Deny access from inside interface

Hi,

Been trying to set up an acl that blocks ports from the inside out using the following:

access-list 102 line 1 deny tcp 192.168.1.3-192.168.1.33 any gt 1024 log

access-list 102 in interface inside

I've used the following also:

access-list 102 line 2 deny tcp 192.168.1.3-192.168.1.33 range 1025 65535 log

access-list 102 in interface inside

I'm sure that I'm missing something here, possibly knowledge and know-how?

Please help.

Thanks

Reply to
facciabruta

I would do it as follows:

access-list 102 permit tcp any any established
access-list 102 permit tcp host 192.168.1.1 any
access-list 102 permit tcp host 192.168.1.2 any
access-list 102 permit tcp host 192.168.1.3 any
access-list 102 deny tcp 192.168.1.0 0.0.0.31 any gt 1024 log
access-list 102 deny tcp host 192.168.1.32 any gt 1024 log
access-list 102 deny tcp host 192.168.1.33 any gt 1024 log
access-list 102 permit ip any any

On the interface you want to apply it to:

ip access-group 102 in

I am assuming this is done on a Cisco IOS router.

Good luck, Dan

Reply to
dladen

I should have indicated this is on a PIX 501; would the syntax be the same?

Thanks

Reply to
facciabruta

object-group network RestrictedHosts
 network-object host 192.168.1.3
 network-object 192.168.1.4 255.255.255.252
 network-object 192.168.1.8 255.255.255.248
 network-object 192.168.1.16 255.255.255.240
 network-object 192.168.1.32 255.255.255.254

access-list 102 deny tcp object-group RestrictedHosts any gt 1024 log
access-list 102 permit ip any any

access-group 102 in interface inside

Reply to
Walter Roberson
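The object-group above works because the range 192.168.1.3-192.168.1.33 is split into the smallest set of netmask blocks that covers exactly those hosts. The following Python script is an added example (not posted in this thread) that derives those blocks with the standard library, emits them as PIX object-group lines and as the equivalent IOS wildcard-mask entries, and checks that nothing outside the intended range is caught; the group name and ACL number are taken from the thread, everything else is constructed.

```python
"""Derive PIX object-group / IOS ACL entries for a contiguous host range.

Added example: converts first..last host ranges (e.g. 192.168.1.3-192.168.1.33)
into netmask blocks and verifies that the blocks cover exactly those hosts.
"""
import ipaddress
from typing import List


def range_to_networks(first: str, last: str) -> List[ipaddress.IPv4Network]:
    """Minimal list of CIDR blocks covering first..last inclusive."""
    start = ipaddress.IPv4Address(first)
    end = ipaddress.IPv4Address(last)
    if end < start:
        raise ValueError("last address precedes first address")
    return list(ipaddress.summarize_address_range(start, end))


def pix_object_group(name: str, first: str, last: str) -> List[str]:
    """PIX object-group lines: 'host' for a /32, otherwise address + netmask."""
    lines = [f"object-group network {name}"]
    for net in range_to_networks(first, last):
        if net.prefixlen == 32:
            lines.append(f" network-object host {net.network_address}")
        else:
            lines.append(f" network-object {net.network_address} {net.netmask}")
    return lines


def ios_acl_denies(acl: str, first: str, last: str) -> List[str]:
    """Equivalent IOS extended ACL entries; IOS uses wildcard (inverse) masks."""
    lines = []
    for net in range_to_networks(first, last):
        if net.prefixlen == 32:
            src = f"host {net.network_address}"
        else:
            src = f"{net.network_address} {net.hostmask}"
        lines.append(f"access-list {acl} deny tcp {src} any gt 1024 log")
    return lines


def covers_exactly(first: str, last: str) -> bool:
    """True when the blocks contain every host in the range and no others."""
    covered = {h for n in range_to_networks(first, last) for h in n}
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    wanted = {lo + i for i in range(int(hi) - int(lo) + 1)}
    return covered == wanted


if __name__ == "__main__":
    print("\n".join(pix_object_group("RestrictedHosts", "192.168.1.3", "192.168.1.33")))
    print("\n".join(ios_acl_denies("102", "192.168.1.3", "192.168.1.33")))
```

Running it reproduces the five network-object lines from the post above; the coverage check is the part worth keeping around, since a hand-written mask that is one bit too wide (as with 192.168.1.0 0.0.0.31) silently includes hosts that were meant to stay permitted.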

Learn something new every day. I have never heard of the object-group prior to today.

Hopefully you are not hosting any resource to be accessed from the outside. The random client port will be blocked by the access list. I would not have a solution for this.

Reply to
dladen

It would have been useful to quote context. Most of the regular posters here do not use googlegroups as their newsreaders, so they cannot immediately see the previous messages.

In particular, your reply left out enough context to make it difficult for people to recognize that it is the Cisco PIX that is being discussed.

The Cisco PIX is a stateful firewall, not just a filter. When a new connection comes in from outside and an appropriate translation rule exists and the access lists permit the accesses, then the PIX will create the connection and automatically create a rule permitting the return traffic.

With the PIX, you could have a host that was open from the outside on all ports (permit ip any host WHATEVER) and which was not allowed to initiate new flows to the outside (deny ip host WHATEVER any), and that arrangement would not have any problems with return traffic, because the PIX knows to add and remove the appropriate dynamic rules.

Reply to
Walter Roberson
