501 PIX "deny any any" "allow any any" Any Anybody?

Discussion in 'Cisco' started by Networking Student, Nov 16, 2006.

  1. Hello,

    I just started HyperTerminal and came to a blinking cursor.

    I pressed enter on my keyboard and came to a command prompt -
    pixfirewall>

    From this point, step by step if possible, how might I configure the
    PIX to deny outbound traffic from using a particular port, 27374 for
    example?

    How might I also configure the PIX to allow traffic to exit a certain
    port, 80 for example?

    1. Type "enable" (without the quotes).
    2. Enter password.
    3. Type "configure terminal " (maybe? I don't know)
    4........ (Now I REALLY don't know)

    The above steps 1,2,3,4 are the format I would most appreciate if
    anyone knows what I mean.

    How anyone could NOT know what I mean is beyond me, lol, but some
    people seem to enjoy deliberately confusing me. For example I ask how
    to protect outgoing traffic in a case where one inadvertently picks up
    a keylogger and a response is "Don't install keyloggers...."

    Anyway, a busy friend of mine took a few minutes to suggest that I
    figure out the deny any any and allow any any commands. I don't know if
    this is the way or if there is a better way and either way I was not
    able to figure out the "any any" command yet.

    I prefer to use the command line from HyperTerminal if possible but

    If anybody out there could possibly help me by spelling out, step by
    step from the initial pixfirewall> prompt, how I can configure to deny
    traffic exiting port 27374 (a common Trojan port) and also allow
    traffic to exit port 80 I would GREATLY appreciate the time it takes
    you.

    Thanks

    PS: To those that have helped me so far, Walter, BK, Bolger, DrSpock..
    What was over my head is now becoming clearer and I truly appreciate
    your help. Thank you so much.
    Networking Student, Nov 16, 2006
    #1

  2. Networking Student

    vreyesii Guest

    Well the first thing is that you must get into enable mode and enter
    the password. Next you must get into configuration terminal mode by
    entering either config t or config terminal. To answer your question,
    to deny outbound traffic from using a particular port you can do the
    following.

    access-list deny_outbound deny tcp any any eq 27374

    The access list above will deny any host from behind the firewall from
    using port 27374 to send data to any destination. The "deny_outbound"
    that you see above is just the name of the access-list. Also, after you
    enter this access-list in the PIX, you must enter "clear xlate" and
    reload the access-group by entering the access-group line below. Then
    save your changes by entering (write mem or write memory).

    "access-group deny_outbound in interface inside" However, in this case
    the access-group is called deny_outbound.

    >> also allow traffic to exit port 80 I would GREATLY appreciate the time it takes
    >> you.

    From your post you say that you want to allow traffic to exit port 80.

    However, by default the PIX allows all traffic which is outbound but
    denies all traffic which is inbound.

    Victor


    On Nov 16, 3:40 pm, "Networking Student" <> wrote:
    > Hello,
    >
    > I just started HyperTerminal and came to a blinking cursor.
    >
    > I pressed enter on my keyboard and came to a command prompt -
    > pixfirewall>
    >
    > From this point, step by step if possible, how might I configure the
    > PIX to deny outbound traffic from using a particular port, 27374 for
    > example?
    >
    > How might I also configure the PIX to allow traffic to exit a certain
    > port, 80 for example?
    >
    > 1. Type "enable" (without the quotes).
    > 2. Enter password.
    > 3. Type "configure terminal " (maybe? I don't know)
    > 4........ (Now I REALLY don't know)
    >
    > The above steps 1,2,3,4 are the format I would most appreciate if
    > anyone knows what I mean.
    >
    > How anyone could NOT know what I mean is beyond me, lol, but some
    > people seem to enjoy deliberately confusing me. For example I ask how
    > to protect outgoing traffic in a case where one inadvertently picks up
    > a keylogger and a response is "Don't install keyloggers...."
    >
    > Anyway, a busy friend of mine took a few minutes to suggest that I
    > figure out the deny any any and allow any any commands. I don't know if
    > this is the way or if there is a better way and either way I was not
    > able to figure out the "any any" command yet.
    >
    > I prefer to use the command line from HyperTerminal if possible but
    >
    > If anybody out there could possibly help me by spelling out, step by
    > step from the initial pixfirewall> prompt, how I can configure to deny
    > traffic exiting port 27374 (a common Trojan port) and also allow
    > traffic to exit port 80 I would GREATLY appreciate the time it takes
    > you.
    >
    > Thanks
    >
    > PS: To those that have helped me so far, Walter, BK, Bolger, DrSpock..
    > What was over my head is now becoming clearer and I truly appreciate
    > your help. Thank you so much.
    vreyesii, Nov 16, 2006
    #2

  4. Networking Student

    chris Guest

    "vreyesii" <> wrote in message
    news:...
    > Well the first thing is that you must get into enable mode and enter
    > the password. Next you must get into configuration terminal mode. By
    > entering either (config t or config terminal). To answer your question
    > to deny outbound traffic from using a particular port you can do the
    > following.
    >
    > access-list deny_outbound deny tcp any any eq 27374
    >
    > The access list above will deny any host from behind the firewall from
    > using port 27374 to send data to any destination. The "deny_outbound"
    > that you see above is just the name of the access-list. Also, after you
    > enter this access-list in the PIX. You must enter "clear xlate" and
    > reload the access-group by entering. Then save your changes by entering
    > (write mem or write memory)
    >
    > "access-group deny_outbound in interface inside" However, in this case
    > the access-group is called deny_outbound.
    >
    >>> also allow traffic to exit port 80 I would GREATLY appreciate the time it
    >>> takes you.
    >
    > From your post you say that you want to allow traffic to exit port 80.

    > However, by default the PIX allows all traffic which is outbound but
    > denies all traffic which is inbound.


    Until you apply an access list to the inside interface. As you've told him
    to have an acl on the inside interface (access-group deny_outbound in
    interface inside) but that acl has only one line (access-list deny_outbound
    deny tcp any any eq 27374) you have now blocked ALL traffic as the default
    at the end of any acl is 'deny any any'.

    Chris.





    >
    > Victor
    >
    >
    > On Nov 16, 3:40 pm, "Networking Student" <> wrote:
    >> Hello,
    >>
    >> I just started HyperTerminal and came to a blinking cursor.
    >>
    >> I pressed enter on my keyboard and came to a command prompt -
    >> pixfirewall>
    >>
    >> From this point, step by step if possible, how might I configure the
    >> PIX to deny outbound traffic from using a particular port, 27374 for
    >> example?
    >>
    >> How might I also configure the PIX to allow traffic to exit a certain
    >> port, 80 for example?
    >>
    >> 1. Type "enable" (without the quotes).
    >> 2. Enter password.
    >> 3. Type "configure terminal " (maybe? I don't know)
    >> 4........ (Now I REALLY don't know)
    >>
    >> The above steps 1,2,3,4 are the format I would most appreciate if
    >> anyone knows what I mean.
    >>
    >> How anyone could NOT know what I mean is beyond me, lol, but some
    >> people seem to enjoy deliberately confusing me. For example I ask how
    >> to protect outgoing traffic in a case where one inadvertently picks up
    >> a keylogger and a response is "Don't install keyloggers...."
    >>
    >> Anyway, a busy friend of mine took a few minutes to suggest that I
    >> figure out the deny any any and allow any any commands. I don't know if
    >> this is the way or if there is a better way and either way I was not
    >> able to figure out the "any any" command yet.
    >>
    >> I prefer to use the command line from HyperTerminal if possible but
    >>
    >> If anybody out there could possibly help me by spelling out, step by
    >> step from the initial pixfirewall> prompt, how I can configure to deny
    >> traffic exiting port 27374 (a common Trojan port) and also allow
    >> traffic to exit port 80 I would GREATLY appreciate the time it takes
    >> you.
    >>
    >> Thanks
    >>
    >> PS: To those that have helped me so far, Walter, BK, Bolger, DrSpock..
    >> What was over my head is now becoming clearer and I truly appreciate
    >> your help. Thank you so much.

    >
    chris, Nov 16, 2006
    #4
  5. Networking Student

    vreyesii Guest

    Oh yes, thank you for reminding me. As Chris pointed out there is an
    implicit "deny all" at the end of any access list; you have to
    add "access-list deny_outbound permit ip any any" to allow everything
    else. You have to make sure that you add it below the deny statement
    because if not the deny statement will not have an effect.

    Victor

    On Nov 16, 4:46 pm, "chris" <> wrote:
    > "vreyesii" <> wrote in message
    > news:...
    >
    >
    >
    > > Well the first thing is that you must get into enable mode and enter
    > > the password. Next you must get into configuration terminal mode. By
    > > entering either (config t or config terminal). To answer your question
    > > to deny outbound traffic from using a particular port you can do the
    > > following.

    >
    > > access-list deny_outbound deny tcp any any eq 27374

    >
    > > The access list above will deny any host from behind the firewall from
    > > using port 27374 to send data to any destination. The "deny_outbound"
    > > that you see above is just the name of the access-list. Also, after you
    > > enter this access-list in the PIX. You must enter "clear xlate" and
    > > reload the access-group by entering. Then save your changes by entering
    > > (write mem or write memory)

    >
    > > "access-group deny_outbound in interface inside" However, in this case
    > > the access-group is called deny_outbound.

    >
    > >>> also allow traffic to exit port 80 I would GREATLY appreciate the time it
    > >>> takes you.
    > >
    > > From your post you say that you want to allow traffic to exit port 80.
    > >
    > > However, by default the PIX allows all traffic which is outbound but
    > > denies all traffic which is inbound.
    >
    > Until you apply an access list to the inside interface. As you've told him
    > to have an acl on the inside interface (access-group deny_outbound in
    > interface inside) but that acl has only one line (access-list deny_outbound
    > deny tcp any any eq 27374) you have now blocked ALL traffic as the default
    > at the end of any acl is 'deny any any'.
    >
    > Chris.
    >
    >
    >
    > > Victor

    >
    > > On Nov 16, 3:40 pm, "Networking Student" <> wrote:
    > >> Hello,

    >
    > >> I just started HyperTerminal and came to a blinking cursor.

    >
    > >> I pressed enter on my keyboard and came to a command prompt -
    > >> pixfirewall>

    >
    > >> From this point, step by step if possible, how might I configure the
    > >> PIX to deny outbound traffic from using a particular port, 27374 for
    > >> example?

    >
    > >> How might I also configure the PIX to allow traffic to exit a certain
    > >> port, 80 for example?

    >
    > >> 1. Type "enable" (without the quotes).
    > >> 2. Enter password.
    > >> 3. Type "configure terminal " (maybe? I don't know)
    > >> 4........ (Now I REALLY don't know)

    >
    > >> The above steps 1,2,3,4 are the format I would most appreciate if
    > >> anyone knows what I mean.

    >
    > >> How anyone could NOT know what I mean is beyond me, lol, but some
    > >> people seem to enjoy deliberately confusing me. For example I ask how
    > >> to protect outgoing traffic in a case where one inadvertently picks up
    > >> a keylogger and a response is "Don't install keyloggers...."

    >
    > >> Anyway, a busy friend of mine took a few minutes to suggest that I
    > >> figure out the deny any any and allow any any commands. I don't know if
    > >> this is the way or if there is a better way and either way I was not
    > >> able to figure out the "any any" command yet.

    >
    > >> I prefer to use the command line from HyperTerminal if possible but

    >
    > >> If anybody out there could possibly help me by spelling out, step by
    > >> step from the initial pixfirewall> prompt, how I can configure to deny
    > >> traffic exiting port 27374 (a common Trojan port) and also allow
    > >> traffic to exit port 80 I would GREATLY appreciate the time it takes
    > >> you.

    >
    > >> Thanks

    >
    > >> PS: To those that have helped me so far, Walter, BK, Bolger, DrSpock..
    > >> What was over my head is now becoming clearer and I truly appreciate
    > >> your help. Thank you so much.
    vreyesii, Nov 16, 2006
    #5
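As an added illustration of the two points made in Chris's and Victor's replies (the implicit deny at the end of every PIX access list, and the permit having to sit below the deny), here is a small first-match evaluator written for this page; it is not PIX software and not code from anyone in the thread, and the three configurations and the two test connections are constructed for the example.

```python
# Added example, not PIX software: a first-match evaluator for the
# "access-list NAME permit|deny PROTO any any [eq PORT]" lines in this thread,
# showing the implicit deny at the end and why the permit must sit below the deny.
from dataclasses import dataclass
from typing import Optional

@dataclass
class Ace:
    action: str          # "permit" or "deny"
    proto: str           # "ip" matches everything, otherwise "tcp" / "udp"
    port: Optional[int]  # destination port from "eq PORT"; None = any port

def parse_acl(config: str, name: str) -> list:
    """Collect the entries of access-list NAME in the order they were typed."""
    aces = []
    for line in config.strip().splitlines():
        w = line.split()
        if len(w) < 6 or w[0] != "access-list" or w[1] != name:
            continue  # access-group and other lines are not ACL entries
        port = int(w[7]) if len(w) >= 8 and w[6] == "eq" else None
        aces.append(Ace(w[2], w[3], port))
    return aces

def evaluate(aces: list, proto: str, dport: int) -> str:
    """First matching entry wins; no match means the implicit 'deny any any'."""
    for ace in aces:
        if ace.proto in ("ip", proto) and ace.port in (None, dport):
            return ace.action
    return "deny (implicit)"

# Constructed configs (only the access-list lines are evaluated).
DENY_ONLY = """
access-list deny_outbound deny tcp any any eq 27374
access-group deny_outbound in interface inside
"""
CORRECT = """
access-list deny_outbound deny tcp any any eq 27374
access-list deny_outbound permit ip any any
access-group deny_outbound in interface inside
"""
WRONG_ORDER = """
access-list deny_outbound permit ip any any
access-list deny_outbound deny tcp any any eq 27374
access-group deny_outbound in interface inside
"""
def outcome(config: str) -> dict:
    """Verdicts for an outbound connection to TCP/27374 and to TCP/80."""
    acl = parse_acl(config, "deny_outbound")
    return {"tcp/27374": evaluate(acl, "tcp", 27374),
            "tcp/80": evaluate(acl, "tcp", 80)}

if __name__ == "__main__":
    for label, cfg in (("deny only", DENY_ONLY), ("deny then permit", CORRECT),
                       ("permit then deny", WRONG_ORDER)):
        print(f"{label:17} {outcome(cfg)}")
```

Running it shows the deny-only list blocking port 80 through the implicit deny, the deny-then-permit list blocking only 27374, and the permit-first list letting 27374 through because the deny entry is never reached.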
