RE: applying PIX access-lists [7:61033]

2003-01-17 Thread Ozan Akdemir
You can use PDM (the web-based GUI of the Cisco PIX). It looks like the Checkpoint GUI.
You can insert lines between other statements, change NAT definitions,
monitor system resources, etc. It is very useful.

Ozan Akdemir


-Original Message-
From: Sam Sneed [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, January 14, 2003 6:59 PM
To: [EMAIL PROTECTED]
Subject: applying PIX access-lists [7:61033]

I am new to PIX and have a simple question. What methods do you (PIX admins)
use to change and apply access-lists? Unlike IOS access-lists, it seems you
can remove statements from the middle of the list. When you do this, does the
change occur immediately, or do you have to reapply the access-group? Do you
need to do clear xlate after changing access-lists?

How about the following scenario:

I have a PIX that has interface outside with the following access-list:

access-list from-internet permit ip any host 10.10.10.1
access-list from-internet permit ip any host 10.10.10.4
access-list from-internet permit ip any host 10.10.10.5
access-list from-internet deny ip any any

and

access-group from-internet in interface outside

Now I want to add 'access-list from-internet permit ip any host 10.10.10.2'
before 'access-list from-internet permit ip any host 10.10.10.4'.

What is the best way to do this?
I thought maybe I would create a new list :

access-list from-internet2 permit ip any host 10.10.10.1
access-list from-internet2 permit ip any host 10.10.10.2
access-list from-internet2 permit ip any host 10.10.10.4
access-list from-internet2 permit ip any host 10.10.10.5
access-list from-internet2 deny ip any any

then remove the old one and apply the new one in successive commands.
Is this the standard way of making changes, or do you more experienced admins
have a better way? I'm migrating from a Checkpoint environment, so this
wasn't an issue when administering them.

How about this for a good question: why aren't the access-lists on the
PIX numbered like prefix-lists in BGP? Wouldn't that be very intuitive and
easy to work with?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=61267t=61033
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



RE: applying PIX access-lists [7:61033]

2003-01-14 Thread Waters, Kristina
Sam,

I used to copy my list out to notepad and add the new line. Do a 'no
access-list from-internet', then cut and paste the new one back in. Keep in
mind this will briefly leave you with no access list on that interface. Then
re-enter the 'access-group from-internet in interface outside' command, as
it will remove it when you do the no access-list command.

You can also use subnet masks if you have a group of IPs; for example,
adding 10.10.10.0/29 would grant access to hosts 10.10.10.1 - 7.

Someone here also posted a good link to some new features that are available
in 6.2 that might be useful:

http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps2030/products_tech_note09186a00800d641d.shtml


Kris.
-Original Message-
From: Sam Sneed [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, January 14, 2003 11:59 AM
To: [EMAIL PROTECTED]
Subject: applying PIX access-lists [7:61033]






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=61037t=61033



RE: applying PIX access-lists [7:61033]

2003-01-14 Thread Emilia Lambros
Why don't you try removing the line you want it to be below (as well as the
deny ip any any at the end) then put in the new line, the next line(s) and
the deny line?

i.e.
no access-list from-internet permit ip any host 10.10.10.4
no access-list from-internet permit ip any host 10.10.10.5
no access-list from-internet deny ip any any

access-list from-internet permit ip any host 10.10.10.2
access-list from-internet permit ip any host 10.10.10.4
access-list from-internet permit ip any host 10.10.10.5
access-list from-internet deny ip any any

That should leave you with 

access-list from-internet permit ip any host 10.10.10.1
access-list from-internet permit ip any host 10.10.10.2
access-list from-internet permit ip any host 10.10.10.4
access-list from-internet permit ip any host 10.10.10.5
access-list from-internet deny ip any any

It's a little shuffling, but it gets you there ;)  Is there any reason other
than numerical order that the 10.10.10.2 line needs to be above the
10.10.10.2 line, since they're all permits anyway?

Also, for my own interest, is the deny ip any any required?  I was of the
impression that everything was closed until you opened it, which means there
should already be an implicit deny ip any any?

Em




-Original Message-
From: Sam Sneed [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 15 January 2003 3:29 AM
To: [EMAIL PROTECTED]
Subject: applying PIX access-lists [7:61033]






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=61060t=61033



Re: applying PIX access-lists [7:61033]

2003-01-14 Thread Sam Sneed
The deny statement is there implicitly, but if you put it in as well, when you
do a show access-list command you will see the statistics of how many times
it was hit.

As far as your suggestion goes, it may not work as well if you have over 100
access-lists and you need to put one in, let's say, the 8th spot.

Emilia Lambros wrote in message news:[EMAIL PROTECTED]...




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=61062t=61033



RE: applying PIX access-lists [7:61033]

2003-01-14 Thread Emilia Lambros
Nope, it wouldn't work well in that situation, but if you're only talking a few
entries then it's not a problem.

Also, in that sort of situation, if you wanted to put a deny before a permit
(where order really does matter, other than aesthetically), you remove the
line permitting the traffic, add the deny, then put in the permit again and
you're back to where you were.  The most you'd have to re-add after that
would be a deny ip any any :)



-Original Message-
From: Sam Sneed [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 15 January 2003 8:38 AM
To: [EMAIL PROTECTED]
Subject: Re: applying PIX access-lists [7:61033]






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=61070t=61033



Re: applying PIX access-lists [7:61033]

2003-01-14 Thread [EMAIL PROTECTED]
Sam,
you can use two methods, i.e. CLI based and GUI based (PDM).
If you are using PDM, you just insert/add the rule.

CLI based:
1. access-list from-internet2 permit ip any host 10.10.10.1
   access-list from-internet2 permit ip any host 10.10.10.2
   access-list from-internet2 permit ip any host 10.10.10.4
   access-list from-internet2 permit ip any host 10.10.10.5
   access-list from-internet2 deny ip any any

2. no access-group from-internet in interface outside
   access-group from-internet2 in interface outside

3. clear xlate

Hope this can help you.

regards,
Sugianto Sho




   

From: Sam Sneed
Sent by: nobody@groupstudy.com
Sent: 01/14/2003 11:58 PM
Subject: applying PIX access-lists [7:61033]
(Please respond to Sam Sneed)





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=61071t=61033
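As an added example (not code from the thread, nor Cisco's tooling), the Python script below generates the two command sequences the thread discusses: Emilia's in-place edit (remove the entries from the insert point to the end, re-add them with the new line first) and the new-list-plus-access-group swap that Sam and Sugianto describe. It then replays the generated commands against a constructed copy of Sam's configuration using the semantics stated in the thread ('no access-list NAME <entry>' removes one entry; 'no access-list NAME' drops the whole list and, as Kris notes, its access-group), so the resulting list can be checked before anything is pasted into a live firewall. The function names, the simulator itself and the treatment of 'clear xlate' as a no-op for list contents are this example's own assumptions.

```python
# Added example: generate and sanity-check PIX CLI command sequences for
# inserting an access-list entry at a given position. Illustrative code only;
# the sample configuration is constructed from the list Sam posted.
import re

ACE_RE = re.compile(r"^(no\s+)?access-list\s+(\S+)(?:\s+(.*))?$")
AG_RE = re.compile(r"^(no\s+)?access-group\s+(\S+)\s+in\s+interface\s+(\S+)$")

# Constructed sample: Sam's list and its binding to the outside interface.
SAMPLE_CONFIG = """
access-list from-internet permit ip any host 10.10.10.1
access-list from-internet permit ip any host 10.10.10.4
access-list from-internet permit ip any host 10.10.10.5
access-list from-internet deny ip any any
access-group from-internet in interface outside
"""


def parse_acl(config_text, name):
    """Return the entries (text after the list name) of access-list `name`, in order."""
    entries = []
    for line in config_text.splitlines():
        m = ACE_RE.match(line.strip())
        if m and not m.group(1) and m.group(2) == name and m.group(3):
            entries.append(m.group(3).strip())
    return entries


def inplace_insert(name, entries, position, new_entry):
    """Emilia's method: remove every entry from `position` to the end, then
    re-add them with `new_entry` first. Entries before `position` are never
    touched, so nothing is permitted during the change that was not permitted
    before (removed permits fall back to the PIX's implicit deny)."""
    tail = entries[position:]
    cmds = [f"no access-list {name} {e}" for e in tail]
    cmds.append(f"access-list {name} {new_entry}")
    cmds += [f"access-list {name} {e}" for e in tail]
    return cmds


def swap_insert(name, entries, position, new_entry, iface, new_name=None):
    """Sam's/Sugianto's method: build a complete new list under a new name,
    re-point the access-group, clear xlate, then remove the old list."""
    new_name = new_name or name + "2"
    new_entries = entries[:position] + [new_entry] + entries[position:]
    cmds = [f"access-list {new_name} {e}" for e in new_entries]
    cmds += [f"no access-group {name} in interface {iface}",
             f"access-group {new_name} in interface {iface}",
             "clear xlate",
             f"no access-list {name}"]
    return cmds


def simulate(config_text, commands):
    """Replay access-list / access-group commands on top of a starting config
    and return (lists, bindings). Assumed semantics, taken from the thread."""
    lists, bindings = {}, {}
    for line in config_text.splitlines() + commands:
        line = line.strip()
        if not line or line == "clear xlate":   # xlate does not change list contents
            continue
        m = AG_RE.match(line)
        if m:
            neg, acl, iface = m.groups()
            if neg:
                bindings.pop(iface, None)
            else:
                bindings[iface] = acl
            continue
        m = ACE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised line: {line}")
        neg, acl, entry = m.groups()
        if neg and entry is None:
            lists.pop(acl, None)                      # whole list removed ...
            bindings = {i: a for i, a in bindings.items() if a != acl}  # ... and its access-group
        elif neg:
            lists[acl].remove(entry.strip())          # single entry removed
        else:
            lists.setdefault(acl, []).append(entry.strip())
    return lists, bindings


def effective_entries(config_text, commands, iface):
    """Entries in force on `iface` after `commands`, or None if no list is bound."""
    lists, bindings = simulate(config_text, commands)
    acl = bindings.get(iface)
    return lists.get(acl) if acl else None


if __name__ == "__main__":
    before = parse_acl(SAMPLE_CONFIG, "from-internet")
    new = "permit ip any host 10.10.10.2"
    for cmds in (inplace_insert("from-internet", before, 1, new),
                 swap_insert("from-internet", before, 1, new, "outside")):
        print("\n".join(cmds))
        print("=>", effective_entries(SAMPLE_CONFIG, cmds, "outside"), "\n")
```

Running the script prints both command sequences followed by the list the simulator computes for the outside interface; both should end with the five entries in the order Sam wants. The simulator also reproduces Kris's warning: replaying just 'no access-list from-internet' leaves the outside interface with no list bound at all, which is why her method needs the access-group re-entered afterwards.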