at the inside interface from inside hosts:
aaa authorization include 1/0 outbound 0.0.0.0 0.0.0.0
7. This example enables authorization for ICMP echoes (pings) only that arrive at the inside interface from an inside host:
aaa authorization include 1/8 outbound 0.0.0.0 0.0.0.0
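To make the include/exclude address and service matching in the statements above concrete, here is an added Python model; it is not code from the PIX documentation or from Cisco. It parses aaa authentication include | exclude statements in the syntax given above and decides which server group, if any, must authenticate a connection. Per the exclude row, it treats a matching exclude statement as an exception that overrides a matching include (a modelling assumption); the port numbers behind ftp, http and telnet, the outside host 198.51.100.5 and the inside host 10.0.0.7 are assumptions of the example, and the two statements of example 3 are written with the service keyword in the position the syntax line gives it.

```python
import ipaddress

# Named services the page lets you write in the service position and the TCP
# port each one stands for (standard port numbers, not stated on the page).
SERVICE_PORTS = {"ftp": (6, 21), "http": (6, 80), "telnet": (6, 23)}
PROTO_NUMBERS = {"tcp": 6, "udp": 17, "icmp": 1}


def _addr(token):
    # The page writes a bare 0 for "all hosts"; treat it as 0.0.0.0 in both the
    # address and the mask position.
    return int(ipaddress.IPv4Address("0.0.0.0" if token == "0" else token))


def in_subnet(ip, net, mask):
    """True when ip lies in net/mask (a mask of 0 matches every host)."""
    return (_addr(ip) & _addr(mask)) == (_addr(net) & _addr(mask))


def service_matches(spec, protocol, port):
    """spec: any, ftp, http, telnet, or protocol/port (port 0 = all ports, lo-hi = a range).
    'any' covers all TCP services only, as the acctg_service/authen_service rows state.
    The page's ICMP examples (1/0, 1/8) put the message type in the port position."""
    if spec == "any":
        return protocol == 6
    if spec in SERVICE_PORTS:
        return (protocol, port) == SERVICE_PORTS[spec]
    proto_s, port_s = spec.split("/")
    proto = PROTO_NUMBERS[proto_s] if proto_s in PROTO_NUMBERS else int(proto_s)
    if proto != protocol:
        return False
    if "-" in port_s:
        lo, hi = (int(p) for p in port_s.split("-"))
        return lo <= port <= hi
    return int(port_s) in (0, port)


def parse_rule(statement):
    """Split one 'aaa authentication include|exclude ...' statement into its fields.
    The foreign_ip/foreign_mask pair may be omitted (as in 'include any outbound 0 0 tacacs+'),
    in which case any foreign host matches."""
    t = statement.split()
    if t[:2] != ["aaa", "authentication"] or t[2] not in ("include", "exclude"):
        raise ValueError("not an aaa authentication include/exclude statement: " + statement)
    addrs = t[5:-1]
    if len(addrs) == 2:
        addrs = addrs + ["0", "0"]
    local_ip, local_mask, foreign_ip, foreign_mask = addrs
    return {"action": t[2], "service": t[3], "direction": t[4],
            "local_ip": local_ip, "local_mask": local_mask,
            "foreign_ip": foreign_ip, "foreign_mask": foreign_mask,
            "group_tag": t[-1]}


def rule_matches(rule, direction, local_ip, foreign_ip, protocol, port):
    return (rule["direction"] == direction
            and service_matches(rule["service"], protocol, port)
            and in_subnet(local_ip, rule["local_ip"], rule["local_mask"])
            and in_subnet(foreign_ip, rule["foreign_ip"], rule["foreign_mask"]))


def auth_group_for(rules, direction, local_ip, foreign_ip, protocol, port):
    """Return the group_tag of the server group that must authenticate this connection,
    or None when no include statement applies or an exclude statement exempts it.
    Modelling assumption: a matching exclude is an exception that wins over any
    matching include, as the exclude row describes it."""
    conn = (direction, local_ip, foreign_ip, protocol, port)
    if any(r["action"] == "exclude" and rule_matches(r, *conn) for r in rules):
        return None
    for r in rules:
        if r["action"] == "include" and rule_matches(r, *conn):
            return r["group_tag"]
    return None


# The two aaa statements of example 3 above (the nat statement is not an aaa rule).
EXAMPLE_3_RULES = [parse_rule(s) for s in (
    "aaa authentication include any outbound 0 0 tacacs+",
    "aaa authentication exclude any outbound 10.0.0.42 255.255.255.255 tacacs+",
)]

if __name__ == "__main__":
    # 10.0.0.7 browsing out must authenticate against tacacs+; 10.0.0.42 is exempt;
    # a UDP DNS query is untouched because 'any' means all TCP services.
    print(auth_group_for(EXAMPLE_3_RULES, "outbound", "10.0.0.7", "198.51.100.5", 6, 80))
    print(auth_group_for(EXAMPLE_3_RULES, "outbound", "10.0.0.42", "198.51.100.5", 6, 80))
    print(auth_group_for(EXAMPLE_3_RULES, "outbound", "10.0.0.7", "198.51.100.5", 17, 53))
```

The third call is the case worth remembering when reading a configuration: because any covers only TCP, a statement such as include any outbound 0 0 tacacs+ leaves UDP traffic unauthenticated, and a protocol/port statement (for example udp/53-1024, as in the author_service row) is needed to bring it under AAA.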
Specify an AAA server. (Configuration mode.)
aaa-server group_tag (if_name) host server_ip key timeout seconds
aaa-server group_tag protocol auth_protocol
Syntax Description
group_tag | An alphanumeric string which is the name of the server group. Use the group_tag in the aaa command to associate aaa authentication and aaa accounting command statements to an AAA server. |
if_name | The interface name on which the server resides. |
host server_ip | The IP address of the TACACS+ or RADIUS server. |
key | |
timeout seconds | The retransmit timer. The PIX Firewall waits this long for each of its four attempts to reach the AAA server before choosing the next AAA server. The default is 5 seconds. The maximum time is 30 seconds. For example, if the timeout value is 10 seconds, PIX Firewall retransmits for 10 seconds and, if no acknowledgment is received, tries three more times, for a total of 40 seconds, before the next AAA server is selected. |
protocol auth_protocol | The type of AAA server, either tacacs+ or radius. |
Usage Guidelines
The aaa-server command lets you specify an AAA server group. PIX Firewall lets you define separate groups of TACACS+ or RADIUS servers for different types of traffic, such as a TACACS+ server for inbound traffic and another for outbound traffic. Another use is where all outbound HTTP traffic is authenticated by a TACACS+ server and all inbound traffic uses RADIUS.
AAA server groups are defined by a tag name that directs different types of traffic to each authentication server. If the first authentication server in the list fails, the AAA subsystem fails over to the next server in the tag group. You can have up to 14 tag groups and each group can have up to 14 AAA servers for a total of up to 196 AAA servers.
The aaa command references the tag group.
Note The previous server type option at the end of the aaa authentication and aaa accounting commands has been replaced with the aaa-server group tag. Backward compatibility with previous versions is maintained by the inclusion of two default protocols for TACACS+ and RADIUS. |
If accounting is in effect, the accounting information goes only to the active server.
The default configuration provides these two aaa-server protocols:
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
Note If you are upgrading from a previous version of PIX Firewall and have aaa command statements in your configuration, using the default server groups lets you maintain backward compatibility with the aaa command statements in your configuration. |
Examples
1. This example uses the default protocol tacacs+ with the aaa commands:
aaa-server TACACS+ (inside) host 10.1.1.10 thekey timeout 20
aaa authentication include any outbound 0 0 0 0 TACACS+
aaa authorization include any outbound 0 0 0 0
aaa accounting include any outbound 0 0 0 0 TACACS+
aaa authentication serial console TACACS+
2. This example creates the AuthOut and AuthIn server groups for RADIUS authentication and specifies that servers 10.0.1.40, 10.0.1.41, and 10.1.1.2 on the inside interface provide authentication. The servers in the AuthIn group authenticate inbound connections, the AuthOut group authenticates outbound connections:
aaa-server AuthIn protocol radius
aaa-server AuthIn (inside) host 10.0.1.40 ab timeout 20
aaa-server AuthIn (inside) host 10.0.1.41 abc timeout 4
aaa-server AuthOut protocol radius
aaa-server AuthOut (inside) host 10.1.1.2 abc123 timeout 15
aaa authentication include any inbound 0 0 0 0 AuthIn
aaa authentication include any outbound 0 0 0 0 AuthOut
3. This example lists the commands that can be used to establish an Xauth crypto map:
ip address inside 10.0.0.1 255.255.255.0
ip address outside 168.20.1.5 255.255.255.0
ip local pool dealer 10.1.2.1-10.1.2.254
nat (inside) 0 access-list 80
aaa-server TACACS+ host 10.0.0.2 secret123
crypto ipsec transform-set pc esp-des esp-md5-hmac
crypto dynamic-map cisco 4 set transform-set pc
crypto map partner-map 20 ipsec-isakmp dynamic cisco
crypto map partner-map client configuration address initiate
crypto map partner-map client authentication TACACS+
crypto map partner-map interface outside
isakmp key cisco1234 address 0.0.0.0 netmask 0.0.0.0
isakmp client configuration address-pool local dealer outside
isakmp policy 8 authentication pre-share
isakmp policy 8 encryption des
isakmp policy 8 hash md5
isakmp policy 8 group 1
isakmp policy 8 lifetime 86400
Binds the access list to an interface. (Configuration mode.)
access-group acl_ID in interface interface_name
Syntax Description
acl_ID | The name associated with a given access list. |
in interface | Filter on inbound packets at the given interface. |
interface_name | The name of the network interface. |
Usage Guidelines
The access-group command binds an access list to an interface. The access list is applied to traffic inbound to an interface. If you enter the permit option in an access-list command statement, the PIX Firewall continues to process the packet. If you enter the deny option in an access-list command statement, PIX Firewall discards the packet and generates the following syslog message:
%PIX-4-106019: IP packet from source_addr to destination_addr, protocol protocol received from interface interface_name deny by access-group acl_ID
Always use the access-list command with the access-group command.
Note The use of the access-group command overrides the conduit and outbound command statements for the specified interface_name. |
The no access-group command unbinds the acl_ID from the interface interface_name.
The show access-group command displays the current access list bound to the interfaces.
The clear access-group command removes all entries from an access list indexed by acl_ID. If acl_ID is not specified, all access-list command statements are removed from the configuration.
Examples
The following example shows use of the access-group command:
static (inside,outside) 209.165.201.3 10.1.1.3
access-list acl_out permit tcp any host 209.165.201.3 eq 80
access-group acl_out in interface outside
The static command statement provides a global address of 209.165.201.3 for the web server at 10.1.1.3. The access-list command statement lets any host access the global address using port 80. The access-group command specifies that the access-list command statement applies to traffic entering the outside interface.
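The %PIX-4-106019 message quoted in the usage guidelines is the only trace a packet denied by an access group leaves, so it is worth parsing. The following Python is an added example, not part of the PIX documentation or of any Cisco tool: it extracts the fields of %PIX-4-106019 lines from a constructed syslog sample (the timestamps, the outside source addresses and the second, unrelated message are made up; the global address 209.165.201.3 and the acl_out name come from the example above) and counts denies per source and per access list and protocol.

```python
import re
from collections import Counter

# Field layout of the %PIX-4-106019 message quoted in the usage guidelines; the group
# names follow the page's placeholders (source_addr, destination_addr, protocol,
# interface_name, acl_ID).
DENY_RE = re.compile(
    r"%PIX-4-106019: IP packet from (?P<source_addr>\S+) to (?P<destination_addr>\S+), "
    r"protocol (?P<protocol>\S+) received from interface (?P<interface_name>\S+) "
    r"deny by access-group (?P<acl_ID>\S+)"
)

# Constructed sample syslog lines (not taken from the page). The global address and
# the ACL name reuse the access-group example above; the source addresses are made
# up, and the second line is a different message included to show it is skipped.
SAMPLE_LOG = """\
Jun 12 10:01:02 pix %PIX-4-106019: IP packet from 203.0.113.7 to 209.165.201.3, protocol 6 received from interface outside deny by access-group acl_out
Jun 12 10:01:03 pix %PIX-5-111008: User 'enable_15' executed the 'show access-list' command.
Jun 12 10:01:05 pix %PIX-4-106019: IP packet from 203.0.113.7 to 209.165.201.3, protocol 17 received from interface outside deny by access-group acl_out
Jun 12 10:01:09 pix %PIX-4-106019: IP packet from 198.51.100.9 to 209.165.201.3, protocol 6 received from interface outside deny by access-group acl_out
"""


def parse_denies(log_text):
    """Return the fields of every %PIX-4-106019 line in log_text; other messages are skipped.
    The message is matched anywhere in the line, so a syslog timestamp/host prefix is fine."""
    denies = []
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if m:
            denies.append(m.groupdict())
    return denies


def denies_by_source(log_text):
    """Count denied packets per source address: one source racking up denies against
    a published global address is the first thing to look at."""
    return Counter(d["source_addr"] for d in parse_denies(log_text))


def denies_by_acl_and_protocol(log_text):
    """Count denies per (acl_ID, protocol) so that non-TCP traffic hitting a TCP-only
    access list (acl_out above permits only TCP port 80) stands out."""
    return Counter((d["acl_ID"], d["protocol"]) for d in parse_denies(log_text))


if __name__ == "__main__":
    for src, n in denies_by_source(SAMPLE_LOG).most_common():
        print(f"{src}: {n} denied packet(s)")
    for (acl, proto), n in denies_by_acl_and_protocol(SAMPLE_LOG).items():
        print(f"{acl} protocol {proto}: {n}")
```

In the sample, 203.0.113.7 is denied twice, once with protocol 17 (UDP), which acl_out can never permit; a run of such lines from one source against a host the access list exposes on a single TCP port is the pattern this kind of aggregation is meant to surface.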
Create an access list. (Configuration mode.)
access-list acl_ID [deny | permit] protocol {source_addr | local_addr} {source_mask | local_mask} operator port {destination_addr | remote_addr} {destination_mask | remote_mask} operator port
Caution Entering the clear access-list command will clear the access-group command statement from your configuration. If you enter the clear access-list command, you will need to rebind the access list with a new access group command statement. |
Syntax Description
acl_ID | Name of an access list. You can use either a name or number. |
deny | When used with the access-group command, the deny option does not allow a packet to traverse the PIX Firewall. By default, PIX Firewall denies all inbound or outbound packets unless you specifically permit access. When used with a crypto map command statement, deny does not select a packet for IPSec protection. The deny option prevents traffic from being protected by IPSec in the context of that particular crypto map entry. In other words, it does not allow the policy as specified in the crypto map command statements to be applied to this traffic. |
permit | When used with the access-group command, the permit option selects a packet to traverse the PIX Firewall. By default, PIX Firewall denies all inbound or outbound packets unless you specifically permit access. When used with a crypto map command statement, permit selects a packet for IPSec protection. The permit option causes all IP traffic that matches the specified conditions to be protected by IPSec using the policy described by the corresponding crypto map command statements. |
protocol | Name or number of an IP protocol. It can be one of the keywords icmp, ip, tcp, or udp, or an integer in the range 1 to 254 representing an IP protocol number. To match any Internet protocol, including ICMP, TCP, and UDP, use the keyword ip. |
source_addr | Address of the network or host from which the packet is being sent. Use this field when an access-list command statement is used in conjunction with an access-group command statement, or with the aaa match access-list command and the aaa authorization command. |
source_mask | Netmask bits (mask) to be applied to source_addr, if the source address is for a network mask. |
local_addr | Address of the network or host local to the PIX Firewall. Specify a local_addr when the access-list command statement is used in conjunction with a crypto access-list command statement, a nat 0 access-list command statement, or a vpngroup split-tunnel command statement. The local_addr is the address after NAT has been performed. |
local_mask | Netmask bits (mask) to be applied to local_addr, if the local address is a network mask. |
destination_addr | IP address of the network or host to which the packet is being sent. Specify a destination_addr when the access-list command statement is used in conjunction with an access-group command statement, or with the aaa match access-list command and the aaa authorization command. For inbound connections, destination_addr is the address after NAT has been performed. For outbound connections, destination_addr is the address before NAT has been performed. |
destination_mask | Netmask bits (mask) to be applied to destination_addr, if the destination address is a network mask. |
remote_addr | IP address of the network or host remote to the PIX Firewall. Specify a remote_addr when the access-list command statement is used in conjunction with a crypto access-list command statement, a nat 0 access-list command statement, or a vpngroup split-tunnel command statement. |
remote_mask | Netmask bits (mask) to be applied to remote_addr, if the remote address is a network mask. |
operator | A comparison operand that lets you specify a port or a port range. Use without an operator and port to indicate all ports; for example:
access-list acl_out permit tcp any host 209.165.201.1
Use eq and a port to permit or deny access to just that port. For example, use eq ftp to permit or deny access only to FTP:
access-list acl_out deny tcp any host 209.165.201.1 eq ftp
Use lt and a port to permit or deny access to all ports less than the port you specify. For example, use lt 1025 to permit or deny access to the well-known ports (1 to 1024):
access-list acl_dmz1 permit tcp any host 192.168.1.1 lt 1025
Use gt and a port to permit or deny access to all ports greater than the port you specify. For example, use gt 42 to permit or deny ports 43 to 65535:
access-list acl_dmz1 deny udp any host 192.168.1.2 gt 42
Use neq and a port to permit or deny access to every port except the port that you specify. For example, use neq 10 to permit or deny ports 1 to 9 and 11 to 65535:
access-list acl_dmz1 deny tcp any host 192.168.1.3 neq 10
Use range and a port range to permit or deny access to only those ports named in the range. For example, use range 10 1024 to permit or deny access only to ports 10 through 1024. All other ports are unaffected. The use of port ranges can dramatically increase the number of IPSec tunnels. For example, if a port range of 5000 to 65535 is specified for a highly dynamic protocol, up to 60,535 tunnels can be created.
access-list acl_dmz1 deny tcp any host 192.168.1.4 range ftp telnet |
port | Services you permit or deny access to. Specify services by the port that handles it, such as smtp for port 25, www for port 80, and so on. You can specify ports by either a literal name or a number in the range of 0 to 65535. You can view valid port numbers online at the following site: http://www.isi.edu/in-notes/iana/assignments/port-numbers See "Ports" in "Introduction," for a list of valid port literal names in port ranges; for example, ftp h323. You can also specify numbers. |
icmp_type | [Non-IPSec use only] Permit or deny access to ICMP message types. Refer to Table 5-1 for a list of message types. Omit this option to mean all ICMP types. ICMP message types are not supported for use with IPSec; that is, when the access-list command is used in conjunction with the crypto map command, the icmp_type is ignored. |
Usage Guidelines
The access-list command lets you specify if an IP address is permitted or denied access to a port or protocol. In this document, one or more access-list command statements with the same access list name are referred to as an "access list." Access lists associated with IPSec are known as "crypto access lists." By default, all access in an access list is denied. You must explicitly permit it.
Use the following guidelines for specifying a source, local, or destination address:
Use the following guidelines for specifying a network mask:
access-list acl_grp permit tcp any host 192.168.1.1
access-list acl_grp permit tcp any 209.165.201.0 255.255.255.224
If appropriate, after you have defined an access list, bind it to an interface using the access-group command. For IPSec use, bind it with a crypto map command statement. In addition, you can bind an access list with the RADIUS authorization feature (described in the next section). Refer to the IPSec User Guide for the Cisco Secure PIX Firewall Version 5.2 for a description of the crypto command.
The show access-list command lists the access-list command statements in the configuration. The show access-list command also lists a hit count that indicates the number of times an element has been matched during an access-list command search. The clear access-list command removes all access-list command statements from the configuration.
The no access-list command removes an access-list command from the configuration. If you remove all the access-list command statements in an access list group, the no access-list command also removes the corresponding access-group command from the configuration.
Note The aaa, crypto map, and icmp commands make use of the access-list command statements.
PIX Firewall allows a RADIUS server to send user group attributes to the PIX Firewall in the RADIUS authentication response message.
The administrator first defines access lists on the PIX Firewall for each user group. For example, there could be access lists for each department in an organization, sales, marketing, engineering, and so on. The administrator then defines each access list in the group profile in CiscoSecure.
After the PIX Firewall authenticates a user, it can then use the CiscoSecure acl attribute returned by the authentication server to identify an access list for a given user group. To maintain consistency, PIX Firewall also provides the same functionality for TACACS+.
To restrict users in a department to three servers and deny everything else, the access-list command statements are as follows:
access-list eng permit ip any server1 255.255.255.255
access-list eng permit ip any server2 255.255.255.255
access-list eng permit ip any server3 255.255.255.255
access-list eng deny ip any any
In this example, the vendor specific attribute string in the CiscoSecure configuration has been set to acl=eng. Use this field in the CiscoSecure configuration to identify the access-list identification name. The PIX Firewall gets the acl=acl_ID from CiscoSecure and extracts the ACL number from the attribute string, which it puts in a user's uauth entry. When a user tries to open a connection, PIX Firewall checks the access list in the user's uauth entry, and depending on the permit or deny status of the access list match, permits or denies the connection. When a connection is denied, PIX Firewall generates a corresponding syslog message. If there is no match, then the implicit rule is to deny.
Because the source IP of a given user can vary depending on where they are logging in from, set the source address in the access-list command statement to any, and the destination address to identify which network services the user is permitted or denied access to. If you want to specify that only users logging in from a given subnet may use the specified services, specify the subnet instead of using any.
Note An access list used for RADIUS authorization does not require an access-group command to bind the statements to an interface.
There is no radius option to the aaa authorization command.
Follow these steps to enable RADIUS authorization:
Step 2 Create the access-list command statements to specify what services hosts are authorized to use with RADIUS.
Step 3 Configure the authentication server with the vendor-specific acl=acl_ID identifier to specify the access-list ID.
When the PIX Firewall sends a request to the authentication server, it returns the acl=acl_ID string, which tells PIX Firewall to use the access-list command statements to determine how RADIUS users are authorized.
Usage Notes
1. The clear access-list command automatically unbinds an access list from a crypto map command or interface. The unbinding of an access list from a crypto map command can lead to a condition that discards all packets because the crypto map command statements referencing the access list are incomplete. To correct the condition, either define other access-list command statements to complete the crypto map command statements or remove the crypto map command statements that pertain to the access-list command statement. Refer to the IPSec User Guide for the Cisco Secure PIX Firewall Version 5.2 for a description of the crypto map command.
2. The access-list command operates on a first match basis.
3. If you specify an access-list command statement and bind it to an interface with the access-group command statement, by default, all traffic inbound to that interface is denied. You must explicitly permit traffic. Note that "inbound" in this context means traffic passing through the interface, rather than the more typical PIX Firewall usage of inbound meaning traffic passing from a lower security level interface to a higher security level interface.
4. Order the statements so that the permits come first and rely on the implicit deny at the end of the list for everything else. You only need explicit deny statements when you must deny specific hosts while permitting everyone else; because evaluation stops at the first match, such a deny statement must come before the broader permit it is an exception to.
5. You can view security levels for interfaces with the show nameif command.
6. The ICMP message type (icmp_type) option is ignored in IPSec applications because the message type cannot be negotiated with ISAKMP.
7. Only one access list can be bound to an interface using the access-group command.
8. If you specify the permit option in the access list, the PIX Firewall continues to process the packet. If you specify the deny option in the access list, PIX Firewall discards the packet and generates the following syslog message:
%PIX-4-106019: IP packet from source_addr to destination_addr, protocol protocol received from interface interface_name deny by access-group acl_ID
9. The access-list command uses the same syntax as the Cisco IOS software access-list command except that PIX Firewall uses a subnet mask, whereas Cisco IOS software uses a wildcard mask (the bits are inverted). For example, the wildcard mask 0.0.0.255 in a Cisco IOS software access-list command would be specified as the subnet mask 255.255.255.0 in the PIX Firewall access-list command.
10. Cisco recommends that you do not use the access-list command with the conduit and outbound commands. While using these commands together will work, the way in which these commands operate may cause debugging issues because the conduit and outbound commands operate from one interface to another whereas the access-list command used with the access-group command applies only to a single interface. If these commands must be used together, PIX Firewall evaluates the access-list command before checking the conduit and outbound commands.
11. Refer to "Step 13 Add Inbound Server Access" and "Step 14 Add Outbound Access Lists" in "Configuring the PIX Firewall," for a detailed description about using the access-list command to provide server access and to restrict outbound user access.
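The first-match evaluation, implicit deny and mask conventions described in the usage notes above, together with the acl=acl_ID lookup used for RADIUS and TACACS+ authorization, as an added Python model. This is illustrative code written for this page, not PIX software: the port-literal table is a small assumed subset, the statements in CONFIG are constructed to mirror the ones in this section, and ICMP type matching is not modelled.

```python
import ipaddress

# Assumed subset of the PIX port literals; extend as needed.
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "telnet": 23, "smtp": 25,
              "domain": 53, "www": 80, "https": 443}


def port_number(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def wildcard_to_mask(wildcard):
    """IOS wildcard mask (0.0.0.255) -> PIX subnet mask (255.255.255.0): the bits are inverted."""
    return str(ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))))


def _parse_addr(t, i):
    """any | host A.B.C.D | A.B.C.D MASK  ->  (IPv4Network, next token index)"""
    if t[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.IPv4Network(t[i + 1]), i + 2          # /32
    return ipaddress.IPv4Network((t[i], t[i + 1]), strict=False), i + 2


OPS = {"eq": lambda p, n: p == n, "lt": lambda p, n: p < n,
       "gt": lambda p, n: p > n, "neq": lambda p, n: p != n}


def _parse_ports(t, i):
    """Optional operator and port(s); no operator means every port."""
    if i < len(t) and t[i] == "range":
        lo, hi = port_number(t[i + 1]), port_number(t[i + 2])
        return (lambda p: lo <= p <= hi), i + 3
    if i < len(t) and t[i] in OPS:
        op, n = OPS[t[i]], port_number(t[i + 1])
        return (lambda p: op(p, n)), i + 2
    return (lambda p: True), i


class Rule:
    """One access-list statement: acl_ID permit|deny proto src [op port] dst [op port]."""

    def __init__(self, line):
        t = line.split()
        if len(t) < 5 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
            raise ValueError("not an access-list statement: %r" % line)
        self.name, self.action, self.proto = t[1], t[2], t[3]
        self.src, i = _parse_addr(t, 4)
        self.sport, i = _parse_ports(t, i)
        self.dst, i = _parse_addr(t, i)
        self.dport, i = _parse_ports(t, i)
        self.hits = 0                      # the per-element count show access-list reports

    def matches(self, proto, src, sport, dst, dport):
        return (self.proto in ("ip", proto)
                and ipaddress.IPv4Address(src) in self.src
                and ipaddress.IPv4Address(dst) in self.dst
                and self.sport(sport) and self.dport(dport))


class AccessLists:
    """All access-list statements of a configuration, grouped by acl_ID in the order entered."""

    def __init__(self, config):
        self.lists = {}
        for line in config.strip().splitlines():
            r = Rule(line)
            self.lists.setdefault(r.name, []).append(r)

    def check(self, acl_id, proto, src, sport, dst, dport):
        """First match wins; no match at all is the implicit deny (syslog 106019 on a bound list)."""
        for r in self.lists.get(acl_id, []):
            if r.matches(proto, src, sport, dst, dport):
                r.hits += 1
                return r.action == "permit"
        return False

    def authorize(self, radius_attr, proto, src, sport, dst, dport):
        """RADIUS/TACACS+ authorization: the acl=acl_ID string cached in the user's uauth entry names the list."""
        key, _, acl_id = radius_attr.partition("=")
        if key != "acl" or not acl_id:
            raise ValueError("expected acl=acl_ID, got %r" % radius_attr)
        return self.check(acl_id, proto, src, sport, dst, dport)


# Constructed sample configuration modelled on the statements in this section.
CONFIG = """
access-list acl_out deny tcp host 198.51.100.9 host 209.165.201.1 eq ftp
access-list acl_out permit tcp any host 209.165.201.1 eq ftp
access-list acl_out permit udp any 209.165.201.0 255.255.255.224 eq domain
access-list eng permit ip any host 10.1.1.21
access-list eng permit ip any host 10.1.1.22
access-list eng deny ip any any
"""
ACLS = AccessLists(CONFIG)

if __name__ == "__main__":
    print(ACLS.check("acl_out", "tcp", "203.0.113.5", 40000, "209.165.201.1", 21))   # True
    print(ACLS.check("acl_out", "tcp", "198.51.100.9", 40000, "209.165.201.1", 21))  # False: deny matched first
    print(ACLS.authorize("acl=eng", "tcp", "203.0.113.7", 3300, "10.1.1.23", 22))    # False: explicit deny any any
    print(wildcard_to_mask("0.0.0.255"))                                               # 255.255.255.0
```

The deny for 198.51.100.9 only works because it precedes the permit for any; swap the two statements and the host is let in, which is the ordering point made in note 4.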
ICMP Message Types
[Non-IPSec use only] If you prefer more selective ICMP access, you can specify a single ICMP message type as the last option in this command. Table 5-1 lists possible ICMP type values.
| ICMP Type | Literal |
|---|---|
| 0 | echo-reply |
| 3 | unreachable |
| 4 | source-quench |
| 5 | redirect |
| 6 | alternate-address |
| 8 | echo |
| 9 | router-advertisement |
| 10 | router-solicitation |
| 11 | time-exceeded |
| 12 | parameter-problem |
| 13 | timestamp-request |
| 14 | timestamp-reply |
| 15 | information-request |
| 16 | information-reply |
| 17 | mask-request |
| 18 | mask-reply |
| 31 | conversion-error |
| 32 | mobile-redirect |
If you specify an ICMP message type for use with IPSec, PIX Firewall ignores it. For example, given the statement:
access-list 10 permit icmp any any echo-reply
if IPSec is enabled such that a crypto map command statement references access list 10, the echo-reply ICMP message type is ignored and the statement is treated as if no type had been given.
Using the access-list Command with IPSec
If an access list is bound to an interface with the access-group command, the access list selects which traffic can traverse the PIX Firewall. When bound to a crypto map command statement, the access list selects which IP traffic IPSec protects and which traffic IPSec does not protect. For example, access lists can be created to protect all IP traffic between Subnet X and Subnet Y or traffic between Host A and Host B. Refer to the IPSec User Guide for the Cisco Secure PIX Firewall Version 5.2 for a description of the crypto command.
The access lists themselves are not specific to IPSec. It is the crypto map command statement referencing the specific access list that defines whether IPSec processing is applied to the traffic matching a permit in the access list.
Crypto access lists associated with the IPSec crypto map command statement have these primary functions:
You can associate a crypto access list with an interface by defining the corresponding crypto map command statement and applying the crypto map set to an interface. Different access lists must be used in different entries of the same crypto map set. However, both inbound and outbound traffic will be evaluated against the same "outbound" IPSec access list. Therefore, the access list's criteria are applied in the forward direction to traffic exiting your PIX Firewall and the reverse direction to traffic entering your PIX Firewall.
If you want certain traffic to receive one combination of IPSec protection (for example, authentication only) and other traffic to receive a different combination of IPSec protection (for example, both authentication and encryption), you need to create two different crypto access lists to define the two different types of traffic. These different access lists are then used in different crypto map entries that specify different IPSec policies.
Cisco recommends that you configure "mirror image" crypto access lists for use by IPSec and that you avoid using the any keyword. See the IPSec User Guide for the Cisco Secure PIX Firewall Version 5.2 for more information.
If you configure multiple statements for a given crypto access list, in general, the first permit statement matched, will be the statement used to determine the scope of the IPSec security association. That is, the IPSec security association will be set up to protect traffic that meets the criteria of the matched statement only. Later, if traffic matches a different permit statement of the crypto access list, a new, separate IPSec security association will be negotiated to protect traffic matching the newly matched access list statement.
Some services such as FTP require two access-list command statements, one for port 20 (ftp-data) and another for port 21 (ftp), to properly encrypt FTP traffic.
Examples
The following example creates a numbered access list that specifies a Class C subnet for the source and a Class C subnet for the destination of IP packets. Because the access-list command is referenced in the crypto map command statement, PIX Firewall encrypts all IP traffic that is exchanged between the source and destination subnets.
access-list 101 permit ip 172.21.3.0 255.255.255.0 172.22.2.0 255.255.255.0
access-group 101 in interface outside
crypto map mymap 10 match address 101
[other crypto map commands]
The next example only lets an ICMP message type of echo-reply be permitted into the outside interface:
access-list acl_out permit icmp any any echo-reply
access-group acl_out in interface outside
Administer overlapping addresses with dual NAT. (Configuration mode.)
alias [(if_name)] dnat_ip foreign_ip [netmask] Syntax Description
if_name | The internal network interface name in which the foreign_ip overlaps. |
dnat_ip | An IP address on the internal network that provides an alternate IP address for the external address that is the same as an address on the internal network. |
foreign_ip | IP address on the external network that has the same address as a host on the internal network. |
netmask | Network mask applied to both IP addresses. Use 255.255.255.255 for host masks. |
Usage Guidelines
The alias command translates one address into another. Use this command to prevent conflicts when you have IP addresses on a network that are the same as those on the Internet or another intranet. You can also use this command to do address translation on a destination address. For example, if a host sends a packet to 209.165.201.1, you can use the alias command to redirect traffic to another address, such as, 209.165.201.30.
Note You can use the sysopt nodnsalias command to disable inbound embedded DNS A record fixups according to aliases that apply to the A record address and outbound replies.
Note If the alias command is used with the sysopt ipsec pl-compatible command, a static route command statement must be added for each IP address specified in the alias command statement.
After changing or removing an alias command statement, use the clear xlate command.
There must be an A (address) record in the DNS zone file for the "dnat" address in the alias command.
The alias command has two uses which can be summarized in the following ways of reading an alias command statement:
The no alias command disables a previously set alias command statement. The show alias command displays alias command statements in the configuration. The clear alias command removes all alias command statements from the configuration.
The alias command automatically interacts with DNS servers on your network to ensure that domain name access to the aliased IP address is handled transparently.
Note ActiveX blocking does not occur when users access an IP address referenced by the alias command. ActiveX blocking is set with the filter activex command.
Usage Notes
To access an alias dnat_ip address with static and access-list command statements, specify the dnat_ip address in the access-list command statement as the source address from which traffic is permitted. The following example illustrates this note:
alias (inside) 192.168.201.1 209.165.201.1 255.255.255.255
static (inside,outside) 209.165.201.1 192.168.201.1 netmask 255.255.255.255
access-list acl_out permit tcp host 192.168.201.1 host 209.165.201.1 eq ftp-data
access-group acl_out in interface outside
An alias is specified with the inside address 192.168.201.1 mapping to the foreign address 209.165.201.1.
Examples
1. In this example, the inside network contains the IP address 209.165.201.29, which on the Internet belongs to example.com. When inside clients try to access example.com, the packets do not go to the firewall because the client thinks 209.165.201.29 is on the local inside network. To correct this, a net alias is created as follows with the alias command:
alias (inside) 192.168.201.0 209.165.201.0 255.255.255.224
show alias
alias 192.168.201.0 209.165.201.0 255.255.255.224
2. In the next example, a web server is on the inside at 10.1.1.11 and a static for it at 209.165.201.11. The source host is on the outside with address 209.165.201.7. A DNS server on the outside has a record for www.example.com as follows:
www.example.com. IN A 209.165.201.11
alias 10.1.1.11 209.165.201.11 255.255.255.255
static (inside,outside) 209.165.201.11 10.1.1.11
access-list acl_grp permit tcp host 209.165.201.7 host 209.165.201.11 eq telnet
access-list acl_grp permit tcp host 209.165.201.11 eq telnet host 209.165.201.7
nslookup -type=any www.example.com
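The DNS A-record rewriting that the alias command performs for inside clients (the note above on embedded DNS A record fixups, and example 2), as an added Python model. It is illustrative code written for this page, not PIX software: the DNS reply is constructed inline, the two Alias entries are the statements from the examples above, the order in which overlapping alias statements are tried (host alias first) is this example's choice, and only IN A records are rewritten.

```python
import struct
import ipaddress


def _ip2int(ip):
    return int(ipaddress.IPv4Address(ip))


def _int2ip(n):
    return str(ipaddress.IPv4Address(n))


class Alias:
    """One statement: alias (if_name) dnat_ip foreign_ip netmask. Host aliases use 255.255.255.255."""

    def __init__(self, dnat_ip, foreign_ip, netmask="255.255.255.255"):
        self.dnat, self.foreign, self.mask = _ip2int(dnat_ip), _ip2int(foreign_ip), _ip2int(netmask)

    def translate(self, addr):
        """dnat address for addr if addr lies in the foreign range (host bits kept), else None."""
        n = _ip2int(addr)
        if n & self.mask != self.foreign & self.mask:
            return None
        return _int2ip((self.dnat & self.mask) | (n & ~self.mask & 0xFFFFFFFF))


def _skip_name(msg, off):
    """Offset just past a DNS name; a compression pointer (top two bits set) ends a name in two bytes."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def _records(msg):
    """Yield (rdata offset, type, class, rdlength) for every resource record in a DNS message."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4              # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        yield off, rtype, rclass, rdlen
        off += rdlen


def a_records(msg):
    """The IN A addresses carried in a DNS message, in order."""
    return [_int2ip(struct.unpack("!I", msg[off:off + 4])[0])
            for off, rtype, rclass, rdlen in _records(msg)
            if rtype == 1 and rclass == 1 and rdlen == 4]


def doctor_reply(msg, aliases):
    """Rewrite each IN A answer inside an alias's foreign range to the dnat address.
    Returns (rewritten message, number of records changed). Aliases are tried in list order."""
    out = bytearray(msg)
    changed = 0
    for off, rtype, rclass, rdlen in _records(msg):
        if rtype != 1 or rclass != 1 or rdlen != 4:
            continue
        addr = _int2ip(struct.unpack("!I", msg[off:off + 4])[0])
        for alias in aliases:
            new = alias.translate(addr)
            if new is not None:
                out[off:off + 4] = struct.pack("!I", _ip2int(new))
                changed += 1
                break
    return bytes(out), changed


def build_a_reply(name, addrs, txid=0x1234):
    """Constructed sample: a minimal response (QR, RD, RA set) with one question and one A answer per address."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)
    question = qname + struct.pack("!HH", 1, 1)
    answers = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + struct.pack("!I", _ip2int(a))
                       for a in addrs)                         # 0xC00C points back at the question name
    return header + question + answers


# The alias statements from examples 1 and 2 above; the host alias is listed first so it wins for .11.
ALIASES = [Alias("10.1.1.11", "209.165.201.11"),
           Alias("192.168.201.0", "209.165.201.0", "255.255.255.224")]

if __name__ == "__main__":
    reply = build_a_reply("www.example.com", ["209.165.201.11"])
    fixed, n = doctor_reply(reply, ALIASES)
    print(a_records(reply), "->", a_records(fixed), n)   # ['209.165.201.11'] -> ['10.1.1.11'] 1
```

An inside client that resolves www.example.com through the firewall therefore receives 10.1.1.11 and connects directly on the inside network, while an address outside every alias range (such as 198.51.100.5 below) passes through unchanged. Note that this rewriting only works on unencrypted, unsigned answers, which is one reason the sysopt nodnsalias switch exists.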
Change or view the ARP cache, and set the timeout value. (Configuration mode.)
arp if_name ip_address mac_address [alias]
arp timeout seconds
Syntax Description
if_name | The internal or external interface name specified by the nameif command. |
ip_address | Host IP address for the ARP table entry. |
mac_address | Hardware MAC address for the ARP table entry; for example, 00e0.1e4e.3d8b. |
alias | Make this entry permanent. Alias entries do not time out and are automatically stored in the configuration when you use the write command to store the configuration. |
seconds | Duration that an ARP entry can exist in the ARP table before being cleared. |
Usage Guidelines
The arp command adds an entry to the PIX Firewall ARP cache. ARP is a low-level TCP/IP protocol that resolves a node's physical address from its IP address through an ARP request asking the node with a particular IP address to send back its physical address. The presence of entries in the ARP cache indicates that the PIX Firewall has network connectivity. The clear arp command clears the ARP table but not the alias (permanent) entries. Use the no arp command to remove these entries. The show arp command lists the entries in the ARP table.
Note You can use the sysopt noproxyarp command to disable proxy-arps on an interface.
Use the arp command to add an entry for new hosts you add on your network or when you swap an existing host for another. Alternatively, you can wait for the duration specified with the arp timeout command to expire and the ARP table rebuilds itself automatically with the new host information.
The arp timeout command sets the duration that an ARP entry can stay in the PIX Firewall ARP table before expiring. The timer is known as the ARP persistence timer. The default value is 14,400 seconds (4 hours).
The no arp timeout command sets the timer to its default value. The show arp timeout command displays its current value.
Examples
The following examples illustrate use of the arp and arp timeout commands:
arp inside 192.168.0.42 00e0.1e4e.2a7c
arp outside 192.168.0.43 00e0.1e4e.3d8b alias
show arp
outside 192.168.0.43 00e0.1e4e.3d8b alias
inside 192.168.0.42 00e0.1e4e.2a7c
clear arp inside 192.168.0.42
arp timeout 42
show arp timeout
arp timeout 42 seconds
no arp timeout
show arp timeout
arp timeout 14400 seconds
Change the AAA challenge text. (Configuration mode.)
auth-prompt [accept | reject | prompt] string Syntax Description
accept | If a user authentication via Telnet is accepted, display the prompt string. |
reject | If a user authentication via Telnet is rejected, display the prompt string. |
prompt | The AAA challenge prompt string follows this keyword. This keyword is optional for backward compatibility. |
string | A string of up to 235 alphanumeric characters. Special characters should not be used; however, spaces and punctuation characters are permitted. Entering a question mark or pressing the Enter key ends the string. (The question mark appears in the string.) |
Usage Guidelines
The auth-prompt command lets you change the AAA challenge text for HTTP, FTP, and Telnet access. This text displays above the username and password prompts that users view when logging in. If you do not use this command, FTP users view FTP authentication, HTTP users view HTTP Authentication, and challenge text does not appear for Telnet access.
If the user authentication occurs from Telnet, you can use the accept and reject options to display different authentication prompts if the authentication attempt is accepted or rejected by the authentication server.
Note Microsoft Internet Explorer only displays up to 37 characters in an authentication prompt. Netscape Navigator displays up to 120 characters, and Telnet and FTP display up to 235 characters in an authentication prompt.
Examples
The following example shows how to set the authentication prompt and how users view the prompt:
auth-prompt XYZ Company Firewall Access
After this string is added to the configuration, users view:
XYZ Company Firewall Access
User Name:
Password:
The prompt keyword can be included or omitted. For example:
auth-prompt prompt Hello There!
This command statement is the same as the following:
auth-prompt Hello There!
Remove commands from the configuration or reset command values. (All modes.)
Table 5-2, Table 5-3, and Table 5-4 list each mode in which the clear commands first appear. Each clear command listed in one mode can also be accessed in each subsequent, more secure mode going from unprivileged to configuration mode, but not from less secure modes.
Note For IPSec clear commands, refer to the IPSec User Guide for the Cisco Secure PIX Firewall Version 5.2.
Table 5-2 Unprivileged mode clear commands
| Clear Command | Description |
|---|---|
| clear pager | Resets the number of displayed lines to 24. |
Table 5-3 Privileged mode clear commands
| Clear Command | Description |
|---|---|
| clear arp | Clears the ARP table. |
| clear auth-prompt | Removes an auth-prompt command statement from the configuration. |
| clear blocks | Resets the show blocks command statement counters. |
| clear configure | Resets command parameters in the configuration to their default values. |
| clear flashfs | Clears Flash memory prior to downgrading the PIX Firewall software version. |
| clear local-host | Resets the information displayed for the show local-host command. |
| clear passwd | Resets the Telnet password back to "cisco." |
| clear traffic | Resets the counters for the show traffic command. |
| clear uauth | Deletes one user's or all users' AAA authorization caches, which forces the user or users to reauthenticate the next time they create a connection. |
| clear xlate | Clears the contents of the translation slots. |
Table 5-4 Configuration mode clear commands
| Clear Command | Description |
|---|---|
| clear aaa | Removes aaa command statements from the configuration. |
| clear access-list | Removes access-list command statements from the configuration. This command also stops all traffic through the PIX Firewall on the affected access-list command statements. |
| clear access-group | Removes access-group command statements from the configuration. |
| clear alias | Removes alias command statements from the configuration. |
| clear apply | Removes apply command statements from the configuration. |
| clear conduit | Removes conduit command statements from the configuration. |
| clear dhcpd | Removes dhcpd command statements from the configuration. |
| clear established | Removes established command statements from the configuration. |
| clear filter | Removes filter command statements from the configuration. |
| clear fixup | Resets fixup protocol command statements to their default values. |
| clear flashfs | Clears Flash memory before downgrading to a previous PIX Firewall version. |
| clear global | Removes global command statements from the configuration. |
| clear icmp | Removes icmp command statements from the configuration. |
| clear ip | Sets all PIX Firewall interface IP addresses to 127.0.0.1 and stops all traffic. |
| clear interface | Clears counters for the show interface command. |
| clear logging | Clears the syslog message queue accumulated by the logging buffered command. |
| clear names | Removes name command statements from the configuration. |
| clear nameif | Reverts nameif command statements to default interface names and security levels. |
| clear nat | Removes nat command statements from the configuration. |
| clear outbound | Removes outbound command statements from the configuration. |
| clear rip | Removes rip command statements from the configuration. |
| clear route | Removes route command statements from the configuration that do not contain the CONNECT keyword. |
| clear snmp-server | Removes snmp-server command statements from the configuration. |
| clear ssh | Removes ssh command statements from the configuration. |
| clear static | Removes static command statements from the configuration. |
| clear sysopt | Removes sysopt command statements from the configuration. |
| clear telnet | Removes telnet command statements from the configuration. |
| clear tftp-server | Removes tftp-server command statements from the configuration. |
| clear timeout | Resets timeout command durations to their default values. |
| clear url-cache | Removes url-cache command statements from the configuration. |
| clear url-server | Removes url-server command statements from the configuration. |
| clear virtual | Removes virtual command statements from the configuration. |
| clear vpdn | Removes vpdn command statements from the configuration. |
Set the PIX Firewall clock for use with the PIX Firewall Syslog Server and the Public Key Infrastructure (PKI) protocol. (Configuration mode.)
clock set hh:mm:ss month day year Syntax Description
hh:mm:ss | The current hour:minutes:seconds expressed in 24-hour time; for example, 20:54:00 for 8:54 pm. Zeros can be entered as a single digit; for example, 21:0:0. |
month | The current month expressed as the first three characters of the month; for example, apr for April. |
day | The current day of the month; for example, 1. |
year | The current year expressed as four digits; for example, 2000. |
Usage Guidelines
The clock command lets you specify the current time, month, day, and year for use with time-stamped syslog messages, which you can enable with the logging timestamp command. You can view the current time with the clock or the show clock command.
Note The lifetime of a certificate and the Certificate Revocation List (CRL) is checked in GMT. If you are using IPSec with certificates, set the PIX Firewall clock to the GMT time zone to ensure that CRL checking works correctly.
You can interchange the settings for the day and the month; for example, clock set 21:0:0 1 apr 2000.
The clock command does not accept a time before January 1, 1998 or after December 31, 2097, the latest date the clock can represent.
While the PIX Firewall clock is year 2000 compliant, it does not adjust itself for daylight saving time changes; however, it does know about leap years.
The PIX Firewall clock setting is retained in memory when the power is off by a battery on the PIX Firewall unit's motherboard. Should this battery fail, contact Cisco's customer support for a replacement PIX Firewall unit.
Cisco's PKI (Public Key Infrastructure) protocol uses the clock to make sure that a Certificate Revocation List (CRL) is not expired. Otherwise, the CA may reject or allow certificates based on an incorrect timestamp. Refer to the IPSec User Guide for the Cisco Secure PIX Firewall Version 5.2 for a description of IPSec concepts.
Examples
To enable PFSS time-stamp logging for the first time, use these commands:
clock set 21:0:0 apr 1 2000
show clock
21:00:05 Apr 01 2000
logging host 209.165.201.3
logging timestamp
logging trap 5
In this example, the clock command sets the clock to 9 pm on April 1, 2000. The logging host command specifies that a syslog server is at IP address 209.165.201.3. The PIX Firewall automatically determines that the server is a PFSS and sends syslog messages to it via TCP and UDP. The logging timestamp command enables sending time stamped syslog messages. The logging trap 5 command in this example specifies that messages at syslog level 0 through 5 be sent to the syslog server. The value 5 is used to capture severe and normal messages, but also those of the aaa authentication enable command.
Add, delete, or show conduits through the PIX Firewall for incoming connections. (Configuration mode.)
conduit permit | deny protocol global_ip global_mask [operator port [port]] foreign_ip foreign_mask [operator port [port]] Syntax Description
permit | Permit access if the conditions are matched. |
deny | Deny access if the conditions are matched. |
protocol | Specify the transport protocol for the connection. Possible literal values are icmp, tcp, udp, or an integer in the range 0 through 255 representing an IP protocol number. Use ip to specify all transport protocols. You can view valid protocol numbers online at the following site: http://www.isi.edu/in-notes/iana/assignments/protocol-numbers If you specify the icmp protocol, you can permit or deny ICMP access to one or more global IP addresses. Specify the ICMP type in the icmp_type variable, or omit to specify all ICMP types. See the Usage Guidelines for a complete list of the ICMP types. |
global_ip | A global IP address previously defined by a global or static command. You can use any if the global_ip and global_mask are 0.0.0.0 0.0.0.0. The any option applies the permit or deny parameters to the global addresses. If global_ip is a host, you can omit global_mask by specifying the host command before global_ip. For example: conduit permit tcp host 209.165.201.1 eq ftp any This example lets any foreign host access global address 209.165.201.1 for FTP. |
global_mask | Network mask of global_ip. The global_mask is a 32-bit, four-part dotted decimal; such as, 255.255.255.255. Use zeros in a part to indicate bit positions to be ignored. Use subnetting if required. If you use 0 for global_ip, use 0 for the global_mask; otherwise, enter the global_mask appropriate to global_ip. |
foreign_ip | An external IP address (host or network) that can access the global_ip. You can specify 0.0.0.0 or 0 for any host. If both the foreign_ip and foreign_mask are 0.0.0.0 0.0.0.0, you can use the shorthand any option. If foreign_ip is a host, you can omit foreign_mask by specifying the host command before foreign_ip. For example: conduit permit tcp any eq ftp host 209.165.201.2 This example lets foreign host 209.165.201.2 access any global address for FTP. |
foreign_mask | Network mask of foreign_ip. The foreign_mask is a 32-bit, four-part dotted decimal; such as, 255.255.255.255. Use zeros in a part to indicate bit positions to be ignored. Use subnetting if required. If you use 0 for foreign_ip, use 0 for the foreign_mask; otherwise, enter the foreign_mask appropriate to foreign_ip. You can also specify a mask for subnetting, for example, 255.255.255.192. |
operator | A comparison operand that lets you specify a port or a port range. Use without an operator and port to indicate all ports; for example: conduit permit tcp any any Use eq and a port to permit or deny access to just that port. For example, use eq ftp to permit or deny access only to FTP: conduit deny tcp host 192.168.1.1 eq ftp 209.165.201.1 Use lt and a port to permit or deny access to all ports less than the port you specify. For example, use lt 1025 to permit or deny access to the well-known ports (1 to 1024): conduit permit tcp host 192.168.1.1 lt 1025 any Use gt and a port to permit or deny access to all ports greater than the port you specify. conduit deny udp host 192.168.1.1 gt 42 host 209.165.201.2 Use neq and a port to permit or deny access to every port except the port that you specify. conduit deny tcp host 192.168.1.1 neq 10 host 209.165.201.2 neq 42 Use range and a port range to permit or deny access to only those ports named in the range. conduit deny tcp any range ftp telnet any By default, all ports are denied until explicitly permitted. |
port | Service(s) you permit to be used while accessing global_ip or foreign_ip. Specify services by the port that handles them, such as smtp for port 25, www for port 80, and so on. You can specify ports by either a literal name or a number in the range of 0 to 65535. You can specify all ports by not specifying a port value; for example: conduit deny tcp any any. This command is the default condition for the conduit command in that all ports are denied until explicitly permitted. You can view valid port numbers online at the following site: http://www.isi.edu/in-notes/iana/assignments/port-numbers See "Ports" in "Introduction," for a list of valid port literal names in port ranges; for example, ftp h323. You can also specify numbers. |
icmp_type | The type of ICMP message. Table 5-5 lists the ICMP type literals that you can use in this command. Omit this option to mean all ICMP types. An example of this command that permits all ICMP types is conduit permit icmp any any. This command lets ICMP pass inbound and outbound. |
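The address masks and port operators described in the table above, as an added example that is not part of the PIX documentation: a small Python evaluator that parses conduit statements and decides permit or deny for a given flow. It assumes first-match ordering with the page's default of deny, handles only tcp and udp, and uses a constructed subset of the port literal table; the rule list used with it is constructed from this page's examples.

```python
import ipaddress

# Port literals that appear in this page's examples (constructed subset of the PIX table).
PORT_NAMES = {"ftp": 21, "telnet": 23, "smtp": 25, "www": 80}
OPERATORS = {"eq", "lt", "gt", "neq", "range"}

def _port(tok):
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]

def _parse_addr(toks, i):
    """Parse 'any' | 'host A' | 'A MASK' at toks[i]; zero mask bits are ignored bits."""
    if toks[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if toks[i] == "host":
        return ipaddress.ip_network(toks[i + 1] + "/32"), i + 2
    return ipaddress.ip_network((toks[i], toks[i + 1]), strict=False), i + 2

def _parse_ports(toks, i):
    """Optional operator plus port(s); no operator at all means every port."""
    if i < len(toks) and toks[i] in OPERATORS:
        n = 3 if toks[i] == "range" else 2
        return (toks[i],) + tuple(_port(t) for t in toks[i + 1:i + n]), i + n
    return None, i

def _port_matches(spec, port):
    if spec is None:          # no operator: all ports
        return True
    op, a = spec[0], spec[1]
    return {"eq": port == a, "lt": port < a, "gt": port > a, "neq": port != a,
            "range": a <= port <= spec[-1]}[op]

def parse_conduit(line):
    """Split one conduit statement into action, protocol, global and foreign sides."""
    toks = line.split()
    glob, i = _parse_addr(toks, 3)
    gports, i = _parse_ports(toks, i)
    foreign, i = _parse_addr(toks, i)
    fports, _ = _parse_ports(toks, i)
    return {"action": toks[1], "proto": toks[2], "global": glob,
            "gports": gports, "foreign": foreign, "fports": fports}

def evaluate(conduits, proto, foreign_ip, foreign_port, global_ip, global_port):
    """First matching statement wins (an assumption of this example); default deny."""
    g, f = ipaddress.ip_address(global_ip), ipaddress.ip_address(foreign_ip)
    for c in conduits:
        if (c["proto"] == proto and g in c["global"] and f in c["foreign"]
                and _port_matches(c["gports"], global_port)
                and _port_matches(c["fports"], foreign_port)):
            return c["action"]
    return "deny"  # page default: all ports are denied until explicitly permitted
```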
Usage Guidelines
A conduit command statement creates an exception to the PIX Firewall Adaptive Security mechanism by permitting connections from one firewall network interface to access hosts on another.
The clear conduit command removes all conduit command statements from your configuration.
The conduit command can permit or deny access to either the global or static commands; however, neither is required for the conduit command. You can associate a conduit command statement with a global or static command statement through the global address, either specifically to a single global address, a range of global addresses, or to all global addresses.
Note The conduit command has been superseded by the access-list command. We recommend that you migrate your configuration away from the conduit command to maintain future compatibility.
When used with a static command statement, a conduit command statement permits users on a lower security interface to access a higher security interface. When not used with a static command statement, a conduit command statement permits both inbound and outbound access.
Converting conduit Commands to access-list Commands
Follow these steps to convert conduit command statements to access-list commands:
Step 1 View the static command format. The static command syntax is as follows:
static (high_interface,low_interface) global_ip local_ip netmask mask
For example:
static (inside,outside) 209.165.201.5 192.168.1.5 netmask 255.255.255.255
This command maps the global IP address 209.165.201.5 on the outside interface to the web server 192.168.1.5 on the inside interface. The netmask 255.255.255.255 is used for a single host address.
Step 2 View the conduit command format. The conduit command is similar to the access-list command in that it restricts access to the mapping provided by the static command. The conduit command syntax is as follows:
conduit action protocol global_ip global_mask global_operator global_port [global_port] foreign_ip foreign_mask foreign_opera