Newbie PIX question

Discussion in 'Cisco' started by shauncarter1, Jul 13, 2003.

  1. shauncarter1

    shauncarter1 Guest

    I have a question about the following configuration. I am a newbie so
    forgive my ignorance. I have the following below that should let
    users start WWW connections, with the exception of 172.16.68.20. My
    question is in the 2nd line why is it permit ip instead of tcp. I am
    assuming that without that permit ip every other destination would
    also be denied outbound access.

    (config)# access-list acl_in deny tcp any host 172.16.68.20 eq www
    (config)# access-list acl_in permit ip any any
    (config)# access-group acl_in in interface inside

    Thanks for any help
     
    shauncarter1, Jul 13, 2003
    #1

  2. "shauncarter1" <> wrote:

    > I have a question about the following configuration. I am a newbie so
    > forgive my ignorance. I have the following below that should let
    > users start WWW connections, with the exception of 172.16.68.20. My
    > question is in the 2nd line why is it permit ip instead of tcp. I am
    > assuming that without that permit ip every other destination would
    > also be denied outbound access.
    >
    > (config)# access-list acl_in deny tcp any host 172.16.68.20 eq www
    > (config)# access-list acl_in permit ip any any
    > (config)# access-group acl_in in interface inside


    I'm afraid that the first line is in the wrong order. The PIX interprets
    that access-list command like

    deny tcp from any ip to ip address 172.16.68.20 if port is 80

    So you should turn it the other way around

    access-list acl_in deny tcp host 172.16.68.20 any eq www

    "ip" means all IP protocols (tcp, udp, icmp, what ever). If you
    want to grant only www access, then the second line should be

    access-list acl_in permit tcp any any eq www

    Please note that you should use "any" in the access-list commands
    as little as you can. It is a possible security risk.
     
    Jyri Korhonen, Jul 13, 2003
    #2
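The exchange above turns on two things: the PIX reads an ACE as "action protocol SOURCE DESTINATION [eq port]", first match wins, and an access-list ends in an implicit deny. The following is an added example, not code from either poster: a small Python evaluator for exactly that ACE subset (any / host A.B.C.D / A.B.C.D MASK, protocols ip, tcp, udp, icmp, optional "eq port"). It loads the original three-line list and the rewritten list from the reply, then shows which flows each one actually permits or denies. The test packets (an inside host 172.16.68.5 and an outside web server 198.51.100.10) are constructed for the example; the address 172.16.68.20 and the ACE lines come from the thread.

```python
"""Toy evaluator for the PIX-style access-list entries discussed in the thread.

Supported syntax (a subset of the real PIX command):
    access-list NAME {permit|deny} PROTO SRC DST [eq PORT]
    PROTO : ip | tcp | udp | icmp       ("ip" matches every protocol)
    SRC/DST : any | host A.B.C.D | A.B.C.D MASK   (normal mask, not a wildcard)
Entries are matched top to bottom; no match means the implicit deny.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# A few service names the PIX accepts after "eq"; numeric ports also work.
SERVICE_NAMES = {"www": 80, "http": 80, "https": 443, "ssh": 22, "smtp": 25, "domain": 53}


@dataclass
class Ace:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip", "tcp", "udp" or "icmp"
    src: ipaddress.IPv4Network       # source match (first address field)
    dst: ipaddress.IPv4Network       # destination match (second address field)
    dport: Optional[int]             # destination port from "eq", or None
    text: str                        # the original line, for reporting


def _parse_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse one address spec starting at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # "A.B.C.D MASK": ipaddress accepts a dotted netmask after the slash
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_ace(line: str) -> Ace:
    tokens = line.split()
    if len(tokens) < 6 or tokens[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    action, proto = tokens[2], tokens[3]
    if action not in ("permit", "deny") or proto not in ("ip", "tcp", "udp", "icmp"):
        raise ValueError(f"unsupported action/protocol in: {line!r}")
    src, i = _parse_addr(tokens, 4)          # first address field is the SOURCE
    dst, i = _parse_addr(tokens, i)          # second address field is the DESTINATION
    dport = None
    if i < len(tokens) and tokens[i] == "eq":
        port = tokens[i + 1]
        dport = SERVICE_NAMES.get(port) or int(port)
    return Ace(action, proto, src, dst, dport, line.strip())


def parse_acl(lines: List[str]) -> List[Ace]:
    return [parse_ace(line) for line in lines]


def evaluate(acl: List[Ace], proto: str, src_ip: str, dst_ip: str,
             dport: Optional[int] = None) -> Tuple[str, str]:
    """Return (action, matching line) for a flow; first match wins, else implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in acl:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, ace.text
    return "deny", "<implicit deny at end of access-list>"


# The two lists from the thread (prompt stripped).
ORIGINAL_ACL = parse_acl([
    "access-list acl_in deny tcp any host 172.16.68.20 eq www",
    "access-list acl_in permit ip any any",
])
REVISED_ACL = parse_acl([
    "access-list acl_in deny tcp host 172.16.68.20 any eq www",
    "access-list acl_in permit tcp any any eq www",
])

# Constructed test flows: an inside client 172.16.68.5 and an outside web server 198.51.100.10.
FLOWS = [
    ("tcp", "172.16.68.5", "172.16.68.20", 80),   # inside client -> the named host, port 80
    ("tcp", "172.16.68.20", "198.51.100.10", 80),  # the named host -> outside web server
    ("tcp", "172.16.68.5", "198.51.100.10", 80),   # ordinary client -> outside web server
    ("udp", "172.16.68.5", "198.51.100.10", 53),   # DNS: only "permit ip" lets this through
]

if __name__ == "__main__":
    for label, acl in (("original", ORIGINAL_ACL), ("revised", REVISED_ACL)):
        print(f"--- {label} access-list ---")
        for proto, s, d, p in FLOWS:
            action, why = evaluate(acl, proto, s, d, p)
            print(f"{proto} {s} -> {d}:{p}: {action:6}  ({why})")
```

Running it makes the difference concrete: the original list blocks inside hosts from reaching 172.16.68.20 on port 80 while leaving host 172.16.68.20 itself free to browse, whereas the rewritten list blocks 172.16.68.20 from browsing anywhere and, because the second entry is now "permit tcp ... eq www" rather than "permit ip any any", also drops everything that is not TCP/80 (DNS, ICMP, HTTPS) at the implicit deny. Deciding which of those two outcomes is the intent is the check to make before the access-group command is applied.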