access list commands 1

[cahelmster]

What access-list command should I use to restrict a host from everything but web traffic? Should I permit all and then deny everything but www, or deny all but

http://www up

front?

Also, is it possible to use "ip" as a protocol in the command and restrict ports at the same time? I can't seem to get a command with "ip" to take unless I say "any" for port.

Thanks for all responses!

 

[yizhar]

HI.

If you have pix ver 6.xx and above, I recommend using PDM for access-list management.

The IP protocol has no port (only ip protocols).
To specify TCP ports, use TCP in your access list.

Here is an example to limit host 10.0.0.5:

access-list frominside permit tcp host 10.0.0.5 any eq 80
access-list frominside deny ip host 10.0.0.5 any
access-list frominside permit ip any any
access-group frominside in interface insdie

Bye
Yizhar Hurwitz

http://come.to/yizhar

http://teachers.sivan.co.il/yizhar

 

[cahelmster]

I have version 5.2(6). How difficult is it to upgrade to 6.x?

On the access-lists, do I follow the complete example you gave me? It seems that the deny statement would reverse the first permit statement..

Thanks

 

[yizhar]

HI.

It's easy to upgrade - you just need to get the files,
and it might cost you.
You will also need the DES activation key to use PDM -
you can get this from your CISCO reseller (this should not cost you).

access list in CISCO devices are parsed from top to bottom until a match is found. The second line will only deny traffic that the first line isn't matching.

Bye
Yizhar Hurwitz

http://come.to/yizhar

http://teachers.sivan.co.il/yizhar

 

[cahelmster]

Thanks for your responses...

One more question...

Is there anyway to permit http traffic but disable file downloads from web sites and such?

Thanks