Cisco Support Community
Community Member

Best practices for blocking ports?

So with the ever increasing number of ports that I would like to block from my students, I'm wondering if there is a way to block all, then only allow the ones that are necessary. I'm fairly new to this, so forgive me if this idea is really stupid.

Right now I have way too long of an access list on my router (really hurting performance), and I would like to block on my PIX 515 instead.

Thanks, Laura

2 REPLIES

Re: Best practices for blocking ports?

Yes, permit only what you want and deny the rest. Remember, access lists are read top to bottom. Place the permits at the beginning and the deny at the end. And yes, offload that work to your PIX. The PIX will by default deny all inbound traffic from a lower-security interface to a higher-security interface that is not specifically permitted (and logs it by default).

e.g. access-list permit tcp any any eq 80

access-list permit tcp any any eq 25

access-list permit tcp any any eq 21

access-list deny ip any any (not necessary to add, but add it anyway; also, you may want to add "log" at the end if on a router).

Hope it helps.

Steve
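As an added example, not part of Steve's reply, the permit-then-deny pattern written out as a complete PIX 6.x access list and bound to the interface with access-group. Since the question is about restricting students, the list is applied to traffic entering the firewall on the inside interface (traffic from a higher-security to a lower-security interface is permitted by default, so that direction needs an explicit list); the name inside_out, the student network 10.1.0.0/16 and the DNS server 10.1.0.5 are assumptions.

```cisco
: Constructed example (not from the original thread). Assumed names and
: addresses: ACL "inside_out", student LAN 10.1.0.0/16, DNS server 10.1.0.5.
: First match wins, so every permit must come before the final deny.
access-list inside_out permit tcp 10.1.0.0 255.255.0.0 any eq 80
access-list inside_out permit tcp 10.1.0.0 255.255.0.0 any eq 443
access-list inside_out permit udp 10.1.0.0 255.255.0.0 host 10.1.0.5 eq 53
: Explicit catch-all deny; the "log" keyword on an ACE needs PIX 6.3 or later
: (denies are still logged via syslog 106023 without it).
access-list inside_out deny ip any any log
: Bind the list to the direction in which student traffic reaches the PIX.
access-group inside_out in interface inside
```

Verify with "show access-list inside_out": the hit counters should climb on the permit entries for normal use and on the deny entry for everything else, which is the quickest way to spot a needed port that was left off the list.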

Community Member

Re: Best practices for blocking ports?

Wonderful.... I was hoping I was on the right track...

Thanks so much for your help, Steve.
