
RE: Dumb Dumb Question

Subject: RE: Dumb Dumb Question
Date: Thu, 13 Jan 2005 07:18:59 -0500
Hi Brad,

One suggestion would be to put a specific "access-list 101 deny ip any any
log" as the very last line.  Then look at the logs on the router (ensure you
have logging monitor set to level 6 or 7) and console in or else telnet in
and do a term monitor.

Thanks,

Ian
www.ccie4u.com <http://www.ccie4u.com>

-----Original Message-----
From: Brad Davenport [mailto:BDavenport@egisticsinc.com]
Sent: Wednesday, January 12, 2005 12:14 PM
To: firewalls@securityfocus.com
Subject: Dumb Dumb Question



Ok,

I am having a hell of a time with some ACLs on a border device attached to
our LAN.

I have a PIX which I am offloading some processing to a 2600 from. I need
the ACLs which would allow MSN Messenger access to the LAN as well as file
sharing. However, I have hunted down all the known ports for MSN and even
with the ACL applied I get immediate logouts from the clients when the ACL
is applied.

Take a look and see if perhaps I am missing something.

Thanks,

These deny statements are just in the interest of keeping port scans from
hitting my FW.

access-list 101 deny   tcp any any eq 135
access-list 101 deny   tcp any any eq 139
access-list 101 deny   tcp any any eq 445
access-list 101 deny   tcp any any range 3127 3198
access-list 101 deny   tcp any any eq 4899
access-list 101 permit ip host my.pub.ip. any
access-list 101 permit ip host my.pub.ip. any
access-list 101 permit ip host my.pub.ip. any
access-list 101 permit esp any any
access-list 101 permit gre any any
access-list 101 permit ahp any any
access-list 101 permit icmp any any
access-list 101 permit tcp any any eq 1023
access-list 101 permit udp any any eq 1701
access-list 101 permit tcp any any eq 1701
access-list 101 permit udp any any eq 1723
access-list 101 permit tcp any any eq 1723
access-list 101 permit tcp any any eq ftp
access-list 101 permit tcp any any eq 22
access-list 101 permit tcp any any eq telnet
access-list 101 permit tcp any any eq www
access-list 101 permit udp any any eq 47
access-list 101 permit udp any any eq domain
access-list 101 permit udp any any eq 92
access-list 101 permit tcp any any eq 443
access-list 101 permit udp any any eq isakmp
access-list 101 permit udp any any eq 990
access-list 101 permit tcp any any eq 990
access-list 101 permit udp any any eq non500-isakmp
access-list 101 permit udp any any eq 10000
access-list 101 permit tcp any any eq 10000
access-list 101 permit udp any any eq 62515
access-list 101 permit udp any any eq 2070
access-list 101 permit tcp any any eq 2070
access-list 101 permit udp any any eq 2797
access-list 101 permit tcp any any eq 2797

BJD

Brad Davenport, Director
Network Services
eGistics Inc.
www.egisticsinc.com <http://www.egisticsinc.com>
bdavenport@egisticsinc.com <mailto:bdavenport@egisticsinc.com>
972-851-3131
214-995-5629

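Added example, not from either poster: a small Python script that summarises what the explicit "access-list 101 deny ip any any log" entry Ian suggests would write to the router log, so the denied protocol/port pairs can be compared against the permit lines in the ACL. The log lines below are constructed samples in the IOS %SEC-6-IPACCESSLOGP / IPACCESSLOGNP format; the hosts and ports in them are made up.

```python
import re
from collections import Counter

# Constructed sample of what a logging "deny ip any any" entry produces on the
# router console/monitor; addresses and ports are invented for the example.
SAMPLE_LOG = """\
Jan 13 07:20:01: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.10(3421) -> 198.51.100.7(1863), 1 packet
Jan 13 07:20:03: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.10(3422) -> 198.51.100.7(1863), 4 packets
Jan 13 07:20:05: %SEC-6-IPACCESSLOGP: list 101 denied udp 203.0.113.44(5000) -> 198.51.100.7(7001), 2 packets
Jan 13 07:20:09: %SEC-6-IPACCESSLOGNP: list 101 denied 50 203.0.113.9 -> 198.51.100.7, 1 packet
Jan 13 07:20:12: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 203.0.113.10(3425) -> 198.51.100.7(80), 1 packet
"""

# TCP/UDP hits carry source and destination ports in parentheses.
LOGP = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>denied|permitted) "
    r"(?P<proto>tcp|udp) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)
# Other IP protocols (ESP = 50, GRE = 47, ...) are logged by protocol number, no ports.
LOGNP = re.compile(
    r"%SEC-6-IPACCESSLOGNP: list (?P<acl>\S+) (?P<action>denied|permitted) "
    r"(?P<proto>\d+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+), (?P<count>\d+) packets?"
)

def denied_summary(log_text, acl="101"):
    """Count packets denied by `acl`, keyed by (protocol, destination port).
    Protocols without ports are keyed by their IP protocol number and port None."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOGP.search(line) or LOGNP.search(line)
        if not m:
            continue
        gd = m.groupdict()
        if gd["acl"] != acl or gd["action"] != "denied":
            continue
        dport = int(gd["dport"]) if gd.get("dport") else None
        hits[(gd["proto"], dport)] += int(gd["count"])
    return hits

def missing_permits(log_text, acl="101"):
    """Denied (protocol, port) pairs, most-hit first: what the ACL has no permit for."""
    return denied_summary(log_text, acl).most_common()

if __name__ == "__main__":
    for (proto, dport), n in missing_permits(SAMPLE_LOG):
        port = dport if dport is not None else "-"
        print(f"{proto:>4} dst port {port:>5}: {n} packets denied")
```

Whatever shows up at the top of that list is what the clients were trying to reach when the ACL was applied, and each entry is either a permit line that is missing or a deny line that is too broad.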