AAA PIX - Page 2
outbound and apply Commands
Now that you have seen how AAA can limit outbound access through an interface, there is another way to control and limit access from a higher security level interface to a lower security level interface. This method uses PIX access lists configured with the outbound and apply commands. The first thing to remember about this type of PIX access list is that it operates in a totally different manner than a router's access list. If you are intimately familiar with router access lists, you might have a harder time accepting how PIX access lists work than those who are not so familiar with router access lists. The order of a router's access list is vitally important, because the first match will cause a rejection or acceptance. However, the PIX uses a best-fit mechanism for its access lists. This allows the administrator to deny whole ranges of IP addresses and then allow specific hosts through at a later date without having to rewrite the whole access list. The PIX access list is also neither a standard nor an extended access list, but rather a combination of the two forms.
Where a router uses two commands, access-list and access-group (or access-class), to define and apply an access list, the PIX uses the outbound and apply commands to define and apply an access list.
The full syntax of the outbound command follows:
outbound list_id permit | deny ip_address [ netmask [java | port[- port]]] [ protocol]
A description of the command parameters can be found in Table 4-4: outbound Command Parameters:
|list_id||This is an arbitrary name or number used to identify the access list. This is similar to a named access list on a router.|
|permit||Allows the access list to access the specified IP address and port.|
|deny||Denies access to the specified IP address and port.|
Creates an exception to the previous outbound command.
The IP address associated with an except statement changes depending on whether an outgoing_src or outgoing_dest parameter is used in the apply command.
If the apply command uses outgoing_src, the IP address applies to the destination IP address.
If the apply command uses an outgoing_dest, the IP address refers to the source IP address.
|ip_address||The IP address associated with the outbound permit, outbound deny, or outbound except command.|
|netmask||The subnet mask associated with the IP address. Remember that this is a subnet mask, not a wildcard mask as used on routers. Where a router would have a wildcard mask of 0.0.0.255, the PIX would have a subnet mask of 255.255.255.0.|
|port||The port or range of ports associated with this command.|
|java||The keyword java is used to indicate port 80. When java is used with a deny, the PIX blocks Java applets from being downloaded from the IP address. By default, the PIX permits Java applets.|
|protocol||This limits access to one of the following protocols: UDP, TCP, or ICMP. TCP is assumed if no protocol is entered.|