
what's wrong with my configuration


kse

IS-IT--Management
Apr 19, 2002
Hi everyone,

The following are the access-lists in my PIX 501 firewall, and they are working OK:

access-list 101 permit tcp any host xx.xx.xx.xx eq pop3

access-list 101 permit tcp any host xx.xx.xx.xx eq smtp

access-list 101 permit tcp any host xx.xx.xx.xx eq www

access-list 101 permit tcp any host xx.xx.xx.xx eq 443

access-group 101 in interface outside

Now I want to block MS Messenger so that my staff can't use it. What I did is I added the following:

access-list 101 deny tcp any any eq 1863

access-group 101 in interface inside

After that no one has access to the internet; when I remove the access-list that I added, I get the internet back.

What's wrong in my configuration? Can anyone help?

Thanks
 
An access-list, when applied, denies all traffic by default if none of the rules match. To deny traffic to that port, yet allow everything else through, you can use the following access-list:
access-list 101 deny tcp any any eq 1863
access-list 101 permit ip any any

It is important that the two lines are in the above order as access-lists match from the top down.
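As an added illustration (not code from the thread or from Cisco), the following Python simulates the PIX access-list semantics tbissett describes: entries are checked top down, the first match wins, and anything unmatched hits the implicit deny. The ACL id 102, the port-name table and the destination addresses are constructed for the demo.

```python
# Added example, not from the thread: a small simulator of the PIX 6.x
# access-list semantics described above (first match wins, implicit deny
# at the end) showing why a lone 'deny ... eq 1863' blocks everything.
PORT_NAMES = {"pop3": 110, "smtp": 25, "www": 80, "irc": 194}  # constructed table

def parse_ace(line):
    """Parse 'access-list <id> permit|deny <proto> any (any|host <ip>) [eq <port>]'."""
    tok = line.split()
    ace = {"action": tok[2], "proto": tok[3], "dst": "any", "dport": None}
    i = 5                                  # token after the source 'any'
    if tok[i] == "host":
        ace["dst"], i = tok[i + 1], i + 2
    else:
        i += 1
    if i < len(tok) and tok[i] == "eq":
        name = tok[i + 1]
        ace["dport"] = int(name) if name.isdigit() else PORT_NAMES[name]
    return ace

def covers(a, b):
    """True if entry a matches every packet that entry (or packet) b matches."""
    return (a["proto"] in ("ip", b["proto"]) and a["dst"] in ("any", b["dst"])
            and a["dport"] in (None, b["dport"]))

def evaluate(acl_lines, proto, dst, dport):
    """Action of the first matching entry, else the PIX implicit deny."""
    pkt = {"proto": proto, "dst": dst, "dport": dport}
    for line in acl_lines:
        ace = parse_ace(line)
        if covers(ace, pkt):
            return ace["action"]
    return "deny (implicit)"

def shadowed(acl_lines):
    """Indexes of entries that can never match because an earlier entry covers them."""
    aces = [parse_ace(l) for l in acl_lines]
    return [i for i, a in enumerate(aces) if any(covers(b, a) for b in aces[:i])]

# Candidate inside ACLs; the destination addresses below are constructed.
BROKEN = ["access-list 102 deny tcp any any eq 1863"]
FIXED = BROKEN + ["access-list 102 permit ip any any"]
WRONG_ORDER = FIXED[::-1]

if __name__ == "__main__":
    for name, acl in (("BROKEN", BROKEN), ("FIXED", FIXED), ("WRONG_ORDER", WRONG_ORDER)):
        print(name, "web:", evaluate(acl, "tcp", "198.51.100.7", 80),
              "messenger:", evaluate(acl, "tcp", "203.0.113.10", 1863),
              "shadowed:", shadowed(acl))
```

BROKEN denies web traffic through the implicit deny, FIXED permits web and denies port 1863, and WRONG_ORDER reports the deny entry as shadowed, which is the ordering point made above.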
 
I agree with the post above

Another thing looks funny to me.

Are you trying to apply access-list 101 to the inside interface?

If so, why?

Correct me if I am wrong, but you can only apply access groups to one interface, inside or outside.

In my experience you should be applying access lists to the outside interface.

It would help if you post more of your config.


 
No, you can actually have an acl on each interface, but you shouldn't use the same one for both interfaces. You should create another one for the inside interface.

Jan
 
Thanks to all of you

tbissett, thanks for the tip, I'll try that.

Br0ck, I agree with dopehead, yes you can do it; I don't want my staff (inside) to use MS Messenger.

dopehead, I think you are right, I have to give a different acl to the inside interface. I think that's what I missed; if this doesn't work I'll try tbissett's way.

thanks guys
 
tbissett, I added the access-list as you mentioned, and still my internet connection goes off.

dopehead, I did what you said but no effect. How can I do it? What I did: I created a new access-list for inside, then I applied it to the interface using access-group, but no effect.
 
Hi Friends,
Some basics about ACLs; you can correct me if I am wrong.
There can be only one access-list per protocol per interface.
You can apply access-lists on the outside and inside interface as well. It all depends on whether the nature of the traffic is inbound or outbound.
Since the access-lists follow the restrictive policy (anything not permitted is denied by default), in the above scenario the traffic is getting blocked.
access-list 101 permit ip any any
will be correct.
YOU CANNOT APPLY THE SAME ACCESS-LIST TO THE OUTSIDE AS WELL AS THE INSIDE INTERFACE USING THE ACCESS GROUP COMMAND. That will be fundamentally incorrect.

I hope that helps.

Have fun

Blackbug
 
Blackbug, what I did: I created a different access-list for inside and then I applied access-group to it, but it didn't work.

After I denied tcp connections to 1836 I added access-list 101 permit ip any any, but it didn't work. This was done before I tried the other solution, which is creating a different access-list for inside.
How can I do it?
Thanks for your help.
 
So how does the config look now after all these changes?
I am having problems understanding exactly what your config looks like now, so please post the actual config, not the commands you entered, since there might be differences between the two.

Jan
 
Here you go dopehead, this is my current configuration.
I removed the access-list that you mentioned and also tbissett's.

PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100

enable password UbkFu0mKzcASmjyx encrypted
passwd UbkFu0mKzcASmjyx encrypted
hostname xxxxxxx
domain-name ciscopix.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
fixup protocol h323 1720
names
name 192.168.11.2 Exchange-Server

access-list 101 permit tcp any host x.x.x.x eq pop3
access-list 101 permit tcp any host x.x.x.x eq smtp
access-list 101 permit tcp any host x.x.x.x eq www

access-list 101 deny tcp any any eq irc
access-list 101 deny tcp any host x.x.x.x eq 1137
access-list 101 deny tcp any any eq 443

logging on
logging timestamp
logging buffered informational
logging trap informational
logging host inside Exchange-Server
interface ethernet0 auto
interface ethernet1 auto

mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside x.x.x.x 255.255.255.128
ip address inside 192.168.11.1 255.255.255.0

ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address intf2 0.0.0.0

pdm location Exchange-Server 255.255.255.255 inside

pdm location x.x.x.x 255.255.255.255 outside
pdm logging debugging 100
pdm history enable
arp timeout 14400
global (outside) 1 x.x.x.x-x.x.x.x
global (outside) 1 x.x.x.x
nat (inside) 1 192.168.11.0 255.255.255.0 0 0
static (inside,outside) x.x.x.x Exchange-Server netmask 255.255.255.255 0
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
filter java 80 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
filter activex 80 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
http server enable

no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
 