Cisco Support Community

New Member

Allow or not?

Hi guys,

I have 2 interfaces on a PIX (outside and inside). If I want to allow only HTTP and FTP traffic from the inside to go out, I will create an access list and permit port 80, port 20 and port 21 as destination ports. If that's the case, must I enter the source port as > 1023, which means from 1024 to 65535, as my inside source port to connect to destination ports 20, 21 and 80?

Am I right to say that? So if I open my source ports that are larger than 1023, doesn't that mean most of my ports are open for people to enter?

Please kindly advise.

9 REPLIES
Silver

Re: Allow or not?

Well, I am not sure I understand your question. But just to clarify: when you make a connection from inside to outside, the PIX will create a translation entry based on the dst/src IP and port. If you access cisco.com on port 80 with source port 1025, then only cisco.com can reach you on port 1025 with source port 80; nobody else can, as there is no translation.

I hope it is not too basic. Let me know if this helps.

New Member

Re: Allow or not?

Hi,

Actually, I know this theory. My question is: should I really open ports > 1023 on my PIX in order for my clients on the inside to surf the Internet on the outside? That should be the practice, right?

Thanks for your previous reply.

Cisco Employee

Re: Allow or not?

I know what you mean. You want to know if you need to tell the PIX to allow your inside users to go out based on their source port, which is a random number between 1024 and 65535.

The answer is no, you should not open those ports. If you want inside users to access resources on the outside over specific ports, the configuration would be something like this:

access-list outbound permit tcp host X any eq 80
access-list outbound permit tcp host X any eq 21
access-list outbound permit tcp host X any eq 20
access-group outbound in interface inside

Where host X is a computer on the inside; you can replace it with the keyword "any".

Please check the access-list information by clicking the link below:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/ab.htm#wp1067755

Please let me know if more information is needed.

Franco Zamora

New Member

Re: Allow or not?

Regarding FTP traffic, the PIX fixup will open the port 20 connection afterward (assuming that you allow port 21, of course).

Gold

Re: Allow or not?

ACLs work in a direction, either inbound or outbound. To determine whether it's inbound or outbound, think about the origin of the traffic.

e.g.

An internal user browsing the Internet is outbound; the return traffic from the Internet back to the internal PC is inbound.

Now, to permit outbound HTTP and FTP, regardless of what port is being specified, any inbound traffic would still be denied/blocked except the return traffic that is related to the outbound connection made by an internal user in the first place.

Gold

Re: Allow or not?

Usually no source port needs to be specified.

e.g.

access-list xxx permit tcp any any eq 80
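As an added illustration for this thread (written for this page; it is not any poster's code and not PIX software), the following Python model ties the replies above together: the access list applied to the inside interface, taken from the configuration Franco posted, matches on destination port only; a connection table admits return traffic the way the first reply describes, with no rule ever opening the client's ephemeral ports 1024-65535; and a simplified FTP fixup opens the port 20 data connection only after the port 21 control connection, as the FTP reply notes. Host X is replaced by the constructed address 10.1.1.5; the server and attacker addresses, the ephemeral ports, and the `Pix`, `Packet`, `parse_acl` and `demo` names are all assumptions of the example. NAT, timeouts and TCP sequence tracking are left out.

```python
"""Toy model of the PIX behaviour discussed in this thread (added example,
not PIX code): a destination-port-only ACL on the inside interface, a
stateful connection table for return traffic, and a simplified FTP fixup.
Addresses and ports below are constructed for the demonstration."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def parse_acl(lines):
    """Parse the subset of PIX 6.x syntax used in the thread:
    access-list NAME permit|deny PROTO SRC DST [eq PORT]
    with SRC/DST being 'any' or 'host A.B.C.D'.  'eq PORT' is the
    destination port; no source-port form is supported because, as the
    replies say, one is normally never specified."""
    rules = []
    for line in lines:
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list":
            continue  # blank lines, access-group, anything else
        action, proto, pos = tok[2], tok[3], 4
        ends = []
        for _ in range(2):  # source address, then destination address
            if tok[pos] == "any":
                ends.append(None)
                pos += 1
            elif tok[pos] == "host":
                ends.append(tok[pos + 1])
                pos += 2
            else:
                raise ValueError("unsupported address form: " + line)
        dport = int(tok[pos + 1]) if pos < len(tok) and tok[pos] == "eq" else None
        rules.append((action, proto, ends[0], ends[1], dport))
    return rules


class Pix:
    """Two interfaces, ACL on the inside, conn table, simplified FTP fixup."""

    def __init__(self, config_lines):
        self.rules = parse_acl(config_lines)
        self.conns = set()    # (proto, inside_ip, inside_port, outside_ip, outside_port)
        self.pending = set()  # inbound connections pre-authorised by the FTP fixup

    def _acl_permits(self, pkt):
        for action, proto, src, dst, dport in self.rules:
            if proto != pkt.proto:
                continue
            if src is not None and src != pkt.src_ip:
                continue
            if dst is not None and dst != pkt.dst_ip:
                continue
            if dport is not None and dport != pkt.dst_port:
                continue
            return action == "permit"  # first match wins
        return False  # implicit deny at the end of every ACL

    def from_inside(self, pkt):
        """Packet entering on the inside interface, heading out."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key in self.conns:
            return True  # later packet of an established connection
        if self._acl_permits(pkt):
            self.conns.add(key)  # first packet: create the connection entry
            return True
        return False

    def from_outside(self, pkt):
        """Packet entering on the outside interface, heading in.  No ACL here:
        only return traffic of an existing connection, or a connection the
        FTP fixup pre-opened, gets through."""
        key = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if key in self.conns:
            return True
        if key in self.pending:
            self.pending.discard(key)
            self.conns.add(key)
            return True
        return False

    def ftp_port_command(self, client_ip, client_ctl_port, server_ip, data_port):
        """Simplified fixup: having seen PORT on an existing port-21 control
        connection, allow the server to connect from port 20 to the client's
        announced data port.  Returns False if there is no control connection."""
        if ("tcp", client_ip, client_ctl_port, server_ip, 21) not in self.conns:
            return False
        self.pending.add(("tcp", client_ip, data_port, server_ip, 20))
        return True


# The configuration posted above, with host X made concrete (constructed address).
CONFIG = """
access-list outbound permit tcp host 10.1.1.5 any eq 80
access-list outbound permit tcp host 10.1.1.5 any eq 21
access-list outbound permit tcp host 10.1.1.5 any eq 20
access-group outbound in interface inside
""".splitlines()


def demo():
    """Run the scenarios from the thread; returns name -> permitted?"""
    pix = Pix(CONFIG)
    client, web, ftp, stranger = "10.1.1.5", "198.51.100.10", "198.51.100.20", "203.0.113.9"
    r = {}
    # Browser picks ephemeral source port 1025; the ACL only looks at dst port 80.
    r["http_out"] = pix.from_inside(Packet("tcp", client, 1025, web, 80))
    # The web server's reply matches the conn entry and comes back in ...
    r["http_return"] = pix.from_outside(Packet("tcp", web, 80, client, 1025))
    # ... but a stranger aiming at port 1025, even from source port 80, does not.
    r["unsolicited"] = pix.from_outside(Packet("tcp", stranger, 80, client, 1025))
    # Telnet outbound is not in the ACL: implicit deny.
    r["telnet_out"] = pix.from_inside(Packet("tcp", client, 1026, web, 23))
    # Active FTP: control on 21, then the fixup opens server:20 -> client:1028.
    r["ftp_ctl"] = pix.from_inside(Packet("tcp", client, 1027, ftp, 21))
    r["fixup"] = pix.ftp_port_command(client, 1027, ftp, 1028)
    r["ftp_data_in"] = pix.from_outside(Packet("tcp", ftp, 20, client, 1028))
    # No PORT command seen for 1029, so port 20 inbound stays shut there.
    r["ftp_data_cold"] = pix.from_outside(Packet("tcp", ftp, 20, client, 1029))
    return r


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:14s} {'permit' if allowed else 'deny'}")
```

Running it shows why the source-port field can stay at "any": the only inbound packets that pass are those answering a connection the inside host opened, plus the single data connection the fixup pre-authorised after seeing the PORT command.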

New Member

Re: Allow or not?

Hi guys,

Thanks so much for your replies. I'm using the ASDM GUI to configure my PIX. There is this source's service port; its default is "service port = any". So should I just leave it as you all mentioned before? There is no way I can just leave the thing blank.

Thanks.

Gold

Re: Allow or not?

Yes.

New Member

Re: Allow or not?

I see... thank you guys so much. It seems quite simple. Haha.
