Solved

Inside access list pix 515

Posted on 2006-06-23
6
423 Views
Last Modified: 2012-05-05
Hi all

Can someone tell me how to create an access list on the inside interface on a pix 515 ?
The pix only has 2 interfaces , inside and outside
I only want to allow the following out from the lan network address of 10.0.0.0 255.255.254.0  but deny everything else


25
110
443
80
8080
msn messenger
21
ipsec/isakmp

 
0
Comment
Question by:netcentraltech
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
6 Comments
 
LVL 2

Expert Comment

by:abarneslouortho
ID: 16972469
0
 
LVL 25

Expert Comment

by:Ron Malmstead
ID: 16972691
>config t

access-list acl_out permit tcp any host {outsideIPaddress} eq 8080
access-list acl_out permit tcp any host {outsideIPaddress} eq 80
access-list acl_out permit tcp any host {outsideIPaddress} eq 443
access-list acl_out permit tcp any host {outsideIPaddress} eq 21
access-list acl_out permit tcp any host {outsideIPaddress} eq 110
access-list acl_out permit tcp any host {outsideIPaddress} eq 25
access-list acl_out permit tcp any host {outsideIPaddress} eq 8080
access-group acl_out in interface outside
sysopt connection permit-ipsec
0
 
LVL 25

Expert Comment

by:Ron Malmstead
ID: 16972694
PS: not sure about msn messenger port
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 2

Expert Comment

by:abarneslouortho
ID: 16972719
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 50 total points
ID: 16975477
Given that you want to restrict outgoing connections, not incomming, the acl gets applied to the inside interface:

access-list OUTBOUND permit tcp 10.0.0.0 255.255.254.0 any eq http
access-list OUTBOUND permit tcp 10.0.0.0 255.255.254.0 any eq 8080
access-list OUTBOUND permit tcp 10.0.0.0 255.255.254.0 any eq https
access-list OUTBOUND permit tcp 10.0.0.0 255.255.254.0 any eq smtp
access-list OUTBOUND permit tcp 10.0.0.0 255.255.254.0 any eq pop3
access-list OUTBOUND permit tcp 10.0.0.0 255.255.254.0 any eq ftp
access-list OUTBOUND permit tcp 10.0.0.0 255.255.254.0 any eq ftp-data
access-list OUTBOUND permit udp 10.0.0.0 255.255.254.0 any eq isakmp
access-list OUTBOUND permit esp 10.0.0.0 255.255.254.0 any  <== IPSEC
access-list OUTBOUND permit udp 10.0.0.0 255.255.254.0 any eq 4500 <== to support nat-t over IPSEC
access-list OUTBOUND permit udp 10.0.0.0 255.255.254.0 any eq 53  <== don't forget DNS!
access-list OUTBOUND remark MSN Msssenger:
access-list OUTBOUND permit udp 10.0.0.0 255.255.254.0 any gt 5004
access-list OUTBOUND permit tcp 10.0.0.0 255.255.254.0 any eq 1863
access-list OUTBOUND permit udp 10.0.0.0 255.255.254.0 any eq 1503
access-list OUTBOUND permit udp 10.0.0.0 255.255.254.0 any range 6891-6900
access-group OUTBOUND in interface inside

I think that get's all of MSN Messenger, but you can watch the logs and see if any particular port is getting blocked and just add it to the list ..


 
0
 

Author Comment

by:netcentraltech
ID: 17035776
Sir
Thank you. Sorry for the delay but I have been away from my work station for the past few days.
0

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Many businesses neglect disaster recovery and treat it as an after-thought. I can tell you first hand that data will be lost, hard drives die, servers will be hacked, and careless (or malicious) employees can ruin your data.
Active Directory security has been a hot topic of late, and for good reason. With 90% of the world’s organization using this system to manage access to all parts of their IT infrastructure, knowing how to protect against threats and keep vulnerabil…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…

726 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question