AAA PIX

By Cisco Press | Oct 10, 2001
http://www.enterprisenetworkingplanet.com/netsecur/article.php/901141/AAA-PIX.htm

Cisco Secure Internet Security Solutions - Chapter 4
by Andrew Mason, Mark Newcomb

Cisco Secure PIX Firewall - Part 6

AAA Commands
You have enabled AAA using Terminal Access Controller Access Control System Plus (TACACS+) on your PIX for authenticating, authorizing, and accounting for users passing from the inside through the outside interface. You have also enabled TACACS+ authentication for those connecting to the PIX through the console.

The first command you need to look at is the aaa-server command. The example sets the server to TACACS+ on the inside interface with the IP address 10.1.1.41, uses thekey as the TACACS+ shared key, and sets a timeout of 20 seconds. This command is also responsible for starting AAA on the PIX. The full syntax of the aaa-server command follows:

 aaa-server group_tag (interface_name) host server_ip key timeout seconds

The parameters and keywords, along with their descriptions, are displayed in Table 4-3:

Command         Description
group_tag       TACACS+ or RADIUS.
interface_name  Name of the interface where the server resides.
host            Keyword designating that a single host IP address follows.
server_ip       The IP address of the server.
key             The alphanumeric key expected at the server.
timeout         Keyword designating that the parameter following is the number of seconds.
seconds         The time in seconds that the PIX waits after sending a request without receiving a response before another request is sent. The default is 5 seconds. Four requests are sent before timing out.

After starting AAA, you authenticated, authorized, and accounted for any outbound traffic. For a full description of these three processes, see Chapter 10. For the moment, it will suffice to say that when users attempt to send data outside, first they will be checked to ensure that they are who they claim to be, then a check will determine whether they are allowed to send the data outside, and then a record will be made that the users sent the data. You accomplish these three tasks in this example with the following three lines:

 aaa authentication include any outbound 0 0 0 0 TACACS+
 aaa authorization include any outbound 0 0 0 0 TACACS+
 aaa accounting include any outbound 0 0 0 0 TACACS+
The key here is the word outbound, which means packets traversing from the inside interface through the outside interface. The any in these lines refers to the type of accounting service; possible values are any, ftp, http, telnet, or protocol/port. The four zeros refer, in order, to the local address, the local mask, the foreign IP address, and the foreign mask. The final parameter determines which service should be used, RADIUS or TACACS+. It is possible to run both TACACS+ and RADIUS at the same time. To accomplish this, merely add another aaa-server command with the other service.

The aaa authentication command has another form that allows you to authenticate connections for the serial port, the Telnet ports, and the enable mode. The full syntax of this command follows:

aaa authentication [serial | enable | telnet] console group_tag

outbound and apply Commands
Now that you have seen how AAA can limit outbound access through an interface, there is another way to control and limit access from a higher security level interface to a lower security level interface. This method uses PIX access lists configured with the outbound and apply commands. The first thing to remember about this type of PIX access list is that it operates in a totally different manner than a router's access list. If you are intimately familiar with router access lists, you might have a harder time accepting how PIX access lists work than those who are not so familiar with router access lists. The order of a router's access list is vitally important, because the first match will cause a rejection or acceptance. However, the PIX uses a best-fit mechanism for its access lists. This allows the administrator to deny whole ranges of IP addresses and then allow specific hosts through at a later date without having to rewrite the whole access list. The PIX access list is also neither a standard nor an extended access list, but rather a combination of the two forms.

Where a router uses two commands, access-list and access-group (or access-class), to define and apply an access list, the PIX uses the outbound and apply commands to define and apply an access list.

The full syntax of the outbound command follows:

 outbound list_id permit | deny | except ip_address
   [netmask [java | port[-port]]] [protocol]

A description of the command parameters can be found in Table 4-4: outbound Command Parameters:

Command         Description
list_id         An arbitrary name or number used to identify the access list. This is similar to a named access list on a router.
permit          Allows the access list to access the specified IP address and port.
deny            Denies access to the specified IP address and port.
except          Creates an exception to the previous outbound command. The IP address associated with an except statement changes depending on whether an outgoing_src or outgoing_dest parameter is used in the apply command: if the apply command uses outgoing_src, the IP address applies to the destination IP address; if the apply command uses outgoing_dest, the IP address refers to the source IP address.
ip_address      The IP address associated with the outbound permit, outbound deny, or outbound except command.
netmask         The subnet mask associated with the IP address. Remember that this is a subnet mask, not a wildcard mask as used on routers. Where a router would have a wildcard mask of 0.0.0.255, the PIX would have a subnet mask of 255.255.255.0.
port            The port or range of ports associated with this command.
java            The keyword java is used to indicate port 80. When java is used with a deny, the PIX blocks Java applets from being downloaded from the IP address. By default, the PIX permits Java applets.
protocol        Limits access to one of the following protocols: UDP, TCP, or ICMP. TCP is assumed if no protocol is entered.

Now that you know how the command works, look at the effects of the commands. The first two lines of the configuration regarding access lists read:

 outbound limit_acctg deny 10.200.200.0 255.255.255.0
 outbound limit_acctg except 10.10.1.51

The first outbound command denies all packets from the Class C network at 10.200.200.0. When using the deny and permit forms of the outbound command, you are referring to the destination IP address. You could use the word permit in the example instead of deny, which would allow packets from these IP addresses. The effects of the second line cannot be fully determined until you look at the apply command. However, you can still see that an exception to the previous deny command exists. This exception allows packets associated with the IP address of 10.10.1.51 through the PIX. Here the word associated is used instead of destination or source because whether you are concerned about the source or the destination IP address is actually determined by the apply command. If the apply command specifies a source IP address, the packets from the source used with the outbound command are permitted or denied. If the apply command specifies a destination address, then packets whose destination address matches the IP address used with the outbound command are denied or permitted.

This is a two-step process that requires the administrator to ask two questions. First, look at the outbound command. Is this a permit or deny statement? Next, look at the apply command. Is the apply command concerned with the source or the destination address?

The next two lines are easy to understand. You permit access to the hosts at 10.200.200.66 and 10.200.200.67. At this point, you still do not have a definition as to whether the IP address associated with the except is a source or destination address. However, the apply command will resolve this outstanding issue. For review purposes, the two lines follow:

 outbound limit_acctg permit 10.200.200.66
 outbound limit_acctg permit 10.200.200.67

The apply statement is used to connect an access list with an interface and to define whether IP addresses specified with that access list are source or destination IP addresses. This example of the apply command follows:

 apply (accounting) limit_acctg outgoing_dest
In this example, you applied an access list to the interface previously defined as accounting by the nameif command. The access list you connected is the one called limit_acctg. As with a router's access lists, only one access list can be applied in a given direction on any PIX interface.

This apply command has applied the except command to source packets. The alternative would be to apply the except command to destination packets by using the outgoing_src parameter. The application of this command has a distinct effect on the access list. This effect is that the IP address specified by the except command is a source address.

For review purposes, look at Figure 4-9. Refer to Figure 4-9 while reviewing the following discussion about the command lines used.

Figure 4-9 PIX outbound command Example


The following line prevents access to all of the 10.200.200.0/24 network from all hosts for all protocols. The PIX uses subnet masks, not wildcard masks.

 outbound limit_acctg deny 10.200.200.0 255.255.255.0
The following line is an exception to the preceding line. Because the apply statement uses outgoing_dest, the preceding denial of access to the 10.200.200.0 network does not apply to the host with the IP address of 10.10.1.51. Because the security level is higher on the network where this computer sits, this computer has access to the whole of the 10.200.200.0 network.
 outbound limit_acctg except 10.10.1.51
The following line allows all hosts on all networks with a higher security level to have access to the host at 10.200.200.66.
 outbound limit_acctg permit 10.200.200.66
The following line allows all hosts on all networks with a higher security level to have access to the host at 10.200.200.67.
 outbound limit_acctg permit 10.200.200.67
The following line applies the access list called limit_acctg to the accounting interface and makes a definition for the except command, specifying that the IP addresses within the except command refer to a source address.
 apply (accounting) limit_acctg outgoing_dest
It is important to remember that the order of the outbound statements is not a concern because the PIX uses a best-fit algorithm.
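
The best-fit evaluation described above, modelled in Python as an added example (not code from the book or from Cisco). The script parses the chapter's outbound and apply lines, attaches each except to the entry before it, and decides a packet two ways: with a router's first-match rule and with the PIX best-fit rule, where the matching entry with the longest subnet mask wins regardless of order. Three simplifications are assumptions of this model: port and protocol fields are ignored, traffic that matches no entry is permitted, and an except flips the action of the entry it belongs to.

```python
"""Model of how the PIX evaluates an outbound/apply access list (added example)."""
import ipaddress
from dataclasses import dataclass, field

# Constructed input: the access list from the chapter, verbatim.
CONFIG = """\
outbound limit_acctg deny 10.200.200.0 255.255.255.0
outbound limit_acctg except 10.10.1.51
outbound limit_acctg permit 10.200.200.66
outbound limit_acctg permit 10.200.200.67
apply (accounting) limit_acctg outgoing_dest
"""


@dataclass
class Entry:
    action: str                        # "permit" or "deny"
    net: ipaddress.IPv4Network         # address/netmask (a subnet mask, not a wildcard)
    excepts: list = field(default_factory=list)  # except networks attached to this entry


def parse(config):
    """Return ({list_id: [Entry, ...]}, {list_id: (interface, mode)})."""
    lists, applies = {}, {}
    for line in config.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "outbound":
            list_id, action, addr = parts[1], parts[2], parts[3]
            # A dotted value after the address is the netmask; a bare port,
            # "java" or a protocol keyword is not (and is ignored by this model).
            mask = parts[4] if len(parts) > 4 and "." in parts[4] else "255.255.255.255"
            net = ipaddress.IPv4Network(f"{addr}/{mask}")
            entries = lists.setdefault(list_id, [])
            if action == "except":
                if not entries:
                    raise ValueError(f"{list_id}: except with no previous outbound entry")
                entries[-1].excepts.append(net)   # exception to the previous entry
            elif action in ("permit", "deny"):
                entries.append(Entry(action, net))
            else:
                raise ValueError(f"unknown outbound action {action!r}")
        elif parts[0] == "apply":
            interface, list_id, mode = parts[1].strip("()"), parts[2], parts[3]
            if mode not in ("outgoing_src", "outgoing_dest"):
                raise ValueError(f"unknown apply mode {mode!r}")
            applies[list_id] = (interface, mode)
    return lists, applies


def _addresses(mode, src, dst):
    """Which packet field the permit/deny entries test, and which the excepts test."""
    src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    # outgoing_dest: permit/deny match the destination and except matches the
    # source; outgoing_src is the reverse, as Table 4-4 describes.
    return (dst, src) if mode == "outgoing_dest" else (src, dst)


def _decide(entry, except_addr):
    """Apply an entry, flipping its action if one of its excepts matches."""
    if entry is None:
        return "permit"                  # assumption: unmatched traffic is permitted
    if not any(except_addr in net for net in entry.excepts):
        return entry.action
    return "permit" if entry.action == "deny" else "deny"


def best_fit(lists, applies, list_id, src, dst):
    """PIX rule: the matching entry with the longest netmask decides; order is irrelevant."""
    _, mode = applies[list_id]
    main_addr, except_addr = _addresses(mode, src, dst)
    candidates = [e for e in lists[list_id] if main_addr in e.net]
    best = max(candidates, key=lambda e: e.net.prefixlen, default=None)
    return _decide(best, except_addr)


def first_match(lists, applies, list_id, src, dst):
    """Router-style rule, for contrast: the first matching entry decides."""
    _, mode = applies[list_id]
    main_addr, except_addr = _addresses(mode, src, dst)
    first = next((e for e in lists[list_id] if main_addr in e.net), None)
    return _decide(first, except_addr)


if __name__ == "__main__":
    lists, applies = parse(CONFIG)
    for src, dst in [("10.10.1.7", "10.200.200.5"),    # denied by the /24
                     ("10.10.1.51", "10.200.200.5"),   # deny lifted by the except
                     ("10.10.1.7", "10.200.200.66"),   # host permit wins on best fit only
                     ("10.10.1.7", "192.0.2.10")]:     # no entry matches
        print(src, "->", dst,
              "best-fit:", best_fit(lists, applies, "limit_acctg", src, dst),
              "first-match:", first_match(lists, applies, "limit_acctg", src, dst))
```

The third packet shows why the chapter warns router administrators: a first-match evaluation stops at the deny for 10.200.200.0/24 and never reaches the later permit for 10.200.200.66, while the PIX picks the more specific host entry.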

There are a few things to consider when working with PIX access lists. First, it is recommended that you do not use the access-list command together with the conduit and outbound commands. Technically, these commands will work together; however, the way they interact causes debugging issues. The conduit and outbound commands operate with two interfaces, while the access-list command applies only to a single interface. If you choose to ignore this warning, remember that the access list is checked first; the conduit and outbound commands are checked after the access-list command. Second, the masks used in PIX access lists and in the outbound command are subnet masks, not wildcard masks.

Additional Dual-DMZ Configuration Considerations
Notice that there is a nat 0 command associated with the accounting DMZ. A nat 0 command prevents any NAT or PAT from occurring. How could this be used to your advantage? Assuming that you do not use NAT and you assign nonroutable IP addresses to a DMZ, you can prevent anyone on the Internet from reaching this DMZ while still allowing the local LANs to reach the network. You can also provide additional protection when you are using routable IP addresses through the PIX. Whether or not you choose to use NAT on an interface does not really affect how that interface operates.

This concludes the configuration of the PIX Firewall, with the exception of VPNs. The remainder of this chapter covers VPNs, starting with Point-to-Point Tunneling Protocol (PPTP) and then moving on to IPSec VPNs.