Create a Static Translation for Web Server

Slide figure: public web server 172.16.0.2 on the DMZ, with the outside (Internet-facing) and inside interfaces of the security appliance.

fw1(config)# static (dmz,outside) 192.168.0.9 172.16.0.2 0 0

Map an inside private address to an outside public address

© 2005 Cisco Systems, Inc. All rights reserved.

The first step is to map the IP address of the web server to a fixed outside address. This hides the true address of the web server. Internet hosts access the DMZ web server via the mapped outside IP address. The security appliance performs the necessary translations to send the packet from the outside interface to the DMZ interface. To accomplish this, a static command is used. The figure shows IP address 192.168.0.9 on the outside interface mapped to 172.16.0.2 on the DMZ.

access-list Command

firewall(config)#

access-list id [line line-number] [extended] {deny | permit} {tcp | udp} {host sip | sip mask | any} [operator port] {host dip | dip mask | any} [operator port]

• Permit outside HTTP access to public web server

fw1(config)# access-list aclout permit tcp any host 192.168.0.9 eq www

© 2005 Cisco Systems, Inc. All rights reserved. SNPA v4.0—5-9

The access-list command enables you to specify if an IP address is permitted or denied access to a port or protocol. By default, all access to addresses in an ACL is denied. You must explicitly permit it.

When specifying the IP address of a host as a source or destination, use the host keyword instead of the network mask 255.255.255.255. For example, use the following ACL entry to permit Hypertext Transfer Protocol (HTTP) traffic from any host to host 192.168.0.9:

access-list aclout permit tcp any host 192.168.0.9 eq www

The show access-list command lists the access-list command statements in the configuration. The show access-list command also lists a hit count that indicates the number of times an element has been matched during an access-list command search.

The clear access-list command removes all references in the security appliance configuration to a deleted ACL. If the aclid argument is specified, it clears only the corresponding ACL. If the counters option is specified as well, it clears the hit count for the specified ACL. To clear an ACL from the running configuration, use the clear configure access-list command.

The no access-list command removes an access-list command from the configuration. If you remove all the access-list command statements that are in an ACL group, the no access-list command also removes the corresponding access-group command from the configuration.

Note The access-list command uses the same syntax as the Cisco IOS software access-list command except that the subnet mask in the security appliance access-list command is reversed from the Cisco IOS software version of this command. For example, a wildcard mask specified as 0.0.0.255 in the Cisco IOS access-list command would be specified as a subnet mask of 255.255.255.0 in the security appliance access-list command.

access-list id [line line-number] [extended] {deny | permit}
  {protocol | object-group protocol_obj_grp_id}
  {host sip | sip mask | interface ifc_name | object-group network_obj_grp_id | any}
  {host dip | dip mask | interface ifc_name | object-group network_obj_grp_id | any}
  [log [[level] [interval secs] | disable | default]]
  [inactive | time-range time_range_name]

deny: This option does not allow a packet to traverse the security appliance if the conditions are matched. By default, the security appliance denies all inbound and outbound packets unless you specifically permit access.

dip: Specifies the IP address of the network or host to which the packet is being sent. Specify a dip when an access-list command is used in conjunction with an access-group command or in conjunction with an aaa match access-list command and aaa authorization command. For inbound and outbound connections, dip is the address before NAT has been performed.

dip_mask: Netmask bits (mask) to be applied to dip.

icmp_type: (Optional) Specifies the ICMP type.

icmp_type_obj_grp_id: (Optional) Specifies the identifier of an existing ICMP-type object group.

id: Specifies the name or number of an ACL.

inactive: Disables an access control element.

interface ifc_name: Specifies the interface address as the source or destination address.

interval secs: Specifies the log interval at which to generate a syslog message; valid values are from 1 to 600 seconds. Default is 300.

line line-num: (Optional) The line number at which to insert an access control element.

log [disable | default | level]: (Optional) Specifies that the log option is disabled, set to default values, or set to a syslog level from 0 to 7. The default level is 6. When enabled, a syslog message is generated for the access control element. See the log command for information.

network_obj_grp_id: Specifies the identifier of an existing network object group.

object-group: Specifies an object group.

operator: Compares sip or dip ports. Possible operands include lt (less than), gt (greater than), eq (equal), neq (not equal), and range (inclusive range).

permit: The permit option selects a packet to traverse the security appliance if conditions are matched. By default, the security appliance denies all inbound and outbound packets unless you specifically permit access.

port: Specifies the decimal number or name of a TCP or User Datagram Protocol (UDP) port.

protocol: Specifies the IP protocol name or number that will be open. For example, UDP is 17, TCP is 6, and exterior gateway protocol (EGP) is 47.

protocol_obj_grp_id: Specifies the identifier of an existing protocol object group.

service_obj_grp_id: Specifies the identifier of an existing service object group.

sip: Specifies the IP address of the network or host from which the packet is being sent.

sip_mask: Netmask bits (mask) to be applied to the source IP address.

time-range time_range_name: (Optional) Specifies the time range used to define specific times of the day and week to allow access to the security appliance. See the section on configuring time ranges for information about defining a time range.

Note For inbound connections, the destination address is the global address. For outbound connections, the source address is the address before NAT has been performed.

access-group Command

firewall(config)#

access-group access-list {in | out} interface interface_name [per-user-override]

• Apply ACL to outside interface

fw1(config)# access-group aclout in outside

© 2005 Cisco Systems, Inc. All rights reserved. SNPA v4.0—5-10

The access-group command binds an ACL to an interface. The ACL is applied to traffic on an interface in the specified direction, inbound or outbound. Only one ACL can be bound to an interface using the access-group command. In the figure, the ACL is bound to the outside interface (aclout).

The no access-group command unbinds the ACL from the interface.

The show running-config access-group command displays access group information.

The clear configure access-group command removes all entries from an ACL indexed by the ACL identifier (ID). If the ACL ID is not specified, all access-group command statements are removed from the configuration.

The syntax for the access-group commands is as follows:

access-group access-list {in | out} interface interface_name [per-user-override]

access-list: ACL ID.

in: Filters the inbound packets at the specified interface.

out: Filters the outbound packets at the specified interface.

interface interface_name: The name of the network interface.

per-user-override: (Optional) Allows downloadable user ACLs to override the ACL applied to the interface.

fw1(config)# show access-list
access-list ACLOUT; 4 elements
access-list ACLOUT line 1 permit tcp 192.168.1.0 255.255.255.0 host 192.168.6.11 eq www (hitcnt=4)
access-list ACLOUT line 2 permit tcp host 192.168.1.10 host 192.168.6.11 eq ftp (hitcnt=1)
access-list ACLOUT line 3 permit tcp any host 192.168.6.10 eq www (hitcnt=4)
access-list ACLOUT line 4 deny ip any any (hitcnt=0)
access-list ICMPDMZ; 1 elements
access-list ICMPDMZ line 1 permit icmp host bastionhost any echo-reply (hitcnt=12)
access-list ACLIN; 1 elements
access-list ACLIN line 1 permit tcp any host 192.168.1.10 eq www (hitcnt=0)

© 2005 Cisco Systems, Inc. All rights reserved. SNPA v4.0—5-11

The show access-list command lists all the configured ACLs, the counters, and the access control entries (ACEs). In the figure, there are three ACLs: ACLOUT, ICMPDMZ, and ACLIN. Within each ACL, there are one or more ACEs. Each ACE is denoted by a line number. The ACEs are numbered from line 1 to line 6. In the figure, ACLOUT has six ACEs.
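An added example, not part of the course material: a small Python parser for the show access-list output above and a first-match evaluator that applies the ACL semantics this page describes (ACEs checked in line order, ASA-style subnet masks rather than IOS wildcards, the port operators lt/gt/eq/neq/range, and the implicit deny when no ACE matches). It assumes numeric addresses and tcp/udp/ip ACEs; named hosts such as bastionhost and ICMP types are not handled, and the sample lines are a constructed copy of the figure's TCP entries.

```python
import ipaddress
import re
# Constructed sample, copied from the show access-list output shown on this page.
SHOW_ACCESS_LIST = """\
access-list ACLOUT line 1 permit tcp 192.168.1.0 255.255.255.0 host 192.168.6.11 eq www (hitcnt=4)
access-list ACLOUT line 2 permit tcp host 192.168.1.10 host 192.168.6.11 eq ftp (hitcnt=1)
access-list ACLOUT line 3 permit tcp any host 192.168.6.10 eq www (hitcnt=4)
access-list ACLOUT line 4 deny ip any any (hitcnt=0)
access-list ACLIN line 1 permit tcp any host 192.168.1.10 eq www (hitcnt=0)
"""
PORT_NAMES = {"www": 80, "ftp": 21}
ACE_RE = re.compile(r"access-list (\S+) line (\d+) (permit|deny) (\S+) (.*?) \(hitcnt=(\d+)\)$")

def parse_addr(tokens):
    # One address spec: any | host A | A mask. The mask is a subnet mask, not an IOS wildcard.
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse_port(tokens):
    # Optional operator (lt, gt, eq, neq, range); no operator means any port.
    if not tokens or tokens[0] not in ("lt", "gt", "eq", "neq", "range"):
        return (lambda p: True), tokens
    argc = 2 if tokens[0] == "range" else 1
    vals = [PORT_NAMES.get(t) or int(t) for t in tokens[1:1 + argc]]
    lo, hi = vals[0], vals[-1]
    pred = {"eq": lambda p: p == lo, "neq": lambda p: p != lo, "lt": lambda p: p < lo,
            "gt": lambda p: p > lo, "range": lambda p: lo <= p <= hi}[tokens[0]]
    return pred, tokens[1 + argc:]

def parse_aces(text):
    aces = []  # ACEs in the order the appliance evaluates them
    for m in filter(None, map(ACE_RE.match, text.splitlines())):
        acl, num, action, proto, rest, hits = m.groups()
        src, rest = parse_addr(rest.split())
        sport, rest = parse_port(rest)
        dst, rest = parse_addr(rest)
        dport, _ = parse_port(rest)
        aces.append(dict(acl=acl, line=int(num), action=action, proto=proto, hits=int(hits), src=src, sport=sport, dst=dst, dport=dport))
    return aces

def evaluate(aces, acl, proto, sip, dip, sport, dport):
    # First matching ACE decides; no match falls through to the implicit deny.
    for a in aces:
        if a["acl"] == acl and a["proto"] in (proto, "ip") and a["sport"](sport) and a["dport"](dport) \
                and ipaddress.ip_address(sip) in a["src"] and ipaddress.ip_address(dip) in a["dst"]:
            return a["action"], a["line"]
    return "deny", None
```

The parsed hitcnt field lets you list ACEs that have never matched, which is the first thing to review when an ACL is not behaving as expected.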
