PIX 515 - Open all ports except a few

Hello. Is there a way I can open all ports to a particular IP except ports
25 and 110?
I know the command "access-list outside_in permit ip any host 209.x.y.z"
will open all ports.
I would like to open all ports to this IP except for 25 and 110. Is this
possible? Thanks.

 

access-list outside_in deny tcp any host 209.x.y.z eq 25
access-list outside_in deny tcp any host 209.x.y.z eq 110
access-list outside_in permit ip any host 209.x.y.z

 

So the deny lines have to go before permit line in the config?

 

Thanks Walter and Artie.

 

this seems just to be true for tcp?

(but i didn't really understand the origin question)

is it possible to set it like:
. order deny -> allow for host w.x.y.z
- allow all
- deny 25
- deny 10

like on many other firewalls?

Niels.

 

Any device that lets you define rule sets to control whats permitted
has a specified syntax for how you define it and coresponding
semantics for how it operates.

Some are first match wins, some are last match wins, some might allow
you to specify which way you prefer it.

Cisco tends to be in the first match wins category.

 

Correct, that will block only tcp ports 25 and 110 and will permit
everything else through (providing there is a corresponding
address translation.) I did make an assumption in my answer:
the original poster mentioned only ports "25" and "110" and did
not specify whether they meant tcp or udp, but TCP 25 and TCP 110
are *much* more common than UDP 25 or UDP 110.

Not on a PIX or ASA or under IOS: access lists on those devices
are always read top to bottom. (There are -some- aspects of the PIX
for which the order is irrelevant; those are described in the
documentation of the 'static' command.)