Inbound traffic initiated from the outside is denied by default on the PIX. Rules have to be put in place to permit traffic to be initiated from the outside to servers and subnets behind the Cisco PIX Firewall. A rule is usually made up of a static NAT command and an access list. The static command identifies the host or subnet that outside traffic will be permitted to reach; an access list then identifies and permits the type of traffic allowed to that host or subnet, and an access-group command applies the access list to the outside interface. The following is an example of a rule that permits HTTP traffic to be initiated from the outside to a web server, 10.1.2.39, on the inside interface of the PIX:
static (inside,outside) 192.168.1.12 10.1.2.39 netmask 255.255.255.255
access-list 120 permit tcp any host 192.168.1.12 eq www
access-group 120 in interface outside
TurboACL is a feature introduced in Cisco PIX Firewall OS version 6.2 that improves the average search time for access control lists (ACLs) containing a large number of entries. The TurboACL feature is applied only to access lists with a minimum of 19 and a maximum of 16000 access control entries (ACEs).
The object grouping feature enables you to group objects such as hosts (servers and clients), services, and networks, and apply security policies and rules to the group. The four types of object groups are:
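To make concrete how the static, access-list and access-group commands from the example above combine, and how object groups stand in for lists of hosts and ports inside an ACE, here is an added example; it is not Cisco code and is not from the original article. It is a small Python model that parses a constructed PIX 6.x configuration embedded in the script (the page's web-server rule, plus a made-up second server 192.168.1.13/10.1.2.40, the object groups DMZ_WEB and WEB_PORTS, and a permit ACE for 192.168.1.14 that has no matching static) and reports whether a new outside-to-inside connection would be permitted and to which inside address it would be translated. Only the subset of PIX syntax shown is parsed, and statics are assumed to be host (/32) translations.

```python
# Added example (not Cisco code): a minimal model of how a PIX decides whether a
# new connection arriving on the outside interface is permitted, showing how
# `static`, `object-group`, `access-list` and `access-group` fit together.
# Only the subset of PIX 6.x syntax used below is parsed; statics are host (/32).
from collections import namedtuple

# Constructed sample config: the page's web server plus a made-up second host,
# two object groups, and a permit ACE whose address has no static (common slip).
SAMPLE_CONFIG = """
static (inside,outside) 192.168.1.12 10.1.2.39 netmask 255.255.255.255
static (inside,outside) 192.168.1.13 10.1.2.40 netmask 255.255.255.255
object-group network DMZ_WEB
 network-object host 192.168.1.12
 network-object host 192.168.1.13
object-group service WEB_PORTS tcp
 port-object eq www
 port-object eq 443
access-list 120 permit tcp any host 192.168.1.12 eq www
access-list 120 permit tcp any object-group DMZ_WEB object-group WEB_PORTS
access-list 120 permit tcp any host 192.168.1.14 eq www
access-group 120 in interface outside
"""

PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ftp": 21, "smtp": 25}
# dst: set of global addresses or {"any"}; ports: set of ints, empty = any port
Ace = namedtuple("Ace", "action proto dst ports")

def port_num(tok):
    return PORT_NAMES.get(tok) or int(tok)

def take_addr(tok, i, pol):
    """Consume one address spec starting at tok[i]; return (hosts, next index)."""
    if tok[i] == "any":
        return {"any"}, i + 1
    if tok[i] == "host":
        return {tok[i + 1]}, i + 2
    return set(pol["net"][tok[i + 1]]), i + 2      # object-group NAME

def parse_ace(tok, pol):
    """tok: tokens after the ACL name, e.g. permit tcp any host X eq www."""
    _src, i = take_addr(tok, 2, pol)
    dst, i = take_addr(tok, i, pol)
    ports = set()
    if i < len(tok) and tok[i] == "eq":
        ports = {port_num(tok[i + 1])}
    elif i < len(tok) and tok[i] == "object-group":
        ports = set(pol["svc"][tok[i + 1]])
    return Ace(tok[0], tok[1], dst, ports)

def parse_config(text):
    # statics: global ip -> inside ip; acls: name -> [Ace]; bind: interface -> acl
    pol = {"statics": {}, "net": {}, "svc": {}, "acls": {}, "bind": {}}
    group = None                                   # (kind, name) being populated
    for line in text.splitlines():
        t = line.split()
        if not t or t[0].startswith("!"):
            continue
        if line.startswith(" ") and group:         # indented object-group member
            kind, name = group
            if kind == "network" and t[:2] == ["network-object", "host"]:
                pol["net"][name].add(t[2])
            elif kind == "service" and t[:2] == ["port-object", "eq"]:
                pol["svc"][name].add(port_num(t[2]))
            continue
        group = None
        if t[0] == "static":                       # static (in,out) GLOBAL LOCAL ...
            pol["statics"][t[2]] = t[3]
        elif t[0] == "object-group":
            group = (t[1], t[2])
            pol["net" if t[1] == "network" else "svc"].setdefault(t[2], set())
        elif t[0] == "access-list":
            pol["acls"].setdefault(t[1], []).append(parse_ace(t[2:], pol))
        elif t[0] == "access-group":               # access-group ACL in interface IF
            pol["bind"][t[4]] = t[1]
    return pol

def evaluate_inbound(pol, proto, dst_ip, dst_port, iface="outside"):
    """Verdict for a new connection from the outside to a global address."""
    for ace in pol["acls"].get(pol["bind"].get(iface), []):   # first match wins
        if ace.proto != proto or ("any" not in ace.dst and dst_ip not in ace.dst):
            continue
        if ace.ports and dst_port not in ace.ports:
            continue
        if ace.action == "deny":
            return "deny (explicit ACE)", None
        inside = pol["statics"].get(dst_ip)
        if inside is None:        # ACL permits it, but there is nothing to translate to
            return "deny (no static translation)", None
        return "permit", inside
    return "deny (implicit, no ACE matched)", None

if __name__ == "__main__":
    policy = parse_config(SAMPLE_CONFIG)
    for probe in [("tcp", "192.168.1.12", 80), ("tcp", "192.168.1.13", 443),
                  ("tcp", "192.168.1.12", 22), ("tcp", "192.168.1.14", 80)]:
        print(probe, "->", evaluate_inbound(policy, *probe))
```

Running the script prints one verdict per probe. The 192.168.1.14 case is the one worth noticing when reviewing a PIX configuration: the ACL permits the connection, but with no static translation for that global address the firewall has nowhere to send it and drops it, which is why a working inbound rule needs both halves described in the text.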
The PIX supports several popular multimedia applications, such as RealPlayer and Microsoft NetMeeting. Its application inspection function dynamically opens and closes the UDP ports these applications negotiate, so their connections can be permitted without leaving ports open statically.