Cisco Support Community

New Member

Access Rule Rookie needs Help

I am a real rookie at this. I just installed a PIX 501 with Firewall version 6.34 and PDM 3.0. I am trying to setup access rules for the following: Inside IP addresses 192.168.168.20-100 deny HTTP and allow FTP, SMTP and POP3. Inside IP addresses 192.168.168.2-19 and 100-250 have full access to the web and email. Can somebody please help me?

Thanks.

1 REPLY
Bronze

Re: Access Rule Rookie needs Help

It would be much easier to set up the access-list if these IP addresses were broken up along subnet boundaries. Using your specifications, the easiest way (assuming you only want to deny HTTP, and allow everything else) would be similar to the following:

access-list acl_inside deny tcp 192.168.168.20 255.255.255.252 any eq 80 (or HTTP) (this would cover 20-23)

access-list acl_inside deny tcp 192.168.168.24 255.255.255.248 any eq 80 (this would cover 24-31)

access-list acl_inside deny tcp 192.168.168.32 255.255.255.224 any eq 80 (this would cover 32-63)

access-list acl_inside deny tcp 192.168.168.64 255.255.255.224 any eq 80 (this would cover 64-95)

access-list acl_inside deny tcp 192.168.168.96 255.255.255.252 any eq 80 (this would cover 96-99)

access-list acl_inside deny tcp host 192.168.168.100 any eq 80 (for the final IP)

access-list acl_inside permit ip any any (to allow all other traffic, otherwise the implicit "deny all" would stop all traffic from flowing).

access-group acl_inside in interface inside (this applies the access-list to the interface. If this command is entered first, or the access-list is removed, then no traffic will flow through this interface.)

If the inside addresses were broken along subnet boundaries, the ACL would be much cleaner, and you could specify only allowing the 3 services. (assume the deny area of 192.168.168.64 255.255.255.192, for a range of 64-127)

access-list acl_inside deny tcp 192.168.168.64 255.255.255.192 any eq HTTP

access-list acl_inside permit ip any any

(If you only wanted to ALLOW the FTP, SMTP and POP3, and deny all others for this range, it would be similar to the following)

access-list acl_inside permit tcp 192.168.168.64 255.255.255.192 any eq ftp

access-list acl_inside permit tcp 192.168.168.64 255.255.255.192 any eq smtp

access-list acl_inside permit tcp 192.168.168.64 255.255.255.192 any eq pop3 (or 110)

access-list acl_inside deny ip 192.168.168.64 255.255.255.192 any

access-list acl_inside permit ip any any

(Hopefully not too much information?)
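The reply above splits the 20-100 range into subnet-aligned blocks by hand. The following is an added example (not code from the original reply or from Cisco) that does the same split for any range, renders each block in PIX 6.x access-list syntax (subnet mask, not wildcard; `host` for a single address), builds both of the reply's policies, and evaluates sample flows against the first-match semantics the PIX uses, including the implicit deny at the end. The ACL name `acl_inside` comes from the thread; the function names, the `Ace` class and the sample flows are assumptions made for this example.

```python
# Added example for this thread, not code from the original post or from Cisco.
# Splits a non-aligned inside address range into subnet-aligned blocks (what the
# reply did by hand), renders PIX 6.x access-list lines, and checks the resulting
# first-match policy against constructed sample flows.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ACL_NAME = "acl_inside"                      # name used in the thread
ANY = ipaddress.IPv4Network("0.0.0.0/0")     # rendered as the "any" keyword


@dataclass(frozen=True)
class Ace:
    """One access-list entry: source network, destination any, optional TCP port."""
    action: str                   # "permit" or "deny"
    proto: str                    # "tcp" or "ip" (ip matches any protocol)
    src: ipaddress.IPv4Network
    dst_port: Optional[int]       # None = any destination port

    def text(self) -> str:
        # PIX ACLs take a normal subnet mask (not an IOS-style wildcard) and
        # write a single address as "host a.b.c.d".
        if self.src == ANY:
            src = "any"
        elif self.src.prefixlen == 32:
            src = f"host {self.src.network_address}"
        else:
            src = f"{self.src.network_address} {self.src.netmask}"
        port = f" eq {self.dst_port}" if self.dst_port is not None else ""
        return f"access-list {ACL_NAME} {self.action} {self.proto} {src} any{port}"


def aligned_blocks(first: str, last: str) -> List[ipaddress.IPv4Network]:
    """Largest subnet-aligned blocks that exactly cover first..last inclusive."""
    return list(ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))


def covers_exactly(blocks: List[ipaddress.IPv4Network], first: str, last: str) -> bool:
    """Sanity check: the blocks hit every address in the range and nothing outside it."""
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    inside = all(lo <= b.network_address and b.broadcast_address <= hi for b in blocks)
    total = sum(b.num_addresses for b in blocks)   # blocks never overlap
    return inside and total == int(hi) - int(lo) + 1


def deny_port_from_range(first: str, last: str, port: int = 80) -> List[Ace]:
    """Reply's first approach: block one TCP port from the range, permit all else."""
    acl = [Ace("deny", "tcp", net, port) for net in aligned_blocks(first, last)]
    acl.append(Ace("permit", "ip", ANY, None))   # without this, implicit deny blocks everything
    return acl


def allow_only_ports_from_range(first: str, last: str, ports=(21, 25, 110)) -> List[Ace]:
    """Reply's second approach: permit only listed TCP ports from the range, deny its other traffic."""
    acl: List[Ace] = []
    for net in aligned_blocks(first, last):
        acl.extend(Ace("permit", "tcp", net, p) for p in ports)
        acl.append(Ace("deny", "ip", net, None))
    acl.append(Ace("permit", "ip", ANY, None))
    return acl


def render(acl: List[Ace]) -> List[str]:
    """Configuration lines in the order they must be entered."""
    return [ace.text() for ace in acl]


def evaluate(acl: List[Ace], src_ip: str, proto: str, dst_port: int) -> str:
    """First matching entry wins; no match at all means the PIX's implicit deny."""
    ip = ipaddress.IPv4Address(src_ip)
    for ace in acl:
        if ip not in ace.src:
            continue
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if ace.dst_port is not None and ace.dst_port != dst_port:
            continue
        return ace.action
    return "deny"


if __name__ == "__main__":
    acl = deny_port_from_range("192.168.168.20", "192.168.168.100")
    print("\n".join(render(acl)))
    print(f"access-group {ACL_NAME} in interface inside")
    # constructed sample flows: (inside source, TCP destination port)
    for src, port in [("192.168.168.50", 80), ("192.168.168.50", 21), ("192.168.168.10", 80)]:
        print(src, port, evaluate(acl, src, "tcp", port))
```

Running it prints exactly the six deny lines from the reply plus the final `permit ip any any`, and shows that a host in the middle of the range is denied on port 80 but permitted on port 21, while a host outside the range is permitted on both. The `covers_exactly` check is worth keeping around when a range is split by hand: an off-by-one in a mask silently leaves hosts outside the deny.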
