topic PIX 515E newbie question in Network Security

PIX 515E newbie question

pj_mtl — Fri, 21 Feb 2020 07:34:48 GMT

Hi,

I seem to be stuck with this issue. I scanned my firewall using www.grc.com. After the scan I seem to have a number of ports open aside from the ones that need to be open like 80 and 25. The port numbers that are currently open are 53,88,135,139,143,389,445,464,593,636,691,993,995,1026 & 1029. When I look at my config, I can`t seem to find anything that relates to those ports. I`d Like to close to ports, but I`m not sure if they are needed for the VPN. Here is a copy of my config. If anyone can point me in the right direction that would be greatly appreciated.

Thanks

Re: PIX 515E newbie question

piseli — Thu, 19 Aug 2004 16:49:07 GMT

Hi,

You have an access-list acl_out that allows any host to access your inside hosts with TCP. So you don't have any tcp protocol restriction.

access-list acl_out permit tcp any host x.y.3.54

access-list acl_out permit tcp any host x.y.3.53

static (inside,outside) X.X.X.X 192.168.0.2 netmask 255.255.255

static (inside,outside) X.X.X.X 192.168.0.83 netmask 255.255.25

Solution: You just have to create an access-list that filtere more specific.

example:

access-list acl-out permit udp any host MyPublicIPVPN eq isakmp

access-list acl-out permit esp any host MyPublicIPVPN

access-list acl-out permit ah any host MyPublicIPVPN

access-list acl_out permit tcp any host x.y.3.54 eq 80

access-list acl_out permit tcp any host x.y.3.54 eq 25

access-list acl_out permit tcp any host x.y.3.53 eq www

access-list acl_out permit tcp any host x.y.3.53 eq 25

The first 3 lines are for VPN, it allows all VPN Client to connect, the other 4 that follows are examples for smtp and www access-lists.

sincerly

Patrick

Re: PIX 515E newbie question

pj_mtl — Thu, 19 Aug 2004 17:19:34 GMT

So basically, if I understand this correctly, I`m basically wide open?

If I add the example you just gave me I should be fine? Or can I just remove the like access-list acl_out permit tcp any host x.y.3.54 ?

Thanks for your help

Re: PIX 515E newbie question

piseli — Thu, 19 Aug 2004 17:41:39 GMT

Yes, you are right you are wide open for anybody with TCP. The only limitation is your Servers security.

Yes you have to remove the old access-list lines but add the new ones before and after that remove the old ones with a NO statment:

no access-list acl_out permit tcp any host x.y.3.54

no access-list acl_out permit tcp any host x.y.3.53

sincerly

Patrick

Re: PIX 515E newbie question

pj_mtl — Tue, 24 Aug 2004 13:50:52 GMT

Thanks for you help Patrick.