
pix Rule

SaigonK

Diamond Member
So I am finally going to start messing with my new PIX here, and I am looking for some tips.

What i need to do is the following:

I need to block the following IPs:

218.17.217.106
219.133.40.95
219.133.40.97
219.133.40.157
219.133.40.177
219.133.40.73
219.133.40.189
218.18.95.153
218.17.209.23
202.104.129.253
218.17.209.42
sz.tencent.com 61.144.238.145
sz2.tencent.com 61.144.238.146
sz3.tencent.com 202.104.129.251
sz4.tencent.com 202.104.129.254
sz5.tencent.com 61.141.194.203
sz6.tencent.com 202.104.129.252
sz7.tencent.com 202.104.129.253

On ports 80/443/8000/8001 (TCP and UDP)

What's the easiest way to create a group for all of these IPs?
I already created my TCP/UDP group for these ports, but now I am looking for the easiest way to add the multiple hosts.

 
From my reading, the PIX will expand the groups into actual single ACL entries by itself though. It may be easier to work with using groups; however, it doesn't save you anything resource-wise, is my understanding. I would just write a straight ACL for those entries and avoid groups, but that's me and I'm weird like that. I don't like groups because I forget what I put in them eventually. 😉
 
Actually, I figured out how I need it anyway...


object-group network Tecent

network-object 61.144.238.145 255.255.255.255
network-object 61.144.238.146 255.255.255.255

network-object 202.104.129.251 255.255.255.255
network-object 202.104.129.254 255.255.255.255
network-object 61.141.194.203 255.255.255.255
network-object 202.104.129.252 255.255.255.255
network-object 202.104.129.253 255.255.255.255
network-object 218.17.217.106 255.255.255.255
network-object 219.133.40.95 255.255.255.255
network-object 219.133.40.97 255.255.255.255
network-object 219.133.40.157 255.255.255.255
network-object 219.133.40.177 255.255.255.255
network-object 219.133.40.73 255.255.255.255
network-object 219.133.40.189 255.255.255.255
network-object 218.18.95.153 255.255.255.255
network-object 218.17.209.23 255.255.255.255
network-object 218.17.209.42 255.255.255.255

Does what I need. 🙂
 
Originally posted by: Rogue
From my reading, the PIX will expand the groups into actual single ACL entries by itself though. It may be easier to work with using groups; however, it doesn't save you anything resource-wise, is my understanding. I would just write a straight ACL for those entries and avoid groups, but that's me and I'm weird like that. I don't like groups because I forget what I put in them eventually. 😉

That's absolutely correct.

And it can cause major problems. Say, for instance, you put 100 hosts in a group. Then you make what looks like one single access list using that host group with a protocol group that contains 10 ports.

It's deceptive because it looks like only one line. It is actually 100*10 lines, or 1000 lines.

It can get real hairy real quick, and I strongly discourage the use of them.

But for something simple like this, no problem, unless this firewall has a lot more ACLs on it.
 
spidey07, I disagree with you about object groups. A lot of what people do with ACLs are cut and paste variants of rules that beg for this kind of macro substitution. For example, the rule that says open ports {1,2,3} on hosts {A,B,C}. And you know that somebody's going to come around with a host D to add to that later on. It makes it easy to write and maintain the kind of rules that are common.

show access-list on the PIX will show you the expanded ACL so you can see the whole mess that gets generated, just in case that's easier to read.
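To make the expansion that spidey07 describes concrete, here is an added Python sketch (not from this thread and not Cisco's code) that parses a constructed config containing a trimmed copy of the poster's network group, an assumed tcp-udp service group named Tecent_ports and ACL lines that reference both, then expands the ACL the way show access-list would display it, so you can count the entries a single line really generates:

```python
import re
from itertools import product

# Constructed sample config: three hosts from the poster's group, plus an
# assumed service group and ACL lines (names and ACL are assumptions).
SAMPLE_CONFIG = """
object-group network Tecent
 network-object 61.144.238.145 255.255.255.255
 network-object 202.104.129.251 255.255.255.255
 network-object 219.133.40.95 255.255.255.255
object-group service Tecent_ports tcp-udp
 port-object eq 80
 port-object eq 443
 port-object eq 8000
 port-object eq 8001
access-list inside_out deny tcp any object-group Tecent object-group Tecent_ports
access-list inside_out deny udp any object-group Tecent object-group Tecent_ports
access-list inside_out permit ip any any
"""

def parse_groups(config):
    """Return {name: [members]} for network and service object-groups."""
    groups, current = {}, None
    for line in config.splitlines():
        if m := re.match(r"object-group (network|service) (\S+)", line):
            current = groups.setdefault(m.group(2), [])
        elif m := re.match(r"\s+network-object (\S+) (\S+)", line):
            is_host = m.group(2) == "255.255.255.255"  # a /32 is shown as 'host X'
            current.append(f"host {m.group(1)}" if is_host else f"{m.group(1)} {m.group(2)}")
        elif m := re.match(r"\s+port-object eq (\d+)", line):
            current.append(f"eq {m.group(1)}")
    return groups

def expand_acl(config):
    """Expand each access-list line into the individual entries the PIX installs."""
    groups = parse_groups(config)
    expanded = []
    for line in config.splitlines():
        if not line.startswith("access-list"):
            continue
        # Every 'object-group NAME' token becomes one axis of a cartesian product.
        parts = re.split(r"object-group (\S+)", line)
        literal, names = parts[0::2], parts[1::2]
        for combo in product(*(groups[n] for n in names)):
            out = literal[0]
            for member, tail in zip(combo, literal[1:]):
                out += member + tail
            expanded.append(out.strip())
    return expanded
```

With three hosts and four ports the two deny lines become 24 entries; the poster's full group of 17 hosts would give 136, which is the count to compare against the rest of the firewall's ACL load.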
 
Originally posted by: spidey07
Originally posted by: Rogue
From my reading, the PIX will expand the groups into actual single ACL entries by itself though. It may be easier to work with using groups; however, it doesn't save you anything resource-wise, is my understanding. I would just write a straight ACL for those entries and avoid groups, but that's me and I'm weird like that. I don't like groups because I forget what I put in them eventually. 😉

That's absolutely correct.

And it can cause major problems. Say, for instance, you put 100 hosts in a group. Then you make what looks like one single access list using that host group with a protocol group that contains 10 ports.

It's deceptive because it looks like only one line. It is actually 100*10 lines, or 1000 lines.

It can get real hairy real quick, and I strongly discourage the use of them.

But for something simple like this, no problem, unless this firewall has a lot more ACLs on it.

Not very many ACLs at all, so I don't think the object groups will be an issue. I agree that it can turn into a jumble if you go overboard, but this will work for what I need right now.
Thanks for the tips all! 🙂
 