Cisco Firewall HatSecurity.com-PIX-demo1 Security Report

Nipper

Cisco Firewall Security Report

of the

HatSecurity.com-PIX-demo1 Cisco Firewall

1. About This Report
    1.1. Organisation
    1.2. Conventions
2. Security Audit
    2.1. Introduction
    2.2. Software Version
    2.3. Dictionary-based Password / Key
    2.4. Weak Password / Key
    2.5. Simple Network Management Protocol
    2.6. Access Control Lists
    2.7. Conclusions
3. Device Configuration
    3.1. Introduction
    3.2. General
    3.3. Services
    3.4. Simple Network Management Protocol
    3.5. Interfaces
    3.6. Access Control List
    3.7. Protocol Inspection
    3.8. Object Groups
    3.9. IP Address Name Mappings
4. Appendix
    4.1. Abbreviations
    4.2. Common Ports
    4.3. Logging Severity Levels
    4.4. Time Zones
    4.5. Nipper Details

1. About This Report

1.1. Organisation

This Cisco Private Internet Exchange (PIX) Firewall HatSecurity.com-PIX-demo1 report was produced by Nipper on Wednesday 2nd July 2008. The report contains the following sections:

a security audit report section that details any identified security-related issues. Each security issue includes a description of the issue, its impact, how easy it would be to exploit and a recommendation. The recommendations include, where appropriate, the command(s) to resolve the issue;
a configuration report section that details the configuration settings;
an abbreviations appendix section that expands any abbreviations used within the report;
a common ports appendix section that details the TCP and UDP port numbers for the common services outlined within the report;
an appendix section detailing the logging severity levels used by the logging facility;
a time zones appendix section that details a number of the most commonly used time zones;
an appendix section detailing the software used to produce this report.

1.2. Conventions

This report makes use of the text conventions outlined in Table 1.

Table 1: Report text conventions
Convention	Description
command	This text style represents the Cisco PIX Firewall command text that has to be entered literally.
string	This text style represents the Cisco PIX Firewall command text that the you have to enter.
[ ]	Used to enclose a Cisco PIX Firewall command option.
{ }	Used to enclose a Cisco PIX Firewall command requirement.
\|	Divides command option or requirement choices.

Nipper performed a security audit of the Cisco PIX Firewall HatSecurity.com-PIX-demo1 on Wednesday 2nd July 2008. This section details the findings of the security audit together with the impact and recommendations.

2.2. Software Version

Observation: It is critically important that software be regularly maintained with patches and upgrades in order to help mitigate the risk of an attacker exploiting a known software vulnerability. Furthermore, additional security features and other functionality are normally added or extended with each software revision.

Nipper determined that the Cisco PIX Firewall HatSecurity.com-PIX-demo1 was running the out of date software PIX version 6.3(3).

Nipper identified a potential vulnerability in PIX version 6.3(3) which is described in various vulnerability databases as "Multiple remote denial of service" (CVE reference CVE-2007-0962 and Bugtraq ID 22561).It is worth noting that Nipper used the version number detailed in the device configuration to identify the potential vulnerabilities, and patches may have already been applied. Additionally, a specific device configuration may be required in order for the device to become vulnerable.

Impact: The vulnerability outlined above could allow an attacker to perform a Denial of Service (DoS) attack.

Ease: Exploit code is widely available on the Internet for known Cisco PIX Firewall vulnerabilities.

Recommendation: Nipper strongly recommends that the software be updated and patched to the latest software version. Furthermore, Nipper recommends that the current patch policy be reviewed.

2.3. Dictionary-based Password / Key

Observation: Attackers will often have dictionaries of words that contain names, places, default passwords and other common passwords. If a password or key is likely to be contained within an attacker's dictionary, they could gain access to the system.

The passwords and keys of the device HatSecurity.com-PIX-demo1 were tested against a small dictionary and one password / key was identified. The read-only Simple Network Management Protocol (SNMP) community string was public.

Impact: An attacker who was able to identify a password or key would be able to gain a level of access to the device, based on what service the password / key was used for.

Ease: Tools are available on the Internet that can perform dictionary-based password guessing against a number of network services.

Recommendation: Nipper strongly recommends that the password identified be immediately changed to something that is more difficult to guess. Nipper recommends that passwords be made up of at least eight characters in length and contain either uppercase or lowercase characters and numbers.

2.4. Weak Password / Key

Observation: Strong passwords tend to contain a number of different types of character, such as uppercase and lowercase letters, numbers and punctuation characters. Weaker passwords tend not to contain a mixture of character types. Additionally, weaker passwords tend to be short in length.

Nipper identified one password / key that did not meet the minimum password complexity requirements. The read-only SNMP community string was public.

Impact: If an attacker were able to gain a password or key, either through dictionary-based guessing techniques or by a brute-force method, the attacker could gain a level of access to HatSecurity.com-PIX-demo1.

Ease: A number of dictionary-based password guessing and password brute-force tools are available on the Internet.

Recommendation: Nipper strongly recommends that the weak password be immediately changed to one that is stronger. Nipper recommends that passwords be made up of at least eight characters in length and contain either uppercase or lowercase characters and numbers.

2.5. Simple Network Management Protocol

Observation: Cisco PIX Firewall devices support only SNMP protocol versions 1 and 2c. Nipper determined that SNMP was configured on HatSecurity.com-PIX-demo1.

Impact: Due to the unencrypted nature of SNMP protocol versions 1 and 2c, an attacker who was able to monitor network traffic could capture device configuration settings, including authentication details.

Ease: Network packet monitoring and capture tools are widely available on the Internet and SNMP tools are included as standard with some operating systems.

Observation: On Cisco PIX Firewall devices, SNMP version 3 with auth and priv authentication cannot be configured. Therefore, Nipper recommends that, if not required, SNMP be disabled. SNMP access to HatSecurity.com-PIX-demo1 can be disabled with the following command:

no snmp-server enable

2.6. Access Control Lists

Observation: Access Control List (ACL) are sequential lists of allow and deny Access Control Entries (ACE) that specify whether network traffic should be allowed or dropped. ACLs are used to restrict access to services and network devices, preventing access to services and devices that should not be accessible.

Nipper identified 244 security-related issues with the configured ACL, these are listed in Table 2.

Table 2: Insecure Access Control Entries
ACL	Line	Description
outside_access_in	9	Allows access from a network source to dialup / 255.255.255.0. Allows access from dialup / 255.255.252.0 to a network destination. Allows access from dialup / 255.255.252.0 to any destination service.
outside_access_in	10	Allows access from a network source to intranet.
outside_access_in	11	Allows access from any source to idl.
outside_access_in	12	Allows access from any source to HASimc01.
outside_access_in	13	Allows access from any source to HASimc02.
outside_access_in	14	Allows access from any source to HASimc04.
outside_access_in	15	Allows access from any source to 22.118.128.154.
outside_access_in	16	Allows access from any source to WAS.
outside_access_in	17	Allows access from a network source to cache.
outside_access_in	18	Allows access from any source to 22.118.128.66.
outside_access_in	19	Allows access from any source to 22.118.128.66.
outside_access_in	20	Allows access from any source to 22.118.128.67.
outside_access_in	21	Allows access from any source to 22.118.128.67.
outside_access_in	22	Allows access from a network source to 22.118.128.32 / 255.255.255.240. Allows access from dialup / 255.255.255.240 to a network destination. Allows access from dialup / 255.255.255.240 to any destination service.
outside_access_in	23	Allows access from any source to internet.
outside_access_in	24	Allows access from any source to edirectory1.
outside_access_in	25	Allows access from a network source to pptp.
outside_access_in	26	Allows access from a network source to pptp. Allows access from Dailup_user / 255.255.254.0 to any destination service.
outside_access_in	27	Allows access from a network source to pptp2. Allows access from Dailup_user / 255.255.254.0 to any destination service.
outside_access_in	28	Allows access from a network source to pptp2.
outside_access_in	30	Allows access from any source to ebill.
outside_access_in	31	Allows access from a network source to inetlog02.
outside_access_in	32	Allows access from a network source to 22.118.128.78.
outside_access_in	33	Allows access from a network source to 22.118.128.78.
outside_access_in	34	Allows access from a network source to 22.118.128.77.
outside_access_in	35	Allows access from a network source to 22.118.128.77.
outside_access_in	36	Allows access from a network source to inetlog02.
outside_access_in	40	Allows access from any source to 22.118.128.20.
outside_access_in	41	Allows access from any source to 22.118.128.25.
outside_access_in	42	Allows access from any source to 22.118.128.20.
outside_access_in	43	Allows access from any source to 22.118.128.25.
outside_access_in	44	Allows access from any source to 22.118.128.19. Allows access from any address to any destination service.
outside_access_in	45	Allows access from any source to 22.118.128.21. Allows access from any address to any destination service.
outside_access_in	46	Allows access from any source to 22.118.128.19. Allows access from any address to any destination service.
outside_access_in	47	Allows access from any source to 22.118.128.21. Allows access from any address to any destination service.
outside_access_in	48	Allows access from 22.118.128.20 to any destination.
outside_access_in	49	Allows access from 22.118.128.25 to any destination.
outside_access_in	50	Allows access from 22.118.128.20 to any destination.
outside_access_in	51	Allows access from 22.118.128.25 to any destination.
outside_access_in	53	Allows access from any source to 22.118.128.152.
outside_access_in	54	Allows access from any source to 22.118.128.152.
outside_access_in	56	Allows access from any source to 22.118.128.73.
outside_access_in	57	Allows access from any source to symantec1.
outside_access_in	60	Allows access from any source to 22.118.128.95.
outside_access_in	67	Allows access from 22.138.47.100 to any destination service.
outside_access_in	68	Allows access from 22.138.47.100 to any destination service.
outside_access_in	69	Allows access from 22.118.136.198 to any destination service.
outside_access_in	70	Allows access from 22.118.136.198 to any destination service.
outside_access_in	71	Allows access from 22.26.63.45 to any destination service.
outside_access_in	72	Allows access from 22.26.63.45 to any destination service.
outside_access_in	78	Allows access from a network source to inetlog02.
outside_access_in	86	Allows access from any source to 22.118.128.92.
outside_access_in	87	Allows access from any source to 22.118.128.92.
outside_access_in	88	Allows access from any source to ebill.
outside_access_in	89	Allows access from any source to ebill.
outside_access_in	90	Allows access from any source to 22.118.128.110.
outside_access_in	91	Allows access from any source to 22.118.128.110.
outside_access_in	92	Allows access from any source to 22.118.128.91.
outside_access_in	93	Allows access from any source to 22.118.128.91.
outside_access_in	94	Allows access from scr2160_d to any destination service.
outside_access_in	95	Allows access from scr2160_d to any destination service.
outside_access_in	97	Allows access from 22.118.136.54 to any destination service.
outside_access_in	98	Allows access from 22.118.136.54 to any destination service.
outside_access_in	99	Allows access from 22.118.136.198 to any destination service.
outside_access_in	100	Allows access from 22.118.136.198 to any destination service.
outside_access_in	101	Allows access from 22.118.133.140 to any destination service.
outside_access_in	102	Allows access from 22.118.133.140 to any destination service.
outside_access_in	103	Allows access from 22.118.133.133 to any destination service.
outside_access_in	104	Allows access from 22.118.133.133 to any destination service.
outside_access_in	105	Allows access from ABCNetP to any destination service.
outside_access_in	106	Allows access from ABCNetP to any destination service.
outside_access_in	107	Allows access from 22.118.133.137 to any destination service.
outside_access_in	108	Allows access from 22.118.133.137 to any destination service.
outside_access_in	113	Allows access from any source to cache1-out.
outside_access_in	114	Allows access from any source to cache2-out.
outside_access_in	116	Allows access from scr2160 to any destination service.
outside_access_in	118	Allows access from 22.118.128.226 to any destination service.
outside_access_in	119	Allows access from 22.118.128.225 to any destination service.
outside_access_in	121	Allows access from any source to 22.118.128.24.
outside_access_in	122	Allows access from any source to 22.118.128.24.
outside_access_in	123	Allows access from any source to exchange.
outside_access_in	126	Allows access from any source to 22.118.128.110.
outside_access_in	137	Allows access from any source to Ayma.
outside_access_in	138	Allows access from intranet to any destination.
outside_access_in	139	Allows access from intranet to any destination.
outside_access_in	140	Allows access from any source to 22.118.128.116.
outside_access_in	143	Allows access from any source to intranet.
outside_access_in	144	Allows access from any source to intranet.
outside_access_in	145	Allows access from any source to 22.118.128.26.
outside_access_in	148	Allows access from any source to 22.118.128.101. Allows access from any address to any destination service.
outside_access_in	149	Allows access from any source to 22.118.128.101. Allows access from any address to any destination service.
outside_access_in	150	Allows access from any source to 22.118.128.101.
outside_access_in	155	Allows access from any source to 22.118.128.102. Allows access from any address to any destination service.
outside_access_in	156	Allows access from 22.118.128.102 to any destination. Allows access from 22.118.128.102 to any destination service.
inside_access_in	1	Allows access from any source to any address. Allows access from any address to any destination. Allows access from any address to any destination service.
inside_access_in	2	Allows access from DNS2 to any destination.
inside_access_in	3	Allows access from DNS2 to any destination.
inside_access_in	4	Allows access from DNS1 to any destination.
inside_access_in	5	Allows access from DNS1 to any destination.
inside_access_in	6	Allows access from WAS to any destination. Allows access from WAS to any destination service.
inside_access_in	7	Allows access from WAP to any destination. Allows access from WAP to any destination service.
inside_access_in	8	Allows access from 22.118.128.66 to any destination.
inside_access_in	10	Allows access from 22.118.128.66 to any destination.
inside_access_in	11	Allows access from 22.118.128.67 to any destination.
inside_access_in	12	Allows access from 22.118.128.67 to any destination.
inside_access_in	13	Allows access from HASimc01 to any destination.
inside_access_in	14	Allows access from HASimc02 to any destination.
inside_access_in	15	Allows access from HASimc04 to any destination.
inside_access_in	16	Allows access from 22.118.128.154 to any destination.
inside_access_in	19	Allows access from wireless-BB to any destination. Allows access from wireless-BB to any destination service.
inside_access_in	20	Allows access from pptp to any destination.
inside_access_in	21	Allows access from pptp to any destination. Allows access from pptp to any destination service.
inside_access_in	22	Allows access from pptp2 to any destination.
inside_access_in	23	Allows access from pptp2 to any destination. Allows access from pptp2 to any destination service.
inside_access_in	24	Allows access from inetlog02 to any destination. Allows access from inetlog02 to any destination service.
inside_access_in	25	Allows access from cache2-out to any destination.
inside_access_in	26	Allows access from cache1-out to any destination.
inside_access_in	27	Allows access from cache1-out to any destination.
inside_access_in	28	Allows access from cache2-out to any destination.
inside_access_in	31	Allows access from Ahme to any destination service.
inside_access_in	32	Allows access from any source to 22.118.128.20.
inside_access_in	33	Allows access from any source to 22.118.128.20.
inside_access_in	34	Allows access from any source to 22.118.128.25.
inside_access_in	35	Allows access from any source to 22.118.128.25.
inside_access_in	36	Allows access from 22.118.128.20 to any destination.
inside_access_in	37	Allows access from 22.118.128.25 to any destination.
inside_access_in	38	Allows access from 22.118.128.25 to any destination.
inside_access_in	39	Allows access from 22.118.128.20 to any destination.
inside_access_in	47	Allows access from 22.118.128.76 to any destination.
inside_access_in	48	Allows access from 22.118.128.76 to any destination.
inside_access_in	49	Allows access from 22.118.128.76 to any destination.
inside_access_in	50	Allows access from 22.118.128.73 to any destination.
inside_access_in	51	Allows access from symantec1 to any destination.
inside_access_in	60	Allows access from 22.118.128.68 to any destination service.
inside_access_in	61	Allows access from cache1-out to any destination service.
inside_access_in	62	Allows access from 22.118.128.68 to any destination service.
inside_access_in	63	Allows access from cache1-out to any destination service.
inside_access_in	68	Allows access from 22.118.128.158 to any destination service.
inside_access_in	83	Allows access from 22.118.128.162 to any destination service.
inside_access_in	86	Allows access from 22.118.128.162 to any destination service.
inside_access_in	100	Allows access from 22.118.128.164 to any destination service.
inside_access_in	101	Allows access from 22.118.128.164 to any destination service.
inside_access_in	102	Allows access from 22.118.128.91 to any destination.
inside_access_in	103	Allows access from 22.118.128.91 to any destination.
inside_access_in	105	Allows access from 22.118.128.164 to any destination service.
inside_access_in	106	Allows access from 22.118.128.164 to any destination service.
inside_access_in	107	Allows access from cache1-out to any destination.
inside_access_in	108	Allows access from cache2-out to any destination.
inside_access_in	109	Allows access from cache1-out to any destination.
inside_access_in	110	Allows access from cache2-out to any destination.
inside_access_in	111	Allows access from cache1-out to any destination.
inside_access_in	112	Allows access from cache2-out to any destination.
inside_access_in	113	Allows access from cache1-out to any destination.
inside_access_in	114	Allows access from cache2-out to any destination.
inside_access_in	115	Allows access from cache1-out to any destination.
inside_access_in	116	Allows access from cache2-out to any destination.
inside_access_in	117	Allows access from cache1-out to any destination.
inside_access_in	118	Allows access from cache1-out to any destination.
inside_access_in	119	Allows access from cache1-out to any destination.
inside_access_in	120	Allows access from cache2-out to any destination.
inside_access_in	121	Allows access from cache2-out to any destination.
inside_access_in	122	Allows access from cache2-out to any destination.
inside_access_in	126	Allows access from 22.118.128.170 to any destination.
inside_access_in	127	Allows access from 22.118.128.163 to any destination.
inside_access_in	128	Allows access from 22.118.128.163 to any destination.
inside_access_in	130	Allows access from 22.118.128.164 to any destination service.
inside_access_in	131	Allows access from 22.118.128.164 to any destination service.
inside_access_in	132	Allows access from 22.118.128.164 to any destination service.
inside_access_in	136	Allows access from a network source to 22.118.128.22. Allows access from 172.20.10.8 / 255.255.255.252 to any destination service.
inside_access_in	137	Allows access from a network source to 22.118.128.21. Allows access from 172.20.10.8 / 255.255.255.252 to any destination service.
inside_access_in	138	Allows access from a network source to 22.118.128.22.
inside_access_in	139	Allows access from a network source to 22.118.128.22.
inside_access_in	140	Allows access from a network source to 22.118.128.21.
inside_access_in	141	Allows access from a network source to 22.118.128.21.
inside_access_in	151	Allows access from cache1-out to any destination.
inside_access_in	152	Allows access from cache2-out to any destination.
inside_access_in	157	Allows access from a network source to escr-4463_d.
inside_access_in	158	Allows access from a network source to escr-4463_d.
inside_access_in	159	Allows access from escr-4463_d to any destination.
inside_access_in	160	Allows access from escr-4463_d to any destination.
inside_access_in	169	Allows access from 10.33.18.160 to a network destination.
inside_access_in	177	Allows access from escr5723_s to a network destination.
inside_access_in	180	Allows access from any source to 22.118.128.110.
inside_access_in	182	Allows access from any source to 22.118.128.110.
inside_access_in	183	Allows access from 10.32.8.90 to any destination. Allows access from 10.32.8.90 to any destination service.
inside_access_in	184	Allows access from 10.32.8.94 to any destination. Allows access from 10.32.8.94 to any destination service.
inside_access_in	193	Allows access from escr8063_d to any destination service.
inside_access_in	194	Allows access from escr8063_d to any destination service.
inside_access_in	195	Allows access from escr8063_s to any destination service.
inside_access_in	196	Allows access from escr8063_s to any destination service.
inside_access_in	197	Allows access from a network source to 22.118.128.24.
inside_access_in	198	Allows access from 22.118.128.102 to any destination.
inside_access_in	199	Allows access from 22.118.128.102 to any destination.
inside_access_in	200	Allows access from a network source to 22.118.128.24.
inside_access_in	201	Allows access from 10.245.1.5 to any destination service.
inside_access_in	220	Allows access from Ayma to any destination.
inside_access_in	225	Allows access from 172.20.239.7 to any destination.
inside_access_in	226	Allows access from 172.20.239.7 to any destination.
inside_access_in	227	Allows access from any source to 172.20.239.7.
inside_access_in	228	Allows access from any source to intranet.
inside_access_in	229	Allows access from any source to intranet.
inside_access_in	230	Allows access from a network source to 22.118.154.29.
inside_access_in	231	Allows access from any source to 172.20.239.7.
inside_access_in	238	Allows access from 22.118.128.101 to any destination. Allows access from 22.118.128.101 to any destination service.
inside_access_in	239	Allows access from 22.118.128.101 to any destination. Allows access from 22.118.128.101 to any destination service.
inside_access_in	240	Allows access from intranet to any destination.
inside_access_in	241	Allows access from 22.118.128.101 to any destination.
inside_access_in	242	Allows access from intranet to any destination.
inside_access_in	244	Allows access from any source to 22.118.128.102. Allows access from any address to any destination service.
inside_access_in	245	Allows access from 22.118.128.102 to any destination. Allows access from 22.118.128.102 to any destination service.
inside_access_in	250	Allows access from 22.118.128.186 to any destination service.
inside_access_in	251	Allows access from 10.32.9.210 to any destination service.
inside_access_in	252	Allows access from escr9332_s to any destination.
inside_access_in	253	Allows access from 193.110.54.70 to any destination service.

Impact: If ACEs are not sufficiently restrictive, an attacker may be able to access services or network devices that should not be accessible. Furthermore, an attacker who had compromised a device could install a backdoor which could listen on a network port that was not filtered.

Ease: N/A

Recommendation: Nipper recommends that the ACLs be reviewed and, where possible, modified to ensure that:

ACE do not allow access from any source;
ACE do not allow access from entire source networks;
ACE do not allow access to any destination;
ACE do not allow access to entire destination networks;
ACE do not allow access to any destination port;
ACE log denied access;
disabled ACE are removed;
ACL end with a deny all and log.

However, in certain circumstances, such as a public web server, a more relaxed configuration may be required to allow any host to access specific hosts and services.

2.7. Conclusions

Nipper performed a security audit of the Cisco PIX Firewall device HatSecurity.com-PIX-demo1 on Wednesday 2nd July 2008 and identified five security-related issues. Nipper determined that:

the software version was out of date;
dictionary-based passwords / keys were in use;
weak passwords / keys were identified;
clear-text remote administration was enabled using SNMP;
insecure ACL were configured.

3. Device Configuration

3.1. Introduction

This section details the configuration settings of the Cisco PIX Firewall device HatSecurity.com-PIX-demo1.

3.2. General

Table 3: General device settings
Description	Setting
Hostname	HatSecurity.com-PIX-demo1
Domain Name	HatSecurity.com
PIX Version	6.3(3)
Transparent Firewall	No
Flood Guard	Enabled

3.3. Services

Table 4: Device services
Service	Status
SNMP Server	Enabled
HTTPS Server	Disabled

3.4. Simple Network Management Protocol

SNMP is used to assist network administrators in monitoring and managing a wide variety of network devices. There are three main versions of SNMP in use. Versions 1 and 2 of SNMP are both secured with a community string and authenticate and transmit network packets without any form of encryption. SNMP version 3 provides several levels of authentication and encryption. The most basic level provides a similar protection to that of the earlier protocol versions. However, SNMP version 3 can be configured to provide encrypted authentication (auth) and secured further with support for encrypted data communications (priv). However, Cisco PIX Firewall currently only support SNMP versions 1 and 2.

Table 5: General SNMP service configuration
Description	Setting
SNMP Server	Enabled
UDP Port	161
Community String	public
Contact
Location

Table 6: SNMP traps
Type	Trap
snmp	authentication
snmp	linkup
snmp	linkdown
snmp	coldstart

3.5. Interfaces

Table 7: Interfaces
Interface	Name	Shutdown	Security	uRPF
gb-ethernet0	intf2	Yes	10	No
gb-ethernet1	intf3	Yes	15	No
ethernet0	outside	No	0	No
ethernet1	inside	No	100	No
ethernet2	intf4	Yes	20	No
ethernet3	intf5	Yes	25	No
ethernet4	CWS_DMZ	No	50	No
ethernet5	management	No	50	No

3.6. Access Control List

A Cisco ACL is a sequential list of apply or deny ACEs that a Cisco device will apply to network traffic. The Cisco device will check network traffic against the ACL and the first ACE match will determine whether the packet is accepted or rejected. If the Cisco device does not have an ACE that applies then the packet is denied.

Newer versions of Cisco firewall devices have two different types of ACL, standard and extended. Standard ACL are typically used to secure Open Shortest Path First (OSPF) routes, whilst extended ACL are used for all other network filtering.

Table 8: General ACL settings
Description	Setting
Alert Interval	300 seconds
Maximum Deny Flows	4096

Table 9: ACL outside_access_in
Line	Permission	Protocol	Source	Source Port	Destination	Destination Port
------ Temporary Rules ------
------ END of Temporary Rules ------
1	Deny	udp	Any	Any	Any	nameserver
2	Deny	tcp	Any	Any	Any	42
3	Deny	tcp	Any	Any	Any	5554
4	Deny	tcp	Any	Any	Any	9996
5	Deny	udp	Any	4000	Any	Any
6	Deny	ip	22.118.100.78	Any	Any	Any
7	Deny	udp	Any	Any	Any	1434
8	Deny	tcp	Any	Any	Any	6129
9	Permit	icmp	dialup / 255.255.252.0	Any	dialup / 255.255.255.0	Any
10	Permit	tcp	Dailup_user / 255.255.254.0	Any	intranet	www
11	Permit	tcp	Any	Any	idl	www
12	Permit	tcp	Any	Any	HASimc01	smtp
13	Permit	tcp	Any	Any	HASimc02	smtp
14	Permit	tcp	Any	Any	HASimc04	smtp
15	Permit	tcp	Any	Any	22.118.128.154	smtp
16	Permit	tcp	Any	Any	WAS	ftp
17	Permit	tcp	Dailup_user / 255.255.254.0	Any	cache	8080
18	Permit	tcp	Any	Any	22.118.128.66	domain
19	Permit	udp	Any	Any	22.118.128.66	domain
20	Permit	tcp	Any	Any	22.118.128.67	domain
21	Permit	udp	Any	Any	22.118.128.67	domain
22	Permit	icmp	dialup / 255.255.255.240	Any	22.118.128.32 / 255.255.255.240	Any
23	Permit	tcp	Any	Any	internet	www
24	Permit	tcp	Any	Any	edirectory1	www
25	Permit	tcp	Dailup_user / 255.255.254.0	Any	pptp	pptp
26	Permit	gre	Dailup_user / 255.255.254.0	Any	pptp	Any
27	Permit	gre	Dailup_user / 255.255.254.0	Any	pptp2	Any
28	Permit	tcp	Dailup_user / 255.255.254.0	Any	pptp2	pptp
29	Permit	tcp	ABCNet	Any	intranet	www
30	Permit	tcp	Any	Any	ebill	www
31	Permit	udp	dialup / 255.255.255.0	Any	inetlog02	snmp
32	Permit	tcp	dialup / 255.255.252.0	Any	22.118.128.78	domain
33	Permit	udp	dialup / 255.255.252.0	Any	22.118.128.78	domain
34	Permit	tcp	dialup / 255.255.252.0	Any	22.118.128.77	domain
35	Permit	udp	dialup / 255.255.252.0	Any	22.118.128.77	domain
36	Permit	udp	dialup / 255.255.255.0	Any	inetlog02	snmptrap
37	Permit	tcp	escr4466_s	Any	escr4466_d	1645 - 1646
38	Permit	udp	escr4466_s	Any	escr4466_d	radius - radius-acct
39	Permit	udp	22.118.128.225	Any	22.118.128.67	radius-acct
40	Permit	tcp	Any	Any	22.118.128.20	www
41	Permit	tcp	Any	Any	22.118.128.25	www
42	Permit	tcp	Any	Any	22.118.128.20	https
43	Permit	tcp	Any	Any	22.118.128.25	https
44	Permit	icmp	Any	Any	22.118.128.19	Any
45	Permit	icmp	Any	Any	22.118.128.21	Any
46	Permit	icmp	Any	Any	22.118.128.19	Any
47	Permit	icmp	Any	Any	22.118.128.21	Any
48	Permit	tcp	22.118.128.20	Any	Any	www
49	Permit	tcp	22.118.128.25	Any	Any	www
50	Permit	tcp	22.118.128.20	Any	Any	https
51	Permit	tcp	22.118.128.25	Any	Any	https
52	Permit	tcp	ABCNet	Any	BSC	8080
53	Permit	tcp	Any	Any	22.118.128.152	www
54	Permit	tcp	Any	Any	22.118.128.152	https
55	Permit	udp	22.118.128.225	Any	22.118.128.67	radius
56	Permit	tcp	Any	Any	22.118.128.73	smtp
57	Permit	tcp	Any	Any	symantec1	smtp
58	Permit	tcp	171.68.227.106	Any	cisco-tac	telnet
59	Permit	tcp	22.118.128.225	Any	cisco-tac	telnet
60	Permit	tcp	Any	Any	22.118.128.95	www
61	Permit	tcp	ipass	Any	22.118.128.158	577
62	Permit	udp	scr792_s	Any	22.118.128.66	radius
63	Permit	udp	scr792_s	Any	22.118.128.67	radius
64	Permit	tcp	172.30.14.130	Any	cache	8080 - 8081
65	Permit	tcp	172.20.19.2	Any	cache	8080 - 8081
66	Permit	tcp	195.149.45.5	Any	22.118.128.68	telnet
67	Permit	icmp	22.138.47.100	Any	22.118.128.68	Any
68	Permit	icmp	22.138.47.100	Any	cache1-out	Any
69	Permit	ip	22.118.136.198	Any	22.118.128.68	Any
70	Permit	ip	22.118.136.198	Any	cache1-out	Any
71	Permit	ip	22.26.63.45	Any	22.118.128.68	Any
72	Permit	ip	22.26.63.45	Any	cache1-out	Any
73	Permit	udp	22.118.128.225	Any	22.118.128.66	radius - radius-acct
74	Permit	udp	22.118.128.225	Any	22.118.128.67	radius - radius-acct
75	Permit	tcp	64.104.205.63	Any	cisco-tac	telnet
76	Permit	tcp	ebill	Any	172.20.238.77	sqlnet
77	Permit	udp	ebill	Any	172.20.238.77	1521
78	Permit	udp	22.118.128.224 / 255.255.255.240	Any	inetlog02	syslog
79	Permit	tcp	22.247.15.77	Any	22.118.128.169	ssh
80	Permit	tcp	22.247.15.77	Any	22.118.128.168	ssh
81	Permit	udp	22.118.128.226	Any	22.118.128.66	radius
82	Permit	udp	22.118.128.226	Any	22.118.128.66	radius-acct
83	Deny	ip	22.234.153.202	Any	Any	Any
84	Permit	udp	22.118.128.226	Any	22.118.128.67	radius
85	Permit	udp	22.118.128.226	Any	22.118.128.67	radius-acct
86	Permit	tcp	Any	Any	22.118.128.92	81
87	Permit	tcp	Any	Any	22.118.128.92	449
88	Permit	tcp	Any	Any	ebill	81
89	Permit	tcp	Any	Any	ebill	449
90	Permit	tcp	Any	Any	22.118.128.110	https
91	Permit	tcp	Any	Any	22.118.128.110	www
92	Permit	tcp	Any	Any	22.118.128.91	www
93	Permit	tcp	Any	Any	22.118.128.91	https
94	Permit	icmp	scr2160_d	Any	22.118.128.164	Any
95	Permit	icmp	scr2160_d	Any	22.118.128.164	Any
96	Deny	ip	26.136.173.161	Any	Any	Any
97	Permit	icmp	22.118.136.54	Any	22.118.128.164	Any
98	Permit	icmp	22.118.136.54	Any	22.118.128.164	Any
99	Permit	icmp	22.118.136.198	Any	22.118.128.164	Any
100	Permit	icmp	22.118.136.198	Any	22.118.128.164	Any
101	Permit	icmp	22.118.133.140	Any	22.118.128.164	Any
102	Permit	icmp	22.118.133.140	Any	22.118.128.164	Any
103	Permit	icmp	22.118.133.133	Any	22.118.128.164	Any
104	Permit	icmp	22.118.133.133	Any	22.118.128.164	Any
105	Permit	icmp	ABCNetP	Any	22.118.128.164	Any
106	Permit	icmp	ABCNetP	Any	22.118.128.164	Any
107	Permit	icmp	22.118.133.137	Any	22.118.128.164	Any
108	Permit	icmp	22.118.133.137	Any	22.118.128.164	Any
109	Permit	tcp	22.247.15.77	Any	22.118.128.168	telnet
110	Permit	tcp	22.247.15.77	Any	22.118.128.168	ftp
111	Permit	tcp	22.247.15.77	Any	22.118.128.169	telnet
112	Permit	tcp	22.247.15.77	Any	22.118.128.169	ftp
113	Permit	udp	Any	Any	cache1-out	6970 - 7170
114	Permit	udp	Any	Any	cache2-out	6970 - 7170
115	Permit	tcp	scr05-01-1685_s	Any	scr05-01-1685_d	scr05-01-1685_p
116	Permit	icmp	scr2160	Any	22.118.128.164	Any
117	Permit	udp	22.118.128.226	Any	22.118.128.185	2055
118	Permit	ip	22.118.128.226	Any	22.118.128.185	Any
119	Permit	ip	22.118.128.225	Any	22.118.128.185	Any
120	Permit	tcp	22.135.137.194	Any	22.135.137.194	ftp-data
121	Permit	udp	Any	Any	22.118.128.24	www
122	Permit	tcp	Any	Any	22.118.128.24	www
123	Permit	tcp	Any	Any	exchange	https
124	Permit	tcp	escr-4466_s1	Any	escr-4466_d	1645 - 1646
125	Permit	udp	escr-4466_s1	Any	escr-4466_d	radius - radius-acct
126	Permit	tcp	Any	Any	22.118.128.110	11001
127	Permit	tcp	172.20.10.10	Any	escr7069_d	escr7069_p
128	Permit	udp	172.20.10.10	Any	escr7069_d	escr7069_p1
129	Permit	tcp	symantec3	Any	escr7069_d	escr7069_p
130	Permit	udp	symantec3	Any	escr7069_d	escr7069_p1
131	Permit	tcp	escr7069_d	Any	172.20.10.10	escr7069_p
132	Permit	udp	escr7069_d	Any	172.20.10.10	escr7069_p1
133	Permit	tcp	22.118.128.189	Any	22.118.133.92	ftp
134	Permit	tcp	escr7069_d	Any	symantec3	escr7069_p
135	Permit	udp	escr7069_d	Any	symantec3	escr7069_p1
136	Permit	tcp	22.118.128.188	Any	22.118.154.29	www
137	Permit	tcp	Any	Any	Ayma	https
138	Permit	tcp	intranet	Any	Any	escr8793_p1
139	Permit	udp	intranet	Any	Any	escr8793_p3
140	Permit	tcp	Any	Any	22.118.128.116	https
141	Permit	tcp	22.118.129.253	Any	symantec3	1645 - 1656
142	Permit	tcp	22.118.129.253	Any	symantec4	1645 - 1656
143	Permit	udp	Any	Any	intranet	escr8931_p2
144	Permit	tcp	Any	Any	intranet	escr8931_p1
145	Permit	tcp	Any	Any	22.118.128.26	https
146	Permit	udp	escr8942_d	Any	10.33.16.12	636
147	Permit	tcp	escr8942_d	Any	10.33.16.12	ldaps
148	Permit	udp	Any	Any	22.118.128.101	Any
149	Permit	tcp	Any	Any	22.118.128.101	Any
150	Permit	tcp	Any	Any	22.118.128.101	smtp
151	Permit	udp	10.33.16.12	Any	escr8942_d	636
152	Permit	tcp	10.33.16.12	Any	escr8942_d	63
153	Permit	tcp	escr8784_s	Any	escr8784_d	ldaps
154	Permit	udp	escr8784_s	Any	escr8784_d	636
155	Permit	ip	Any	Any	22.118.128.102	Any
156	Permit	ip	22.118.128.102	Any	Any	Any
157	Deny	ip	Any	Any	Any	Any

Table 10: ACL inside_access_in
Line	Permission	Protocol	Source	Source Port	Destination	Destination Port
------ Temporary Rules ------
------ END of Temporary Rules ------
1	Permit	icmp	Any	Any	Any	Any
2	Permit	udp	DNS2	Any	Any	domain
3	Permit	tcp	DNS2	Any	Any	domain
4	Permit	tcp	DNS1	Any	Any	domain
5	Permit	udp	DNS1	Any	Any	domain
6	Permit	ip	WAS	Any	Any	Any
7	Permit	ip	WAP	Any	Any	Any
8	Permit	tcp	22.118.128.66	Any	Any	domain
9	Permit	tcp	22.118.128.145	Any	ABCNetP	8080
10	Permit	udp	22.118.128.66	Any	Any	domain
11	Permit	tcp	22.118.128.67	Any	Any	domain
12	Permit	udp	22.118.128.67	Any	Any	domain
13	Permit	tcp	HASimc01	Any	Any	smtp
14	Permit	tcp	HASimc02	Any	Any	smtp
15	Permit	tcp	HASimc04	Any	Any	smtp
16	Permit	tcp	22.118.128.154	Any	Any	smtp
17	Permit	tcp	22.118.128.145	Any	22.118.133.140	8080
18	Permit	tcp	22.118.128.143	Any	ABCNetP	8080
19	Permit	ip	wireless-BB	Any	Any	Any
20	Permit	tcp	pptp	Any	Any	pptp
21	Permit	gre	pptp	Any	Any	Any
22	Permit	tcp	pptp2	Any	Any	pptp
23	Permit	gre	pptp2	Any	Any	Any
24	Permit	ip	inetlog02	Any	Any	Any
25	Permit	tcp	cache2-out	Any	Any	8080
26	Permit	tcp	cache1-out	Any	Any	8080
27	Permit	tcp	cache1-out	Any	Any	ftp
28	Permit	tcp	cache2-out	Any	Any	ftp
29	Permit	tcp	IntGroupHost	Any	ftp-eng.cisco	ftp
30	Permit	tcp	22.118.128.139	Any	ftp-eng.cisco	ftp
31	Permit	ip	Ahme	Any	22.118.128.225	Any
32	Permit	tcp	Any	Any	22.118.128.20	www
33	Permit	tcp	Any	Any	22.118.128.20	https
34	Permit	tcp	Any	Any	22.118.128.25	https
35	Permit	tcp	Any	Any	22.118.128.25	www
36	Permit	tcp	22.118.128.20	Any	Any	https
37	Permit	tcp	22.118.128.25	Any	Any	https
38	Permit	tcp	22.118.128.25	Any	Any	www
39	Permit	tcp	22.118.128.20	Any	Any	www
40	Permit	tcp	22.118.128.136	Any	ftp.sun.co.uk	ftp
41	Permit	tcp	22.118.128.136	Any	ftp.hostnet.cz	ftp
42	Permit	tcp	22.118.128.149	Any	ftp.sun.co.uk	ftp
43	Permit	tcp	22.118.128.149	Any	ftp.hostnet.cz	ftp
44	Permit	tcp	22.118.128.151	Any	ftp.sun.co.uk	ftp
45	Permit	tcp	22.118.128.151	Any	ftp.hostnet.cz	ftp
46	Permit	tcp	22.118.128.153	Any	Cisco_FTP	ftp
47	Permit	tcp	22.118.128.76	Any	Any	ftp
48	Permit	tcp	22.118.128.76	Any	Any	8080
49	Permit	tcp	22.118.128.76	Any	Any	www
50	Permit	tcp	22.118.128.73	Any	Any	smtp
51	Permit	tcp	symantec1	Any	Any	smtp
52	Permit	tcp	22.118.128.155	Any	195.229.49.177	https
53	Permit	tcp	22.118.128.155	Any	195.229.49.177	8080
54	Permit	tcp	22.118.128.193	Any	22.12.169.135	64020 - 64021
55	Permit	tcp	22.118.128.194	Any	22.12.169.135	64020 - 64021
56	Permit	tcp	22.118.128.157	Any	62.149.71.137	ftp
57	Permit	tcp	22.118.128.157	Any	192.100.121.12	8080
58	Permit	tcp	22.118.128.157	Any	192.100.121.12	citrix-ica
59	Permit	udp	22.118.128.157	Any	192.100.121.12	1604
60	Permit	icmp	22.118.128.68	Any	22.138.47.100	Any
61	Permit	icmp	cache1-out	Any	22.138.47.100	Any
62	Permit	udp	22.118.128.68	Any	22.138.47.100	Any
63	Permit	udp	cache1-out	Any	22.138.47.100	Any
64	Permit	tcp	IntGroupHost	Any	192.168.219.53	https
65	Permit	tcp	IntGroupHost	Any	192.135.250.12	https
66	Permit	tcp	IntGroupHost	Any	64.103.36.134	https
67	Permit	tcp	IntGroupHost	Any	192.135.250.12	ftp
68	Permit	ip	22.118.128.158	Any	13.86.133.55	Any
69	Permit	tcp	10.32.88.210	Any	22.162.134.90	9009
70	Permit	tcp	22.118.128.100	Any	22.138.47.100	8080
71	Permit	tcp	22.118.128.155	Any	192.229.49.177	8080
72	Permit	tcp	22.118.128.155	Any	192.229.49.177	https
73	Permit	tcp	8.2.250.250	Any	22.118.128.68	telnet
74	Permit	udp	8.2.250.250	Any	22.118.128.68	23
75	Permit	tcp	8.2.250.250	Any	22.118.128.68	8081
76	Permit	udp	8.2.250.250	Any	22.118.128.68	8081
77	Permit	tcp	8.2.250.250	Any	22.118.128.69	telnet
78	Permit	udp	8.2.250.250	Any	22.118.128.69	23
79	Permit	tcp	8.2.250.250	Any	22.118.128.69	8081
80	Permit	udp	8.2.250.250	Any	22.118.128.69	8081
81	Permit	tcp	172.20.238.77	Any	ebill	sqlnet
82	Permit	udp	172.20.238.77	Any	ebill	1521
83	Permit	esp	22.118.128.162	Any	SCR1588-87_d	Any
84	Permit	udp	22.118.128.162	Any	SCR1588-87_d	isakmp
85	Permit	udp	22.118.128.162	Any	SCR1588-87_d	10000
86	Permit	ip	22.118.128.162	Any	192.245.235.140	Any
87	Permit	tcp	22.118.128.165	Any	192.6.126.144	https
88	Permit	tcp	22.118.128.166	Any	62.149.71.137	ftp
89	Permit	tcp	22.118.128.143	Any	64.94.50.84	ftp
90	Permit	tcp	22.118.128.164	Any	192.170.19.51	ftp
91	Deny	ip	10.32.15.235	Any	Any	Any
92	Permit	tcp	22.118.128.226	Any	22.118.128.66	1645
93	Permit	tcp	22.118.128.226	Any	22.118.128.66	1646
94	Permit	tcp	22.118.128.226	Any	22.118.128.67	1646
95	Permit	tcp	22.118.128.226	Any	22.118.128.67	1645
96	Permit	tcp	22.118.128.163	Any	22.118.133.133	8080
97	Permit	tcp	22.118.128.163	Any	22.118.133.137	8080
98	Permit	tcp	22.118.128.163	Any	ABCNetP	8080
99	Permit	tcp	22.118.128.163	Any	22.118.133.140	8080
100	Permit	icmp	22.118.128.164	Any	scr2160_d	Any
101	Permit	icmp	22.118.128.164	Any	scr2160_d	Any
102	Permit	tcp	22.118.128.91	Any	Any	www
103	Permit	tcp	22.118.128.91	Any	Any	https
104	Permit	tcp	22.118.128.108	Any	207.46.197.119	www
105	Permit	icmp	22.118.128.164	Any	scr2160_d	Any
106	Permit	icmp	22.118.128.164	Any	scr2160_d	Any
107	Permit	udp	cache1-out	Any	Any	2000 - 2001
108	Permit	udp	cache2-out	Any	Any	2000 - 2001
109	Permit	udp	cache1-out	Any	Any	5005
110	Permit	udp	cache2-out	Any	Any	5005
111	Permit	udp	cache1-out	Any	Any	5000
112	Permit	udp	cache2-out	Any	Any	5000
113	Permit	udp	cache1-out	Any	Any	1755
114	Permit	udp	cache2-out	Any	Any	1755
115	Permit	udp	cache1-out	Any	Any	1024
116	Permit	udp	cache2-out	Any	Any	1024
117	Permit	tcp	cache1-out	Any	Any	www
118	Permit	tcp	cache1-out	Any	Any	1755
119	Permit	tcp	cache1-out	Any	Any	554
120	Permit	tcp	cache2-out	Any	Any	554
121	Permit	tcp	cache2-out	Any	Any	1755
122	Permit	tcp	cache2-out	Any	Any	www
123	Permit	tcp	scr05-01-1581_s	Any	22.118.128.91	scr05-01-1581_p
124	Permit	tcp	22.118.128.182	Any	22.119.64.11	ftp
125	Permit	tcp	22.118.128.182	Any	22.93.192.102	ftp
126	Permit	tcp	22.118.128.170	Any	Any	9008 - 9009
127	Permit	tcp	22.118.128.163	Any	Any	9008
128	Permit	tcp	22.118.128.163	Any	Any	9009
129	Permit	tcp	22.118.128.163	Any	escr1214_d	9006
130	Permit	icmp	22.118.128.164	Any	scr2160	Any
131	Permit	icmp	22.118.128.164	Any	scr2160	Any
132	Permit	icmp	22.118.128.164	Any	scr2160	Any
133	Permit	udp	22.118.128.164	Any	scr2160	snmp - snmptrap
134	Permit	udp	22.118.128.164	Any	scr2160	1050 - 1075
135	Permit	udp	22.118.128.185	Any	22.118.128.226	snmp
136	Permit	icmp	172.20.10.8 / 255.255.255.252	Any	22.118.128.22	Any
137	Permit	icmp	172.20.10.8 / 255.255.255.252	Any	22.118.128.21	Any
138	Permit	tcp	172.20.10.8 / 255.255.255.252	Any	22.118.128.22	161 - 162
139	Permit	tcp	172.20.10.8 / 255.255.255.252	Any	22.118.128.22	telnet
140	Permit	tcp	172.20.10.8 / 255.255.255.252	Any	22.118.128.21	telnet
141	Permit	tcp	172.20.10.8 / 255.255.255.252	Any	22.118.128.21	161 - 162
142	Permit	udp	escr2129_s	Any	escr2129_d	snmp
143	Permit	udp	22.118.128.164	Any	22.118.128.21	snmp
144	Permit	tcp	escr2689_s	Any	escr2689_d	https
145	Permit	udp	22.118.128.164	Any	22.118.128.22	snmp
146	Permit	tcp	escr2812_s	Any	escr2812_d	escr2812_p
147	Permit	tcp	escr2812_d	Any	escr2812_s	escr2812_p
148	Permit	tcp	22.118.133.156	Any	22.93.192.22	ftp
149	Permit	tcp	22.118.128.156	Any	22.93.192.22	ftp
150	Permit	tcp	escr-3243_s	Any	22.118.128.24	www
151	Permit	tcp	cache1-out	Any	Any	https
152	Permit	tcp	cache2-out	Any	Any	https
153	Permit	tcp	22.118.128.159	Any	12.151.162.110	https
154	Permit	tcp	22.118.128.167	Any	12.151.162.110	https
155	Permit	tcp	22.118.128.176	Any	12.151.162.110	https
156	Permit	tcp	12.151.162.110	Any	22.118.128.159	55012
157	Permit	tcp	escr-4463_s	Any	escr-4463_d	domain
158	Permit	udp	escr-4463_s	Any	escr-4463_d	domain
159	Permit	tcp	escr-4463_d	Any	Any	domain
160	Permit	udp	escr-4463_d	Any	Any	domain
161	Permit	tcp	escr-4466_s	Any	escr-4466_d	2002 - 2010
162	Permit	tcp	escr-4466_s1	Any	escr-4466_d	1645 - 1646
163	Permit	udp	escr-4466_s1	Any	escr-4466_d	radius - radius-acct
164	Permit	udp	escr-4466_s	Any	escr-4466_d	2002 - 2010
165	Permit	udp	escr-4466_d	Any	escr-4466_d1	389
166	Permit	tcp	escr-4466_d	Any	escr-4466_d1	ldap
167	Permit	tcp	escr4979_s	Any	12.151.162.162	https
168	Permit	tcp	escr4979_s	Any	12.151.162.110	https
169	Permit	tcp	10.33.18.160	Any	22.118.128.64 / 255.255.255.192	escr5723_p
170	Permit	tcp	escr5723_s	Any	cache2-out	ftp
171	Permit	tcp	escr5723_s	Any	cache1-out	ftp
172	Permit	tcp	22.118.128.96	Any	22.135.137.194	ftp
173	Permit	tcp	escr5723_s	Any	cache2-out	ssh
174	Permit	tcp	escr5723_s	Any	cache1-out	telnet
175	Permit	tcp	escr5723_s	Any	cache1-out	8080
176	Permit	tcp	escr6337_s	Any	172.20.39.195	7777
177	Permit	tcp	escr5723_s	Any	22.118.128.64 / 255.255.255.192	escr5723_p
178	Permit	tcp	escr7540_s	Any	escr7540_d	escr7540_p
179	Permit	tcp	22.118.129.23	Any	62.149.71.1	ftp-data - ftp
180	Permit	tcp	Any	Any	22.118.128.110	11001
181	Permit	tcp	escr6970_s	Any	62.149.71.55	escr6970_p
182	Permit	udp	Any	Any	22.118.128.110	11001
183	Permit	ip	10.32.8.90	Any	Any	Any
184	Permit	ip	10.32.8.94	Any	Any	Any
185	Permit	tcp	symantec3	Any	escr7069_d	escr7069_p
186	Permit	udp	symantec3	Any	escr7069_d	escr7069_p1
187	Permit	tcp	22.32.88.210	Any	escr7197_d	escr7197_p
188	Permit	tcp	escr7765_s	Any	escr7765_d	escr7765_p
189	Permit	tcp	22.118.128.83	Any	10.162.14.200	escr7880_p
190	Permit	tcp	22.118.128.84	Any	10.162.14.200	escr7880_p
191	Permit	tcp	webmail	Any	10.162.14.200	escr7880_p
192	Permit	tcp	22.118.128.187	Any	13.130.50.253	5151
193	Permit	icmp	escr8063_d	Any	escr8063_s	Any
194	Permit	icmp	escr8063_d	Any	escr8063_s	Any
195	Permit	icmp	escr8063_s	Any	escr8063_d	Any
196	Permit	icmp	escr8063_s	Any	escr8063_d	Any
197	Permit	udp	172.0.0.0 / 255.0.0.0	Any	22.118.128.24	www
198	Permit	udp	22.118.128.102	Any	Any	escr8271_p
199	Permit	tcp	22.118.128.102	Any	Any	escr8271_p
200	Permit	tcp	172.0.0.0 / 255.0.0.0	Any	22.118.128.24	www
201	Permit	icmp	10.245.1.5	Any	22.118.128.102	Any
202	Permit	tcp	10.32.2.71	Any	22.118.128.102	161
203	Permit	tcp	10.32.2.71	Any	22.118.128.102	162
204	Permit	tcp	10.32.2.72	Any	22.118.128.102	161
205	Permit	tcp	10.32.2.72	Any	22.118.128.102	162
206	Permit	tcp	172.20.12.13	Any	22.118.128.102	www
207	Permit	tcp	172.20.12.13	Any	22.118.128.102	10198
208	Permit	tcp	172.20.12.13	Any	22.118.128.102	10319
209	Permit	tcp	22.118.128.102	Any	10.32.0.71	161
210	Permit	tcp	22.118.128.102	Any	10.32.0.71	162
211	Permit	tcp	22.118.128.102	Any	10.32.0.72	161
212	Permit	tcp	22.118.128.102	Any	10.32.0.72	162
213	Permit	tcp	22.118.128.102	Any	172.20.12.13	www
214	Permit	tcp	22.118.128.102	Any	172.20.12.13	10198
215	Permit	tcp	22.118.128.102	Any	172.20.12.13	10319
216	Permit	tcp	12.151.162.162	Any	22.118.129.41	55011 - 55012
217	Permit	tcp	12.151.162.162	Any	escr8241_d	55011 - 55012
218	Permit	tcp	escr8384_s	Any	172.20.39.195	7777
219	Permit	tcp	22.118.128.188	Any	22.118.154.29	www
220	Permit	tcp	Ayma	Any	Any	https
221	Permit	tcp	10.255.255.67	Any	Ayma	57001
222	Permit	tcp	10.255.255.69	Any	Ayma	57001
223	Permit	tcp	symantec3	Any	22.118.129.253	1645 - 1656
224	Permit	tcp	symantec4	Any	22.118.129.253	1645 - 1656
225	Permit	tcp	172.20.239.7	Any	Any	escr8764_p
226	Permit	udp	172.20.239.7	Any	Any	escr8764_p1
227	Permit	udp	Any	Any	172.20.239.7	escr8764_p1
228	Permit	udp	Any	Any	intranet	escr8793_p3
229	Permit	tcp	Any	Any	intranet	escr8793_p1
230	Permit	tcp	escr8740_s	Any	22.118.154.29	www
231	Permit	tcp	Any	Any	172.20.239.7	escr8764_p
232	Permit	tcp	10.33.7.223	Any	13.130.50.253	5151
233	Permit	tcp	escr8784_s	Any	escr8784_d	626
234	Permit	udp	escr8784_s	Any	escr8784_d	626
235	Permit	tcp	escr8855_s	Any	symantec4	5555
236	Permit	udp	escr8855_s	Any	symantec4	5555
237	Permit	udp	escr8784_s	Any	escr8784_d	636
238	Permit	udp	22.118.128.101	Any	Any	Any
239	Permit	tcp	22.118.128.101	Any	Any	Any
240	Permit	udp	intranet	Any	Any	escr8931_p2
241	Permit	tcp	22.118.128.101	Any	Any	smtp
242	Permit	tcp	intranet	Any	Any	escr8931_p1
243	Permit	tcp	escr8784_s	Any	escr8784_d	ldaps
244	Permit	ip	Any	Any	22.118.128.102	Any
245	Permit	ip	22.118.128.102	Any	Any	Any
246	Permit	udp	symantec4	Any	escr9020_d	5555
247	Permit	tcp	22.118.128.186	Any	193.110.54.70	47
248	Permit	tcp	22.118.128.186	Any	193.110.54.70	pptp
249	Permit	tcp	symantec4	Any	escr9020_d	5555
250	Permit	ip	22.118.128.186	Any	193.110.54.70	Any
251	Permit	gre	10.32.9.210	Any	193.110.54.70	Any
252	Permit	tcp	escr9332_s	Any	Any	www
253	Permit	gre	193.110.54.70	Any	10.32.9.210	Any
254	Deny	ip	Any	Any	Any	Any

3.7. Protocol Inspection

Cisco firewall devices are capable of inspecting protocol traffic such as Domain Name System (DNS), HTTP and Simple Mail Transfer Protocol (SMTP). This allows traffic to be filtered based on the protocol and can prevent a number of attacks. For example, the SMTP filter can prevent certain SMTP commands from being executed.

Table 11: Protocols inspected
Protocol	Inspect	Option
dns	Yes	maximum-length 512
ftp	Yes	21
h323	Yes	h225 1720
h323	Yes	ras 1718-1719
http	Yes	80
ils	Yes	389
pptp	Yes	1723
rsh	Yes	514
rtsp	Yes	554
sip	Yes	5060
sip	Yes	udp 5060
skinny	Yes	2000
smtp	Yes	25
sqlnet	Yes	1521
tftp	Yes	69

3.8. Object Groups

Cisco object groups can be used to group items such as IP addresses, services and protocols. Object groups can be used with any Cisco security appliance command and the command will be effective for all members of the group, this can significantly simplify the devices configuration. Furthermore, object groups can be members or other object groups. There are different types of object group:

Services;
Protocols;
Networks;
ICMP Types.

Table 12: Service object group Internet-MIS
Object Type	Object
Port	500
Port	www
Port	51
Port	50
Port	443

Table 13: Network object group ipass
Object Type	Object
Host	26.239.102.125
Host	26.239.111.125
Host	26.239.108.125
Host	26.239.110.125
Host	26.239.105.125
Host	26.239.104.125
Host	26.239.101.125
Host	26.239.99.125
Host	26.239.98.125
Host	26.239.109.125
Host	26.239.103.125
Host	26.239.107.125
Host	8.22.202.21

Table 14: Network object group scr792_s
Object Type	Object
Host	7.66.127.242
Host	7.68.127.242
Host	7.70.127.242
Host	7.66.127.243
Host	7.68.127.243
Host	7.73.127.243

Table 15: Network object group SCR1588-87_d
Object Type	Object
Host	192.245.235.140
Host	192.245.235.141
Host	192.245.235.142
Host	13.190.149.130
Host	13.190.149.131
Host	13.190.149.132

Table 16: Network object group tada_d
Object Type	Object
Host	22.162.134.90
Host	22.162.130.91
Host	22.162.150.90

Table 17: Network object group scr2160_d
Object Type	Object
Host	22.118.136.198
Host	22.118.133.137
Host	ABCNetP
Host	22.118.133.140
Host	22.118.133.133
Host	22.118.136.54

Table 18: Service object group scr2160_p
Object Type	Object
Port	0
Port	8
Port	17
Port	18

Table 19: Network object group scr1444_d
Object Type	Object
Host	13.192.128.141
Host	13.132.59.15

Table 20: Network object group scr05-01-1685_d
Object Type	Object
Host	10.100.1.220
Host	10.102.1.223
Host	10.104.1.223
Host	10.106.1.224
Host	10.108.1.4
Host	10.110.1.222
Host	10.112.1.222
Host	10.114.1.222
Host	10.160.11.220
Host	10.162.1.223
Host	10.164.1.222
Host	10.166.1.224
Host	10.168.1.222
Host	10.32.193.110
Host	10.32.2.100
Host	10.32.2.103
Host	10.32.2.107
Host	10.32.2.108
Host	10.32.2.110
Host	10.32.2.112
Host	10.34.18.223
Host	10.36.1.222
Host	10.38.1.221
Host	10.45.2.223
Host	10.45.20.225
Host	10.46.1.220
Host	10.96.77.12
Host	10.98.1.222
Host	172.20.237.22

Table 21: Network object group scr05-01-1685_s
Object Type	Object
Host	22.118.128.110
Host	22.118.128.111
Host	22.118.128.112

Table 22: Service object group scr05-01-1685_p
Object Type	Object
Port	135
Port	1024 - 65535

Table 23: Network object group scr05-01-1581_s
Object Type	Object
Host	10.32.219.30
Host	10.32.219.62

Table 24: Service object group scr05-01-1581_p
Object Type	Object
Port	www
Port	8080

Table 25: Network object group scr2160
Object Type	Object
Host	22.118.128.235
Host	22.118.128.236
Host	22.118.128.4
Host	22.118.128.5
Host	22.118.128.232
Host	22.118.128.225
Host	22.118.128.226

Table 26: Network object group exchange
Object Type	Object
Host	22.118.128.83
Host	22.118.128.84
Host	webmail

Table 27: Network object group escr2129_s
Object Type	Object
Host	172.20.10.54
Host	172.20.4.80

Table 28: Network object group escr2129_d
Object Type	Object
Host	22.118.128.21
Host	22.118.128.22
Host	22.118.128.225
Host	22.118.128.226

Table 29: Network object group escr2689_s
Object Type	Object
Host	cache2-out
Host	cache1-out

Table 30: Network object group escr2689_d
Object Type	Object
Host	22.118.133.80
Host	22.118.133.82
Host	22.118.133.92

Table 31: Network object group escr2812_s
Object Type	Object
Host	Ayma
Host	Ahme
Host	wireless-BB

Table 32: Network object group escr2812_d
Object Type	Object
Host	22.118.133.133
Host	ABCNetP
Host	22.118.133.140
Host	22.118.133.137

Table 33: Service object group escr2812_p
Object Type	Object
Port	www
Port	8080

Table 34: Network object group escr3240_d
Object Type	Object
Host	62.159.103.167
Host	62.159.103.168
Host	62.159.103.169
Host	62.159.103.170

Table 35: Service object group escr3240_p
Object Type	Object
Port	isakmp
Port	4500

Table 36: Network object group escr-3243_s
Object Type	Object
Host	22.118.128.100
Host	22.118.128.68
Host	22.118.128.69

Table 37: Network object group escr-4463_s
Object Type	Object
Host	10.32.15.12
Host	10.32.15.13
Host	10.32.15.15
Host	10.32.15.16
Host	10.32.15.17
Network	dialup / 255.255.252.0

Table 38: Network object group escr-4463_d
Object Type	Object
Host	22.118.128.77
Host	22.118.128.78

Table 39: Network object group escr-4466_s
Object Type	Object
Host	10.32.15.12
Host	10.32.15.13
Host	10.32.15.15
Host	10.32.15.16
Host	10.32.15.17

Table 40: Network object group escr-4466_s1
Object Type	Object
Host	22.118.128.225
Host	22.118.128.226

Table 41: Network object group escr-4466_d
Object Type	Object
Host	symantec3
Host	symantec4

Table 42: Network object group escr-4466_d1
Object Type	Object
Host	10.32.2.100
Host	10.32.2.102
Host	10.32.2.104
Host	10.32.2.108
Host	10.32.2.110

Table 43: Network object group escr4466_s
Object Type	Object
Host	22.118.128.225
Host	22.118.128.226

Table 44: Network object group escr4466_d
Object Type	Object
Host	symantec3
Host	symantec4

Table 45: Network object group escr4979_s
Object Type	Object
Host	22.118.128.159
Host	22.118.128.167
Host	22.118.128.176

Table 46: Network object group escr5723_s
Object Type	Object
Host	10.33.18.160
Host	10.33.18.161
Host	10.33.18.162
Host	10.33.18.163
Host	10.33.18.164
Host	10.33.18.165
Host	10.33.18.166
Host	10.33.18.167
Host	10.33.18.168
Host	10.33.18.169

Table 47: Service object group escr5723_p
Object Type	Object
Port	2000 - 2010
Port	123
Port	ftp
Port	ssh
Port	telnet
Port	3389
Port	domain
Port	www
Port	8080
Port	8081
Port	8082

Table 48: Service object group escr5723_p1
Object Type	Object
Port	2000 - 2010
Port	ntp
Port	3389
Port	domain

Table 49: Network object group escr6337_s
Object Type	Object
Host	22.118.128.110
Host	22.118.128.111
Host	22.118.128.112

Table 50: Network object group escr6970_s
Object Type	Object
Host	22.118.133.80
Host	22.118.133.75
Host	22.118.133.82
Host	22.118.133.92

Table 51: Service object group escr6970_p
Object Type	Object
Port	www
Port	ssh
Port	8082
Port	8181

Table 52: Network object group escr7069_d
Object Type	Object
Host	22.118.128.225
Host	22.118.128.226
Host	22.118.128.227

Table 53: Service object group escr7069_p
Object Type	Object
Port	161
Port	162
Port	2055
Port	2090

Table 54: Service object group escr7069_p1
Object Type	Object
Port	snmp
Port	snmptrap
Port	2055
Port	2090

Table 55: Network object group escr1214_d
Object Type	Object
Host	85.8.254.103
Host	85.8.254.100
Host	13.42.25.152

Table 56: Network object group escr7197_d
Object Type	Object
Host	85.8.254.100
Host	85.8.254.103
Host	22.42.25.152

Table 57: Service object group escr7197_p
Object Type	Object
Port	9006
Port	9008
Port	9009

Table 58: Service object group escr7540_p
Object Type	Object
Port	smtp
Port	pop3
Port	995
Port	www
Port	https

Table 59: Network object group escr7540_d
Object Type	Object
Host	172.20.6.219
Host	172.20.8.130
Host	22.118.128.84
Host	22.118.128.83

Table 60: Network object group escr7540_s
Object Type	Object
Host	22.118.128.110
Host	22.118.128.111
Host	22.118.128.112

Table 61: Network object group escr7765_s
Object Type	Object
Host	22.118.128.110
Host	22.118.128.111
Host	22.118.128.112

Table 62: Network object group escr7765_d
Object Type	Object
Host	10.160.10.221
Host	10.33.245.234
Host	10.96.77.220

Table 63: Service object group escr7765_p
Object Type	Object
Port	55806
Port	3389

Table 64: Network object group escr7880_s
Object Type	Object
Host	22.118.128.83
Host	22.118.128.84
Host	webmail

Table 65: Service object group escr7880_p
Object Type	Object
Port	1052
Port	4478
Port	4480
Port	135
Port	137
Port	138
Port	netbios-ssn
Port	5000
Port	5040
Port	445
Port	ldap
Port	ldaps
Port	3265
Port	3269
Port	88
Port	2264
Port	1059
Port	3600
Port	3712
Port	3775
Port	3777
Port	3864
Port	3876
Port	domain
Port	1512
Port	42
Port	123
Port	4915
Port	3389
Port	67
Port	2204
Port	smtp
Port	379
Port	691
Port	www

Table 66: Network object group escr8063_s
Object Type	Object
Host	10.250.1.142
Host	10.250.1.143
Host	10.250.1.144

Table 67: Network object group escr8063_d
Object Type	Object
Host	22.118.128.95
Host	172.20.237.44

Table 68: Service object group escr8271_p
Object Type	Object
Port	25
Port	8080

Table 69: Network object group escr8241_d
Object Type	Object
Host	22.118.128.159
Host	22.118.128.167
Host	22.118.128.176

Table 70: Network object group escr8384_s
Object Type	Object
Host	22.118.128.110
Host	22.118.128.111
Host	22.118.128.112

Table 71: Service object group escr8764_p
Object Type	Object
Port	ftp
Port	1414 - 1417
Port	23200 - 23201
Port	2002
Port	54549
Port	7500
Port	4315
Port	3415

Table 72: Service object group escr8764_p1
Object Type	Object
Port	21
Port	1414 - 1417
Port	23200 - 23201
Port	2002
Port	54549
Port	7500
Port	4315
Port	3415

Table 73: Network object group escr8740_s
Object Type	Object
Host	22.118.128.188
Network	172.30.96.0 / 255.255.255.0
Network	172.26.65.0 / 255.255.255.0

Table 74: Service object group escr8793_p1
Object Type	Object
Port	www
Port	3102

Table 75: Service object group escr8793_p3
Object Type	Object
Port	www
Port	3102

Table 76: Network object group escr8784_s
Object Type	Object
Host	22.118.128.110
Host	22.118.128.111
Host	22.118.128.112

Table 77: Network object group escr8784_d
Object Type	Object
Host	172.20.239.167
Host	172.20.4.155

Table 78: Network object group escr8855_s
Object Type	Object
Host	172.20.10.11
Host	172.20.10.8
Host	172.20.10.9

Table 79: Network object group escr8942_d
Object Type	Object
Host	22.118.128.110
Host	22.118.128.111
Host	22.118.128.112

Table 80: Service object group escr8931_p1
Object Type	Object
Port	www
Port	3102
Port	https

Table 81: Service object group escr8931_p2
Object Type	Object
Port	www
Port	3102
Port	443

Table 82: Network object group escr9020_d
Object Type	Object
Host	172.20.10.27
Host	172.20.10.8
Host	172.20.10.9

Table 83: Network object group escr9332_s
Object Type	Object
Host	symantec2
Host	22.118.128.76
Host	22.118.128.101
Host	22.118.128.103

Table 84: Network object group escr9313_s
Object Type	Object
Host	22.118.128.110
Host	22.118.128.111
Host	22.118.128.112

Table 85: Network object group escr9313_d
Object Type	Object
Host	10.33.17.86

Table 86: Service object group escr9313_p
Object Type	Object
Port	ldaps

Table 87: Service object group escr9313_p1
Object Type	Object
Port	636

3.9. IP Address Name Mappings

Table 88: IP address name mappings
Name	IP Address
intranet	22.118.128.100
idl	22.118.128.131
internet	22.118.128.130
Ayma	22.118.128.137
Logserver	22.118.128.71
Ahme	22.118.128.138
cache1-out	22.118.128.253
cache2-out	22.118.128.252
cache	22.118.128.70
WAS	22.118.128.144
WAP	22.118.128.161
Dailup_user	22.118.130.0
wireless-BB	22.118.128.172
ADSL	22.118.128.171
webmail	22.118.128.85
dialup	22.118.128.0
pptp	22.118.128.88
HASimc02	22.118.128.135
HASimc01	22.118.128.134
ABCNet	22.118.133.49
inetlog02	22.118.128.72
ebill	22.118.128.90
symantec1	22.118.128.74
symantec3	22.118.128.79
symantec2	22.118.128.75
symantec6	22.118.128.82
symantec5	22.118.128.81
symantec4	22.118.128.80
IntGroupHost	22.118.128.133
ftp-eng.cisco	192.168.30.33
Zen_user	22.118.128.146
Zen_company	22.113.70.130
cisco-tac	22.118.128.147
pptp2	22.118.128.87
edirectory1	22.118.128.94
HASmsg01	22.118.128.132
DNS2	22.118.128.89
DNS1	22.118.128.86
HASimc04	22.118.128.141
ftp.hostnet.cz	21.11.236.13
ftp.sun.co.uk	192.168.99.122
BSC	22.118.128.150
Cisco_FTP	192.168.219.27
ABCNetP	22.118.133.139

4. Appendix

4.1. Abbreviations

ACE	Access Control Entry
ACL	Access Control List
BID	Bugtraq ID
CVE	Common Vulnerabilities and Exposures
DNS	Domain Name System
DoS	Denial of Service
ESP	Encapsulated Security Payload
FTP	File Transfer Protocol
GRE	Generic Routing Encapsulation protocol
HTTP	HyperText Transfer Protocol
HTTPS	HyperText Transfer Protocol over SSL
ICA	Independent Computing Architecture
ICMP	Internet Control Message Protocol
IP	Internet Protocol
ISAKMP	Internet Security Association and Key Management Protocol
LDAP	Lightweight Directory Access Protocol
LDAPS	Lightweight Directory Access Protocol (SSL)
MTU	Maximum Transmission Unit
OSPF	Open Shortest Path First
PIX	Private Internet Exchange
PPTP	Point to Point Tunneling Protocol
RADIUS	Remote Authentication Dial-In User Service
SIP	Session Initiation Protocol
SNMP	Simple Network Management Protocol
SMTP	Simple Mail Transfer Protocol
SQLNet	Structured Query Language Network
SSH	Secure Shell
SSL	Secure Sockets Layer
TCP	Transmission Control Protocol
TFTP	Trivial File Transfer Protocol
UDP	User Datagram Protocol
WWW	World Wide Web

4.2. Common Ports

Table 89: Common ports
Service	Port
FTP-Data	20
FTP	21
SSH	22
Telnet	23
SMTP	25
Nameserver	42
Domain	53
TFTP	69
WWW	80
HTTP	80
SNMP	161
LDAP	389
HTTPS	443
ISAKMP	500
RSH	514
Syslog	514
LDAPS	636
Citrix-ICA	1494
SQLNet	1521
RADIUS	1645
RADIUS-Acct	1646
H323	1720
PPTP	1723

4.3. Logging Severity Levels

Table 90: Logging message severity levels
Level	Level Name	Description
0	Emergencies	System is unstable
1	Alerts	Immediate action is required
2	Critical	Critical conditions
3	Errors	Error conditions
4	Warnings	Warning conditions
5	Notifications	Significant conditions
6	Informational	Informational messages
7	Debugging	Debugging messages

4.4. Time Zones

Table 91: Common time zone acronyms
Region	Acronym	Time Zone	UTC Offset
Australia	CST	Central Standard Time	+9.5 hours
Australia	EST	Eastern Standard/Summer Time	+10 hours
Australia	WST	Western Standard Time	+8 hours
Europe	BST	British Summer Time	+1 hour
Europe	CEST	Central Europe Summer Time	+2 hours
Europe	CET	Central Europe Time	+1 hour
Europe	EEST	Eastern Europe Summer Time	+3 hours
Europe	EST	Eastern Europe Time	+2 hours
Europe	GMT	Greenwich Mean Time
Europe	IST	Irish Summer Time	+1 hour
Europe	MSK	Moscow Time	+3 hours
Europe	WEST	Western Europe Summer Time	+1 hour
Europe	WET	Western Europe Time	+1 hour
USA and Canada	ADT	Atlantic Daylight Time	-3 hours
USA and Canada	AKDT	Alaska Standard Daylight Saving Time	-8 hours
USA and Canada	AKST	Alaska Standard Time	-9 hours
USA and Canada	AST	Atlantic Standard Time	-4 hours
USA and Canada	CDT	Central Daylight Saving Time	-5 hours
USA and Canada	CST	Central Standard Time	-6 hours
USA and Canada	EDT	Eastern Daylight Time	-4 hours
USA and Canada	EST	Eastern Standard Time	-5 hours
USA and Canada	HST	Hawaiian Standard Time	-10 hours
USA and Canada	MDT	Mountain Daylight Time	-6 hours
USA and Canada	MST	Mountain Standard Time	-7 hours
USA and Canada	PDT	Pacific Daylight Time	-7 hours
USA and Canada	PST	Pacific Standard Time	-3 hours

4.5. Nipper Details

This report was generated using Nipper version 0.11.8. Nipper is an Open Source tool designed to assist security professionals and network system administrators securely configure network infrastructure devices. The latest version of Nipper can be found at the following URL:

http://nipper.titania.co.uk.