Access lists for ip's and ports

Apr 16th, 2003

I work for a local ISP and am about to put in a PIX firewall. Behind the firewall will be services that our users will need to access. If I create an access-list to a web server that also has FTP program on it, will I also need to create an access-list for the port as well?

thanks


korova Wed, 04/16/2003 - 12:09

You should create access-lists on a per port basis. So if you open up port 80 for a web server access using an access-list, and want to be able to have FTP access to it as well, you'll need to open up the FTP port as well. If you want SSL access to it, you'll need 443 open as well.

-K-



mraisley Wed, 04/16/2003 - 12:15

So you're saying to create access lists for each port they will be using and not for the IP address of the server, just what they need to use on that server, correct?

thanks

mike


korova Wed, 04/16/2003 - 12:45

It really depends on the function you want and level of security.


Something like:

access-list acl_out permit ip any host 192.168.0.1
access-group acl_out in interface outside


would allow everyone to connect to a web server at 192.168.0.1. It would also allow everyone to FTP, SSL, and any other service they want to 192.168.0.1. So it, in effect, opens up all the ports to that webserver.


While that makes it very easy, it also compromises security. So instead of opening up all ports, you could do it on a port-by-port basis:


access-list acl_out permit tcp any host 192.168.0.1 eq 80
access-list acl_out permit tcp any host 192.168.0.1 eq 443
access-list acl_out permit tcp any host 192.168.0.1 eq 21
access-group acl_out in interface outside


The above would open up just 3 services to the server 192.168.0.1 (although in reality, it will probably have a public IP).


Hope that helps,

Kelly
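An added example, not from the thread, that models PIX first-match / implicit-deny evaluation in Python so the difference between Kelly's two access-lists is concrete: the `permit ip any host` entry admits every protocol and port to the server, while the per-port list admits only 80, 443 and 21. `Flow`, `parse_acl`, `evaluate` and `compare` are helpers written for this illustration (they understand only the subset of PIX syntax used above), and the sample flows are constructed.

```python
from typing import Optional
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    proto: str                    # "tcp", "udp" or "icmp"
    dst: str                      # destination address
    dport: Optional[int] = None   # destination port, None for protocols without ports

def parse_acl(config: str):
    """Parse the subset of PIX syntax used in the thread:
    access-list NAME permit|deny PROTO any host DST [eq PORT]."""
    entries = []
    for line in config.splitlines():
        tok = line.split()
        if len(tok) < 7 or tok[0] != "access-list":
            continue              # blank lines, access-group, etc.
        _, _name, action, proto, _src, _host, dst, *rest = tok
        port = int(rest[1]) if rest[:1] == ["eq"] else None
        entries.append((action, proto, dst, port))
    return entries

def evaluate(entries, flow: Flow) -> str:
    """First matching entry decides; no match hits the implicit deny."""
    for action, proto, dst, port in entries:
        if proto not in ("ip", flow.proto) or dst != flow.dst:
            continue
        if port is not None and port != flow.dport:
            continue              # protocol matched but the port did not
        return action
    return "deny"                 # implicit deny at the end of every PIX ACL

WIDE_ACL = "access-list acl_out permit ip any host 192.168.0.1"
NARROW_ACL = """\
access-list acl_out permit tcp any host 192.168.0.1 eq 80
access-list acl_out permit tcp any host 192.168.0.1 eq 443
access-list acl_out permit tcp any host 192.168.0.1 eq 21
"""

# Constructed sample flows: the three intended services plus two (RDP, SNMP)
# that should not be reachable from the outside interface at all.
SAMPLE_FLOWS = [Flow("tcp", "192.168.0.1", p) for p in (80, 443, 21, 3389)]
SAMPLE_FLOWS.append(Flow("udp", "192.168.0.1", 161))

def compare(config: str):
    """Decision for each sample flow under the given access-list."""
    entries = parse_acl(config)
    return {(f.proto, f.dport): evaluate(entries, f) for f in SAMPLE_FLOWS}
```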
