Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
241
Views
0
Helpful
1
Replies

PIX and ISDN connection filters

sgozio
Level 1
Level 1

‎08-05-2003 07:52 AM - edited ‎02-20-2020 10:54 PM

Hi all.

This is my PIX configuration, I need deny all not interesting traffic like UDP 137 - UDP 138 - TCP 139.

I try to do it but when I add deny access-list role the ICMP traffic doesn't work.

I need to add this role on PIX.

PIX Version 6.3(2)

interface ethernet0 auto

interface ethernet1 auto

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password xxxx encrypted

passwd yyyy encrypted

hostname PIX

domain-name cisco.com

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

access-list outside permit icmp any any echo-reply

pager lines 24

logging on

mtu outside 1500

mtu inside 1500

ip address outside 172.16.10.2 255.255.255.0

ip address inside 192.168.1.254 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

pdm location 192.168.1.0 255.255.255.0 inside

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

access-group outside in interface outside

route outside 0.0.0.0 0.0.0.0 172.16.10.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

telnet 192.168.1.0 255.255.255.0 inside

telnet timeout 5

ssh timeout 5

console timeout 0

terminal width 80

Tks to all.

0 Helpful
1 Reply 1

yusuff
Cisco Employee
Cisco Employee

‎08-10-2003 05:13 PM

You ACL should look like this;

access-list outside deny tcp any any eq 137

access-list outside deny udp any any eq 137

access-list outside deny tcp any any eq 138

access-list outside deny udp any any eq 138

access-list outside deny tcp any any eq 139

access-list outside deny ucp any any eq 139

access-list outside permit icmp any any echo-reply

Apply the ACL to outside interface;

access-list outside in interface inside.

Hope that helps.

Regards

Yusuf

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card