Solved

Inside access list pix 515

Posted on 2006-06-23
6
419 Views
Last Modified: 2012-05-05
Hi all

Can someone tell me how to create an access list on the inside interface on a pix 515 ?
The pix only has 2 interfaces , inside and outside
I only want to allow the following out from the lan network address of 10.0.0.0 255.255.254.0  but deny everything else


25
110
443
80
8080
msn messenger
21
ipsec/isakmp

 
0
Comment
Question by:netcentraltech
6 Comments
 
LVL 2

Expert Comment

by:abarneslouortho
ID: 16972469
0
 
LVL 25

Expert Comment

by:Ron Malmstead
ID: 16972691
>config t

access-list acl_out permit tcp any host {outsideIPaddress} eq 8080
access-list acl_out permit tcp any host {outsideIPaddress} eq 80
access-list acl_out permit tcp any host {outsideIPaddress} eq 443
access-list acl_out permit tcp any host {outsideIPaddress} eq 21
access-list acl_out permit tcp any host {outsideIPaddress} eq 110
access-list acl_out permit tcp any host {outsideIPaddress} eq 25
access-list acl_out permit tcp any host {outsideIPaddress} eq 8080
access-group acl_out in interface outside
sysopt connection permit-ipsec
0
 
LVL 25

Expert Comment

by:Ron Malmstead
ID: 16972694
PS: not sure about msn messenger port
0
Enterprise Mobility and BYOD For Dummies

Like “For Dummies” books, you can read this in whatever order you choose and learn about mobility and BYOD; and how to put a competitive mobile infrastructure in place. Developed for SMBs and large enterprises alike, you will find helpful use cases, planning, and implementation.

 
LVL 2

Expert Comment

by:abarneslouortho
ID: 16972719
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 50 total points
ID: 16975477
Given that you want to restrict outgoing connections, not incomming, the acl gets applied to the inside interface:

access-list OUTBOUND permit tcp 10.0.0.0 255.255.254.0 any eq http
access-list OUTBOUND permit tcp 10.0.0.0 255.255.254.0 any eq 8080
access-list OUTBOUND permit tcp 10.0.0.0 255.255.254.0 any eq https
access-list OUTBOUND permit tcp 10.0.0.0 255.255.254.0 any eq smtp
access-list OUTBOUND permit tcp 10.0.0.0 255.255.254.0 any eq pop3
access-list OUTBOUND permit tcp 10.0.0.0 255.255.254.0 any eq ftp
access-list OUTBOUND permit tcp 10.0.0.0 255.255.254.0 any eq ftp-data
access-list OUTBOUND permit udp 10.0.0.0 255.255.254.0 any eq isakmp
access-list OUTBOUND permit esp 10.0.0.0 255.255.254.0 any  <== IPSEC
access-list OUTBOUND permit udp 10.0.0.0 255.255.254.0 any eq 4500 <== to support nat-t over IPSEC
access-list OUTBOUND permit udp 10.0.0.0 255.255.254.0 any eq 53  <== don't forget DNS!
access-list OUTBOUND remark MSN Msssenger:
access-list OUTBOUND permit udp 10.0.0.0 255.255.254.0 any gt 5004
access-list OUTBOUND permit tcp 10.0.0.0 255.255.254.0 any eq 1863
access-list OUTBOUND permit udp 10.0.0.0 255.255.254.0 any eq 1503
access-list OUTBOUND permit udp 10.0.0.0 255.255.254.0 any range 6891-6900
access-group OUTBOUND in interface inside

I think that get's all of MSN Messenger, but you can watch the logs and see if any particular port is getting blocked and just add it to the list ..


 
0
 

Author Comment

by:netcentraltech
ID: 17035776
Sir
Thank you. Sorry for the delay but I have been away from my work station for the past few days.
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Ensuring effective and secure communication in the age of healthcare BYOD.
For months I had no idea how to 'discover' the IP address of the other end of a link (without asking someone who knows), and it drove me batty. Think about it. You can't use Cisco Discovery Protocol (CDP) because it's not implemented on the ASAs.…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…

813 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now