Allow or not?

kengyiam
Level 1

Hi guys,

I have 2 interfaces on a PIX (outside and inside). If I want to allow only HTTP and FTP traffic from the inside to go out, I will create some list and permit port 80, port 20 and port 21 as destination ports. If that's the case, must I enter the source port as < 1023, which means from 1024 to 65535, as my inside source port to connect to destination ports 20, 21 and 80?

Am I right to say that? So if I open my source ports that are larger than 1023, doesn't that mean most of my ports are open for people to enter?

Please kindly advise.

9 Replies

attrgautam
Level 5

Well, I am not sure I understand your question. But just to clarify, when you make a connection from inside to outside, the PIX will create a translation entry based on the dst/src IP and port. If you access cisco.com on port 80 with source port 1025, then only cisco.com can reach you on port 1025 with source port 80; nobody else can, as there is no translation.

I hope it is not too basic. Let me know if this helps.

Hi,

Actually, I know this theory. My question is: should I really open ports > 1023 on my PIX in order for my clients on the inside to surf the Internet on the outside? That should be the practice, right?

Thanks for your previous reply.

I know what you mean. You want to know if you need to tell the PIX to allow your inside users to go out based on their src port, which is a random number between 1024-65535.

The answer is No, you should not open those ports. If you want inside users to allow resources on the outside over specific ports, the configuration would be something like this:

access-list outbound permit tcp host X any eq 80

access-list outbound permit tcp host X any eq 21

access-list outbound permit tcp host X any eq 20

access-group outbound in interface inside

Where host X is a computer on the inside; you can replace it with the keyword "any".

Please check the access-list information by clicking the link below:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/ab.htm#wp1067755

Please let me know if more information is needed.

Franco Zamora

fausto-oliveira
Level 1

Regarding FTP traffic, the PIX fixup will open the port 20 connection afterward (assuming that you allow port 21, of course).

jackko
Level 7

acl works in a direction, either inbound or outbound. to determine whether it's inbound or outbound, think about the origin of the traffic.

e.g.

internal user browsing the internet is outbound; the return traffic from the internet back to the internal pc is inbound.

now, to permit outbound http and ftp, regardless of what port is specified, any inbound traffic would still be denied/blocked except the return traffic that is related to the outbound traffic made by an internal user in the first place.

usually no source port needs to be specified.

e.g.

access-list xxx permit tcp any any eq 80
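The point made in attrgautam's reply and again here (an outbound ACL matches on destination port only, and inbound traffic is accepted solely when it is the reverse of a connection the PIX already recorded) can be shown with a small stateful-firewall model. This is an added example, not code from the thread or from Cisco; the IP addresses and port numbers are constructed.

```python
# Added example (not from the thread): a minimal model of the PIX behaviour
# described above. The outbound ACL is evaluated on destination port only;
# a permitted outbound packet records a connection (translation) entry, and
# an inbound packet is accepted only if it is the exact reverse of one.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


# Outbound policy from the thread: HTTP and FTP by destination port, no source port.
OUTBOUND_PERMIT_DST_PORTS = {80, 21, 20}


class StatefulFirewall:
    def __init__(self):
        # connection table keyed by (inside ip, inside port, outside ip, outside port)
        self.conns = set()

    def outbound(self, pkt: Packet) -> bool:
        """Inside -> outside: check the ACL, then record the connection."""
        if pkt.dst_port not in OUTBOUND_PERMIT_DST_PORTS:
            return False
        self.conns.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
        return True

    def inbound(self, pkt: Packet) -> bool:
        """Outside -> inside: nothing is permitted by ACL; only return traffic
        whose reversed 4-tuple matches a recorded connection is accepted."""
        return (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in self.conns


def demo():
    fw = StatefulFirewall()
    inside, web, other = "10.0.0.5", "198.51.100.10", "203.0.113.7"  # constructed
    results = {}
    # the client picks ephemeral source port 1025, as in the reply above
    results["out_http"] = fw.outbound(Packet(inside, 1025, web, 80))
    results["out_telnet"] = fw.outbound(Packet(inside, 1026, web, 23))
    results["return_http"] = fw.inbound(Packet(web, 80, inside, 1025))
    # a different outside host aiming at the same inside port has no entry
    results["other_host_to_1025"] = fw.inbound(Packet(other, 80, inside, 1025))
    # even the same web server is refused if its source port does not match
    results["web_wrong_port"] = fw.inbound(Packet(web, 443, inside, 1025))
    return results
```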

Hi guys,

Thanks so much for your replies. I'm using the ASDM GUI to configure my PIX. There is this source's service port; its default is "service port = any". So should I just leave it as you all mentioned before? There is no way I can just leave the thing blank.

Thanks.

yes

I see... thank you guys so much... it seems quite simple. haha.
