Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 436
  • Last Modified:

Inside access list pix 515

Hi all

Can someone tell me how to create an access list on the inside interface on a pix 515 ?
The pix only has 2 interfaces , inside and outside
I only want to allow the following out from the lan network address of 10.0.0.0 255.255.254.0  but deny everything else


25
110
443
80
8080
msn messenger
21
ipsec/isakmp

 
0
netcentraltech
Asked:
netcentraltech
1 Solution
 
abarneslouorthoCommented:
0
 
Ron MalmsteadInformation Services ManagerCommented:
>config t

access-list acl_out permit tcp any host {outsideIPaddress} eq 8080
access-list acl_out permit tcp any host {outsideIPaddress} eq 80
access-list acl_out permit tcp any host {outsideIPaddress} eq 443
access-list acl_out permit tcp any host {outsideIPaddress} eq 21
access-list acl_out permit tcp any host {outsideIPaddress} eq 110
access-list acl_out permit tcp any host {outsideIPaddress} eq 25
access-list acl_out permit tcp any host {outsideIPaddress} eq 8080
access-group acl_out in interface outside
sysopt connection permit-ipsec
0
 
Ron MalmsteadInformation Services ManagerCommented:
PS: not sure about msn messenger port
0
Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

 
abarneslouorthoCommented:
0
 
lrmooreCommented:
Given that you want to restrict outgoing connections, not incomming, the acl gets applied to the inside interface:

access-list OUTBOUND permit tcp 10.0.0.0 255.255.254.0 any eq http
access-list OUTBOUND permit tcp 10.0.0.0 255.255.254.0 any eq 8080
access-list OUTBOUND permit tcp 10.0.0.0 255.255.254.0 any eq https
access-list OUTBOUND permit tcp 10.0.0.0 255.255.254.0 any eq smtp
access-list OUTBOUND permit tcp 10.0.0.0 255.255.254.0 any eq pop3
access-list OUTBOUND permit tcp 10.0.0.0 255.255.254.0 any eq ftp
access-list OUTBOUND permit tcp 10.0.0.0 255.255.254.0 any eq ftp-data
access-list OUTBOUND permit udp 10.0.0.0 255.255.254.0 any eq isakmp
access-list OUTBOUND permit esp 10.0.0.0 255.255.254.0 any  <== IPSEC
access-list OUTBOUND permit udp 10.0.0.0 255.255.254.0 any eq 4500 <== to support nat-t over IPSEC
access-list OUTBOUND permit udp 10.0.0.0 255.255.254.0 any eq 53  <== don't forget DNS!
access-list OUTBOUND remark MSN Msssenger:
access-list OUTBOUND permit udp 10.0.0.0 255.255.254.0 any gt 5004
access-list OUTBOUND permit tcp 10.0.0.0 255.255.254.0 any eq 1863
access-list OUTBOUND permit udp 10.0.0.0 255.255.254.0 any eq 1503
access-list OUTBOUND permit udp 10.0.0.0 255.255.254.0 any range 6891-6900
access-group OUTBOUND in interface inside

I think that get's all of MSN Messenger, but you can watch the logs and see if any particular port is getting blocked and just add it to the list ..


 
0
 
netcentraltechAuthor Commented:
Sir
Thank you. Sorry for the delay but I have been away from my work station for the past few days.
0

Featured Post

Hire Technology Freelancers with Gigs

Work with freelancers specializing in everything from database administration to programming, who have proven themselves as experts in their field. Hire the best, collaborate easily, pay securely, and get projects done right.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now