Solved

Port Configurations on Pix 506e

Posted on 2010-08-26
3
327 Views
Last Modified: 2012-06-27
Does anyone have any sample code that would allow me to block all ports except 80 8080 and a few others from internal users while allowing allowing My Exchange server to be the only computer on the inside to use smtp port? Thanks for any help in advance.
0
Comment
Question by:JustAnotherGeek
  • 2
3 Comments
 
LVL 10

Expert Comment

by:qbakies
ID: 33533133
So you want to block 80, 8080, and SMTP traffic leaving your network or coming into your network?
0
 
LVL 10

Accepted Solution

by:
qbakies earned 250 total points
ID: 33533419
From re-reading your question it sounds like you want to block traffic leaving your network so this will do that.  If you want it the other way around or have additional questions please ask.

Assuming your LAN is 192.168.1.0/24 and your Exchange IP is 192.168.1.100:

access-list block_traffic_out permit ip 192.168.1.0 0.0.0.0 any eq 80 <- allows traffic from entire subnet out on port 80
access-list block_traffic_out permit ip 192.168.1.0 0.0.0.0 any eq 8080 <- allows traffic from entire subnet out on port 8080
access-list block_traffic_out permit ip host 192.168.1.100 any eq 25 <- allows traffic from Exchange out on port 25
access-list block_traffic_out deny ip 192.168.1.0 0.0.0.0 any <- denies all other traffic out of your network

Apply this access-list to your inside interface:

access-group block_traffic_out in interface inside

Since ACLs are processed from the top down you will need to add additional entries to the ACL in the order you want them processed.  You should note, however, that this is an extremely rigid ACL that will kill all traffic leaving your network except if specified.
0
 

Author Comment

by:JustAnotherGeek
ID: 33534122
Hey Thanks qbakies.... That is what I am looking for. I want to allow them to access the internet using 80 and 8080 and a couple of other ports. One of the main reasons that I want to block the rest along with 25 is I inherited a Trojan that was spamming was put on several blacklist twice...I want to make sure that on port 25 traffic only leaves the exchange server... Thanks for your help.
0

Featured Post

IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

If you have an ASA5510 then this sort of thing would be better handled with a CSC Module, however on an ASA5505 thats not an option, and if you want to throw in a quick solution to stop your staff going to facebook during work time, then this is the…
This article will cover setting up redundant ISPs for outbound connectivity on an ASA 5510 (although the same should work on the 5520s and up as well).  It’s important to note that this covers outbound connectivity only.  The ASA does not have built…
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

707 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now