04-16-2003 11:01 AM - edited 03-09-2019 02:56 AM
I work for a local ISP and am about to put in a PIX firewall. Behind the firewall will be services that our users will need to access. If I create an access-list to a web server that also has an FTP program on it, will I also need to create an access-list for the port as well?
thanks
04-16-2003 12:09 PM
You should create access-lists on a per-port basis. So if you open up port 80 for web server access using an access-list, and want to be able to have FTP access to it as well, you'll need to open up the FTP port as well. If you want SSL access to it, you'll need 443 open as well.
-K-
04-16-2003 12:15 PM
So you're saying to create an access list for each port they will be using and not for the IP address of the server, just what they need to use on that server, correct?
thanks
mike
04-16-2003 12:45 PM
It really depends on the function you want and level of security.
Something like:
access-list acl_out permit ip any host 192.168.0.1
access-group acl_out in interface outside
would allow everyone to connect to a web server at 192.168.0.1. It would also allow everyone to use FTP, SSL, and any other service they want on 192.168.0.1. So it, in effect, opens up all the ports to that web server.
While that makes it very easy, it also compromises security. So instead of opening up all ports, you could do it on a port-by-port basis:
access-list acl_out permit tcp any host 192.168.0.1 eq 80
access-list acl_out permit tcp any host 192.168.0.1 eq 443
access-list acl_out permit tcp any host 192.168.0.1 eq 21
access-group acl_out in interface outside
The above would open up just 3 services to the server 192.168.0.1 (although in reality, it will probably have a public IP).
Hope that helps,
Kelly
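As an added illustration (not part of the thread, and not Cisco code), the following Python script parses the two access-list variants from the answer above and evaluates them with PIX-style first-match semantics and the implicit deny at the end of every access-list. It only understands the subset of the syntax used in the thread (permit/deny, ip/tcp/udp, any/host, and an optional destination "eq PORT"); the client address 203.0.113.5 and the extra test port 3389 are constructed for the example. Running it shows concretely that "permit ip any host X" admits every protocol and port, while the per-port list admits only the three named TCP services.

```python
"""
Evaluate PIX-style access-lists from the thread above (added example).

Assumptions (not from the original post):
  - Only this subset of the syntax is parsed:
      access-list NAME permit|deny ip|tcp|udp SRC DST [eq PORT]
    where SRC/DST is "any", "host A.B.C.D", or "A.B.C.D MASK".
  - Only a destination port ("eq") is supported, not a source port.
  - Matching is first-match, top to bottom, with an implicit deny.
"""
import ipaddress

# Common PIX port keywords; the thread only uses numeric ports.
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ftp": 21, "ssh": 22}

# The "open everything to the host" variant from the answer.
OPEN_ALL_CONFIG = """
access-list acl_out permit ip any host 192.168.0.1
access-group acl_out in interface outside
"""

# The per-port variant from the answer.
PER_PORT_CONFIG = """
access-list acl_out permit tcp any host 192.168.0.1 eq 80
access-list acl_out permit tcp any host 192.168.0.1 eq 443
access-list acl_out permit tcp any host 192.168.0.1 eq 21
access-group acl_out in interface outside
"""


def _parse_addr(tokens, i):
    """Parse one address spec starting at tokens[i]; return (network, next_i)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # "A.B.C.D MASK" form (netmask written out in dotted-quad notation)
    return ipaddress.ip_network((tokens[i], tokens[i + 1]), strict=False), i + 2


def parse_ace(line):
    """Parse one access-list entry; return a dict or None for other lines."""
    tokens = line.split()
    if len(tokens) < 6 or tokens[0] != "access-list":
        return None  # e.g. "access-group" lines are not entries
    name, action, proto = tokens[1], tokens[2], tokens[3]
    src, i = _parse_addr(tokens, 4)
    dst, i = _parse_addr(tokens, i)
    port = None
    if i < len(tokens) and tokens[i] == "eq":
        p = tokens[i + 1]
        port = int(p) if p.isdigit() else PORT_NAMES[p]
    return {"name": name, "action": action, "proto": proto,
            "src": src, "dst": dst, "port": port}


def parse_config(text):
    """Group access-list entries by list name, preserving order."""
    acls = {}
    for line in text.splitlines():
        ace = parse_ace(line.strip())
        if ace:
            acls.setdefault(ace["name"], []).append(ace)
    return acls


def evaluate(aces, proto, src_ip, dst_ip, dst_port):
    """Return True if the first matching entry permits the flow, else False."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for ace in aces:
        # "ip" matches any protocol; otherwise protocols must agree.
        if ace["proto"] not in ("ip", proto):
            continue
        if src not in ace["src"] or dst not in ace["dst"]:
            continue
        if ace["port"] is not None and ace["port"] != dst_port:
            continue
        return ace["action"] == "permit"
    return False  # implicit deny at the end of every PIX access-list


OPEN_ALL = parse_config(OPEN_ALL_CONFIG)
PER_PORT = parse_config(PER_PORT_CONFIG)


def compare(proto, dst_port, client="203.0.113.5", server="192.168.0.1"):
    """(open-all verdict, per-port verdict) for one flow from a constructed client."""
    return (evaluate(OPEN_ALL["acl_out"], proto, client, server, dst_port),
            evaluate(PER_PORT["acl_out"], proto, client, server, dst_port))


if __name__ == "__main__":
    for proto, port in [("tcp", 80), ("tcp", 443), ("tcp", 21),
                        ("tcp", 3389), ("udp", 80)]:
        print(f"{proto}/{port}: open-all={compare(proto, port)[0]} "
              f"per-port={compare(proto, port)[1]}")
```

The point to take from the output is the last two rows: with the single "permit ip" line, an arbitrary TCP port such as 3389 and UDP traffic to port 80 both reach the server, whereas the per-port list denies them. The script is deliberately limited to the thread's syntax; a real PIX parser would also need to handle object-groups, source ports, ranges and the other keywords, so treat it as a model of the matching rule, not as a validator for production configs.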