Cisco PIX-501 questions

Archived from groups: comp.security.firewalls

One of these was installed as a firewall for a web server, and it's fallen on
me to administer it now.

I've downloaded the command reference, but there's nearly nothing intuitive
about how this thing works. Right now there are two questions I'd most like
answered, which may go a ways towards answering others that come up in the
future.

1) The external address is configured as xx.xx.98.250 with a netmask of
255.255.255.240. The actual IP addresses we have are from xx.xx.110.98 to
xx.xx.110.105 (maybe more). How exactly is this actually working with that
address configuration?

3) How do I delete a single access-list line? I did "no access-list
outside_acces_in" to get rid of multiple lines that were made with a typo
(via command recall, of course - didn't make the same typo multiple times).
But if I try "no access-list outside_access_in line 5" (which does exist,
according to "show access-list"), I get a summary of options for the
access-list command. My syntax is completely correct according to the
command reference. So what is it that I'm missing?


--
- Mike

Remove 'spambegone.net' and reverse to send e-mail.
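
An added check for the first question, not part of Mike's post: with "ip address outside xx.xx.98.250 255.255.255.240" the PIX's outside subnet is xx.xx.98.240/28, so none of xx.xx.110.98 to xx.xx.110.105 lies on it, and the PIX can only see traffic for those addresses if something upstream routes or translates it toward the outside interface. The script uses Python's standard ipaddress module; the "10.0" prefix is a constructed stand-in for the redacted "xx.xx" and is not the poster's real address space.

```python
from ipaddress import ip_address, ip_interface

# Constructed placeholder for the thread's redacted "xx.xx" prefix; 10.0 is RFC 1918
# private space and stands in for whatever public /16 the poster actually has.
PREFIX = "10.0"

# The outside interface as described in the thread: xx.xx.98.250 255.255.255.240.
OUTSIDE_IP = f"{PREFIX}.98.250"
OUTSIDE_MASK = "255.255.255.240"

# The public addresses the poster says are in use: xx.xx.110.98 .. xx.xx.110.105.
PUBLIC_ADDRESSES = [f"{PREFIX}.110.{h}" for h in range(98, 106)]


def outside_network(ip, mask):
    """Subnet that 'ip address outside <ip> <mask>' places the interface on."""
    return ip_interface(f"{ip}/{mask}").network


def usable_hosts(network):
    """Host addresses on the subnet, excluding the network and broadcast addresses."""
    return [str(h) for h in network.hosts()]


def addresses_off_subnet(ip, mask, addresses):
    """Addresses the PIX cannot ARP for or answer on its outside interface.

    Any address returned here only reaches the PIX if an upstream device routes
    or translates it toward the outside interface, which is the situation the
    thread describes.
    """
    net = outside_network(ip, mask)
    return [a for a in addresses if ip_address(a) not in net]


if __name__ == "__main__":
    net = outside_network(OUTSIDE_IP, OUTSIDE_MASK)
    hosts = usable_hosts(net)
    print(f"outside subnet: {net}")
    print(f"usable outside hosts: {hosts[0]} .. {hosts[-1]}")
    off = addresses_off_subnet(OUTSIDE_IP, OUTSIDE_MASK, PUBLIC_ADDRESSES)
    print(f"{len(off)} of {len(PUBLIC_ADDRESSES)} public addresses lie off the outside subnet")
```

Run as-is it reports that all eight public addresses are off the /28, which is the mismatch Reg later points at: either the hosting router translates them, or it has a route for them pointing at the PIX.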
 

On Thu, 06 May 2004 09:34:54 GMT, "Mike Ruskai"
<spamten.knilhtrae@begonedynnaht.net> wrote:

>One of these was installed as a firewall for a web server, and it's fallen on
>me to administer it now.
>
>I've downloaded the command reference, but there's nearly nothing intuitive
>about how this thing works. Right now there are two questions I'd most like
>answered, which may go a ways towards answering others that come up in the
>future.
>
>1) The external address is configured as xx.xx.98.250 with a netmask of
>255.255.255.240. The actual IP addresses we have are from xx.xx.110.98 to
>xx.xx.110.105 (maybe more). How exactly is this actually working with that
>address configuration?

Are the xx.xx.110.98-110.105 internal? Or is that your public range?
In which case the ext IP will need to change: "ip address outside
xx.xx.xx.xx 255.255.255.xxx"
>
>3) How do I delete a single access-list line? I did "no access-list
>outside_acces_in" to get rid of multiple lines that were made with a typo
>(via command recall, of course - didn't make the same typo multiple times).
>But if I try "no access-list outside_access_in line 5" (which does exist,
>according to "show access-list"), I get a summary of options for the
>access-list command. My syntax is completely correct according to the
>command reference. So what is it that I'm missing?

The "line" is only in PIX version 6.3.3, I think? Verify which
version of the software you are running with a "show ver". I would
flash it to 6.3.3 if it is not running that, as it has a lot of extras
and fixes.

To remove the access-list you would pretty much complete the
access-list command shown with a "no" in front of it. Omit the "line"
from it when removing if it shows that.
ex. access-list outside_access_in permit ip any any

To remove it would be "no access-list outside_access_in permit ip any
any"

Hope this helps.
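
The removal rule given above, repeating the entry behind "no" while dropping the "line N" prefix and hit counter that "show access-list" adds, worked through as an added Python example that is not from the thread. The "show access-list" text it parses is a constructed sample of what I take the PIX 6.3 layout to be; the ACL name outside_access_in is the one from the thread, the host address and counters are invented.

```python
import re

# Constructed sample of PIX 6.3 'show access-list' output. The layout (ACL name,
# 'line N', the entry body, a trailing hit counter) is my assumption of the 6.3
# format; the host and counters are invented.
SHOW_ACCESS_LIST = """\
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 1024)
            alert-interval 300
access-list outside_access_in; 3 elements
access-list outside_access_in line 1 permit tcp any host 10.0.1.10 eq www (hitcnt=812)
access-list outside_access_in line 2 permit tcp any host 10.0.1.10 eq https (hitcnt=97)
access-list outside_access_in line 3 permit ip any any (hitcnt=5)
"""

# One access-list entry as displayed: name, line number, body, optional hit count.
ACE_RE = re.compile(
    r"^access-list (?P<name>\S+) line (?P<line>\d+) (?P<body>.*?)"
    r"(?: \(hitcnt=(?P<hits>\d+)\))?$"
)


def parse_show_access_list(text):
    """Return one dict per entry in display order; summary and log lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ACE_RE.match(raw.strip())
        if not m:
            continue
        entries.append({
            "name": m.group("name"),
            "line": int(m.group("line")),
            "body": m.group("body"),
            "hits": int(m.group("hits") or 0),
        })
    return entries


def removal_command(entry):
    """The 'no' form that deletes exactly this entry: name plus body, no 'line N', no hitcnt."""
    return f"no access-list {entry['name']} {entry['body']}"


def removal_commands(text, name, line_numbers):
    """Removal commands for the chosen line numbers of one ACL, in the order given.

    Raises ValueError rather than silently skipping a line number that is not
    present, so a stale 'show access-list' capture cannot produce a partial set.
    """
    by_line = {e["line"]: e for e in parse_show_access_list(text) if e["name"] == name}
    missing = [n for n in line_numbers if n not in by_line]
    if missing:
        raise ValueError(f"access-list {name} has no line(s) {missing}")
    return [removal_command(by_line[n]) for n in line_numbers]


if __name__ == "__main__":
    # Remove the wide-open last entry from the sample ACL.
    for cmd in removal_commands(SHOW_ACCESS_LIST, "outside_access_in", [3]):
        print(cmd)
```

Paste the output of "show access-list" in, pick the line numbers you want gone, and you get the exact "no access-list ..." commands to type, which avoids retyping a long entry by hand and getting a second typo in the process.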
 

On Thu, 06 May 2004 11:30:32 -0400, Michael Sherman wrote:

>On Thu, 06 May 2004 09:34:54 GMT, "Mike Ruskai"
><spamten.knilhtrae@begonedynnaht.net> wrote:
>
>>One of these was installed as a firewall for a web server, and it's fallen on
>>me to administer it now.
>>
>>I've downloaded the command reference, but there's nearly nothing intuitive
>>about how this thing works. Right now there are two questions I'd most like
>>answered, which may go a ways towards answering others that come up in the
>>future.
>>
>>1) The external address is configured as xx.xx.98.250 with a netmask of
>>255.255.255.240. The actual IP addresses we have are from xx.xx.110.98 to
>>xx.xx.110.105 (maybe more). How exactly is this actually working with that
>>address configuration?
>
>Are the xx.xx.110.98-110.105 internal? Or is that your public range?
>In which case the ext IP will need to change: "ip address outside
>xx.xx.xx.xx 255.255.255.xxx"

Those are the public IPs. The funny thing is, it's working. Traffic to
those IPs ends up at the firewall. Perhaps it's something to do with the
VLAN setup at the hosting company.

>>3) How do I delete a single access-list line? I did "no access-list
>>outside_acces_in" to get rid of multiple lines that were made with a typo
>>(via command recall, of course - didn't make the same typo multiple times).
>>But if I try "no access-list outside_access_in line 5" (which does exist,
>>according to "show access-list"), I get a summary of options for the
>>access-list command. My syntax is completely correct according to the
>>command reference. So what is it that I'm missing?
>
>The "line" is only in PIX version 6.3.3, I think? Verify which
>version of the software you are running with a "show ver". I would
>flash it to 6.3.3 if it is not running that, as it has a lot of extras
>and fixes.

Show version reports 6.3(3), which I assume is 6.3.3 in normal version
syntax.

>To remove the access-list you would pretty much complete the
>access-list command shown with a "no" in front of it. Omit the "line"
>from it when removing if it shows that.
>ex. access-list outside_access_in permit ip any any
>
>To remove it would be "no access-list outside_access_in permit ip any
>any"
>
>Hope this helps.

I actually thought of that after posting, and it does work to remove the
unwanted lines.


--
- Mike

Remove 'spambegone.net' and reverse to send e-mail.
 

Is it possible that your Internet router is also translating the 'real'
addresses to the ones configured on the PIX? A fairly unnecessary step, but
not that unusual.

Reg

"Mike Ruskai" <spamten.knilhtrae@begonedynnaht.net> wrote in message
news:gunaalqrneguyvaxarg.hxbfdd0.pminews@news.east.earthlink.net...
> On Thu, 06 May 2004 11:30:32 -0400, Michael Sherman wrote:
>
> >On Thu, 06 May 2004 09:34:54 GMT, "Mike Ruskai"
> ><spamten.knilhtrae@begonedynnaht.net> wrote:
> >
> >>One of these was installed as a firewall for a web server, and it's fallen on
> >>me to administer it now.
> >>
> >>I've downloaded the command reference, but there's nearly nothing intuitive
> >>about how this thing works. Right now there are two questions I'd most like
> >>answered, which may go a ways towards answering others that come up in the
> >>future.
> >>
> >>1) The external address is configured as xx.xx.98.250 with a netmask of
> >>255.255.255.240. The actual IP addresses we have are from xx.xx.110.98 to
> >>xx.xx.110.105 (maybe more). How exactly is this actually working with that
> >>address configuration?
> >
> >Are the xx.xx.110.98-110.105 internal? Or is that your public range?
> >In which case the ext IP will need to change: "ip address outside
> >xx.xx.xx.xx 255.255.255.xxx"
>
> Those are the public IPs. The funny thing is, it's working. Traffic to
> those IPs ends up at the firewall. Perhaps it's something to do with the
> VLAN setup at the hosting company.
>
> >>3) How do I delete a single access-list line? I did "no access-list
> >>outside_acces_in" to get rid of multiple lines that were made with a typo
> >>(via command recall, of course - didn't make the same typo multiple times).
> >>But if I try "no access-list outside_access_in line 5" (which does exist,
> >>according to "show access-list"), I get a summary of options for the
> >>access-list command. My syntax is completely correct according to the
> >>command reference. So what is it that I'm missing?
> >
> >The "line" is only in PIX version 6.3.3, I think? Verify which
> >version of the software you are running with a "show ver". I would
> >flash it to 6.3.3 if it is not running that, as it has a lot of extras
> >and fixes.
>
> Show version reports 6.3(3), which I assume is 6.3.3 in normal version
> syntax.
>
> >To remove the access-list you would pretty much complete the
> >access-list command shown with a "no" in front of it. Omit the "line"
> >from it when removing if it shows that.
> >ex. access-list outside_access_in permit ip any any
> >
> >To remove it would be "no access-list outside_access_in permit ip any
> >any"
> >
> >Hope this helps.
>
> I actually thought of that after posting, and it does work to remove the
> unwanted lines.
>
>
> --
> - Mike
>
> Remove 'spambegone.net' and reverse to send e-mail.