Solved

Port blocking on PIX 501

Posted on 2007-09-28
Last Modified: 2010-04-09
How would I go about blocking all ports inbound and all ports except 25, 53, and 80 outbound?  Is it true that the default configuration already blocks all inbound traffic?  It seems that I heard that some of the inbound ports are actually in stealth mode by default.  What's the skinny here?
Question by: moodipaper

8 Comments

Expert Comment by avilov (LVL 9), ID: 19979378
access-list outbound permit tcp any any eq 25
access-list outbound permit tcp any any eq 53
access-list outbound permit tcp any any eq 80
access-list outbound deny ip any any
access-group outbound in interface out

Please check the syntax; I just typed it.

Expert Comment by theeter (LVL 3), ID: 19980873
One little thing I noticed: you probably want UDP 53, not TCP 53.

You could also apply this on the inside interface, instead of on the outside interface.

access-list outbound permit tcp any any eq 25
access-list outbound permit udp any any eq 53
access-list outbound permit tcp any any eq 80
access-list outbound deny ip any any
access-group outbound in interface inside

Author Comment by moodipaper, ID: 19980887
What about inbound traffic?

Accepted Solution by theeter (LVL 3), earned 1600 total points, ID: 19981036
Oh yeah, sorry. Yes, all inbound traffic is denied unless it is specifically allowed by an ACL.

To be even more specific, all traffic is denied by default from lower security interface to a higher security interface, or from outside to inside.

Author Comment by moodipaper, ID: 19981063
Does this affect my site-to-site VPN?  Should I allow ports for that, or does it depend on what I want to move across the VPN?

Assisted Solution by avilov (LVL 9), earned 400 total points, ID: 19981090
theeter is correct about UDP. If you are doing any zone transfers and such, you need to open both the TCP and UDP ports.

access-list outbound permit tcp any any eq 25
access-list outbound permit udp any any eq 53
access-list outbound permit tcp any any eq 53
access-list outbound permit tcp any any eq 80
access-list outbound deny ip any any
access-group outbound in interface inside

Expert Comment by theeter (LVL 3), ID: 19981256
That initial VPN communication is not traversing the PIX; it is terminating on the outside interface. This is allowed.

For the traffic which goes across the tunnel through the PIX, the command

sysopt connection permit-ipsec

takes care of that for you, and allows all IPsec traffic to bypass ACLs.

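The following is an added example for this thread, not code from any of the posters and not Cisco software. It is a small Python model of the three rules the answers above rely on: a bound access-list is evaluated first-match with an implicit deny at the end, traffic with no ACL bound is allowed only from a higher security level to a lower one (so inbound is denied by default), and "sysopt connection permit-ipsec" lets traffic arriving through a terminated IPsec tunnel bypass the interface ACLs. It assumes the stock PIX 501 layout (inside at security level 100, outside at 0) and ignores NAT/xlate and the connection table, which a real PIX also consults. The two config constants are the ACLs from theeter's and avilov's posts; the flows are constructed sample traffic on RFC 1918 / RFC 5737 addresses.

```python
"""Added example for this thread, not code from the original posts and not Cisco
software: a small model of how a PIX 6.x evaluates the ACLs posted above.  It
assumes the stock two-interface PIX 501 layout ('inside' at security level 100,
'outside' at 0) and ignores NAT/xlate and the connection table, which a real
PIX also consults before the ACL decision."""
from collections import namedtuple
from ipaddress import ip_address, ip_network

SECURITY_LEVEL = {"inside": 100, "outside": 0}          # assumed PIX 501 defaults

# ingress/egress are interface names; via_ipsec marks traffic that arrived
# inside an IPsec tunnel terminating on the PIX (the site-to-site VPN case).
Flow = namedtuple("Flow", "ingress egress proto src dst dport via_ipsec",
                  defaults=(None, False))
Ace = namedtuple("Ace", "action proto src dst dport")    # one access-list line

def _parse_addr(tokens):
    """Consume one PIX address spec: 'any', 'host A.B.C.D' or 'A.B.C.D MASK'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ip_network("0.0.0.0/0")
    if tok == "host":
        return ip_network(tokens.pop(0) + "/32")
    return ip_network(f"{tok}/{tokens.pop(0)}")           # dotted mask is accepted

def parse_config(text):
    """Return (acls, bindings, permit_ipsec) from a PIX-style config snippet."""
    acls, bindings, permit_ipsec = {}, {}, False
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if tokens[0] == "access-list":
            name, action, proto, rest = tokens[1], tokens[2], tokens[3], tokens[4:]
            src, dst = _parse_addr(rest), _parse_addr(rest)
            dport = int(rest[1]) if rest[:1] == ["eq"] else None
            acls.setdefault(name, []).append(Ace(action, proto, src, dst, dport))
        elif tokens[0] == "access-group":
            # access-group NAME in interface IFNAME; PIX 6.x has only 'in'
            if tokens[2] != "in":
                raise ValueError("PIX 6.x access-group supports only 'in'")
            bindings[tokens[4]] = tokens[1]
        elif tokens == ["sysopt", "connection", "permit-ipsec"]:
            permit_ipsec = True
    return acls, bindings, permit_ipsec

def evaluate(flow, acls, bindings, permit_ipsec=False):
    """Return ('permit'|'deny', reason) for the first packet of a flow."""
    if flow.via_ipsec and permit_ipsec:
        return "permit", "sysopt connection permit-ipsec bypasses interface ACLs"
    acl_name = bindings.get(flow.ingress)
    if acl_name is not None:
        # Bound ACL: first match wins; no match at all is the implicit deny.
        for i, ace in enumerate(acls[acl_name], start=1):
            if ace.proto not in ("ip", flow.proto):
                continue
            if ip_address(flow.src) not in ace.src or ip_address(flow.dst) not in ace.dst:
                continue
            if ace.dport is not None and ace.dport != flow.dport:
                continue
            return ace.action, f"{acl_name} line {i}"
        return "deny", f"{acl_name}: no match (implicit deny)"
    # No ACL bound: traffic flows only from a higher security level to a lower one.
    if SECURITY_LEVEL[flow.ingress] > SECURITY_LEVEL[flow.egress]:
        return "permit", "higher to lower security, no ACL bound"
    return "deny", "lower to higher security, no ACL bound"

# The ACL from the second post (UDP 53 only) and the one from the assisted
# solution (TCP and UDP 53), both with the VPN sysopt from the last expert post.
UDP_ONLY_DNS = """
access-list outbound permit tcp any any eq 25
access-list outbound permit udp any any eq 53
access-list outbound permit tcp any any eq 80
access-list outbound deny ip any any
access-group outbound in interface inside
sysopt connection permit-ipsec
"""
TCP_AND_UDP_DNS = UDP_ONLY_DNS.replace(
    "permit udp any any eq 53",
    "permit udp any any eq 53\naccess-list outbound permit tcp any any eq 53")

# Constructed sample flows (RFC 1918 / RFC 5737 addresses, not real hosts).
FLOWS = {
    "web out":      Flow("inside", "outside", "tcp", "192.168.1.10", "203.0.113.5", 80),
    "https out":    Flow("inside", "outside", "tcp", "192.168.1.10", "203.0.113.5", 443),
    "dns udp out":  Flow("inside", "outside", "udp", "192.168.1.10", "203.0.113.53", 53),
    "dns tcp out":  Flow("inside", "outside", "tcp", "192.168.1.10", "203.0.113.53", 53),
    "smtp in":      Flow("outside", "inside", "tcp", "198.51.100.7", "192.168.1.25", 25),
    "rdp over vpn": Flow("outside", "inside", "tcp", "10.0.0.4", "192.168.1.30", 3389, True),
}

def verdicts(config_text, flows=FLOWS):
    """Map each flow label to 'permit' or 'deny' under the given config."""
    acls, bindings, permit_ipsec = parse_config(config_text)
    return {label: evaluate(f, acls, bindings, permit_ipsec)[0] for label, f in flows.items()}
```

Running verdicts() over both configs shows the thread's points concretely: under the UDP-only ACL, "dns tcp out" hits the deny line while "dns udp out" and "web out" are permitted; adding the TCP 53 line flips "dns tcp out" to permit; "smtp in" is dropped with no inbound ACL at all, purely by security level; and "rdp over vpn" is permitted only because of the sysopt, since without it the same packet would be judged as outside-to-inside and denied. Two caveats worth keeping in mind when applying this on a real box: once the ACL is bound to inside, everything not listed (NTP, ICMP, HTTPS, and any other port) is dropped by the implicit deny, so keep the explicit "deny ip any any" line and watch its hit count with show access-list while you tune the list; and "permit tcp any any eq 25" lets every internal host talk SMTP to the Internet, so a tighter list would restrict the source to the mail server's address with a "host" entry.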

Author Comment by moodipaper, ID: 19981496
Thanks for the crash course!  This little box is less and less of a mystery to me thanks to people like you.