I have 2 interfaces on a PIX (out and in). If I want to allow only HTTP and FTP traffic on the inside to go out, I will create some list and permit port 80, port 20 and port 21 as destination ports. If that's the case, must I enter the source port as < 1023, which means from 1024 to 65535, as my inside source port to connect to destination ports 20, 21 and 80?
Am I right to say that? So if I open my source ports that are larger than 1023, doesn't that mean most of my ports are open for people to enter?
Well, I am not sure I understand your question. But just to clarify: when you make a connection from inside to outside, the PIX will create a translation entry based on the dst/src IP and port. If you access cisco.com on port 80 with source port 1025, then only cisco.com can reach you on port 1025 with source port 80; nobody else can, as there is no translation.
I hope it is not too basic. Let me know if this helps.
ACLs work in a direction, either inbound or outbound. To determine whether it's inbound or outbound, think about the origin of the traffic.
An internal user browsing the internet is outbound; the return traffic from the internet back to the internal PC is inbound.
Now, to permit outbound HTTP and FTP, regardless of what port is specified, any inbound traffic would still be denied/blocked except the return traffic that is related to the outbound traffic made by an internal user in the first place.
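To show why leaving the source port unrestricted does not leave the high ports open, here is a small Python model of the PIX behaviour the two replies above describe (an added example, not PIX code and not from the thread; the IP addresses and the connection-table logic are constructed assumptions):

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One direction of a TCP conversation (constructed 4-tuple model)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def reverse(self):
        return Flow(self.dst_ip, self.dst_port, self.src_ip, self.src_port)


# Outbound ACL on the inside interface, as in the thread: destination
# ports 80 (HTTP), 20 and 21 (FTP); the source port is left as "any".
OUTBOUND_PERMIT_DST_PORTS = {80, 20, 21}


class StatefulFirewall:
    def __init__(self):
        self.connections = set()  # translation / connection table

    def outbound(self, flow):
        """Inside -> outside. Checked against the ACL; a permitted flow
        gets a connection entry so that its reply can come back."""
        if flow.dst_port not in OUTBOUND_PERMIT_DST_PORTS:
            return False
        self.connections.add(flow)
        return True

    def inbound(self, flow):
        """Outside -> inside. Nothing is permitted by ACL; a packet passes
        only if it is the reverse of an existing connection entry."""
        return flow.reverse() in self.connections


def demo():
    fw = StatefulFirewall()
    inside, web, other = "10.0.0.5", "198.51.100.10", "203.0.113.7"  # constructed
    return {
        "client_to_web_80": fw.outbound(Flow(inside, 1025, web, 80)),
        "client_to_smtp_25": fw.outbound(Flow(inside, 1026, other, 25)),
        # reply from the web server to the ephemeral port: allowed
        "web_reply_to_1025": fw.inbound(Flow(web, 80, inside, 1025)),
        # same ephemeral port, unrelated host: no translation, dropped
        "other_host_to_1025": fw.inbound(Flow(other, 80, inside, 1025)),
        # right host but a different source port: also dropped
        "web_443_to_1025": fw.inbound(Flow(web, 443, inside, 1025)),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'permit' if allowed else 'deny'}")
```

Active-mode FTP data connections (the server connecting back from port 20 to the client) are not the reverse of the control flow; a real PIX opens those through its FTP inspection (fixup), which this model leaves out.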
Thanks so much for your replies. I'm using the ASDM GUI to configure my PIX. There is this source's service port; its default is "service port = any". So should I just leave it as you all mentioned before? There is no way I can just leave the thing blank.