Friday, July 10, 2009

PIX, IOS, ACLs

/////////Difference between IOS ACLs and PIX ACLs////////////

IOS router ACLs use wildcard masks. PIX ACLs use subnet masks.

A wildcard mask is usually thought of as a subnet mask with the ones and zeros inverted: a wildcard mask of 0.0.0.255 corresponds to a subnet mask of 255.255.255.0. Strictly it is more general than that. A 0 bit in the wildcard means "this bit must match the address", a 1 bit means "don't care", and the 1 bits do not have to be contiguous, whereas a subnet mask must be a run of ones followed by a run of zeros. Only contiguous wildcards can be rewritten as a PIX subnet mask. A wildcard mask is always paired with an IP address. For example, in a standard ACL, a statement like the following:

access-list 10 permit 10.0.3.0 0.0.0.255

permits traffic from subnet 10.0.3.0/24: the first three octets must match exactly, whereas the fourth octet can take any value. The PIX writes the same network as 10.0.3.0 255.255.255.0.
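The mask rules above, as an added example that is not part of the original post: converting between the IOS wildcard form and the PIX subnet-mask form, checking whether a wildcard is contiguous (and so has a PIX equivalent at all), and applying the IOS matching rule to an address. The function names and the non-contiguous wildcard 0.0.254.255 (match only even third octets) are my own; the 10.0.3.0 0.0.0.255 case is the one from the text.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def _fmt(n: int) -> str:
    return str(ipaddress.IPv4Address(n & ALL_ONES))


def wildcard_to_subnet(wildcard: str) -> str:
    """Invert every bit: 0.0.0.255 -> 255.255.255.0 (the IOS -> PIX direction)."""
    return _fmt(_ip(wildcard) ^ ALL_ONES)


def subnet_to_wildcard(mask: str) -> str:
    """The same inversion in the PIX -> IOS direction."""
    return _fmt(_ip(mask) ^ ALL_ONES)


def is_contiguous(wildcard: str) -> bool:
    """True if the don't-care bits form one low-order run, i.e. the wildcard inverts to a valid subnet mask.

    0x000000FF + 1 = 0x100 shares no bit with 0xFF (contiguous);
    0x0000FE00 + 1 = 0xFE01 still shares bits with 0xFE00 (not contiguous).
    """
    w = _ip(wildcard)
    return (w + 1) & w == 0


def matches(addr: str, network: str, wildcard: str) -> bool:
    """IOS matching rule: where the wildcard bit is 0 the address must equal the network; 1 bits are ignored."""
    care = _ip(wildcard) ^ ALL_ONES
    return (_ip(addr) ^ _ip(network)) & care == 0


def ios_to_pix(network: str, wildcard: str):
    """Rewrite an IOS 'network wildcard' pair as the PIX 'network subnet-mask' pair.

    Refuses wildcards the PIX cannot express (hypothetical helper, not a Cisco command).
    """
    if not is_contiguous(wildcard):
        raise ValueError(f"wildcard {wildcard} is non-contiguous and has no subnet-mask equivalent")
    return network, wildcard_to_subnet(wildcard)


def to_cidr(network: str, wildcard: str) -> str:
    """Prefix notation for a contiguous IOS pair, e.g. 10.0.3.0 0.0.0.255 -> 10.0.3.0/24."""
    net, mask = ios_to_pix(network, wildcard)
    return str(ipaddress.IPv4Network(f"{net}/{mask}", strict=False))
```

The non-contiguous case is the one to remember when porting IOS ACLs to a PIX: `10.0.0.0 0.0.254.255` matches 10.0.4.1 but not 10.0.5.1, and there is no single PIX subnet-mask entry that does the same; it has to be expanded into several.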


////////// Special Feature of Cisco PIX //////////////

The PIX (software 6.x) only lets you apply an ACL inbound, that is, to traffic arriving on an interface (access-group <acl> in interface <name>); the "out" direction was added in PIX/ASA software 7.0. By default the PIX permits traffic from a higher-security interface (inside = 100) to a lower-security interface (outside = 0) and denies traffic in the other direction. Return traffic for an outbound connection is still allowed, because the PIX is stateful: it records the outbound connection in its connection table and lets packets that match that connection back in for as long as the connection exists. Nothing is opened permanently, and an unsolicited packet from outside that matches no connection is dropped unless an inbound ACL on the outside interface permits it.
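The default behaviour just described, as an added example that is not part of the original post and not Cisco code: a constructed model of the PIX policy with security levels, a connection table for return traffic, and ACLs that can only be bound inbound. NAT/xlate handling is left out, so the inside host keeps its private address; the interface names, security levels and addresses are constructed for the demo.

```python
from typing import Dict, List, Optional, Set, Tuple

Flow = Tuple[str, str, int, str, int]     # proto, src, sport, dst, dport
Ace = Tuple[str, str, Optional[int]]       # action, destination address or "any", destination port or None (any)


class PixModel:
    """Constructed model of the PIX default policy: security levels, stateful return traffic, inbound-only ACLs."""

    def __init__(self, security: Dict[str, int]):
        self.security = security                 # interface name -> security level (inside=100, outside=0)
        self.conns: Set[Flow] = set()            # connection table: outbound flows the PIX has seen and considers open
        self.acl_in: Dict[str, List[Ace]] = {}   # interface -> ACL bound with 'access-group ... in interface ...'

    def access_group_in(self, iface: str, acl: List[Ace]) -> None:
        """Bind an ACL inbound on an interface; there is no outbound direction in this model (as on PIX 6.x)."""
        self.acl_in[iface] = acl

    def packet(self, in_iface: str, out_iface: str, flow: Flow) -> Tuple[str, str]:
        proto, src, sport, dst, dport = flow
        # 1. A reply to a connection already in the table is let back in regardless of direction or ACLs.
        if (proto, dst, dport, src, sport) in self.conns:
            return "permit", "existing-conn"
        # 2. An ACL bound inbound on the ingress interface replaces the security-level default for new flows.
        acl = self.acl_in.get(in_iface)
        if acl is not None:
            for action, a_dst, a_port in acl:
                if a_dst in ("any", dst) and a_port in (None, dport):
                    if action == "permit":
                        self.conns.add(flow)
                    return action, "acl"
            return "deny", "acl-implicit-deny"
        # 3. No ACL: higher -> lower security is allowed and creates state; lower -> higher is dropped.
        if self.security[in_iface] > self.security[out_iface]:
            self.conns.add(flow)
            return "permit", "security-level"
        return "deny", "security-level"


def demo() -> List[Tuple[str, str]]:
    """Walk a constructed two-interface PIX through an outbound web connection and two inbound attempts."""
    pix = PixModel({"inside": 100, "outside": 0})
    out = []
    out.append(pix.packet("inside", "outside", ("tcp", "10.1.1.5", 40000, "203.0.113.7", 80)))    # new outbound flow
    out.append(pix.packet("outside", "inside", ("tcp", "203.0.113.7", 80, "10.1.1.5", 40000)))    # its reply
    out.append(pix.packet("outside", "inside", ("tcp", "198.51.100.9", 5555, "10.1.1.5", 22)))    # unsolicited
    pix.access_group_in("outside", [("permit", "10.1.1.5", 80)])                                   # open port 80 inbound
    out.append(pix.packet("outside", "inside", ("tcp", "198.51.100.9", 5555, "10.1.1.5", 80)))    # now permitted by ACL
    out.append(pix.packet("outside", "inside", ("tcp", "198.51.100.9", 5556, "10.1.1.5", 22)))    # still dropped
    return out
```

Step 1 is the point of the paragraph: the reply from 203.0.113.7 gets in only because the conn table already holds the outbound flow, not because anything on the outside interface permits port 80 in general; the unsolicited connection to the same host is dropped until an inbound ACL says otherwise.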

////////// Access Control List /////////////////

access-list 101 permit tcp any range 1024 65535 host 192.168.5.1 eq www

access-list 101 permit tcp any host 192.168.5.1 eq www

ACEs are evaluated top down and the first match wins. With the two entries in this order, rule 1 is not overridden: a packet from a source port in 1024-65535 matches rule 1 and is permitted there. But rule 2 is a superset of rule 1 (any source port to port 80), so everything rule 1 permits, rule 2 would permit as well, and the packets rule 1 leaves out (source ports 0-1023) are permitted by rule 2 anyway. The net effect is that any source port may reach host 192.168.5.1 port 80; rule 1 contributes nothing and can be deleted. If the intention was to admit only ephemeral source ports, rule 2 is the one that must go, and the implicit deny at the end of the ACL then drops the rest. Reversing the order would make rule 1 truly dead: rule 2 would match first and rule 1 would never be hit.
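The ordering argument above, as an added example that is not part of the original post: a small parser for the extended-ACE syntax shown, a first-match evaluator with the implicit deny, and two checks a practitioner would run on an ACL like this one, for rules that can never be hit (shadowed by an earlier entry) and rules that can be deleted without changing any decision (subsumed by a later entry with the same action). The two ACEs from the text are used as input; the function names, the extra ACL 102 and the port-name table are my own.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ALL = 0xFFFFFFFF
PORT_NAMES = {"www": 80, "ssh": 22, "smtp": 25, "domain": 53}   # a few of the keywords IOS/PIX accept instead of numbers


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


@dataclass(frozen=True)
class AddrSpec:
    net: int    # address bits that must match wherever wild is 0
    wild: int   # wildcard: 1 = don't care. "any" is 0.0.0.0/255.255.255.255, "host A" is A/0.0.0.0

    def matches(self, addr: int) -> bool:
        return (addr ^ self.net) & (self.wild ^ ALL) == 0

    def covers(self, other: "AddrSpec") -> bool:
        """Every address other matches, self matches too: self cares about a subset of other's bits and agrees on them."""
        care = self.wild ^ ALL
        return other.wild & care == 0 and (self.net ^ other.net) & care == 0


@dataclass(frozen=True)
class Ace:
    action: str
    proto: str
    src: AddrSpec
    sports: Tuple[int, int]   # inclusive; (0, 65535) when no port qualifier is given
    dst: AddrSpec
    dports: Tuple[int, int]

    def matches(self, proto: str, src: int, sport: int, dst: int, dport: int) -> bool:
        return (self.proto in ("ip", proto) and self.src.matches(src) and self.dst.matches(dst)
                and self.sports[0] <= sport <= self.sports[1] and self.dports[0] <= dport <= self.dports[1])

    def covers(self, other: "Ace") -> bool:
        """Every packet other matches, self matches too."""
        return (self.proto in ("ip", other.proto) and self.src.covers(other.src) and self.dst.covers(other.dst)
                and self.sports[0] <= other.sports[0] <= other.sports[1] <= self.sports[1]
                and self.dports[0] <= other.dports[0] <= other.dports[1] <= self.dports[1])


def _port(tok: str) -> int:
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def _parse_addr(toks: List[str]) -> Tuple[AddrSpec, List[str]]:
    if toks[0] == "any":
        return AddrSpec(0, ALL), toks[1:]
    if toks[0] == "host":
        return AddrSpec(_ip(toks[1]), 0), toks[2:]
    return AddrSpec(_ip(toks[0]), _ip(toks[1])), toks[2:]      # IOS "address wildcard" form


def _parse_ports(toks: List[str]) -> Tuple[Tuple[int, int], List[str]]:
    if toks and toks[0] == "eq":
        return (_port(toks[1]), _port(toks[1])), toks[2:]
    if toks and toks[0] == "range":
        return (_port(toks[1]), _port(toks[2])), toks[3:]
    if toks and toks[0] == "gt":
        return (_port(toks[1]) + 1, 65535), toks[2:]
    if toks and toks[0] == "lt":
        return (0, _port(toks[1]) - 1), toks[2:]
    return (0, 65535), toks


def parse_ace(line: str) -> Ace:
    """Parse one extended ACE: access-list <n> permit|deny <proto> <src> [ports] <dst> [ports]."""
    toks = line.split()
    if toks[0] != "access-list":
        raise ValueError(line)
    action, proto, rest = toks[2], toks[3], toks[4:]
    src, rest = _parse_addr(rest)
    sports, rest = _parse_ports(rest)
    dst, rest = _parse_addr(rest)
    dports, rest = _parse_ports(rest)
    return Ace(action, proto, src, sports, dst, dports)


def evaluate(acl: List[Ace], proto: str, src: str, sport: int, dst: str, dport: int) -> Tuple[str, Optional[int]]:
    """Top down, first match wins; running off the end is the implicit deny, reported with index None."""
    s, d = _ip(src), _ip(dst)
    for i, ace in enumerate(acl, 1):
        if ace.matches(proto, s, sport, d, dport):
            return ace.action, i
    return "deny", None


def shadowed(acl: List[Ace]) -> List[int]:
    """1-based ACEs that can never match because an earlier ACE covers them (dead rules)."""
    return [j for j in range(1, len(acl) + 1) if any(a.covers(acl[j - 1]) for a in acl[:j - 1])]


def subsumed(acl: List[Ace]) -> List[int]:
    """1-based ACEs that can be deleted without changing any decision: a later ACE with the same action
    covers them and every ACE in between has that same action, so nothing else can intercept the packet."""
    out = []
    for i, a in enumerate(acl, 1):
        for b in acl[i:]:
            if b.action != a.action:
                break
            if b.covers(a):
                out.append(i)
                break
    return out
```

On the two entries from the text, `shadowed` returns nothing and `subsumed` returns [1]: rule 1 is reachable but pointless. Swap the order and `shadowed` returns [2] instead, which is the literal "override" case where the narrower rule is never consulted.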
