Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1422
Views
0
Helpful
6
Replies

access lists for web server and internet

carl_townshend
Spotlight
Spotlight

‎03-15-2006 07:46 AM - edited ‎03-03-2019 02:18 AM

if im hosting a server, do I just need an access list allowing port 80 inbound to the web server ip address, also for users browsing the internet, what access list do i need inbound wise ?

Labels:
0 Helpful
6 Replies 6

CSCO10662744_2
Level 1
Level 1

‎03-15-2006 07:50 AM

yes, you should only open the ports necessary for your servers. In your case, port 80 inbound.

By default, a Pix allows all outbound traffic. Depending what device you have (whether it's a Pix, switch, or router), the ACL config requirement may be different.

0 Helpful

carl_townshend
Spotlight
Spotlight
In response to CSCO10662744_2

‎03-15-2006 08:12 AM

for normal internet users what do I need to let back in ? do pix's use cbac ?

0 Helpful

chris.cumbaa
Level 1
Level 1
In response to carl_townshend

‎03-15-2006 11:24 AM

If users are browsing the internet from your internal network, you don't need to allow any special ports inbound. Since you are hosting a web server, you need an access-list entry that reads like this:

access-list 101 permit tcp any interface outside eq 80

You also need a static entry:

static (in, out) tcp [outside-ip-address] 80 [server-ip-address] 80 netmask 255.255.255.255

Hope this helps

0 Helpful

carl_townshend
Spotlight
Spotlight
In response to chris.cumbaa

‎03-16-2006 04:00 AM

so your saying on my pc at home I dont need any access lists, wouldnt this allow people to connect to my pc, surely I would need to just allow established connections ?

0 Helpful

chris.cumbaa
Level 1
Level 1
In response to carl_townshend

‎03-16-2006 05:12 AM

That is the access-list. You don't need an outbound access-list, unless you want to block certain traffic from leaving your network. Place that inbound access-list allowing port 80 on the outside interface of your PIX. I believe there's an implied deny ip any any at the end of every access-list. However, you could add in a deny ip any any to the end. Just follow that same syntax for any other ports you may want to allow through. I am assuming that your PC is behind the PIX. The PIX shouldn't block connections that are established by your PC to the internet.

Hope this helps.

Chris

0 Helpful

carl_townshend
Spotlight
Spotlight
In response to chris.cumbaa

‎03-16-2006 05:32 AM

How does the pix know what connections are established ? does the pix use cbac for this ? and can you give me an example of the access list wheres im not hosting any servers ?

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents