Velocity Reviews - Computer Hardware Reviews


Newbie PIX question

shauncarter1 (Guest), 07-13-2003
I have a question about the following configuration. I am a newbie so
forgive my ignorance. I have the following below that should let
users start WWW connections, with the exception of 172.16.68.20. My
question is in the 2nd line why is it permit ip instead of tcp. I am
assuming that without that permit ip every other destination would
also be denied outbound access.

(config)# access-list acl_in deny tcp any host 172.16.68.20 eq www
(config)# access-list acl_in permit ip any any
(config)# access-group acl_in in interface inside

Thanks for any help
 
Jyri Korhonen (Guest), 07-13-2003
"shauncarter1" <(E-Mail Removed)> writes:

> I have a question about the following configuration. I am a newbie so
> forgive my ignorance. I have the following below that should let
> users start WWW connections, with the exception of 172.16.68.20. My
> question is in the 2nd line why is it permit ip instead of tcp. I am
> assuming that without that permit ip every other destination would
> also be denied outbound access.
>
> (config)# access-list acl_in deny tcp any host 172.16.68.20 eq www
> (config)# access-list acl_in permit ip any any
> (config)# access-group acl_in in interface inside


I'm afraid that the first line is in the wrong order. The Pix interprets
that access-list command like

deny tcp from any ip to ip address 172.16.68.20 if port is 80

So you should turn it the other way around

access-list acl_in deny tcp host 172.16.68.20 any eq www

"ip" means all IP protocols (tcp, udp, icmp, whatever). If you
want to grant only www access, then the second line should be

access-list acl_in permit tcp any any eq www

Please note that you should use "any" in the access-list commands
as little as you can. It is a possible security risk.

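To make the three points in the reply concrete (an entry names the source before the destination, "ip" covers every IP protocol where "tcp" does not, and entries are tried top-down with an implicit deny after the last one), here is a small Python model of PIX access-list matching. It is an added example, not code from the thread or from Cisco; the packets, the 198.51.100.0/24 destinations and the short port-name table are constructed for illustration. It evaluates the list as posted, the reply's reordered deny, and the tcp-only permit side by side.

```python
"""Toy model of PIX access-list evaluation (added example; not code from the thread).

Entry shape:  access-list <name> <permit|deny> <proto> <source> <destination> [eq <port>]
Entries are tried top-down, the first match decides, and a packet matching nothing
hits the implicit deny at the end.  Protocol 'ip' matches tcp, udp and icmp alike.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

PORT_NAMES = {"www": 80, "http": 80, "https": 443, "domain": 53, "ssh": 22}  # enough for the thread
ANY_NET = ipaddress.ip_network("0.0.0.0/0")

@dataclass(frozen=True)
class Packet:
    proto: str                   # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None  # None for protocols without ports

@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" covers every IP protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]         # None means any destination port

def _parse_addr(tokens: List[str], i: int):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D MASK' at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ANY_NET, i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2

def parse_ace(line: str):
    """Parse one access-list line into (acl name, Ace); a leading '(config)#' prompt is ignored."""
    tokens = line.replace("(config)#", "").split()
    if tokens[:1] != ["access-list"] or tokens[2] not in ("permit", "deny"):
        raise ValueError(f"not a permit/deny access-list line: {line!r}")
    src, i = _parse_addr(tokens, 4)   # source comes first ...
    dst, i = _parse_addr(tokens, i)   # ... destination second
    dport = None
    if i < len(tokens) and tokens[i] == "eq":
        port = tokens[i + 1]
        dport = PORT_NAMES[port] if port in PORT_NAMES else int(port)
    return tokens[1], Ace(tokens[2], tokens[3], src, dst, dport)

def parse_acl(config_lines: List[str]) -> List[Ace]:
    """Entries in the order they were entered; the PIX evaluates them top-down."""
    return [parse_ace(line)[1] for line in config_lines]

def matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in ace.src or ipaddress.ip_address(pkt.dst) not in ace.dst:
        return False
    return ace.dport is None or ace.dport == pkt.dport

def evaluate(aces: List[Ace], pkt: Packet) -> str:
    """Top-down, first match wins; no match is the implicit deny."""
    for ace in aces:
        if matches(ace, pkt):
            return ace.action
    return "deny"

# The three lists discussed in the thread.
AS_POSTED = parse_acl([
    "(config)# access-list acl_in deny tcp any host 172.16.68.20 eq www",
    "(config)# access-list acl_in permit ip any any",
])
SOURCE_FIXED = parse_acl([
    "access-list acl_in deny tcp host 172.16.68.20 any eq www",
    "access-list acl_in permit ip any any",
])
WWW_ONLY = parse_acl([
    "access-list acl_in deny tcp host 172.16.68.20 any eq www",
    "access-list acl_in permit tcp any any eq www",
])

# Constructed traffic arriving on the inside interface (198.51.100.0/24 is documentation space).
BLOCKED_HOST_WWW = Packet("tcp", "172.16.68.20", "198.51.100.10", 80)
OTHER_HOST_WWW = Packet("tcp", "172.16.68.30", "198.51.100.10", 80)
OTHER_HOST_DNS = Packet("udp", "172.16.68.30", "198.51.100.53", 53)

def verdicts(aces: List[Ace]) -> Dict[str, str]:
    return {name: evaluate(aces, pkt) for name, pkt in
            (("blocked_host_www", BLOCKED_HOST_WWW), ("other_host_www", OTHER_HOST_WWW),
             ("other_host_dns", OTHER_HOST_DNS))}

if __name__ == "__main__":
    for label, aces in (("as posted", AS_POSTED), ("source fixed", SOURCE_FIXED), ("www only", WWW_ONLY)):
        print(f"{label:13s} {verdicts(aces)}")
```

Run as a script it prints one verdict line per list. With the entry as posted, 172.16.68.20 is the destination, so its own web traffic never matches the deny and falls through to "permit ip any any"; with the reply's reordering it is denied while everyone else is permitted. Swapping "permit ip any any" for "permit tcp any any eq www" blocks the host's web traffic as intended but also drops the other host's DNS lookup through the implicit deny, which is the practical cost of tightening "any" as the reply suggests: every other protocol the inside users need then wants its own explicit permit. The model ignores connection state, NAT and the other PIX rules a real packet is subject to.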