Solved

Inside access list pix 515

Posted on 2006-06-23
412 Views
Last Modified: 2012-05-05
Hi all

Can someone tell me how to create an access list on the inside interface on a PIX 515?
The PIX only has 2 interfaces, inside and outside.
I only want to allow the following out from the LAN network address of 10.0.0.0 255.255.254.0 but deny everything else:


25
110
443
80
8080
msn messenger
21
ipsec/isakmp

Question by:netcentraltech
6 Comments
LVL 2 Expert Comment by: abarneslouortho
0
LVL 25 Expert Comment by: Ron M
>config t

access-list acl_out permit tcp any host {outsideIPaddress} eq 8080
access-list acl_out permit tcp any host {outsideIPaddress} eq 80
access-list acl_out permit tcp any host {outsideIPaddress} eq 443
access-list acl_out permit tcp any host {outsideIPaddress} eq 21
access-list acl_out permit tcp any host {outsideIPaddress} eq 110
access-list acl_out permit tcp any host {outsideIPaddress} eq 25
access-list acl_out permit tcp any host {outsideIPaddress} eq 8080
access-group acl_out in interface outside
sysopt connection permit-ipsec
0
LVL 25 Expert Comment by: Ron M
PS: not sure about msn messenger port
0
LVL 2 Expert Comment by: abarneslouortho
0
LVL 79 Accepted Solution by: lrmoore (earned 50 total points)
Given that you want to restrict outgoing connections, not incoming, the ACL gets applied to the inside interface:

access-list OUTBOUND permit tcp 10.0.0.0 255.255.254.0 any eq http
access-list OUTBOUND permit tcp 10.0.0.0 255.255.254.0 any eq 8080
access-list OUTBOUND permit tcp 10.0.0.0 255.255.254.0 any eq https
access-list OUTBOUND permit tcp 10.0.0.0 255.255.254.0 any eq smtp
access-list OUTBOUND permit tcp 10.0.0.0 255.255.254.0 any eq pop3
access-list OUTBOUND permit tcp 10.0.0.0 255.255.254.0 any eq ftp
access-list OUTBOUND permit tcp 10.0.0.0 255.255.254.0 any eq ftp-data
access-list OUTBOUND permit udp 10.0.0.0 255.255.254.0 any eq isakmp
access-list OUTBOUND permit esp 10.0.0.0 255.255.254.0 any  <== IPSEC
access-list OUTBOUND permit udp 10.0.0.0 255.255.254.0 any eq 4500 <== to support nat-t over IPSEC
access-list OUTBOUND permit udp 10.0.0.0 255.255.254.0 any eq 53  <== don't forget DNS!
access-list OUTBOUND remark MSN Messenger:
access-list OUTBOUND permit udp 10.0.0.0 255.255.254.0 any gt 5004
access-list OUTBOUND permit tcp 10.0.0.0 255.255.254.0 any eq 1863
access-list OUTBOUND permit udp 10.0.0.0 255.255.254.0 any eq 1503
access-list OUTBOUND permit udp 10.0.0.0 255.255.254.0 any range 6891 6900
access-group OUTBOUND in interface inside

I think that gets all of MSN Messenger, but you can watch the logs and see if any particular port is getting blocked and just add it to the list.
0
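As an added illustration (not part of the original thread), the following Python script parses the OUTBOUND list from the accepted answer into ordered entries and evaluates sample flows against it with the PIX's first-match, implicit-deny semantics, showing for instance that a source outside 10.0.0.0/23 is dropped, that the udp 53 line does not cover DNS over TCP, and that "gt 5004" already admits every high UDP port (so the 6891-6900 range line never matches anything new). The port-name table, the sample flows and the parser itself are assumptions of the example, and the list is copied with the range written in the PIX's two-token form.

```python
import ipaddress
# Service names the PIX accepts after 'eq', as used in the OUTBOUND list above (assumed table).
PORT_NAMES = {"http": 80, "https": 443, "smtp": 25, "pop3": 110, "ftp": 21, "ftp-data": 20, "isakmp": 500, "domain": 53}
# Constructed copy of the accepted answer's OUTBOUND list ('<==' notes removed, range in two-token form).
OUTBOUND_ACL = """
access-list OUTBOUND permit tcp 10.0.0.0 255.255.254.0 any eq http
access-list OUTBOUND permit tcp 10.0.0.0 255.255.254.0 any eq 8080
access-list OUTBOUND permit tcp 10.0.0.0 255.255.254.0 any eq https
access-list OUTBOUND permit tcp 10.0.0.0 255.255.254.0 any eq smtp
access-list OUTBOUND permit tcp 10.0.0.0 255.255.254.0 any eq pop3
access-list OUTBOUND permit tcp 10.0.0.0 255.255.254.0 any eq ftp
access-list OUTBOUND permit tcp 10.0.0.0 255.255.254.0 any eq ftp-data
access-list OUTBOUND permit udp 10.0.0.0 255.255.254.0 any eq isakmp
access-list OUTBOUND permit esp 10.0.0.0 255.255.254.0 any
access-list OUTBOUND permit udp 10.0.0.0 255.255.254.0 any eq 4500
access-list OUTBOUND permit udp 10.0.0.0 255.255.254.0 any eq 53
access-list OUTBOUND remark MSN Messenger:
access-list OUTBOUND permit udp 10.0.0.0 255.255.254.0 any gt 5004
access-list OUTBOUND permit tcp 10.0.0.0 255.255.254.0 any eq 1863
access-list OUTBOUND permit udp 10.0.0.0 255.255.254.0 any eq 1503
access-list OUTBOUND permit udp 10.0.0.0 255.255.254.0 any range 6891 6900
"""
def _addr(t, i):  # 'any' or 'ADDR MASK' at t[i] -> (network, index of the next token)
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2
def _ports(t, i):  # optional 'eq P' | 'gt P' | 'range P1 P2' after the destination -> inclusive (lo, hi)
    p = lambda k: PORT_NAMES.get(t[k]) or int(t[k])
    if i >= len(t):
        return 0, 65535                  # no operator: any port (the esp line)
    if t[i] == "eq":
        return p(i + 1), p(i + 1)
    if t[i] == "gt":
        return p(i + 1) + 1, 65535       # 'gt 5004' opens 5005-65535 to any host
    return p(i + 1), p(i + 2)            # 'range P1 P2'
def parse_acl(text):  # entries in order as (action, proto, src, dst, (lo, hi)); remark lines skipped
    aces = []
    for t in (ln.split() for ln in text.strip().splitlines()):
        if t[2] != "remark":             # tokens: access-list NAME ACTION PROTO SRC [MASK] DST [MASK] [op]
            src, i = _addr(t, 4)
            dst, i = _addr(t, i)
            aces.append((t[2], t[3], src, dst, _ports(t, i)))
    return aces
def evaluate(aces, proto, src_ip, dst_ip, dst_port=None):  # first match wins; no match = implicit deny
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, p, src, dst, (lo, hi) in aces:
        if p in ("ip", proto) and s in src and d in dst and (dst_port is None or lo <= dst_port <= hi):
            return action
    return "deny (implicit)"
ACES = parse_acl(OUTBOUND_ACL)
```

The sample flows in the checks use documentation addresses (198.51.100.0/24, 203.0.113.0/24) as constructed destinations; the parser covers only the operators this list uses.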
Author Comment by: netcentraltech
Sir
Thank you. Sorry for the delay but I have been away from my work station for the past few days.
0