PIX 515 - Open all ports except a few

Discussion in 'Cisco' started by Corbin O'Reilly, Aug 15, 2008.

  1. Hello. Is there a way I can open all ports to a particular IP except ports
    25 and 110?
    I know the command "access-list outside_in permit ip any host 209.x.y.z"
    will open all ports.
    I would like to open all ports to this IP except for 25 and 110. Is this
    possible? Thanks.
    Corbin O'Reilly, Aug 15, 2008
    #1

  2. In article <9r6pk.10938$>,
    Corbin O'Reilly <> wrote:
    >Hello. Is there a way I can open all ports to a particular IP except ports
    >25 and 110?
    >I know the command "access-list outside_in permit ip any host 209.x.y.z"
    >will open all ports.
    >I would like to open all ports to this IP except for 25 and 110. Is this
    >possible? Thanks.


    access-list outside_in deny tcp any host 209.x.y.z eq 25
    access-list outside_in deny tcp any host 209.x.y.z eq 110
    access-list outside_in permit ip any host 209.x.y.z
    Walter Roberson, Aug 15, 2008
    #2

  3. So the deny lines have to go before permit line in the config?

    "Walter Roberson" <> wrote in message
    news:WD6pk.184415$gc5.67634@pd7urf2no...
    > In article <9r6pk.10938$>,
    > Corbin O'Reilly <> wrote:
    >>Hello. Is there a way I can open all ports to a particular IP except ports
    >>25 and 110?
    >>I know the command "access-list outside_in permit ip any host 209.x.y.z"
    >>will open all ports.
    >>I would like to open all ports to this IP except for 25 and 110. Is this
    >>possible? Thanks.

    >
    > access-list outside_in deny tcp any host 209.x.y.z eq 25
    > access-list outside_in deny tcp any host 209.x.y.z eq 110
    > access-list outside_in permit ip any host 209.x.y.z
    >
    Corbin O'Reilly, Aug 15, 2008
    #3
  4. Thanks Walter and Artie.

    "Artie Lange" <> wrote in message
    news:g83pho$ndc$...
    > Corbin O'Reilly wrote:
    >> So the deny lines have to go before permit line in the config?
    >>

    >
    > Yes, ACL's are read from top to bottom....
    Corbin O'Reilly, Aug 15, 2008
    #4
  5. Walter Roberson wrote:
    > access-list outside_in deny tcp any host 209.x.y.z eq 25
    > access-list outside_in deny tcp any host 209.x.y.z eq 110
    > access-list outside_in permit ip any host 209.x.y.z

    this seems just to be true for tcp?

    (but i didn't really understand the origin question)

    is it possible to set it like:
    . order deny -> allow for host w.x.y.z
    - allow all
    - deny 25
    - deny 10

    like on many other firewalls?

    Niels.
    Niels Dettenbach, Aug 15, 2008
    #5
  6. In article <g84b8v$nja$00$-online.com>,
    Niels Dettenbach <> wrote:
    > ...
    >is it possible to set it like:
    > . order deny -> allow for host w.x.y.z
    > - allow all
    > - deny 25
    > - deny 10
    >
    >like on many other firewalls?


    Any device that lets you define rule sets to control what's permitted
    has a specified syntax for how you define it and corresponding
    semantics for how it operates.

    Some are first match wins, some are last match wins, some might allow
    you to specify which way you prefer it.

    Cisco tends to be in the first match wins category.

    --
    -- Rod --
    rodd(at)polylogics(dot)com
    Rod Dorman, Aug 15, 2008
    #6
  7. In article <g84b8v$nja$00$-online.com>,
    Niels Dettenbach <> wrote:
    >Walter Roberson wrote:
    >> access-list outside_in deny tcp any host 209.x.y.z eq 25
    >> access-list outside_in deny tcp any host 209.x.y.z eq 110
    >> access-list outside_in permit ip any host 209.x.y.z


    >this seems just to be true for tcp?


    Correct, that will block only tcp ports 25 and 110 and will permit
    everything else through (providing there is a corresponding
    address translation.) I did make an assumption in my answer:
    the original poster mentioned only ports "25" and "110" and did
    not specify whether they meant tcp or udp, but TCP 25 and TCP 110
    are *much* more common than UDP 25 or UDP 110.


    >is it possible to set it like:
    > . order deny -> allow for host w.x.y.z
    > - allow all
    > - deny 25
    > - deny 10
    >like on many other firewalls?


    Not on a PIX or ASA or under IOS: access lists on those devices
    are always read top to bottom. (There are -some- aspects of the PIX
    for which the order is irrelevant; those are described in the
    documentation of the 'static' command.)
    Walter Roberson, Aug 16, 2008
    #7
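The first-match-wins behaviour that Walter, Artie and Rod describe, as an added example that is not part of the thread: a small Python evaluator for the three access-list lines above. It shows that with the deny entries first, TCP 25 and 110 are blocked while other TCP ports (and, as Walter notes, UDP 25) still pass, and that moving the permit line to the top opens everything. The host address and the sample packets are constructed for the example.

```python
# Added example (not from the thread): first-match-wins evaluator for the
# PIX-style lines "access-list NAME ACTION PROTO any host DST [eq PORT]".
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class AclEntry:
    action: str              # "permit" or "deny"
    proto: str               # "ip", "tcp" or "udp"
    dst_host: str            # destination address after "host"
    dst_port: Optional[int]  # port after "eq", or None for any port

def parse_acl(lines: List[str]) -> List[AclEntry]:
    """Parse only the subset of PIX ACL syntax used in the thread."""
    entries = []
    for line in lines:
        tok = line.split()
        if len(tok) < 7 or tok[0] != "access-list" or tok[4] != "any" or tok[5] != "host":
            raise ValueError(f"unsupported line: {line}")
        port = int(tok[8]) if len(tok) >= 9 and tok[7] == "eq" else None
        entries.append(AclEntry(tok[2], tok[3], tok[6], port))
    return entries

def matches(e: AclEntry, proto: str, dst: str, port: int) -> bool:
    if e.dst_host != dst:
        return False
    if e.proto != "ip" and e.proto != proto:   # "ip" covers every protocol
        return False
    return e.dst_port is None or e.dst_port == port

def evaluate(acl: List[AclEntry], proto: str, dst: str, port: int) -> str:
    """First matching entry decides; nothing matched means the implicit deny."""
    for e in acl:
        if matches(e, proto, dst, port):
            return e.action
    return "deny"

# Constructed sample: Walter's ordering, and the same lines with permit on top.
HOST = "203.0.113.10"   # documentation address standing in for 209.x.y.z
DENY_FIRST = parse_acl([
    f"access-list outside_in deny tcp any host {HOST} eq 25",
    f"access-list outside_in deny tcp any host {HOST} eq 110",
    f"access-list outside_in permit ip any host {HOST}",
])
PERMIT_FIRST = DENY_FIRST[2:] + DENY_FIRST[:2]   # the mistake from post #3

def check(acl: List[AclEntry]) -> Tuple[str, str, str, str]:
    """Verdicts for TCP/25, TCP/110, TCP/443 and UDP/25 to HOST."""
    return (evaluate(acl, "tcp", HOST, 25), evaluate(acl, "tcp", HOST, 110),
            evaluate(acl, "tcp", HOST, 443), evaluate(acl, "udp", HOST, 25))

if __name__ == "__main__":
    print("deny first:  ", check(DENY_FIRST))    # ('deny', 'deny', 'permit', 'permit')
    print("permit first:", check(PERMIT_FIRST))  # ('permit', 'permit', 'permit', 'permit')
```

The UDP/25 verdict stays "permit" in both orderings because the deny entries name tcp only; add matching udp entries if UDP must be blocked as well.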