Access lists for ip's and ports

mraisley · ‎04-16-2003

I work for a local ISP and am about to put in a PIX firewall. Behind the firewall will be services that our users will need to access. If I create an access-list to a web server that also has FTP program on it, will I also need to create an access-list for the port as well?

thanks

korova · ‎04-16-2003

You should create access-lists on a per port basis. So if you open up port 80 for a web server access using an access-list, and want to be able to have FTP access to it as well, you'll need to open up the FTP port as well. If you want SSL access to it, you'll need 443 open as well.

-K-

mraisley · ‎04-16-2003

So your saying to create access list for each port they will be using and not for the IP address of the server, just what they need to use on that server,l correct.

thank

mike

korova · ‎04-16-2003

It really depends on the function you want and level of security.

Something like:

access-list acl_out permit ip any host 192.168.0.1

access-group acl_out in interface outside

would allow everyone to connect to a web server at 192.168.0.1. It would also allow everyone to FTP, SSL, and any other service they want to 192.168.0.1. So it, in effect, opens up all the ports to that webserver.

While that makes it very easy, it also compromises security. So instead of opening up all ports, you could do it on a port-by-port basis:

access-list acl_out permit tcp any host 192.168.0.1 eq 80

access-list acl_out permit tcp any host 192.168.0.1 eq 443

access-list acl_out permit tcp any host 192.168.0.1 eq 21

access-group acl_out in interface outside

the above would open up just 3 services to the server 192.168.0.1. (although in a reality, it will probably have a public ip)

Hope that helps,

Kelly