access-list

tony_ecmyy
Community Member

Hi all,

In my network, 192.168.1.9 through 192.168.1.29 are not allowed to use MSN Messenger, SMTP and FTP.

Is it correct if I configure the access-list like this, for example for the 192.168.1.10 PC:

access-list acl_in deny tcp host 192.168.1.10 any eq 1863

access-list acl_in deny tcp host 192.168.1.10 any eq 21

access-list acl_in deny tcp host 192.168.1.10 any eq 25

access-list acl_in deny udp host 192.168.1.10 any eq 1503

access-list acl_in deny udp host 192.168.1.10 any range 5004 65535

Then I apply

access-group acl_in in interface outside

but nothing happens.

Then I change to

access-group acl_in in interface inside

but the problem is that all the PCs in the network cannot access the Internet and the traffic stops altogether.

I already applied clear xlate, but the problem still occurs. Any help is highly appreciated.

Thanks a lot

Tonny

Accepted Solution

paddyxdoyle
Level 11

Hi,

You need to apply this access-list to your inside interface, as if you apply it to your outside interface it will only filter traffic coming into your PIX from the outside interface and not from the inside network to the outside, which is what you are trying to achieve.

The reason that all other traffic is being dropped is that access-lists on Cisco devices have an implicit "deny ip any any" rule at the bottom.

So all packets that are not specifically listed in an access-list will be dropped by the last invisible rule.

In your case, you need to add "permit ip any any" as your last access-list rule on acl_in. This will permit all *other* traffic that you haven't specifically blocked in your access-list acl_in to traverse the PIX from the inside interface to lower security level interfaces.

This is assuming you have the correct NAT statements etc. on your PIX.

HTH

Paddy

2 Replies


Tekmazter
Community Member

Just an FYI. Blocking port 1863 will not be enough to stop MSN Messenger on your network. You need to block availability to MSN login servers as well. messenger.msn.com I believe.
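The first-match and implicit-deny behaviour Paddy describes, and Tekmazter's point that a deny on port 1863 alone does not stop the Messenger login traffic, as an added Python example that is not part of the original thread. It parses the access-list lines from the question and evaluates sample packets against them, once as posted and once with "permit ip any any" appended. The 192.168.1.50 host, the 203.0.113.x destinations and the probe packets are constructed sample traffic, and the evaluator is a deliberate simplification of PIX semantics (destination ports only, no object-groups, no stateful return-traffic handling).

```python
"""Added example: a small first-match ACL evaluator with an implicit deny.

Not PIX code and not from the original thread; it only models the two
points the replies make: an unmatched packet is dropped by the invisible
"deny ip any any", and a port-based deny does not cover other ports.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Rule:
    action: str                        # "permit" or "deny"
    proto: str                         # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[Tuple[int, int]]   # inclusive destination-port range, None = any port


def _parse_addr(tokens: List[str], i: int):
    """Consume one address spec: 'any' | 'host A.B.C.D' | 'A.B.C.D NETMASK' (PIX netmask form)."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_rule(line: str) -> Rule:
    """Parse 'access-list NAME {permit|deny} PROTO SRC DST [eq N | range A B]'."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    action, proto = t[2], t[3]
    src, i = _parse_addr(t, 4)
    dst, i = _parse_addr(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":
        dport = (int(t[i + 1]), int(t[i + 1]))
    elif i < len(t) and t[i] == "range":
        dport = (int(t[i + 1]), int(t[i + 2]))
    return Rule(action, proto, src, dst, dport)


def parse_acl(text: str) -> List[Rule]:
    return [parse_rule(line) for line in text.strip().splitlines() if line.strip()]


def evaluate(acl: List[Rule], proto: str, src: str, dst: str, dport: int) -> str:
    """Check rules top to bottom; the first match decides, otherwise the implicit deny applies."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in acl:
        if r.proto not in ("ip", proto):
            continue
        if s not in r.src or d not in r.dst:
            continue
        if r.dport is not None and not (r.dport[0] <= dport <= r.dport[1]):
            continue
        return r.action
    return "deny"   # the invisible "deny ip any any" at the bottom of every access-list


# The access-list exactly as posted in the question.
ORIGINAL_ACL = """
access-list acl_in deny tcp host 192.168.1.10 any eq 1863
access-list acl_in deny tcp host 192.168.1.10 any eq 21
access-list acl_in deny tcp host 192.168.1.10 any eq 25
access-list acl_in deny udp host 192.168.1.10 any eq 1503
access-list acl_in deny udp host 192.168.1.10 any range 5004 65535
"""

# The same list with the explicit permit Paddy recommends as the last rule.
FIXED_ACL = ORIGINAL_ACL + "access-list acl_in permit ip any any\n"


def probe(acl_text: str) -> Dict[str, str]:
    """Evaluate constructed sample packets (inside -> outside) against an access-list."""
    acl = parse_acl(acl_text)
    return {
        "other_pc_http": evaluate(acl, "tcp", "192.168.1.50", "203.0.113.80", 80),
        "pc10_msn_1863": evaluate(acl, "tcp", "192.168.1.10", "203.0.113.80", 1863),
        "pc10_https":    evaluate(acl, "tcp", "192.168.1.10", "203.0.113.80", 443),
        "pc10_dns":      evaluate(acl, "udp", "192.168.1.10", "203.0.113.53", 53),
    }


if __name__ == "__main__":
    for label, text in (("as posted", ORIGINAL_ACL), ("with permit ip any any", FIXED_ACL)):
        print(f"acl_in {label}:")
        for name, verdict in probe(text).items():
            print(f"  {name:15} -> {verdict}")
```

With the list as posted every probe comes back "deny", including ordinary HTTP from a PC that is not mentioned in the list at all, which is the symptom Tonny saw after moving the access-group to the inside interface. With the permit appended, only the 1863 probe from 192.168.1.10 is dropped; the TCP/443 probe from the same host is still permitted, which is Tekmazter's point that a login to the Messenger servers over a web port is not stopped by the port-1863 deny alone.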