Newbie PIX question

Discussion in 'Cisco' started by shauncarter1, Jul 13, 2003.

  1. shauncarter1

    shauncarter1 Guest

    I have a question about the following configuration. I am a newbie so
    forgive my ignorance. I have the following below that should let
    users start WWW connections, with the exception of 172.16.68.20. My
    question is in the 2nd line why is it permit ip instead of tcp. I am
    assuming that without that permit ip every other destination would
    also be denied outbound access.

    (config)# access-list acl_in deny tcp any host 172.16.68.20 eq www
    (config)# access-list acl_in permit ip any any
    (config)# access-group acl_in in interface inside

    Thanks for any help
     
    shauncarter1, Jul 13, 2003
    #1

  2. I'm afraid that the first line is in the wrong order. The Pix interprets
    that access-list command like

    deny tcp from any ip to ip address 172.16.68.20 if port is 80

    So you should turn it the other way around

    access-list acl_in deny tcp host 172.16.68.20 any eq www

    "ip" means all IP protocols (tcp, udp, icmp, whatever). If you
    want to grant only www access, then the second line should be

    access-list acl_in permit tcp any any eq www

    Please note that you should use "any" in the access-list commands
    as little as you can. It is a possible security risk.
     
    Jyri Korhonen, Jul 13, 2003
    #2
