Network Security Firewalls

Re: Dumb Dumb Question

Subject: Re: Dumb Dumb Question
Date: Thu, 13 Jan 2005 08:44:32 -0800
Brad,

I have never set up MSN Messenger through a firewall, but the first
thing I do when I break something with an ACL is to check my syslog.

Make sure you are logging all blocked traffic. Test from a single
workstation so that you can search the log for a known IP address. That
should show you exactly what traffic is bouncing off your ACL.

If you don't have a syslog server you can find a free one here:

http://kiwisyslog.com 

Hope that helps.

Roger R. McLaren
Systems Support Analyst
Information Technology Services
Ventura County Superintendent of Schools Office


"Brad Davenport" <BDavenport@egisticsinc.com> 1/12/2005 9:14:25 AM

Ok,

I am having a hell of a time with some ACLs on a border device attached
to our LAN.

I have a PIX which I am offloading some processing to a 2600 from. I
need the ACLs which would allow MSN Messenger access to the LAN as well
as file sharing. However, I have hunted down all the known ports for MSN
and even with the ACL applied I get immediate logouts from the clients
when the ACL is applied.

Take a look and see if perhaps I am missing something.

Thanks,


These deny statements are just in the interest of keeping port scans
from hitting my FW.

access-list 101 deny   tcp any any eq 135
access-list 101 deny   tcp any any eq 139
access-list 101 deny   tcp any any eq 445
access-list 101 deny   tcp any any range 3127 3198
access-list 101 deny   tcp any any eq 4899
access-list 101 permit ip host my.pub.ip. any
access-list 101 permit ip host my.pub.ip. any
access-list 101 permit ip host my.pub.ip. any
access-list 101 permit esp any any
access-list 101 permit gre any any
access-list 101 permit ahp any any
access-list 101 permit icmp any any
access-list 101 permit tcp any any eq 1023
access-list 101 permit udp any any eq 1701
access-list 101 permit tcp any any eq 1701
access-list 101 permit udp any any eq 1723
access-list 101 permit tcp any any eq 1723
access-list 101 permit tcp any any eq ftp
access-list 101 permit tcp any any eq 22
access-list 101 permit tcp any any eq telnet
access-list 101 permit tcp any any eq www
access-list 101 permit udp any any eq 47
access-list 101 permit udp any any eq domain
access-list 101 permit udp any any eq 92
access-list 101 permit tcp any any eq 443
access-list 101 permit udp any any eq isakmp
access-list 101 permit udp any any eq 990
access-list 101 permit tcp any any eq 990
access-list 101 permit udp any any eq non500-isakmp
access-list 101 permit udp any any eq 10000
access-list 101 permit tcp any any eq 10000
access-list 101 permit udp any any eq 62515
access-list 101 permit udp any any eq 2070
access-list 101 permit tcp any any eq 2070
access-list 101 permit udp any any eq 2797
access-list 101 permit tcp any any eq 2797

BJD

Brad Davenport, Director
Network Services
eGistics Inc.
www.egisticsinc.com
bdavenport@egisticsinc.com
972-851-3131
214-995-5629
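What Roger describes (log every deny, test from one workstation, then search the syslog for that workstation's address) is worth turning into a small script, because the useful pattern is not any single line but which flows keep getting denied. The following is an added example, not code from either post. It assumes the IOS %SEC-6-IPACCESSLOG* record formats shown in the constructed sample (each deny entry needs the `log` keyword, and because the implicit deny at the end of the list never logs, a final `access-list 101 deny ip any any log` is what makes "log all blocked traffic" actually happen), and that the test workstation appears in the records as 192.0.2.7, a documentation address standing in for the real one.

```python
"""Added example, not from the original post: pull the ACL deny records for
one test workstation out of a syslog capture and tally which flows bounced
off the list.

Assumptions: IOS logs ACL hits in the %SEC-6-IPACCESSLOG* shapes shown in
the constructed sample below (plain 'log', not 'log-input'), and the test
workstation shows up in the records as 192.0.2.7 (documentation address).
"""
import re
from collections import Counter

# One pattern for the three record shapes: tcp/udp with ports (IPACCESSLOGP),
# icmp with type/code (IPACCESSLOGDP), other protocols by number (IPACCESSLOGNP).
ACL_LOG = re.compile(
    r"%SEC-6-IPACCESSLOG(?:P|DP|NP): list (?P<list>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src>[\d.]+)(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>[\d.]+)(?:\((?P<dport>\d+)\))?(?: \((?P<type>\d+)/(?P<code>\d+)\))?, "
    r"(?P<count>\d+) packets?")

# Constructed sample, not a capture from Brad's router: a syslog server's view of
# list 101 while one inside host (192.0.2.7) uses MSN, the web and DNS.  IOS logs
# the first hit of a flow and then a summary count about every five minutes.
SAMPLE_SYSLOG = """\
Jan 12 09:10:01 192.0.2.1 12: *Jan 12 09:10:00.123: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.10(1863) -> 192.0.2.7(3201), 1 packet
Jan 12 09:10:02 192.0.2.1 13: *Jan 12 09:10:01.456: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.10(80) -> 192.0.2.7(3150), 1 packet
Jan 12 09:10:05 192.0.2.1 14: *Jan 12 09:10:04.789: %SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.9(40000) -> 192.0.2.7(445), 1 packet
Jan 12 09:10:07 192.0.2.1 15: *Jan 12 09:10:06.001: %SEC-6-IPACCESSLOGP: list 101 denied udp 203.0.113.53(53) -> 192.0.2.7(1025), 1 packet
Jan 12 09:10:09 192.0.2.1 16: *Jan 12 09:10:08.222: %SEC-6-IPACCESSLOGDP: list 101 denied icmp 198.51.100.9 -> 192.0.2.7 (8/0), 1 packet
Jan 12 09:10:11 192.0.2.1 17: *Jan 12 09:10:10.333: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.10(1863) -> 192.0.2.9(3322), 1 packet
Jan 12 09:15:01 192.0.2.1 18: *Jan 12 09:15:00.000: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.10(1863) -> 192.0.2.7(3201), 27 packets
Jan 12 09:15:03 192.0.2.1 19: *Jan 12 09:15:02.000: %SYS-5-CONFIG_I: Configured from console by admin on vty0
"""


def parse_acl_log(lines):
    """Yield one dict per ACL log record; anything else in the syslog is skipped."""
    for line in lines:
        m = ACL_LOG.search(line)
        if m:
            rec = m.groupdict()
            rec["count"] = int(rec["count"])
            yield rec


def denied_flows(syslog_text, workstation):
    """Count denied packets per (proto, peer, peer_port, local_port) for one host.

    Records where the host is the destination are inbound (what an ACL on the
    outside interface sees); records where it is the source are outbound.
    Five-minute summary records ('27 packets') add to the same flow's count.
    """
    tally = Counter()
    for r in parse_acl_log(syslog_text.splitlines()):
        if r["action"] != "denied":
            continue
        if r["dst"] == workstation:
            key = (r["proto"], r["src"], r["sport"], r["dport"])
        elif r["src"] == workstation:
            key = (r["proto"], r["dst"], r["dport"], r["sport"])
        else:
            continue
        tally[key] += r["count"]
    return tally


if __name__ == "__main__":
    flows = denied_flows(SAMPLE_SYSLOG, "192.0.2.7")
    for (proto, peer, peer_port, local_port), n in sorted(flows.items(), key=lambda kv: -kv[1]):
        print(f"{n:4d}  {proto:5} peer {peer}:{peer_port or '-'} -> local port {local_port or '-'}")
```

Read the tally with the ACL in mind: every denied TCP flow except the port-445 probe has a well-known source port and a high destination port, that is, they are replies to sessions the inside host opened, which is the signature of an inbound list with no entry for return traffic. The `log-input` record shape, which inserts the interface and MAC address after the source, is not handled by the pattern above.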

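To see why the clients get logged out, it helps to walk a packet through the list the way the router does: the first matching entry decides, and whatever reaches the end of the list is silently dropped. The block below is an added example, not code from the original post and not a Cisco tool. It assumes, because the post does not say, that access-list 101 is applied inbound on the 2600's outside interface and that MSN Messenger sessions are client-initiated to TCP 1863; the addresses are documentation ranges standing in for the real ones. It runs an excerpt of Brad's list (the deny block verbatim plus a few of the permits) and then the same list with `permit tcp any any established` added directly after the deny block.

```python
"""Added example, not code from the original post: a first-match evaluator
for Cisco IOS extended ACLs, run against an excerpt of the list Brad posted.

Assumptions not stated in the thread: access-list 101 is applied inbound on
the 2600's Internet-facing interface, so the sample packets are what arrives
from the outside, and MSN Messenger sessions go to TCP 1863.
"""
from dataclasses import dataclass

NAMED_PORTS = {"ftp": 21, "telnet": 23, "www": 80, "domain": 53,
               "isakmp": 500, "non500-isakmp": 4500}   # as IOS expands them

@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp", "icmp", "esp", "gre", "ahp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False   # TCP ACK or RST bit set: all that 'established' checks

def _addr(t, i):
    """Consume 'any' or 'host A.B.C.D' (the posted list uses nothing else)."""
    if t[i] == "any":
        return "any", i + 1
    if t[i] == "host":
        return t[i + 1], i + 2
    raise ValueError("network/wildcard addresses not handled in this example")

def _ports(t, i):
    """Consume an optional 'eq P' or 'range A B' port operator."""
    if i < len(t) and t[i] == "eq":
        p = NAMED_PORTS.get(t[i + 1]) or int(t[i + 1])
        return (p, p), i + 2
    if i < len(t) and t[i] == "range":
        return (int(t[i + 1]), int(t[i + 2])), i + 3
    return None, i

def parse_acl(config):
    """Return (text, action, proto, src, sport, dst, dport, established) tuples in order."""
    acl = []
    for line in config.strip().splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list":
            continue
        src, i = _addr(t, 4)
        sport, i = _ports(t, i)
        dst, i = _addr(t, i)
        dport, i = _ports(t, i)
        acl.append((line.strip(), t[2], t[3], src, sport, dst, dport, "established" in t[i:]))
    return acl

def _match(ace, pkt):
    _, _, proto, src, sport, dst, dport, established = ace
    if proto != "ip" and proto != pkt.proto:
        return False
    if src not in ("any", pkt.src) or dst not in ("any", pkt.dst):
        return False
    for rng, port in ((sport, pkt.sport), (dport, pkt.dport)):
        if rng and pkt.proto in ("tcp", "udp") and not rng[0] <= port <= rng[1]:
            return False
    return not established or (pkt.proto == "tcp" and pkt.ack)

def evaluate(acl, pkt):
    """First matching entry decides; every IOS ACL ends with an implicit deny."""
    for ace in acl:
        if _match(ace, pkt):
            return ace[1], ace[0]
    return "deny", "implicit deny at end of list"

# Excerpt of the posted list: the deny block verbatim plus a few of the permits.
# Every omitted line is another 'permit ... eq <port>' entry and changes nothing below.
POSTED_ACL = """
access-list 101 deny   tcp any any eq 135
access-list 101 deny   tcp any any eq 139
access-list 101 deny   tcp any any eq 445
access-list 101 deny   tcp any any range 3127 3198
access-list 101 deny   tcp any any eq 4899
access-list 101 permit ip host my.pub.ip. any
access-list 101 permit icmp any any
access-list 101 permit tcp any any eq www
access-list 101 permit udp any any eq domain
"""
# The same list with one entry added directly after the deny block.
FIXED_ACL = POSTED_ACL.replace(
    "eq 4899\n", "eq 4899\naccess-list 101 permit tcp any any established\n")

# Constructed packets as they arrive on the outside interface (documentation addresses).
MSN_REPLY = Packet("tcp", "203.0.113.10", "192.0.2.7", sport=1863, dport=3201, ack=True)
WEB_REPLY = Packet("tcp", "203.0.113.10", "192.0.2.7", sport=80, dport=3150, ack=True)
SYN_SCAN = Packet("tcp", "198.51.100.9", "192.0.2.7", sport=40000, dport=445)
ACK_SCAN = Packet("tcp", "198.51.100.9", "192.0.2.7", sport=40000, dport=2000, ack=True)

if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_ACL), ("with established", FIXED_ACL)):
        acl = parse_acl(cfg)
        for name, pkt in (("MSN_REPLY", MSN_REPLY), ("WEB_REPLY", WEB_REPLY),
                          ("SYN_SCAN", SYN_SCAN), ("ACK_SCAN", ACK_SCAN)):
            action, hit = evaluate(acl, pkt)
            print(f"{label:17} {name:10} {action:6} <- {hit}")
```

The posted list permits inbound packets *to* the listed ports, but the reply in a client-initiated session arrives *from* port 1863 (or 80, or 53) to whatever high port the client picked, so none of the permits match and the implicit deny drops it; that is consistent with immediate logouts. `established` lets TCP replies through, but only by testing the ACK/RST flags, so an ACK scan (the last sample packet) gets through as well, and UDP replies (DNS, L2TP) get no help at all; on a 2600 the real fix is CBAC (`ip inspect`, which needs the firewall feature set) or a reflexive access list. Separately, `deny tcp any any range 3127 3198` sits inside the Windows 2000/XP dynamic port range (1025 to 5000), so any session whose local port lands there loses its replies whether or not `established` is added, as the second sample packet shows.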