Solved

Inside access list pix 515

Posted on 2006-06-23
424 Views
Last Modified: 2012-05-05
Hi all

Can someone tell me how to create an access list on the inside interface on a PIX 515?
The PIX only has 2 interfaces, inside and outside.
I only want to allow the following out from the LAN network address of 10.0.0.0 255.255.254.0 but deny everything else:

25
110
443
80
8080
msn messenger
21
ipsec/isakmp

 
0
Comment
Question by:netcentraltech
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
6 Comments
 
Expert Comment by: Ron Malmstead (LVL 25), ID: 16972691

>config t

access-list acl_out permit tcp any host {outsideIPaddress} eq 8080
access-list acl_out permit tcp any host {outsideIPaddress} eq 80
access-list acl_out permit tcp any host {outsideIPaddress} eq 443
access-list acl_out permit tcp any host {outsideIPaddress} eq 21
access-list acl_out permit tcp any host {outsideIPaddress} eq 110
access-list acl_out permit tcp any host {outsideIPaddress} eq 25
access-group acl_out in interface outside
sysopt connection permit-ipsec
Expert Comment by: Ron Malmstead (LVL 25), ID: 16972694

PS: not sure about msn messenger port
Accepted Solution by: lrmoore (LVL 79, earned 50 total points), ID: 16975477

Given that you want to restrict outgoing connections, not incoming, the acl gets applied to the inside interface:

access-list OUTBOUND permit tcp 10.0.0.0 255.255.254.0 any eq http
access-list OUTBOUND permit tcp 10.0.0.0 255.255.254.0 any eq 8080
access-list OUTBOUND permit tcp 10.0.0.0 255.255.254.0 any eq https
access-list OUTBOUND permit tcp 10.0.0.0 255.255.254.0 any eq smtp
access-list OUTBOUND permit tcp 10.0.0.0 255.255.254.0 any eq pop3
access-list OUTBOUND permit tcp 10.0.0.0 255.255.254.0 any eq ftp
access-list OUTBOUND permit tcp 10.0.0.0 255.255.254.0 any eq ftp-data
access-list OUTBOUND permit udp 10.0.0.0 255.255.254.0 any eq isakmp
access-list OUTBOUND permit esp 10.0.0.0 255.255.254.0 any  <== IPSEC
access-list OUTBOUND permit udp 10.0.0.0 255.255.254.0 any eq 4500 <== to support nat-t over IPSEC
access-list OUTBOUND permit udp 10.0.0.0 255.255.254.0 any eq 53  <== don't forget DNS!
access-list OUTBOUND remark MSN Messenger:
access-list OUTBOUND permit udp 10.0.0.0 255.255.254.0 any gt 5004
access-list OUTBOUND permit tcp 10.0.0.0 255.255.254.0 any eq 1863
access-list OUTBOUND permit udp 10.0.0.0 255.255.254.0 any eq 1503
access-list OUTBOUND permit udp 10.0.0.0 255.255.254.0 any range 6891 6900
access-group OUTBOUND in interface inside

I think that gets all of MSN Messenger, but you can watch the logs and see if any particular port is getting blocked and just add it to the list.


Author Comment by: netcentraltech, ID: 17035776

Sir
Thank you. Sorry for the delay but I have been away from my work station for the past few days.