Friday, July 10, 2009


/////////Difference between IOS ACLs and PIX ACLs////////////

IOS router ACLs use a wildcard mask. PIX ACLs use a subnet mask.

A wildcard mask can be thought of as a subnet mask with its ones and zeros inverted; for example, a wildcard mask of corresponds to a subnet mask of. A wildcard mask is usually used in combination with an IP address. For example, in a standard ACL, a statement like the following:

access-list 10 permit

allows traffic from subnet to pass: the first three octets must match exactly, whereas the bits of the fourth octet can take any value.

////////// Special Feature of Cisco PIX //////////////

The PIX only lets you apply rules inbound (to an interface). By default the PIX allows traffic from a higher-security interface (inside = 100) to a lower-security interface (outside = 0). The return traffic is allowed because the PIX sees the outbound connection and temporarily opens the port for the traffic coming back in.

////////// Access Control List /////////////////

access-list 101 permit tcp any range 1024 65535 host eq www

access-list 101 permit tcp any host eq www

If both ACEs appear in the above order, Rule 1 is overridden by Rule 2: Rule 2 permits any source port, so every port range is allowed to reach the host on port 80, and Rule 1 adds nothing.
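To make both points above concrete (the wildcard/subnet mask inversion, and why the second ACE leaves the first one with no effect under top-down first-match evaluation), here is an added Python example; it is not part of the original post or of any Cisco tooling. The Ace class and the port-only matching are a deliberate simplification that ignores addresses and protocol, and the sample ACL below is constructed from the two entries in the post.

```python
import ipaddress
from dataclasses import dataclass


def wildcard_to_subnet(wildcard: str) -> str:
    """IOS wildcard mask -> PIX subnet mask: every bit is inverted (and back)."""
    bits = int(ipaddress.IPv4Address(wildcard))
    return str(ipaddress.IPv4Address(bits ^ 0xFFFFFFFF))


def ios_matches(addr: str, network: str, wildcard: str) -> bool:
    """Standard IOS ACL test: bits where the wildcard is 0 must match exactly."""
    care = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    return a & care == n & care


@dataclass(frozen=True)
class Ace:
    """One simplified extended ACE: action, source port range, destination port."""
    action: str
    src_lo: int
    src_hi: int
    dst_port: int

    def covers(self, src_port: int, dst_port: int) -> bool:
        return self.src_lo <= src_port <= self.src_hi and dst_port == self.dst_port


def first_match(acl, src_port: int, dst_port: int) -> str:
    """Top-down, first-match evaluation with the implicit deny at the end."""
    for ace in acl:
        if ace.covers(src_port, dst_port):
            return ace.action
    return "deny"


def is_redundant(acl, index: int, dst_port: int = 80) -> bool:
    """True when removing acl[index] changes no decision for any source port."""
    without = acl[:index] + acl[index + 1:]
    return all(first_match(acl, p, dst_port) == first_match(without, p, dst_port)
               for p in range(65536))


# Constructed sample: the two ACEs from the post, source range 1024-65535 then any.
ACL_101 = [Ace("permit", 1024, 65535, 80), Ace("permit", 0, 65535, 80)]
```

Running is_redundant over every entry of a real list before deployment is a cheap way to catch shadowed or dead rules that make an ACL harder to audit.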

