Sorry, just a copy-paste mistake.


> access-list acl_in permit tcp 172.100.0.1 255.255.0.0 any eq www
> access-list acl_in permit tcp 172.100.0.1 255.255.0.0 any eq smtp
> access-list acl_in permit tcp 172.100.0.1 255.255.0.0 any eq ftp
> access-list acl_in deny tcp any any
> access-list acl_in deny udp any any
> access-group acl_in in interface inside

-----Original Message-----
From: MikeN [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 18, 2001 8:16 PM
To: [EMAIL PROTECTED]
Subject: Re: Ports with PIX Firewall [7:12625]


It is my understanding that the PIX parses an ACL from top to
bottom, the same as a router does. First match wins. Conduits look at
the entire list and then choose the best match. Based on this, the ACL
listed below will deny all TCP and UDP packets and therefore never even get
to the permit statements.

I would be very interested in hearing how this ACL works.

Thank you,
MikeN

""Farhan Ahmed""  wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
> just put
>
> access-list acl_in deny tcp any any
> access-list acl_in deny udp any any
> access-list acl_in permit tcp 172.100.0.1 255.255.0.0 any eq www
> access-list acl_in permit tcp 172.100.0.1 255.255.0.0 any eq smtp
> access-list acl_in permit tcp 172.100.0.1 255.255.0.0 any eq ftp
> access-group acl_in in interface inside
>
> let me know
>
> Building configuration...
> : Saved
> :
> PIX Version 6.0(1)
> nameif ethernet0 outside security0
> nameif ethernet1 inside security100
>
> enable password 2KFQnbNIdI.2KYOU encrypted
> passwd 2KFQnbNIdI.2KYOU encrypted
> hostname pixfirewall
> fixup protocol ftp 21
> fixup protocol http 80
> fixup protocol h323 1720
> fixup protocol rsh 514
> fixup protocol smtp 25
> fixup protocol sqlnet 1521
> fixup protocol sip 5060
> fixup protocol skinny 2000
> names
>
>
>
> access-list ping_acl permit icmp any any
> access-list ping_acl permit tcp any any eq www
> access-list ping_acl permit tcp any any
> access-list ping_acl permit udp any any
> access-list acl_out permit icmp any any
> access-list acl_out permit tcp any any eq www
> access-list acl_out permit tcp any any
> access-list acl_out permit udp any any
>
>
> pager lines 24
>
> interface ethernet0 100basetx
> interface ethernet1 100basetx
>
> mtu outside 1500
> mtu inside 1500
> mtu ndtv 1500
> ip address outside 172.110.0.2 255.255.0.0
> ip address inside 172.100.0.1 255.255.0.0
>
> ip audit info action alarm
> ip audit attack action alarm
> no failover
> failover timeout 0:00:00
> failover poll 15
> failover ip address outside 0.0.0.0
> failover ip address inside 0.0.0.0
>
> pdm history enable
> arp timeout 600
> global (outside) 1 202.196.214.40-202.196.214.45 netmask 255.255.255.224
> global (outside) 1 202.196.214.46
>
> nat (inside) 1 172.100.0.0 255.255.0.0 0 0
>
> access-group acl_out in interface outside
> access-group ping_acl in interface inside
>
> route outside 0.0.0.0 0.0.0.0 172.110.0.1 1
>
> timeout xlate 3:00:00
> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323
> 0:05:00 sip 0:30:00 sip_media 0:02:00
> timeout uauth 0:05:00 absolute
> aaa-server TACACS+ protocol tacacs+
> aaa-server RADIUS protocol radius
> no snmp-server location
> no snmp-server contact
> snmp-server community public
> no snmp-server enable traps
> no floodguard enable
> no sysopt route dnat
>
> telnet 172.100.0.0 255.255.0.0 inside
> telnet 172.120.0.0 255.255.0.0 inside
>
> telnet timeout 5
> ssh timeout 5
> terminal width 80
>  Cryptochecksum:b27e96cd58b6c27b71ff163898579460
> [OK]
>  pixfirewall#
> >  -----Original Message-----
> > From: Support [mailto:[EMAIL PROTECTED]]
> > Sent: Tuesday, July 17, 2001 2:54 PM
> > To: [EMAIL PROTECTED]
> > Subject: Ports with PIX Firewall
> >
> > Dear Farhan,
> >
> > This is my configuration.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=12835&t=12625
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
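An added example, not from the thread: a small Python model of the top-down, first-match ACL lookup MikeN describes, run over both acl_in orderings posted above. It assumes the implicit deny at the end of the list and that the PIX normalises a source of 172.100.0.1 255.255.0.0 to 172.100.0.0/16; the test addresses are constructed.

```python
import ipaddress

# Both orderings of acl_in as posted in the thread (constructed test input, copied from the emails).
ORIGINAL_ORDER = """
access-list acl_in deny tcp any any
access-list acl_in deny udp any any
access-list acl_in permit tcp 172.100.0.1 255.255.0.0 any eq www
access-list acl_in permit tcp 172.100.0.1 255.255.0.0 any eq smtp
access-list acl_in permit tcp 172.100.0.1 255.255.0.0 any eq ftp
"""
CORRECTED_ORDER = """
access-list acl_in permit tcp 172.100.0.1 255.255.0.0 any eq www
access-list acl_in permit tcp 172.100.0.1 255.255.0.0 any eq smtp
access-list acl_in permit tcp 172.100.0.1 255.255.0.0 any eq ftp
access-list acl_in deny tcp any any
access-list acl_in deny udp any any
"""
PORT_NAMES = {"www": 80, "smtp": 25, "ftp": 21}  # the service names used in this thread

def _take_addr(tokens):
    """Consume one address spec: 'any' or 'A.B.C.D MASK' (PIX netmask form, not wildcard)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    # strict=False normalises 172.100.0.1/255.255.0.0 to 172.100.0.0/16, as assumed PIX does
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse_ace(line):
    """access-list NAME ACTION PROTO SRC DST [eq PORT] -> dict with only the fields used here."""
    t = line.split()
    src, rest = _take_addr(t[4:])
    dst, rest = _take_addr(rest)
    port = None
    if rest[:1] == ["eq"]:
        port = PORT_NAMES.get(rest[1]) or int(rest[1])
    return {"action": t[2], "proto": t[3], "src": src, "dst": dst, "dport": port}

def evaluate(acl_text, proto, src, dst, dport):
    """Top-down, first-match lookup as the PIX does for ACLs; implicit deny if nothing matches."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for line in acl_text.strip().splitlines():
        ace = parse_ace(line)
        if ace["proto"] not in ("ip", proto):
            continue
        if src_ip not in ace["src"] or dst_ip not in ace["dst"]:
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"]  # first match wins; later lines are never consulted
    return "deny"  # implicit deny at the end of every ACL
```

With the original order the "deny tcp any any" line matches every TCP packet first, so the permit lines below it are dead; with the corrected order only www, smtp and ftp from 172.100.0.0/16 get through and everything else falls to the explicit or implicit deny.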