Cisco Support Community
New Member

Outbound access from PIX515

Need to allow outbound access *only* on a PIX 515. I have read about ACLs, access groups, etc., etc. I am confused as to which is best to make sure there are no security leaks.

example:

server nic 1 - 10.1.30.38

server nic 2 - 10.1.30.39

pix - outside x.x.81.254

port needed for outbound: 9001

What is the correct syntax for setting up an outbound ACL (or access group) to open *only* this port outbound?

Any help is appreciated.

3 REPLIES
Gold

Re: Outbound access from PIX515

Hi Terry -

If you want an outbound ACL just for the specified port (9001) then you'd do the following:

You need to create an ACL on the inside interface, i.e.

> access-list inside permit tcp host any eq 9001

Now configure the above ACL to the inside interface with the following:

> access-group inside in interface inside

The above ACL will only allow outbound traffic for port 9001. The best way to write an ACL would be in a text editor (Notepad) as follows:

no access-list inside

access-list inside permit tcp host any eq 9001

access-group inside in interface inside

...then copy the above and, in config mode on the PIX, paste it back in. Make sure to do wr m (write memory) and that should do it. Also it would be good to use a static IP address for the inside host rather than a dynamic IP address (DHCP IP address).

Of course I don't really know which PIX IOS you are running, but if you are running PIX IOS version 6.0+ then the above should be okay.

Hope this helps -

New Member

Re: Outbound access from PIX515

The access-list is not accurate; it should be:

access-list inside permit tcp host eq 9001 any

But the right answer is:

access-list inside deny ip any any

Gold

Re: Outbound access from PIX515

Okay David -

Yes, I forgot to add the ACL line > access-list inside deny ip any any

Thanks for the observation -

Jay.
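Putting the three replies together, here is the complete PIX OS 6.x configuration for the addresses given in the question. This is an added example, not a config posted by anyone in the thread. It assumes the port 9001 service is TCP (the question does not say, both replies assumed it), that both server NICs need the access, and that nat/global for the inside network is already in place. Note the position of `eq 9001`: placed after the destination it matches the destination port; placed after the source it would match the source port instead, which is not what was asked for.

```text
! Added example for the thread above; PIX OS 6.x syntax.
! Assumptions: TCP/9001, both server NICs, nat/global already configured.

! Clear any old ACL of the same name so stale lines cannot survive the paste.
no access-list inside

! Permit only the two server addresses, only to TCP destination port 9001.
access-list inside permit tcp host 10.1.30.38 any eq 9001
access-list inside permit tcp host 10.1.30.39 any eq 9001

! Explicit catch-all deny. An applied PIX ACL already ends in an implicit
! deny, so this line does not change behaviour, but it documents the policy
! and gives "show access-list" a visible hit counter for dropped traffic.
access-list inside deny ip any any

! Bind the ACL to traffic entering the inside interface (inside -> outside).
access-group inside in interface inside

write memory
```

Two checks a practitioner would do after pasting this in: `show access-list inside` lists each line with its hit count, so generate a test connection from 10.1.30.38 and confirm the permit line increments rather than the deny; and remember that once this ACL is applied, every other host on the inside network also loses outbound access, including any DNS lookups the servers might need to reach the 9001 destination, so each additional required service needs its own permit line above the deny.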
