PIX 515 - Open all ports except a few

Hello. Is there a way I can open all ports to a particular IP except ports 25 and 110? I know the command "access-list outside_in permit ip any host 209.x.y.z" will open all ports. I would like to open all ports to this IP except for 25 and 110. Is this possible? Thanks.
Reply to
Corbin O'Reilly

access-list outside_in deny tcp any host 209.x.y.z eq 25
access-list outside_in deny tcp any host 209.x.y.z eq 110
access-list outside_in permit ip any host 209.x.y.z

Reply to
Walter Roberson

So the deny lines have to go before permit line in the config?

Reply to
Corbin O'Reilly

Yes, ACLs are read from top to bottom.

Reply to
Artie Lange

This seems just to be true for TCP?

(but i didn't really understand the origin question)

Is it possible to set it like: order deny -> allow for host w.x.y.z - allow all - deny 25 - deny 10

like on many other firewalls?

Niels.

Reply to
Niels Dettenbach

Any device that lets you define rule sets to control what's permitted has a specified syntax for how you define it and corresponding semantics for how it operates.

Some are first match wins, some are last match wins, some might allow you to specify which way you prefer it.

Cisco tends to be in the first match wins category.

Reply to
Rod Dorman

Correct, that will block only tcp ports 25 and 110 and will permit everything else through (providing there is a corresponding address translation.) I did make an assumption in my answer: the original poster mentioned only ports "25" and "110" and did not specify whether they meant tcp or udp, but TCP 25 and TCP 110 are *much* more common than UDP 25 or UDP 110.

Not on a PIX or ASA or under IOS: access lists on those devices are always read top to bottom. (There are -some- aspects of the PIX for which the order is irrelevant; those are described in the documentation of the 'static' command.)

Reply to
Walter Roberson
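The following is an added example, not code from the thread or from Cisco: a small evaluator that replays the posted access-list under first-match semantics (what Rod and Walter describe for PIX/ASA/IOS, including the implicit deny at the end of every access-list) and, for contrast, under last-match semantics (the behaviour Niels was asking about). The host 203.0.113.5 and the source address 198.51.100.7 are constructed placeholders for the poster's 209.x.y.z and the sample traffic; the parser only handles the "access-list NAME permit|deny PROTO SRC DST [eq PORT]" subset used here.

```python
"""Replay of the PIX ACL from the thread under first-match and last-match
semantics. Added example for illustration, not code from the thread.
203.0.113.5 is a constructed placeholder for the poster's 209.x.y.z."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    proto: str             # "ip", "tcp" or "udp"
    src: str               # CIDR network
    dst: str               # CIDR network
    dport: Optional[int]   # None = any destination port (no "eq" clause)


def _addr(tok, i):
    """Consume one PIX address spec: 'any', 'host A', or 'A MASK'."""
    if tok[i] == "any":
        return "0.0.0.0/0", i + 1
    if tok[i] == "host":
        return tok[i + 1] + "/32", i + 2
    return str(ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False)), i + 2


def parse_acl(text):
    """Parse 'access-list NAME permit|deny PROTO SRC DST [eq PORT]' lines."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] != "access-list":
            continue
        src, i = _addr(tok, 4)
        dst, i = _addr(tok, i)
        dport = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
        rules.append(Rule(tok[2], tok[3], src, dst, dport))
    return rules


def evaluate(rules, proto, src, dst, dport=None, first_match=True):
    """Return the action for one packet. first_match=True models PIX/ASA/IOS
    (top to bottom, first hit wins, implicit deny when nothing matches);
    False models a last-match-wins device, where a later rule overrides."""
    decision = "deny"  # implicit deny at the end of every access-list
    for r in rules:
        if r.proto != "ip" and r.proto != proto:
            continue
        if ip_address(src) not in ip_network(r.src) or ip_address(dst) not in ip_network(r.dst):
            continue
        if r.dport is not None and r.dport != dport:
            continue
        if first_match:
            return r.action
        decision = r.action
    return decision


# The ordering posted in the thread: specific denies before the broad permit.
ACL_DENY_FIRST = """
access-list outside_in deny tcp any host 203.0.113.5 eq 25
access-list outside_in deny tcp any host 203.0.113.5 eq 110
access-list outside_in permit ip any host 203.0.113.5
"""

# The ordering Niels asked about: permit all, then deny 25 and 110.
ACL_PERMIT_FIRST = """
access-list outside_in permit ip any host 203.0.113.5
access-list outside_in deny tcp any host 203.0.113.5 eq 25
access-list outside_in deny tcp any host 203.0.113.5 eq 110
"""


def check(acl_text, first_match=True):
    """Run constructed sample packets through the ACL; returns {label: action}."""
    rules = parse_acl(acl_text)
    packets = {  # (proto, src, dst, dport); constructed sample traffic
        "tcp/25": ("tcp", "198.51.100.7", "203.0.113.5", 25),
        "tcp/110": ("tcp", "198.51.100.7", "203.0.113.5", 110),
        "tcp/443": ("tcp", "198.51.100.7", "203.0.113.5", 443),
        "udp/110": ("udp", "198.51.100.7", "203.0.113.5", 110),
        "tcp/25 other host": ("tcp", "198.51.100.7", "203.0.113.6", 25),
    }
    return {name: evaluate(rules, *pkt, first_match=first_match) for name, pkt in packets.items()}


if __name__ == "__main__":
    print("denies first (first-match):", check(ACL_DENY_FIRST))
    print("permit first (first-match):", check(ACL_PERMIT_FIRST))
    print("permit first (last-match): ", check(ACL_PERMIT_FIRST, first_match=False))
```

Under first-match the "permit first" ordering never reaches the deny lines, so TCP 25 and 110 sail through; only on a last-match device does that ordering give the intended result. The udp/110 entry also shows Walter's caveat: the deny lines are TCP-only, so UDP 110 is still permitted by the "permit ip" line.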

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.