I am a real rookie at this. I just installed a PIX 501 with Firewall version 6.34 and PDM 3.0. I am trying to set up access rules for the following: Inside IP addresses 192.168.168.20-100 deny HTTP and allow FTP, SMTP and POP3. Inside IP addresses 192.168.168.2-19 and 100-250 have full access to the web and email. Can somebody please help me?
It would be much easier to set up the access-list if these IP addresses were broken up along subnet boundaries. Using your specifications, the easiest way (assuming you only want to deny HTTP, and allow everything else) would be similar to the following:
access-list acl_inside deny tcp 192.168.168.20 255.255.255.252 any eq 80 (or HTTP) (this would cover 20-23)
access-list acl_inside deny tcp 192.168.168.24 255.255.255.248 any eq 80 (this would cover 24-31)
access-list acl_inside deny tcp 192.168.168.32 255.255.255.224 any eq 80 (this would cover 32-63)
access-list acl_inside deny tcp 192.168.168.64 255.255.255.224 any eq 80 (this would cover 64-95)
access-list acl_inside deny tcp 192.168.168.96 255.255.255.252 any eq 80 (this would cover 96-99)
access-list acl_inside deny tcp host 192.168.168.100 any eq 80 (for the final IP)
access-list acl_inside permit ip any any (to allow all other traffic, otherwise the implicit "deny all" would stop all traffic from flowing).
access-group acl_inside in interface inside (this applies the access-list to the interface. If this command is entered first, or the access-list is removed, then no traffic will flow through this interface.)
If the inside addresses were broken along subnet boundaries, the ACL would be much cleaner, and you could specify only allowing the 3 services. (assume the deny area of 192.168.168.64 255.255.255.192, for a range of 64-127)
access-list acl_inside deny tcp 192.168.168.64 255.255.255.192 any eq www
access-list acl_inside permit ip any any
(If you only wanted to ALLOW the FTP, SMTP and POP3, and deny all others for this range, it would be similar to the following)
access-list acl_inside permit tcp 192.168.168.64 255.255.255.192 any eq ftp
access-list acl_inside permit tcp 192.168.168.64 255.255.255.192 any eq smtp
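The subnet-boundary arithmetic in the answer above (splitting .20-.100 into 20/30, 24/29, 32/27, 64/27, 96/30 and host .100) is the general "range to minimal prefixes" algorithm, and the ordering remarks (first match wins, implicit deny at the end, permit-any-any must come last) are what decide whether the list actually does what you want. The following is an added example, not part of the original post: it generates the PIX-style entries for an arbitrary range, builds the "allow only FTP/SMTP/POP3" variant for an aligned subnet, and runs a small first-match evaluator over the result so the ordering rules can be checked before the list is applied with access-group. The evaluator only understands the subset of access-list syntax this script emits; the ACL name acl_inside and the addresses are the ones from the thread.

```python
"""Added example (not from the original post): build PIX 6.x access-list
entries for an IP range and check first-match behaviour offline."""
import ipaddress


def range_to_subnets(first, last):
    """Split an inclusive IPv4 range into the fewest network/mask blocks.
    This is the subnet-boundary work the answer did by hand."""
    return list(ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))


def _src(net):
    """Render a block in PIX source syntax: 'host a.b.c.d' or 'a.b.c.d mask'."""
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.netmask}"


def deny_one_port_lines(acl, first, last, port=80):
    """'Deny one service, allow everything else' for a non-aligned range.
    The permit ip any any must be last: entries are evaluated top-down."""
    lines = [f"access-list {acl} deny tcp {_src(n)} any eq {port}"
             for n in range_to_subnets(first, last)]
    lines.append(f"access-list {acl} permit ip any any")
    return lines


def allow_only_lines(acl, network, mask, ports=(21, 25, 110)):
    """'Allow only these services, deny the rest' for one aligned subnet
    (FTP control 21, SMTP 25, POP3 110). The explicit deny for the subnet
    has to precede permit ip any any, or the permit would match first."""
    src = f"{network} {mask}"
    lines = [f"access-list {acl} permit tcp {src} any eq {p}" for p in ports]
    lines.append(f"access-list {acl} deny ip {src} any")
    lines.append(f"access-list {acl} permit ip any any")
    return lines


def _parse(line):
    """Parse the subset of access-list syntax produced above."""
    tok = line.split()
    assert tok[0] == "access-list"
    action, proto, rest = tok[2], tok[3], tok[4:]
    if rest[0] == "host":
        src, rest = ipaddress.ip_network(rest[1] + "/32"), rest[2:]
    elif rest[0] == "any":
        src, rest = ipaddress.ip_network("0.0.0.0/0"), rest[1:]
    else:  # dotted-decimal netmask form, e.g. 192.168.168.20 255.255.255.252
        src = ipaddress.ip_network(f"{rest[0]}/{rest[1]}", strict=False)
        rest = rest[2:]
    rest = rest[1:]  # destination is always 'any' in these examples
    port = int(rest[1]) if rest[:1] == ["eq"] else None
    return action, proto, src, port


def evaluate(lines, src_ip, proto, dst_port):
    """First matching entry decides; no match at all is the implicit deny,
    which is also why an empty or removed list stops all traffic."""
    ip = ipaddress.IPv4Address(src_ip)
    for line in lines:
        action, p, src, port = _parse(line)
        if p != "ip" and p != proto:
            continue
        if ip not in src:
            continue
        if port is not None and port != dst_port:
            continue
        return action
    return "deny"


if __name__ == "__main__":
    acl = deny_one_port_lines("acl_inside", "192.168.168.20", "192.168.168.100")
    print("\n".join(acl))
    print(evaluate(acl, "192.168.168.50", "tcp", 80))   # deny
    print(evaluate(acl, "192.168.168.50", "tcp", 25))   # permit
    # Same entries with permit ip any any moved to the top: denies never match.
    print(evaluate(acl[-1:] + acl[:-1], "192.168.168.50", "tcp", 80))  # permit
```

Running it reproduces the six deny entries from the answer followed by the permit, and the last line of the demonstration shows the ordering mistake the answer warns about: with the permit-any-any first, the deny entries are dead and hosts in the range still reach port 80.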