
PIX 515E Access-List 1

Status
Not open for further replies.

T3st1ng

MIS
Apr 11, 2005
34
US
Inexperienced with the PIX - how do I allow incoming and outgoing traffic on a specific port, i.e. 5000?
 
access-list ACLName (permit or deny) (tcp or udp) RemoteAddress RemoteMask DestinationAddress DestinationMask eq PortNumber

If your outside interface is 201.36.25.1 and you want to allow traffic from anyone to access TCP port 5000 then the acl statement would read:

access-list 100 permit tcp any host 201.36.25.1 eq 5000

For UDP 5000:

access-list 100 permit udp any host 201.36.25.1 eq 5000

Note: "any" is a keyword meaning 0.0.0.0 0.0.0.0, i.e. any address. "host" is a keyword meaning a mask of 255.255.255.255, but it is placed in front of the IP it references instead of behind it.

If you wanted to only allow traffic from 200.20.2.0/24 to access those ports, the ACL statements would read:

access-list 100 permit tcp 200.20.2.0 255.255.255.0 host 201.36.25.1 eq 5000
access-list 100 permit udp 200.20.2.0 255.255.255.0 host 201.36.25.1 eq 5000

Now you also must add the statement

access-group 100 in interface outside

Or it won't work.

What's ADD again?
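A small model of the behaviour described in the answer above (first-match evaluation, the implicit deny at the end, "any" and "host" expanding to masks, and the ACL doing nothing until access-group binds it to the interface), written as an added Python example rather than code from the thread; the service-name table and the sample config are constructed, reusing the addresses from the post:

```python
import ipaddress
import re
PORT_NAMES = {"pptp": 1723}  # PIX accepts service names in place of numbers

def _parse_addr(tokens, i):
    """Consume one address spec at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":                 # 'any' means 0.0.0.0 0.0.0.0
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":                # 'host' means a 255.255.255.255 mask
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # PIX takes a real subnet mask here, not an IOS-style wildcard mask.
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2

def parse_ace(line):
    """Parse one ACE; return None for non-ACE lines such as 'access-list 100; 5 elements'."""
    tokens = line.split()
    if len(tokens) < 5 or tokens[0] != "access-list" or ";" in line:
        return None
    i = 4 if tokens[2] == "line" else 2    # 'show access-list' numbers each entry
    action, proto = tokens[i], tokens[i + 1]
    src, i = _parse_addr(tokens, i + 2)
    dst, i = _parse_addr(tokens, i)
    port = None
    if i < len(tokens) and tokens[i] == "eq":
        port = int(tokens[i + 1]) if tokens[i + 1].isdigit() else PORT_NAMES[tokens[i + 1]]
    return {"acl": tokens[1], "action": action, "proto": proto,
            "src": src, "dst": dst, "dport": port}

def evaluate(config, proto, src_ip, dst_ip, dport):
    """Decide inbound traffic on 'outside': only the ACL bound by access-group
    is consulted, the first matching ACE wins, anything unmatched is denied."""
    bound = re.search(r"access-group (\S+) in int\w* outside", config)
    if not bound:
        return "deny"                      # ACL never applied: it does nothing
    for line in config.splitlines():
        ace = parse_ace(line.strip())
        if not ace or ace["acl"] != bound.group(1) or ace["proto"] != proto:
            continue
        if (ipaddress.ip_address(src_ip) in ace["src"]
                and ipaddress.ip_address(dst_ip) in ace["dst"]
                and ace["dport"] in (None, dport)):
            return ace["action"]
    return "deny"
# Constructed config using the addresses from the thread above.
CONFIG = """
access-list 100 permit tcp 200.20.2.0 255.255.255.0 host 201.36.25.1 eq 5000
access-list 100 permit udp 200.20.2.0 255.255.255.0 host 201.36.25.1 eq 5000
access-group 100 in interface outside
"""
```

Removing the access-group line from CONFIG makes every evaluation return "deny", which is the symptom of forgetting to apply the list.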
 
What if I want to allow traffic in and out on those ports?
Would I still use the access-group 100 in interface outside command?
 
Yes, you still must apply the ACL to the interface.

Chris.

**********************
Chris A.C, CCNA, CCSA
**********************
 
On the PIX, outbound traffic is allowed by default. You have to create ACL rules to allow inbound.

What's ADD again?
 


I created an ACL based on the info above to allow traffic on 10000 and 1723, but it does not appear to be working. When I type sh access-li I do not see any hit counts for the new list I created, nor can I connect to the VPN.

In addition, when I type "sh config" I can see my other access-lists in the list, but not the new one I created.

Here is the access list I created:

access-list 100; 5 elements
access-list 100 line 1 permit tcp any any eq 10000
access-list 100 line 2 permit tcp any any eq pptp
access-list 100 line 3 permit udp any any eq 1723
access-list 100 line 4 permit udp any any eq 10000
access-list 100 line 5 permit tcp host XXX.XXX.XXX.XXX any


(Please note that the X's are replacing the Remote VPN IP Address, and I added that only after the first four lines did not work)

After I created the access list, I entered the following to apply it:

access-group 100 in int outside


Any ideas?

 
What exactly are you trying to do? Is this traffic destined for a particular inside device? If it is, you need a static mapping as well.

You mention a VPN. Where does that come into play? An access-list applied to the outside interface will not affect VPN traffic--it bypasses it.

Why don't you post your entire config (minus the sensitive data) and give a detailed explanation of what you are trying to accomplish?

If you didn't write to memory, then you can reboot and the changes will be gone.

Thanks
Roland

What's ADD again?
 