RE: Some questions for PIX experts [7:12122]

2001-07-12 Thread Ciaron Gogarty

nrf

NRF,

I think that this may help - you have to remember that packets' outgoing_src source addresses are what are received on the INSIDE interface, i.e. your local network; outgoing_dst are the destinations of the packets received.

But the fact of the matter is that this does not work for me.  I have discovered that my PIX does not in fact do a longest match at all.  For example, I put in the commands:

outbound 1 deny 0 0 0
outbound 1 permit 50.5.5.5 255.255.255.255 0

Notice the keyword change. If you want to PERMIT a host, you should have it above the deny all (like an access list):

outbound 1 permit 50.5.5.5 255.255.255.255 0 
outbound 1 deny 0 0 0

But if you want to EXCEPT a host, have it below the blanket deny all.

outbound 1 deny 0 0 0
outbound 1 except 50.5.5.5 255.255.255.255 0

I also believe from your example that 50.5.5.5 is the destination, i.e. it's outside the PIX; therefore, to do what you want there you indeed have to use outgoing_dest, because packets the PIX receives inbound on the inside interface will never have a source address other than 192.168.1.X.


For example, in my above example, I always used outgoing_src.  I would do something like this:
outbound 1 deny 0 0 0
outbound 1 except 50.5.5.5 255.255.255.255 0
apply (inside) 1 outgoing_src

The above should be outgoing_dst, as 50.5.5.5 is the destination of the packet.

To filter on outgoing_src you would need to filter your internal IP address range, as those are the IPs that will be the source address on packets received on the inside interface:


C



-Original Message-
From: nrf
To: [EMAIL PROTECTED]
Sent: 12/07/01 14:33
Subject: Some questions for PIX experts [7:12122]

Hello all.  I'm looking for some PIX experts to help me with the following strangeness I found while fiddling around with the Pix.

For purposes of this discussion, I am using PixOS 5.3, and I got a Pix 530 with 2 interfaces.  The inside interface has a network of 192.168.1.0/24, and the outside interface is 50.0.0.0/8.  The inside network has a few PC's, the outside network has a server at 50.5.5.5 running WWW, FTP, and telnet.  And I always use "clear xlate" after I change anything on the PIX.

1) Question on "Outbound" - is the documentation wrong?

I have carefully read the documentation on the Outbound keyword.  The link is here for convenience:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v53/config/commands.htm#xtocid223341

The documentation states the following: "The outgoing_src and outgoing_dest outbound lists are filtered independently. If any one of the filters contain deny, the outbound packet is denied. When multiple rules are used to filter the same packet, the best matched rule takes effect.  The best match is based on the IP address mask and the port range check.  More strict IP address masks and smaller port ranges are considered a better match"

Now, I am not a genius, but it seems to me that this paragraph states that the PIX will prefer an outbound statement that is a longer match (mask or port number) over a lesser match.  Is that correct?

But the fact of the matter is that this does not work for me.  I have discovered that my PIX does not in fact do a longest match at all.  For example, I put in the commands:

outbound 1 deny 0 0 0
outbound 1 permit 50.5.5.5 255.255.255.255 0

Then I apply it, and I find out that nobody on the inside can access the 50.5.5.5 server, even though it seems like the second outbound statement should override the first statement (because it is a longer match).

Now, those of you who might want to know whether the Pix is working properly or not, or whether I applied the outbound list correctly or not, consider this.  I then changed the outbound statements to read this:

outbound 1 deny 0 0 0
outbound 1 except 50.5.5.5 255.255.255.255 0

And I see that indeed, everybody on the internal network is indeed denied to everything except the 50.5.5.5 server.  So I know the Pix is working, and I am correctly applying the outbound list.

My only conclusion that I can make is that either the documentation on the outbound keyword is either seriously wrong (and therefore it is false that the Pix does a longest match) or my Pix is seriously warped.


2) Question on direction of Apply keyword - another error in the documentation?:

Once again, referring to the documentation, this time on the Apply keyword.
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v53/config/commands.htm#xtocid223341

I am interested in whether to use 'outgoing_src' or 'outgoing_dest' with the 'Apply' keyword.

For example, in my above example, I always used outgoing_src.  I would do something like this:
outbound 1 deny 0 0 0
outbound 1 except 50.5.5.5 255.255.255.255 0
apply (inside) 1 outgoing_src

This would serve to block all access from the inside network to the outside, except for the 50.5.5.5 server, which is exactly the behavior I wanted.
If I replace the apply statement with
apply (
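The two replies above argue over how an outbound list is evaluated: the documentation nrf quotes describes a "best match" (longest mask, then smallest port range, wherever the rule sits in the list), while Ciaron reasons from an access-list model in which the permit has to sit above the deny all. The following Python model is an added example, not code from the thread or from Cisco; it implements both evaluation orders side by side so that the two lists under discussion can be compared, and it combines an outgoing_src list with an outgoing_dest list the way the quoted documentation says ("filtered independently ... if any one of the filters contain deny, the outbound packet is denied"). It models only permit and deny; the except keyword is left out because the thread does not quote its definition. The rule strings are copied from the thread, but the 192.168.1.10 client address, the port 80 traffic and the choice to permit unmatched traffic are constructed here, and the model is a reading of the documentation text, not a claim about what the PIX firmware actually does (nrf's observation that the deny-then-permit list still blocks 50.5.5.5 is what the first-match function returns, not what the best-match function returns).

```python
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Tuple

# Constructed sample lists, copied from the two configurations under discussion
# (list ID 1; address, mask and port fields exactly as typed in an "outbound" command).
NRF_LIST = [
    "outbound 1 deny 0 0 0",
    "outbound 1 permit 50.5.5.5 255.255.255.255 0",
]
CIARON_LIST = [
    "outbound 1 permit 50.5.5.5 255.255.255.255 0",
    "outbound 1 deny 0 0 0",
]


@dataclass(frozen=True)
class Rule:
    action: str   # "permit" or "deny" ("except" is not modelled here)
    ip: str       # address field; "0" means any address
    mask: str     # netmask field; "0" means 0.0.0.0
    port: str     # "0" = any port, "80" = one port, "1-1024" = a range

    def network(self) -> IPv4Network:
        ip = "0.0.0.0" if self.ip == "0" else self.ip
        mask = "0.0.0.0" if self.mask == "0" else self.mask
        return IPv4Network((ip, mask), strict=False)

    def port_range(self) -> Tuple[int, int]:
        if self.port == "0":
            return (0, 65535)
        if "-" in self.port:
            lo, hi = self.port.split("-", 1)
            return (int(lo), int(hi))
        return (int(self.port), int(self.port))

    def matches(self, addr: str, port: int) -> bool:
        lo, hi = self.port_range()
        return IPv4Address(addr) in self.network() and lo <= port <= hi

    def specificity(self) -> Tuple[int, int]:
        # Longer mask beats shorter mask; a narrower port range breaks the tie.
        # A bigger tuple is a better match, so the range width is negated.
        lo, hi = self.port_range()
        return (self.network().prefixlen, -(hi - lo))


def parse_outbound(lines: List[str]) -> List[Rule]:
    """Parse 'outbound <list_id> <action> <ip> <mask> <port> [protocol]' lines."""
    rules = []
    for line in lines:
        fields = line.split()
        if len(fields) < 6 or fields[0] != "outbound":
            raise ValueError(f"not an outbound command: {line!r}")
        _, _, action, ip, mask, port = fields[:6]
        if action not in ("permit", "deny"):
            raise ValueError(f"unsupported action {action!r} in {line!r}")
        rules.append(Rule(action, ip, mask, port))
    return rules


def best_match(rules: List[Rule], addr: str, port: int, default: str = "permit") -> str:
    """Documented semantics: the most specific matching rule wins, whatever its position."""
    hits = [r for r in rules if r.matches(addr, port)]
    if not hits:
        return default  # assumption: traffic matched by no rule is not filtered by this list
    return max(hits, key=Rule.specificity).action


def first_match(rules: List[Rule], addr: str, port: int, default: str = "permit") -> str:
    """Access-list style semantics: the first matching rule in list order wins."""
    for rule in rules:
        if rule.matches(addr, port):
            return rule.action
    return default


def decide(evaluate, src_rules: List[Rule], dst_rules: List[Rule],
           src: str, dst: str, port: int) -> str:
    """Combine an outgoing_src list and an outgoing_dest list as the quoted
    documentation describes: each list is filtered independently, the src list
    against the source address and the dest list against the destination, and
    a deny from either one denies the packet."""
    verdicts = (evaluate(src_rules, src, port), evaluate(dst_rules, dst, port))
    return "deny" if "deny" in verdicts else "permit"


if __name__ == "__main__":
    nrf = parse_outbound(NRF_LIST)
    ciaron = parse_outbound(CIARON_LIST)
    print("best-match,  deny then permit /32:", best_match(nrf, "50.5.5.5", 80))
    print("first-match, deny then permit /32:", first_match(nrf, "50.5.5.5", 80))
    print("first-match, permit /32 then deny:", first_match(ciaron, "50.5.5.5", 80))
```

Under best_match the order of the two lines is irrelevant and the /32 permit wins either way; under first_match only Ciaron's ordering lets 50.5.5.5 through, which is the whole of his point about putting the permit above the deny all. The port tie-break matters in the same way: a /32 deny for all ports and a /32 permit for port 80 give a best-match permit for web traffic and a deny for telnet, while first_match never reaches the permit if the deny is listed first.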

Re: Some questions for PIX experts [7:12122]

2001-07-12 Thread Allen May

Think of it as more of a "more specific match" instead.  A rule for 50.0.0.0/8 is less specific than a rule for 50.5.5.5/32.  I would put the deny at the bottom of the list though.


- Original Message -
From: "nrf" 
To: 
Sent: Thursday, July 12, 2001 8:33 AM
Subject: Some questions for PIX experts [7:12122]


> Hello all.  I'm looking for some PIX experts to help me with the following
> strangeness I found while fiddling around with the Pix.
>
> For purposes of this discussion, I am using PixOS 5.3, and I got a Pix 530
> with 2 interfaces.  The inside interface has a network of 192.168.1.0/24,
> and the outside interface is 50.0.0.0/8.  The inside network has a few PC's,
> the outside network has a server at 50.5.5.5 running WWW, FTP, and telnet.
> And I always use "clear xlate" after I change anything on the PIX.
>
> 1) Question on "Outbound" - is the documentation wrong?
>
> I have carefully read the documentation on the Outbound keyword.  The link
> is here for convenience:
> http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v53/config/commands.htm#xtocid223341
>
> The documentation states the following: "  The outgoing_src and
> outgoing_dest outbound lists are filtered independently. If any one of the
> filters contain deny, the outbound packet is denied. When multiple rules are
> used to filter the same packet, the best matched rule takes effect.  The
> best match is based on the IP address mask and the port range check. More
> strict IP address masks and smaller port ranges are considered a better
> match"
>
> Now, I am not a genius, but it seems to me that this paragraph states that
> the PIX will prefer an outbound statement that is a longer match (mask or
> port number) over a lesser match.  Is that correct?
>
> But the fact of the matter is that this does not work for me.  I have
> discovered that my PIX does not in fact do a longest match at all.  For
> example, I put in the commands:
>
> outbound 1 deny 0 0 0
> outbound 1 permit 50.5.5.5 255.255.255.255 0
>
> Then I apply it, and I find out that nobody on the inside can access the
> 50.5.5.5 server, even though it seems like the second outbound statement
> should override the first statement (because it is a longer match).
>
> Now, those of you who might want to know whether the Pix is working
> properly or not, or whether I applied the outbound list correctly or not,
> consider this.  I then changed the outbound statements to read this:
>
> outbound 1 deny 0 0 0
> outbound 1 except 50.5.5.5 255.255.255.255 0
>
> And I see that indeed, everybody on the internal network is indeed denied to
> everything except the 50.5.5.5 server.  So I know the Pix is working, and I
> am correctly applying the outbound list.
>
> My only conclusion that I can make is that either the documentation on the
> outbound keyword is either seriously wrong (and therefore it is false that
> the Pix does a longest match) or my Pix is seriously warped.
>
>
> 2) Question on direction of Apply keyword - another error in the
> documentation?:
>
> Once again, referring to the documentation, this time on the Apply keyword.
> http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v53/config/commands.htm#xtocid223341
>
> I am interested in whether to use 'outgoing_src' or 'outgoing_dest' with the
> 'Apply' keyword.
>
> For example, in my above example, I always used outgoing_src.  I would do
> something like this:
> outbound 1 deny 0 0 0
> outbound 1 except 50.5.5.5 255.255.255.255 0
> apply (inside) 1 outgoing_src
>
> This would serve to block all access from the inside network to the outside,
> except for the 50.5.5.5 server, which is exactly the behavior I wanted.
> If I replace the apply statement with
> apply (inside) 1 outgoing_dest
> then everybody on the internal network can go everywhere, which is not the
> desired behavior I want.  So  I believe I understand how this works.  If
> your Outbound list includes addresses of your internal PC's, then use
> outbound_dest.  If it instead contains outside addresses, use outbound_src.
> I have tested this theory many times on my PIX, and it always follows this
> pattern.
>
> Then I look at the documentation examples,  and they seem to have it
> backwards.
>
> For example, they have the following example:
> "The following example prevents inside host 192.168.1.49 from accessing the
> World Wide Web (port 80):
>
> outbound 11 deny 192.168.1.49 255.255.255.255 80 tcp
>
> apply (inside) 11 outgoing_src"
>
>
> I went and tried this and I discovered that it doesn't work at all.  I fire
> up a spare PC that I have, give it the address of 192.168.1.49, and attach
> it to my inside network.  I put in the above commands in the Pix, and I
> discover that the PC can go anywhere it wants, willy nilly.  The above
> outbound list never gets invoked at all.
>
> But I found out that when I change the Apply statement to follow my pattern,
> instead of what the documentation says to do:
>
> apply (inside)